Passwords, the key to cybercriminals' access to your identity

Igor Lukic, founder of Hackron and cybersecurity expert, reveals the modus operandi of cybercriminals and exposes why the user and password-based identity authentication method is the weakest link in the entire cybersecurity framework.

The methods of cybercriminals are becoming increasingly aggressive and, in recent times, they are increasingly targeting SMEs and individuals, who, unlike large corporations, lack the means or capacity to defend themselves, as revealed by Igor Lukic, founder of Hackron and cybersecurity expert.

For Lukic, there is no doubt that the user and password-based identity authentication method is the weakest link—the least secure method, in other words—in the entire cybersecurity scheme.

Among the examples cited by Lukic during his presentation at the B-FY Pulse event, one real case stands out, documented by the Spanish national police, in which a user is induced over a phone call to reveal their key and password.

Posing as bank officials, the cybercriminals inform the user that an online charge has been made with their card. The user replies that they did not make the transaction. At that moment, the criminals state that they will send a message with a link to the user's phone, and instruct them to click on the link and then enter their password.


Data is the target

Obtaining user data is the criminals' objective because, once they have it, they can access the victim's accounts, whether a bank account, an email account, or any other digital asset. Additionally, because they log in with the user's own password, the system does not flag the activity as strange or unauthorized, and therefore the incident is not reported within the first 24 hours.

“Once they have your username and password, and they enter your email, they can reset the password and lock you out of your digital life because normally we consolidate all our social media, banking, and other accounts into a single email,” explained Lukic.

Lukic emphasized that even though cybercrime is carried out remotely, it is as violent and ruthless as any other type of crime. “A ransomware is nothing more than a kidnapping, and kidnappers have no morals,” he said.

Understanding the Dark Web

Lukic painted a current picture of the so-called Dark Web, where various types of cybercriminals operate. These include:

  • Script kiddies, very young and emotionally immature hackers with limited skills, but capable of causing significant harm.
  • Malicious insiders, individuals who operate from within organizations and collaborate with cybercriminals for a price.
  • Organized cybercrime, which refers to criminal organizations with complete business structures and service offerings, operating from the Dark Web.
  • Activists, highly dangerous hackers with great capabilities who act on political, religious, or social convictions, among others.
  • Cyberterrorists.
  • State-authorized agents.

Lukic explained that the Dark Web offers services for all types of attacks, just like a legitimate marketplace, and that digital criminal organizations amass large sums of money, reinvest in the growth of their operations, recruit personnel, and operate like any other company.

He stressed that most attacks originate from database breaches and the sale of identities or credentials.

Identity is highly valuable

Identity in the digital world is an extremely valuable asset. Cybercriminals can use it to apply for credit in our name, drain our bank accounts, change our passwords, and have full control over our digital life.

Given the weakness of password-based authentication methods, including those that employ multi-factor authentication (MFA or 2FA), systems like B-FY offer a reliable form of identity authentication.

B-FY is a biometric "Identity as a Service" (IDaaS) system that allows customers to truly authenticate their users rather than simply matching authentication credentials. This system utilizes the biometric tools integrated into the device's operating system, requires no effort from the user, and has no learning curve.

Furthermore, there are no costs associated with recurring identifications, such as those generated by sending text messages each time identity verification is needed.

Farewell to passwords

One of the standout features of B-FY is that it does not use passwords or any other possession- or knowledge-based credentials. To identify the user, it only needs to validate their phone number and email, linking them to their device along with their biometric pattern.

This allows for exclusive identification from that physical device and with the user's biometrics. Even in the event of device theft, criminals won't be able to access services protected by B-FY since it would require the owner's biometric data.

Additionally, B-FY guarantees the privacy and security of the user's biometric data since it never leaves their physical device or gets stored on servers susceptible to hacking. The user always has full control over their biometric data.

Protecting identity is crucial

Igor Lukic's presentation highlights the reasons why protecting our identity in the digital environment has become more crucial than ever. Passwords, as an authentication method, are increasingly vulnerable to cybercriminals.

It is essential to adopt more secure authentication systems like B-FY, which use biometrics to ensure reliable and frictionless identification. We cannot allow our digital assets and online life to be exposed to cybercriminals.