Last week, two crore BigBasket users were informed that their data was stolen from BigBasket and uploaded for sale on the dark web for $50,000. While the company reassured users that the financial information (saved credit and debit card stored on servers) was out of reach of hackers—most companies tend to use separate servers for this purpose—and the password data was hashed, it still raises concerns over cyber-readiness of Indian start-ups.
There is little doubt that given the increasing bouts of attacks, companies need to spend more on cybersecurity, and this cannot be achieved until they are asked to commit a certain percentage of expenditure. But there is also a need to steer them to other alternatives and ask for greater collaboration. Banks, for instance, have adopted the two or three-factor authentication. However, these are not too safe either.
SMS and email, the two modes of authentication used by banks, were not built keeping in mind the safety aspect. Although companies have evolved safer email systems, one-time authentication messages are still the least safe aspect as message communication can easily be intercepted. Receiving a message over WhatsApp can be a solution, but it is again not too safe, and the costs are prohibitive.
Then there is the issue of duplication of passwords. Given the multiplicity of accounts, most users tend to use the same password across services. So, if a hacker gains access to one account, its easier to gain access to another. While many banks have eliminated the need for passwords with regard to smartphone apps, internet pin is still a requirement for all.
And, it is not surprising if the password is the same across the email service and bank account. Password generators and password managers are one solution. But an article published in Forbes, quoting Microsoft’s director of Identity Security, Alex Weinert, details, passwords, even the most complex ones, are not entirely safe.
While Weinert discusses the use of biometric identifiers as the safest means, not many banks or Indian companies have been open to that idea. Despite having a mobile-first strategy, most are averse to having a biometric identifier as a login option. One because these methods are not entirely reliable. Two, the consumer mindset also needs to change.
A better option, however, which has still remained unexplored is the use of authenticators. While such services verify password information and can carry out 2FA without an OTP with data saved on phone memory, they haven’t found wide acceptance. Hardware components like password keys or USBs have also failed to take off.
The trend is picking up in the western world, and Indian companies need to take advantage of this as well. More services need to integrate with the likes of Microsoft, Google or LastPass to enable two-factor authentication.
Google and Microsoft are already doing this for their emails and logins, but other services like banks, utilities and digital wallets need to collaborate as well. Collaboration is the key for a safer cyberspace