Cyber security will always be an issue, “until we get rid of passwords” — Frank Abagnale Jr
How can organisations beat malware and ransomware, and get a
stronger foothold in the cyber security landscape? Frank Abagnale Jr,
security consultant and former con man, says the tables will never be
turned “until we get rid of passwords”.
The security landscape has certainly changed since Frank Abagnale Jr impersonated a pilot, doctor and lawyer.
Frank Abagnale Jr is a name some of you may be familiar with. His early life, between 16
and 21, has been documented in many adaptations: books, plays, TV
series and even a film, the playful biopic Catch Me If You Can, produced and directed by Steven Spielberg.
“Most of these creatives have never even met me,” joked Mr Abagnale during his keynote at Oktane19 in San Francisco.
Waiting in the lobby of the Beaumont Hotel, Mayfair, I was somewhat
nervous about meeting the subject of this film, portrayed so well by
Leonardo DiCaprio. His escapades, posing as a commercial aircraft pilot,
a doctor and a lawyer, seemed so far removed from reality that I didn’t
quite know what to expect — I needn’t have been anxious though, I was
greeted warmly and began an hour-long interview with Mr Abagnale and Ori Eisen, the founder and CEO of Trusona — the identity theft protection company based in Scottsdale, Arizona.
Ridding the world of passwords
Some would argue that we’re losing the cyber security war; data
breaches are an almost daily occurrence and organisations (both public
and private) are being overwhelmed.
The tables won’t be turned “until we get rid of passwords,” said Mr
Abagnale, almost immediately. “I can’t believe that passwords were
developed in 1964, when I was 16-years-old, and now today, at 71, we’re
still using passwords as a protocol to get into security systems. I
don’t understand why there are still passwords around when we know
passwords are the root cause of all these issues that we have.”
This comment was no understatement: Microsoft estimates that 63% of
network intrusions are a result of compromised user passwords and the
latest Verizon Data Breach Investigations Report found that 81% of
hacking-related breaches involved weak or stolen passwords.
A no-password reality is necessary for a secure future — and this is
why Mr Abagnale joined Trusona, the company founded by his
friend of 20 years, Mr Eisen, as an advisor.
But how does one even go about championing ditching the password,
something so ingrained in society? Before breaking down the cultural
hurdles, it was first necessary to develop the technology: anti-replay.
According to TechTarget,
anti-replay makes ‘it impossible for a hacker to intercept message
packets and insert changed packets into the data stream between a source
computer and a destination computer.’
“Without anti-replay, a no-password future is impossible,” continued
Mr Abagnale. “And, over the last four years we’ve been developing it. It
is now accomplished.”
It seems that organisations are willing to embrace the technology.
Trusona have over 200 customers, including the USA’s largest bank and
insurance provider. “It’s the only insured verification system in the
world,” claimed Mr Abagnale. “And, we’re trying to bring it out to the
rest of the world.”
“There are different levels of Trusona. We developed it at a level 4
security for the Pentagon, the CIA and the FBI, but then realised very
quickly we could take it to level 2 — a tool for consumers to use and
eliminate the need for passwords,” he explained.
Passwords: the great security vulnerability
The password is insecure: a hacker could log into an individual’s
bank account and they wouldn’t even know. This is the first issue: passwords
are easily lost and even more easily stolen, via phishing or malware
attacks. Once a cybercriminal has access to the password, they can
replay it over and over again.
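The difference between a replayable password and an anti-replay login, as an added example that is not from the article and is not Trusona's implementation. It assumes a generic single-use challenge signed with HMAC-SHA256 using a key held on the user's device; the names `ChallengeVerifier`, `sign` and `demo` and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def password_login(stored: str, presented: str) -> bool:
    # Static secret: the same bytes are accepted on every attempt.
    return hmac.compare_digest(stored.encode(), presented.encode())


def sign(device_key: bytes, challenge: bytes) -> bytes:
    # Client side: proves possession of the key for this challenge only.
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


class ChallengeVerifier:
    """Server side (hypothetical): one-time, short-lived login challenges."""

    def __init__(self, device_key: bytes, ttl_seconds: float = 30.0):
        self._key = device_key
        self._ttl = ttl_seconds
        self._pending = {}  # challenge -> expiry timestamp

    def issue(self, now=None) -> bytes:
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = now + self._ttl
        return challenge

    def verify(self, challenge: bytes, response: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        # pop() consumes the challenge, so a captured exchange cannot be reused.
        expiry = self._pending.pop(challenge, None)
        if expiry is None or now > expiry:
            return False
        return hmac.compare_digest(sign(self._key, challenge), response)


def demo() -> dict:
    stolen = "correct horse"  # constructed sample: password captured by phishing
    key = secrets.token_bytes(32)  # constructed per-device key
    server = ChallengeVerifier(key)
    c1 = server.issue()
    r1 = sign(key, c1)  # response an eavesdropper might capture
    return {
        "password_replayed": password_login("correct horse", stolen),
        "fresh_response": server.verify(c1, r1),
        "same_exchange_replayed": server.verify(c1, r1),
        "old_response_new_challenge": server.verify(server.issue(), r1),
    }
```

The stolen password keeps working on every attempt, while the captured response is rejected both when the same exchange is resent and when it is presented against a new challenge.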
“Unfortunately, because passwords are free and easy, no one gave
design much thinking,” said Mr Eisen. “But, now the cost of passwords is
obvious” — they’re the great security vulnerability and largely
responsible for the data breaches that pepper news headlines.
Historically, security and user experience have been at odds with
each other, because everyone believed that making systems less user
friendly (longer, more complex passwords, for example) made them more
secure — this is a fallacy and hinders adoption rates, making systems,
ironically, less secure.
“This is not a computer-to-computer interaction with longer keys. These are humans we’re talking about,” continued Mr Eisen.
“My first 20 years at the FBI dealt with counterfeiting, forgeries,
embezzlement, and the last 20 years have all been cyber” — Mr Abagnale
Ease of use: the key to changing security culture
As a security practitioner, and as a former head of risk for Verisign
and American Express, Mr Eisen emphasised that ease of use is the most
This view is similar to that of Jared Spool, the world-renowned UX (user
experience) expert, who famously coined the phrase: ‘If it’s not usable,
it’s not secure’.
“When we talk about passwords, the technology has to be frictionless,” reiterated Mr Abagnale.
“I always look to the future, and in the next two to three years I
see passwords being gone. I have three sons and five grandchildren — one
day, in the not too distant future, I see them being able to access a
range of services at the touch of a button.” He used the example of a
“I’d like to buy this car and finance it through a bank with the best
rate via an app. I’m not telling the dealer where I bank, what my
account number is, who employs me, how much money I make: I don’t have
to give them that information. And with Trusona, all of the data is kept
with the bank or the phone company; we keep none. So if tomorrow they
would hack Trusona, they get nothing because we keep no data.”
Ditching the password
The world is entrenched in passwords, so the challenge is helping
organisations recognise the value of ditching the password and scaling a
system throughout their organisation that employees and consumers can
get on board with.
There are three different layers to this, according to Mr Eisen.
• People are willing to change: Not only
are users willing to change behaviour — but they also report higher
satisfaction rates with passwordless multi-factor authentication (MFA)
logins. In a study commissioned by Trusona and conducted by Blink, 70.2%
of users chose Trusona’s passwordless MFA over traditional passwords —
with 31% more satisfied with the MFA login. Also, the older age group
(55+) was 10% more likely to try passwordless MFA than the two younger
age brackets. “This isn’t because people love Trusona, it’s because they
hate passwords,” explained Mr Eisen. “If a company doesn’t realise how
much resentment is fomenting in people, they should first ask their
customers with a simple survey: do you like using our passwords,” he
• Cost: The second is cost. The call centres of any
large organisation are inundated with calls about forgotten passwords.
According to the study, nearly 30% of participants using passwords
needed help resetting them at least once during the 3-week timeframe —
at ~$25/call that adds up fast.
• Security: “With this technology, every single time
someone uses your identity, you need to say yes, this is me right now,”
said Mr Eisen. “For years and years we have shunned the users away from
security and this is the wrong way to go about it. Let them be part of
the solution and help with security.
“It’s hard to change, it’s not easy, but if you — as a responsible
organisation — don’t realise you need to change, you are a laggard,” he
“Criminals are all the same”
“One thing that never changes is that [cyber]criminals [,con artists]
are all the same,” said Mr Abagnale. The surface area is the thing
that’s different, but the motivations — in general — are the same: the
young Frank Abagnale Jr was physically counterfeiting cheques
while physically impersonating pilots, lawyers and doctors. Today, all
of this still happens, but in the virtual world — and it’s a lot easier.
In the second part of this interview,
we explored Mr Abagnale’s work at the FBI, the transition of crime from
the physical to the digital and how his early life experiences impacted
his dedication to preventing cybercrime.