As more facts have come to light about the Latitude Financial Services cyber-attack, the gravity of the situation for customers intensifies, inflicting profound reputational damage to the organization.

Last week it was said 328,000 customer records were stolen.  The revised estimate is now 14 million.  The size and scope of the Latitude hack now towers over the breaches of Optus and Medibank, inducting Latitude into a league that no one wants to be part of; The biggest data hacks in Australian history.

Customers are asking why their records, as old as 2005, were stored unencrypted and so easily exfiltrated?

IBM states it takes an organization an average of 227 days to identify, contain and ultimately plug the leak. By that stage the damage to reputation, trust and the bottom line is irreversible. As Warren Buffet famously said:
                             “It can take 20 years to build a reputation but only five minutes to ruin it.”

How can we address this issue and glean insights from the Latitude Financial case study?

“There are two types of companies. Those that have been hacked, and those that don’t know they have been hacked” – John T Chambers.  A crucial recommendation from cybersecurity leaders today is that if your organization doesn’t have at least one person dedicated to cybersecurity then you have left the door wide open for hackers. 

How was Latitude Financial beached?

Bitdefender reports that hackers infiltrated Latitude’s back office by intercepting a senior staff member’s login credentials. They then gained access to two other external service providers.  The high privilege account allowed hackers to gain access to multiple systems and the haemorrhage started. There is no way back as the genie cannot be put back into the bottle! 

How can attacks like this be prevented?

The issue lies in the fact that username-password credentials can be easily intercepted by hackers. Password Managers cannot solve the problem either.  When they load an encrypted password into a web form it is has to be un-encrypted – clear text – which is intercepted instantly by a Man-in-the-Browser. 

Until now, the industry’s only solution was Two Factor Authentication (2FA). Although this is an excellent idea it merely presents a second hurdle in series and is not infallible. If your browser is breached by a Man-in-the-Browser and have intercepted your login credentials then the hackers are only one step away from tricking you into revealing your second security factor. A little social engineering can accomplish this and the resulting reputational damage and financial consequences can be catastrophic.

The solution is to remove the single attack surface by going passwordless.

Embracing Passwordless!

In 2019, Gartner’s Ant Allen predicted 90% of mid-market SME’s and 60% of global enterprises would adopt Passwordless Authentication. Within two years Passwordless start-ups became the highest funded in cybersecurity history and today Apple, Google, and Microsoft each offer passwordless access to their own services.  With the capability now in every user device, analysts predict mass adoption as online service providers surge to deploy frictionless access for their own users.

Passwordless authentication eradicates the single attack surface making it incredibly difficult for hackers.

Stronger security builds user trust.  Frictionless access increases engagement.

These dual clear benefits for end-users translate to a competitive advantage and business driver for online service providers.

• Proof-of-Presence can be achieved using biometrics, screen patterns, or physical dongles, mitigating the risks from keyloggers, phishing and brute-force attacks that contribute to credential theft.
• An improved user experience and convenience increases engagement and eliminates the costs from users locked out of their systems.