By now, many have heard about the massive cyberattacks that affected casino giants MGM Resorts and Caesars, leaving everything from room keys to slot machines on the fritz. Like many recent breaches, it’s a warning to improve security around digital identities — because that’s where it all started.
The origin story of this breach is similar to many we have seen lately: social engineering and impersonation attacks.
Attackers called MGM’s IT help desk, impersonated an employee and talked the desk into resetting that account’s credentials, which they then used to get into the network and launch a ransomware attack. The same group allegedly staged a rash of similar attacks across other sectors, including a breach at casino rival Caesars Entertainment, which reportedly paid $15 million to get its data back days before the MGM attack.
The fact that casino companies — which live and die by their investment in security — could be breached so boldly exposed a basic blind spot in many networks: they don’t have enough checks and balances to ensure the people using their system are who they claim to be.
A known card counter will be quickly spotted and escorted out of the casino thanks to facial recognition technology. However, when it comes to protecting the digital network, many gaming companies still rely on passwords, which have proved to be the weak link in identity and access management (IAM).
Identity Management Vulnerabilities Exposed
The MGM attack shows how exposed identity management becomes when it stops at authentication (does this caller know the password, or hold the phone?) and never gets to verification (is this actually the person the account belongs to?). With the right amount of social engineering, an attacker can work that gap: the help desk reset a real account, it just did so for the wrong person. Organizations must address this at the root by preventing the attacker from ever logging in, because once a criminal holds a valid session on the network, defenders are in reactive mode.
Identity authentication has traditionally been strengthened with multifactor authentication (MFA), which in practice often means a push notification or a one-time code texted to the user’s phone. Even MFA has proved vulnerable, and SMS codes in particular: the code goes wherever the phone number goes.
Armed with some basic information, an attacker can call the mobile provider and play the angry customer trying to activate a new phone; after a short while the carrier moves the victim’s phone number to a SIM the attacker controls, every SMS one-time code now lands on the attacker’s handset, and they’re off to the races. Recently, an attack against a number of cryptocurrency platforms was traced back to such a “SIM-jacking” (SIM swap). Thieves reportedly tricked T-Mobile into transferring the phone number of an employee of the consulting firm managing the crypto platforms’ bankruptcy operations.
Attackers now have a full toolkit, from artificial intelligence to deepfakes that can pass off a hacker in Eastern Europe as a New York accountant who just needs a new phone activated. Meanwhile, businesses are paying the price for not using readily available technology to modernize their identity stack.
Beyond Biometrics: The Need for Genuine Verification
In the roughly 60 years since computer passwords were invented, access management has evolved from sticky-note security to a number of authentication processes meant to short-circuit credential theft and abuse. Push notifications have become a common tool but are vulnerable to “MFA fatigue”: an attacker who already holds the password fires off prompt after prompt until the worn-down user approves one just to make them stop.
Features such as Apple’s Touch ID and Face ID have popularized the use of biometric markers for authentication. However, as demonstrated in the SIM-jacking case, cell phones can also be tools for hackers, not just protective measures.
Hardware security keys improve on phone-based MFA. Under standards such as Fast Identity Online (FIDO), the physical token holds a private key that never leaves the device and uses it to sign a challenge from the site being logged into, so there is no code to intercept or to type into a lookalike page. Google has gone a step further and released a security key implementation whose signatures are designed to resist attack by quantum computers.
It’s a nice try, but all these methods still have a password somewhere at their root. They bind the user’s identity to a device, usually a cell phone, rather than to the person’s actual, proofed identity as verified through biometrics, government-issued ID or other reliable documents. And when the device is lost or the key is replaced, the recovery path typically falls back to a password or a help-desk reset, which is exactly the door the MGM attackers walked through. IAM needs to modernize and evolve from mere authentication to factual identity verification.
Financial Implications of Breaches
Modernizing IAM requires an up-front investment in budgets, time, and effort, but you only need to do the math of data breaches to see how it pays off. MGM Resorts’ revenue losses from the breach could be over $8 million per day, and the company’s stock took a significant hit when the news broke.
The first step is to capture biometrics and verified identity documents from authorized users (employees, partners and customers) at day-zero registration or account creation, so that every later access decision can be checked against that proofed identity rather than against whatever device happens to hold the password.
A verifiable credential, such as a digital employee ID card, digital passport or digital educational certificate, carries metadata and a digital signature that cryptographically prove who issued it, so any tampering with its contents is detected when the signature is checked, provided the verifier checks it against an issuer key it already trusts. Unfortunately, biometric templates can be stolen just like passwords, so that data also needs to be secured. Blockchain is a proven technology for protecting digital assets, so why not use it to protect arguably the most valuable asset, which is your identity?
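The two signing mechanisms described on this page, the hardware key in “Beyond Biometrics” that signs a site’s challenge and the issuer-signed credential just above, rest on the same primitive: a private key whose public half the verifier already trusts. The Go program below is an added illustration, not code from the article or from any IAM vendor. It uses Ed25519 from the standard library, a simplified credential layout and a simplified challenge-response (real WebAuthn signs authenticatorData plus a hash of clientDataJSON; the idea is the same), and every name in it (hr.example, corp.example, corp-example.net, employee:1234) is a made-up placeholder.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Credential is a toy verifiable credential: claims plus an issuer signature.
// The layout is an assumption for illustration, not the W3C VC data model.
type Credential struct {
	Issuer    string            `json:"issuer"`
	Subject   string            `json:"subject"`
	Claims    map[string]string `json:"claims"`
	IssuerKey []byte            `json:"issuer_key"` // Ed25519 public key, informational only
	Signature []byte            `json:"signature"`
}

// signedBytes returns the canonical bytes covered by the signature: every field
// except the signature itself. json.Marshal sorts map keys, so the encoding is
// deterministic and the verifier can rebuild it exactly.
func (c Credential) signedBytes() ([]byte, error) {
	c.Signature = nil // c is a copy; the caller's credential is untouched
	return json.Marshal(c)
}

// IssueCredential runs at the issuer (e.g. HR) during day-zero enrollment.
func IssueCredential(issuer string, priv ed25519.PrivateKey, subject string, claims map[string]string) (Credential, error) {
	c := Credential{Issuer: issuer, Subject: subject, Claims: claims,
		IssuerKey: priv.Public().(ed25519.PublicKey)}
	msg, err := c.signedBytes()
	if err != nil {
		return Credential{}, err
	}
	c.Signature = ed25519.Sign(priv, msg)
	return c, nil
}

// VerifyCredential checks the signature against an issuer key the verifier
// already trusts. It deliberately does not trust the key embedded in the
// credential: an attacker can swap that key along with the claims and re-sign.
func VerifyCredential(c Credential, trustedIssuerKey ed25519.PublicKey) bool {
	if !bytes.Equal(c.IssuerKey, trustedIssuerKey) {
		return false
	}
	msg, err := c.signedBytes()
	if err != nil {
		return false
	}
	return ed25519.Verify(trustedIssuerKey, msg, c.Signature)
}

// Assertion is what a FIDO-style authenticator returns at login: a signature
// over the relying-party ID it believes it is talking to and the server's
// one-time challenge.
type Assertion struct {
	RPID      string
	Challenge []byte
	Signature []byte
}

func assertionMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID)) // fixed-length prefix, like WebAuthn's rpIdHash
	return append(rpHash[:], challenge...)
}

// SignChallenge runs on the authenticator; the private key never leaves it.
func SignChallenge(priv ed25519.PrivateKey, rpID string, challenge []byte) Assertion {
	return Assertion{RPID: rpID, Challenge: challenge,
		Signature: ed25519.Sign(priv, assertionMessage(rpID, challenge))}
}

// VerifyAssertion runs on the server. The signature is checked over the rpID
// the server expects and the challenge it issued, so an assertion produced for
// a lookalike domain, or for a stale challenge, is rejected.
func VerifyAssertion(pub ed25519.PublicKey, expectedRPID string, expectedChallenge []byte, a Assertion) bool {
	if a.RPID != expectedRPID || !bytes.Equal(a.Challenge, expectedChallenge) {
		return false
	}
	return ed25519.Verify(pub, assertionMessage(expectedRPID, expectedChallenge), a.Signature)
}

func main() {
	// Constructed demo: an HR issuer, one employee credential, two forgery attempts.
	hrPub, hrPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred, _ := IssueCredential("hr.example", hrPriv, "employee:1234", map[string]string{"role": "helpdesk"})
	fmt.Println("genuine credential verifies:", VerifyCredential(cred, hrPub))

	tampered := cred
	tampered.Claims = map[string]string{"role": "domain-admin"} // claims edited, old signature kept
	fmt.Println("tampered claims verify:", VerifyCredential(tampered, hrPub))

	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, claims to be HR
	fake, _ := IssueCredential("hr.example", roguePriv, "employee:1234", map[string]string{"role": "domain-admin"})
	fmt.Println("credential from untrusted key verifies:", VerifyCredential(fake, hrPub))

	// Constructed demo: a key enrolled at corp.example, then used on a lookalike domain.
	keyPub, keyPriv, _ := ed25519.GenerateKey(rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge)
	real := SignChallenge(keyPriv, "corp.example", challenge)
	phished := SignChallenge(keyPriv, "corp-example.net", challenge)
	fmt.Println("assertion for corp.example verifies:", VerifyAssertion(keyPub, "corp.example", challenge, real))
	fmt.Println("assertion from corp-example.net verifies:", VerifyAssertion(keyPub, "corp.example", challenge, phished))
}
```

The two design points worth noticing: the verifier in VerifyCredential pins the issuer key out of band and only uses the embedded key as a sanity check, and the signed message in VerifyAssertion includes both the origin and the fresh challenge, which is what makes a hardware key phishing-resistant and replay-resistant where an SMS code is neither.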
Immutable audit logs that go along with the distributed ledger can ensure that if something goes sideways, information security can see who accessed what resources and when and by which method.
Instead of accepting that a user’s phone was stolen or their account hacked, they can see if their Live ID (“real” biometric) was used to gain access. It makes it much easier to determine what happened and react before the blast radius of the hack grows.
Rethinking Authentication in the Digital Age
At its most basic, most of what passes for identity authentication today is copying and pasting. The fingerprint or face scan is not logging the user in; it is just unlocking a stored password so the device can paste it into the app. That is a convenience feature, not a security control: the password is still the secret the application accepts, and anyone who obtains or resets it bypasses the biometric entirely.
Even most “passwordless” authentication has a username and password built in somewhere, typically in enrollment or account recovery. An attacker who captures or resets that password can enroll their own device and set up the same passwordless workflows on a system they control, because the root of the identity remains the password.
MGM and Caesars are just the latest examples of the threats all businesses face regarding identity-based defenses. To take a truly proactive stance against hackers, security must shut down their logins, replacing authentication with a cryptographically proven identity. Then, enable users with a non-disruptive way to conveniently re-verify identity anytime continuous monitoring flags excessive risk related to their online behaviors.
Whenever you have something vouching for an identity, you’ve got a problem. Can a one-time code or a device truly stand in for an identity? IAM needs to be modernized. It needs to connect with people — real people, not devices.