Firms must take blame for security breaches, says KPMG


Companies that are compromised by hackers can not afford to shift responsibility to customers for “weak” passwords, says security researcher Yiannis Chrysanthou.

Rather than focussing on something the user knows, like a password, they should focus on introducing multi-factor authentication based on something the customer has, like a smartcard, or something a customer “is,” like fingerprint verification, in order to make credential theft and impersonation much harder.

Chysanthou, who is part of KPMG’s cyber security team, made the comments in response to a series of high profile attacks on internet-based businesses.  “Organisations seem to believe that if they force users to pick long complex passwords and then store them only in their cryptographically hashed formats, they are relatively safe,” he said. “The reality is that we hear of password breaches time and time and again, and this needs to change!”

The problem with focussing on passwords, says Chrysanthou, is that these are often encrypted and stored in a database alongside usernames and emails. Once hackers have stolen and published the database, these cryptographic has algorithms are often hacked within a matter of days.

Multi-factor authentication will block traditional attacks relying on guessing or stealing a user’s password because the password itself will no longer be sufficient. Of course this extra security comes with increased investment but the improved customer protection makes it viable and valuable,” he said.