Last week Uber announced that 57 million customer accounts were breached. This sounds like just another example of a hack that hits headlines every week. But something has fundamentally changed. Companies can't protect customer data anymore. Why? Because there's a fundamental flaw in standard security.
Every company relies on the same set of secondary security questions to confirm a customer's identity: your social security number, mother's maiden name, and so on. The problem is, these data points never change. Once breached, they're forever compromised. That means standard secondary questions are rendered completely useless.
Industries like retail, lending and others are not prepared for the massive spike in fraud that is about to happen when hackers start successfully passing standard security checks.
This is not a hypothetical conundrum. It's happening today. Hackers are already using bots to attempt to authenticate using millions of compromised credentials. So what can companies do to protect customers and prevent fraud?
1. Reset customer passwords right now
Yes, you've heard this advice before. It sounds cliché, and surely everyone has already heeded advice that is so simple, right? For some reason many companies still are not doing anything about it. Whatever internal politics need to be overcome, do it. Right now. Seriously. Communicate clearly to customers that this action is being taken in their best interest and because you care. That sort of proactive, personal touch transforms what could be a stressful situation into an opportunity to strengthen customer relationships.
2. Pick up the phone
Investigate suspicious behavior with human intervention. Call the customer and ask about more than their recent transactions. Throw in random but relevant questions about their history with your business, the weather in their home town, even a recent episode of Game of Thrones: anything that might throw off an unprepared hacker. How do they sound? Are they nervous? If their replies raise any suspicion, freeze the account and initiate a more thorough investigation.
3. Proactively identify accounts that are at risk
An efficient way to identify which accounts are at risk is to cross-reference your customers' email addresses with Have I Been Pwned, a publicly accessible database of compromised accounts. The service offers an API so your engineering team can conveniently review credentials at scale. If any customer accounts are known to have been compromised, you can immediately freeze them to minimize damage.
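As an added example (not code from the original post or from Have I Been Pwned), here is a Python sketch of that cross-reference against the HIBP v3 breached-account endpoint. The API key, the user-agent string, the customer list and the sample breach records are placeholders or constructed, and the freeze rule (a password-leaking breach dated after the customer's last password change) is an assumption of this example, not something the service decides for you.

```python
import json
import time
from datetime import date
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

# Placeholder: get a key from haveibeenpwned.com and load it from a secret store, not source control.
HIBP_API_KEY = "<your-hibp-api-key>"
BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def fetch_breaches(email, attempts=3):
    """Query HIBP v3 for one account: 200 -> list of breach records, 404 -> none known."""
    req = Request(BREACHED_ACCOUNT + quote(email) + "?truncateResponse=false",
                  headers={"hibp-api-key": HIBP_API_KEY, "user-agent": "example-risk-review"})
    for _ in range(attempts):
        try:
            with urlopen(req, timeout=10) as resp:
                return json.load(resp)
        except HTTPError as err:
            if err.code == 404:      # no known breach contains this address
                return []
            if err.code != 429:      # 429 = rate limited: wait for Retry-After and retry
                raise
            time.sleep(int(err.headers.get("Retry-After", "2")))
    raise RuntimeError("HIBP kept rate-limiting requests for " + email)

def needs_action(breaches, last_reset):
    """Assumed freeze rule: a breach that leaked passwords and is dated after the
    customer's last password change (ISO date string) puts the account at risk."""
    reset_on = date.fromisoformat(last_reset)
    return any("Passwords" in b.get("DataClasses", [])
               and date.fromisoformat(b["BreachDate"]) > reset_on
               for b in breaches)

def review_accounts(customers, lookup=fetch_breaches):
    """customers: {email: last_reset}. Returns the addresses to freeze / force-reset.
    lookup is injectable so the triage logic can be exercised offline against SAMPLE."""
    return [email for email, last_reset in customers.items()
            if needs_action(lookup(email), last_reset)]

# Constructed sample in the shape of HIBP breach records, for offline use.
SAMPLE = {
    "alice@example.com": [{"Name": "ExampleCo", "BreachDate": "2017-10-01",
                           "DataClasses": ["Email addresses", "Passwords"]}],
    "bob@example.com": [{"Name": "ExampleCo", "BreachDate": "2017-10-01",
                         "DataClasses": ["Email addresses"]}],
    "carol@example.com": [],
}
```

A live run should also space requests to the rate limit of the HIBP plan you hold; the Retry-After handling above only recovers when the limit is hit.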
4. Require multi-factor authentication
This is not a recommendation. It's a must. There is no good reason not to require multi-factor authentication (MFA) in order to access your product or service. That added layer of protection increases the friction for a hacker to access an account.
While MFA will not prevent a breach, it could delay or dissuade a hacker looking for an easy score. There are many types of MFA: one-time passwords, biometrics, push notifications and more. There are also many vendors who offer affordable, convenient ways to integrate MFA into your authentication process, including Duo, RSA SecurID and Symantec.