
Andrew Shikiar at FIDO Alliance gives his predictions for what we can expect from the cyber-security industry in 2023
The last twelve months online haven’t been short of action - good and bad. From high-profile breaches and widespread smishing attacks to metaverse speculation and Twitter drama. Not forgetting, of course, the major news in March that saw public backing of new passwordless log-in technology (FIDO passkeys) from some of the world’s largest platform vendors – admittedly we were extra excited about this one…
Unsurprisingly, cyber-security has grown in the public’s consciousness far more than in any other year. How we secure and identify ourselves online is becoming much more of a mainstream consumer talking point and in 2023, this will only continue to grow.
With the year ahead in mind, here are my top predictions for what we can expect to shape the next year and get everyone’s attention.
Several high-profile cloud service providers will be hit with MFA bypass attacks. Cloud service providers are growing in size, data and influence, making them prime targets for cyber-attacks. In 2023, we’ll see a lot more high-profile, sophisticated attacks that bypass legacy MFA like passwords and SMS OTPs.
Cloudflare and Twilio already shared their experiences this year of being attacked as part of the 0ktapus hack, with employees targeted via SMS and attackers circumventing OTP codes. While attacks will rise, we can thankfully also expect more stories with happier endings, like Cloudflare’s, which was ultimately protected from data compromise due to the use of strong FIDO security keys.
Smishing is going to get smarter. Smishing – or SMS-based phishing attacks – has grown massively in the second half of 2022 and is going to be blowing up our notifications even more next year. Not only that, but these attacks may also become even harder to spot as attackers refine their techniques.
In the UK, messages asking users to book COVID vaccines caught many victims in 2022, as well as fake package delivery messages from attackers posing as brands like Royal Mail and DHL. More personal data available online, plus smarter AI and data scraping tools, are going to make these attacks more convincing and trick even those who think they’re clued up.
The silver lining is that as smishing becomes more prevalent, consumers will put less trust in SMS as a communications channel which, we hope, will accelerate service providers’ move away from SMS-based MFA in favour of passkeys and other forms of unphishable authentication.
Speaking of SMS-based MFA, 2023 is also going to be the year it is finally broadly recognised as not fit for purpose when it comes to strong authentication. Not all MFA is created equal.
And in the last twelve months, there’s been a huge uptick in hacker toolkits available on the dark web that make bypassing MFA cheap and trivial. Unsurprisingly, this correlates with both the rise in consumer usage and the boom in attacks.
Ultimately, it boils down to one key distinction – phishable and non-phishable credentials. A one-time passcode is a human-readable and shareable credential, meaning it can be phished and leveraged to take over accounts in the same way passwords are.
Speaking of non-phishable credentials, I couldn’t give my predictions for the next year without a nod to passkeys – one of the most exciting advances in consumer online security for decades.
The passkey concept was introduced by FIDO Alliance and the world’s largest platform vendors in 2022 and was widely welcomed as a more secure replacement for passwords, already being utilized by PayPal and other service providers. Passkeys are currently supported in Apple platforms with full support in Android, Chrome and Windows anticipated by early 2023.
It follows that we will see more major brands adopting passkeys in 2023 - which will lead to broader consumer awareness and demand. Already, it’s promising that our recent research found nearly 40% of 18-34-year-olds had this technology on their radar - a figure we can expect to rise both among this age group and more broadly.
The cyber-security industry has an ever more vital role in our society. Whatever the next year holds, 2023, we’re ready for you!
Andrew Shikiar is Executive Director at FIDO Alliance