Déjà vu can suck sometimes.

Earlier this year, I wrote about the importance of organizations reviewing their password management strategies. I also emphasized that companies need to urgently review their employee access protocol, writing that companies must “make it a point to do continuous employee training to help your teams avoid being duped by phishing and malware tactics.”

But casino gaming companies MGM Resorts International and Caesars Entertainment were caught short in this area in recent weeks by hackers using identity-based and social engineering attacks that spoofed identity to gain access to secure systems.

According to reports, MGM and Caesars were both customers of identity management company Okta. The firm had seen a continuing pattern of activity in which bad actors tried to obtain passwords for privileged user accounts. Okta issued an alert to clients in late August warning that attackers were attempting to “manipulate the delegated authentication flow via Active Directory (AD) before calling the IT service desk at a targeted organization, requesting a reset of all MFA factors in the target account.”

Caesars noted in a filing that an "unauthorized actor" had stolen data in a social engineering attack targeting an outsourced IT support vendor, according to an InfoSecurity report. Caesars had seen some evidence of recent suspicious activity and learned on September 7 that its systems had been compromised, with the bad actors hacking into a loyalty program database containing members' Social Security and driver's license numbers.

According to reports, the hacker groups identified as BlackCat/ALPHV and Scattered Spider are behind these attacks. Caesars and MGM faced cash ransom demands in exchange for not releasing the data into the wild. Some reports noted that both organizations complied with the demands by paying the hackers ‘tens of millions of dollars.’

Both events showed a consistent pattern: take over an employee’s identity and use social engineering to fool the IT helpdesk into providing access. According to a Reuters report, these ransomware bandits also breached the systems of several other companies operating in manufacturing, retail, and technology.

Understanding black hat attacks

Ransomware heists have become increasingly common in recent years as they have become more profitable for hackers.

The formula is well-known: black hat hackers encrypt a company's data and demand a ransom payment for the decryption key. If the company does not pay the ransom, the hackers threaten to release the data to the public or sell it to other criminals. These cyber thieves target companies of all sizes but are often keen on enterprise organizations with valuable data.

This vulnerability is not unique to MGM or Okta; it's a systemic problem with multi-factor authentication. MFA, which was designed to authenticate devices, falls short in secure enrollment and recovery processes, which is exactly where identifying the human user is critical. This is an acknowledged limitation of its original design: it was not developed to address this specific challenge.

It’s worth re-mentioning that a 2022 study by security company Tessian and Stanford University professor Jeff Hancock found that employee mistakes and human errors were the cause of 88% of data breach events. IBM Security pegged that same number higher, at 95%.

In addition to the financial cost of the ransom payment, businesses can also lose revenue and productivity due to downtime and the need to recover from the attack. Ransomware heists can also damage a company's reputation and erode customer trust.

How to combat ransomware attempts

Sadly, these events are likely to continue until industry mechanisms are installed to fact-check a person’s identity. This should happen across the board.

Should companies enact a ‘secret word’ response to verify one’s identity? Here’s a simple analogy: when you accidentally trip your home security system, your home security company contacts you to confirm whether a break-in has occurred. When you answer, the company may ask for a ‘secret word’ to verify that it is you, the homeowner, and that it was an accidental trip of the system. It sounds simple, but it could be a hedge against similar social engineering and phishing hacks. But this simplistic solution doesn’t scale and has its own vulnerabilities.

Taking this to the next level, a better solution to this problem would be an automated method to digitally validate a conversation on a peer-to-peer basis. This would verify the identities of the persons conversing, whether within or outside an organization. It’s almost eerily similar to an early Star Trek episode (Whom Gods Destroy) in which Spock encounters duplicate versions of Captain Kirk and requires a specific answer from Captain Kirk to be assured of the real Kirk’s identity. Okta has suggested adding video to the authentication workflow to address the spoofing issue, but this can easily be circumvented by the generative AI-based tools now on the market, much like the Captain Kirk duplication.

Identity technology can solve this issue at scale, and innovative startup companies have begun to emerge. AI-enabled software solutions can add routine flows within your processes to prompt users to verify their identity as additional security before transactions or account changes. Today there are systems that can also verify attributes such as age and account ownership before speaking to an agent.

Numerous use cases can extend from call center verification to enterprise verification and even into other business and personal categories in the years ahead. We should all be assured that we are interacting authentically with people who are who they say they are. It might make us feel safer and more secure in our connected world.
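A defender-side illustration of the pattern the article describes (a help-desk reset of all MFA factors on a privileged account, followed by re-enrollment and a login from an unfamiliar address), added here as an example and not code from the original piece or from Okta. The audit trail, event names and account names are constructed for the demo and do not follow any vendor's real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str      # account the event concerns
    action: str    # constructed action names, not a vendor's real schema
    actor: str     # who performed it: the user (self-service) or a help-desk agent
    ip: str        # source IP of the session

def T(s):
    return datetime.fromisoformat(s)

# Constructed sample audit trail (not real logs). "admin.j" is a privileged account.
EVENTS = [
    Event(T("2023-09-01T09:00"), "admin.j", "login.success", "admin.j", "10.0.0.5"),
    Event(T("2023-09-02T08:55"), "admin.j", "login.success", "admin.j", "10.0.0.5"),
    # a help-desk agent resets every MFA factor after a phone call
    Event(T("2023-09-02T14:10"), "admin.j", "mfa.factors.reset_all", "helpdesk.a", "10.0.1.20"),
    Event(T("2023-09-02T14:15"), "admin.j", "mfa.factor.enroll", "admin.j", "203.0.113.9"),
    Event(T("2023-09-02T14:16"), "admin.j", "login.success", "admin.j", "203.0.113.9"),
    # benign: a self-service reset by a non-privileged user from a known address
    Event(T("2023-09-02T10:00"), "dev.k", "login.success", "dev.k", "10.0.0.7"),
    Event(T("2023-09-02T11:00"), "dev.k", "mfa.factors.reset_all", "dev.k", "10.0.0.7"),
    Event(T("2023-09-02T11:02"), "dev.k", "mfa.factor.enroll", "dev.k", "10.0.0.7"),
]

PRIVILEGED = {"admin.j"}

def find_suspicious_resets(events, privileged, window=timedelta(hours=24)):
    """Flag a reset of all MFA factors on a privileged account done by someone other than the
    user, followed within `window` by a new enrollment and a login from a never-seen IP."""
    alerts = []
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        if user not in privileged:
            continue
        for i, reset in enumerate(evs):
            if reset.action != "mfa.factors.reset_all" or reset.actor == user:
                continue  # only resets performed on the user's behalf by someone else
            known_ips = {x.ip for x in evs[:i] if x.action == "login.success"}
            later = [x for x in evs[i + 1:] if x.ts - reset.ts <= window]
            enrolled = any(x.action == "mfa.factor.enroll" for x in later)
            new_ip_logins = [x for x in later if x.action == "login.success" and x.ip not in known_ips]
            if enrolled and new_ip_logins:
                alerts.append((user, reset.actor, new_ip_logins[0].ip))
    return alerts
```

Each returned tuple names the account, the agent who performed the reset and the unfamiliar login address, which is what an analyst needs to call the user back through a channel the attacker does not control.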