This Could Be the End of User Name and Password

6 minute read
Superintendent of the New York State Department of Financial Services Benjamin Lawsky Interview
Benjamin Lawsky superintendent of the New York State Department of Financial Services, speaks during a Bloomberg Television interview in New York on Nov. 24, 2014.Scott Eels—Bloomberg/Getty Images
By Massimo Calabresi

A top New York State regulator is “very likely” to impose new cyber-security rules on much of the banking and insurance industries after high profile cyber-intrusions at Anthem and JP Morgan Chase, law enforcement officials tell TIME.

The move could spell the beginning of the end for a decade-long debate among state and federal regulators over whether to require companies to go beyond the simple user name and password identity checks required to access many computer networks at the heart of America’s financial system and could affect everyone from employees at those firms to the consumers they serve.

Early investigations in the Anthem case suggest foreign hackers used the user name and password of a company executive to get inside Anthem’s system and make off with personal data for 80 million people, including names, addresses and Social Security numbers, the law enforcement officials tell TIME. Anthem had invested in extensive cyber defenses in recent years, but the officials say initial investigations suggest the theft could have been averted if the company had embraced tougher methods for verifying the identity of those trying to access its systems.

That shortcoming reflects systemic weaknesses found throughout the industry in an upcoming study by the New York State Department of Financial Services, a version of which was reviewed by TIME. Among the most worrying findings was a marked level of over-confidence among insurance industry officials regarding the security of their systems. “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here,” says Benjamin Lawsky, the department’s superintendent.

While many big health, life and property insurers boast robust cyber-defenses, including encryption for data transfers, firewalls, and anti-virus software, many still rely on relatively weak verification methods for employees and consumers, and have lax controls over third-party vendors that have access to their systems and the personal data contained there, according to the report. The study follows a similar review by Lawsky’s office of the banking sector late last year that led to tighter cyber-examinations for banks doing business in New York.

These Vintage Computer Ads Show We've Come a Long, Long Way

http://pop.bitpig.com/oldads/nov/pdp-11-70.jpg
1974
1976
1976
http://www.everyjoe.com/2009/07/30/technology/blast-from-the-past-the-3398-10mb-hard-disk/
1977
http://www.mopo.ca/uploaded_images/honeywell_email-763551.jpg
1977
http://www.vintagecomputing.com/wp-content/images/retroscan/ibm5110_large.jpg
1978
1978
1980
http://www.macmothership.com/gallery/MiscAds/AdamAd.JPG
1980
http://www.vintagecomputing.com/wp-content/images/retroscan/ibm_pc_woman_large.jpg
1981
http://www.aresluna.org/attached/computerhistory/ads/international/lotus/pics/byte8311
1983
http://www.vintagecomputing.com/wp-content/images/retroscan/msmouse_large.jpg
1983
http://www.vintagecomputing.com/wp-content/images/retroscan/osborne_large.jpg
1983
http://pop.bitpig.com/oldads/nov/keeping-up.jpg
1984

As the fourth-largest state and the home to many of the corporations in question, New York could affect consumers in other states with its decisions.

For more than a decade, federal and state regulators have debated measures to require increased security at banks and insurance companies that handle the financial and personal details of hundreds of millions of Americans. In 2005, the federal body charged with setting the examination standards for federal regulators concluded [pdf] that simple user name and password systems were “inadequate” for “transactions involving access to customer information or the movement of funds to other parties,” but stopped short of requiring tighter measures. Updated guidance in 2011 [pdf] also stopped short of requiring them.

MORE Apple Might Make Computers You Control With Hand Gestures

The primary federal regulator of big banks, the Office of the Comptroller of the Currency (OCC) says different banks need to assess their own risks in determining whether to use additional verification methods. Other regulators have worried that if one agency, like the New York State Department of Financial Services, tightens standards on its own, the result will be a patchwork of rules that make life difficult for banks doing business across the country.

Still, most agree that username and password security alone is increasingly vulnerable to hackers. As American Banker reports:

Most of the security breaches that occur in banking today use compromised credentials. More than 900 million consumer records have been stolen [in 2014] alone, according to Risk Based Security; 66.3% included passwords and 56.9% included usernames. According to Verizon’s latest Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76% of the breaches analyzed.

The additional measures New York State is likely to require are known as “multi-factor authentication” and include a range of approaches to verify the identity of those trying to sign on to a computer system. Options include sending a confirmation number to an individual’s cell phone, using a fingerprint or other biometric authentication, or using a separate identification source, like a swipe card.

Lawsky has not decided whether his new rule would require institutions to use multi-factor authentication only for employees and third-party vendors, or whether consumers would be required to use them too. However, requiring major banks and insurers under his purview—such as Barclays, Goldman Sachs, Anthem and others—to adopt multi-factor authentication could change the industry standard.

Lawsky says he is eager to see that change. “The password system should have been buried a long time ago, and its high time we buried it,” Lawsky tells TIME. “We really need everyone to go to a system of multi-factor verification. It is just too easy, whether through basic hacking or through phishing or stealing basic information, for hackers to get a password and a user name and then to get into a system,” he says.

MORE Why Your Passwords Are Easy To Hack

State and federal officials have argued that banking and insurance cyber vulnerabilities pose a threat not just to the accounts of individual consumers, but potentially to the stability of the entire financial system. The Obama administration’s recently released National Security Strategy says, “the danger of disruptive and even destructive cyber-attack is growing,” thanks to “malicious government, criminal, and individual actors,” targeting the networked infrastructure on which economy, safety, and health rely.

The New York State Department of Financial Services study of the insurance industry shows most are largely convinced they are confronting and defeating hackers. 58% claimed they had experienced no security breaches during the three years preceding the 2013-14 study, while 35% said they had only between one and five such incidents.

To some that suggests naiveté on the part of the industry. As FBI Director James Comey said last fall, “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

In addition to the new rules on identity verification, Lawsky expects to impose new requirements on third-party vendors that have access to insurance company databases. Those vendors often have lower cyber-security standards and are not required to describe those standards to the companies even though they often have full access to personal data held by the company.

See The 15 Best Video Game Graphics of 2014

Call of Duty: Advanced Warfare
Call of Duty: Advanced Warfare. Activision's futuristic first-person shooter in which players take on a rogue private military company uses a brand new engine built specifically for PCs and new-gen consoles to handle its cutting-edge lighting, animation and physics. Sledgehammer Games/Activision
Far Cry 4
Far Cry 4. This pulled back shot of fictional Himalayan region Kyrat is in-game, believe it or not, rendered with an overhauled version of the engine Ubisoft used to design Far Cry 3. Ubisoft
The Last of Us Remastered
The Last of Us: Remastered. Naughty Dog's meditation on the worst (and best) of humanity is built on technology that reaches back through the studio's pulp-adventure Uncharted series. The graphics are so impressive, TIME recently assigned a conflict photographer to photograph inside the game.Ashley Gilbertson for TIME
Alien: Isolation
Alien: Isolation Built from scratch, the Alien: Isolation engine's outstanding deep space visuals all but replicate the set design of Alien film concept artists H.R. Giger and Ron Cobb's work. The Creative Assembly
Assassin's Creed Unity
Assassin's Creed Unity. Ubisoft says it "basically remade the whole rendering engine" in its AnvilNext design tool to handle the studio's meticulous recreation of Paris during the French Revolution. Ubisoft
Child of Light
Child of Light Inspired by filmmakers like Hayao Miyazaki and artist Yoshitaka Amano, Child of Light's hand-drawn artwork puts the lie to presumptions that graphical richness depends on shader support or polygon counts. Ubisoft
Destiny
Destiny Built from scratch by ex-Halo studio Bungie, Destiny's game engine was designed to scale across the next decade, says the studio. Bungie
Mario Kart 8
Mario Kart 8 Nintendo's kart-racer for Wii U reminds us that raw horsepower is just a facet of crafting a beautiful game world. Nintendo
Infamous Second Son
Infamous Second Son Sucker Punch's freeform Seattle-based superhero adventure models all sorts of minutia, from the intricate wrinkling of an aged character's face to the way eyelids stick, slightly, before separating when characters blink. Sucker Punch Productions
Monument Valley
Monument Valley Escher-like at first glance, Ustwo's mind-bending puzzler was also inspired by posters, bonsai plants, arabic calligraphy and filmmaker Tarsem Singh's The Fall. Ustwo
Grand Theft Auto V
Grand Theft Auto V Rockstar's remastered crime spree opus was crafted from an in-house engine first employed in a game that simulated table tennis. Rockstar
Titanfall
TitanfallRespawn Entertainment
Forza Horizon 2
Forza Horizon 2 Turn 10's Euro-racer actually models light refracted through drops of moisture, the render tech plausibly simulating something as intangible but essential as the earth’s atmosphere. Microsoft Studios/Turn 10 Studios
80 Days
80 Days Inkle's anti-colonialist vamp on Jules Verne's famous novel uses crisp art deco imagery inspired by travel posters to unfurl 80 Days' tale of intrepid globetrotters Monsieur Fogg and his valet Passepartout. Inkle
Tomb Raider: Definitive Edition
Tomb Raider Crystal Dynamics' radical reboot of its popular series about an athletic archaeologist uses a modified version of the engine that powered Tomb Raider: Legend in 2006. Square Enix

Read next: The 7 Biggest Lies You’ve Been Told About Hacking

Listen to the most important stories of the day.

More Must-Reads From TIME

Contact us at letters@time.com