The Financial Industry - Courts Try to Prove Reasonable Security

$1,901,269 is how much attackers were able to wire out of Experi-Metal’s Comerica bank account in the span of three hours. This was a phishing attack that caused damage to Experi-Metal Inc. (EMI)’s financial assets and raised the questions of liability and “What is reasonable security?”

The continuing court case is attempting to answer that question. Looking at the facts, although Comerica was putting authentication policies in place, such as secure token technology, there was still a user-created gap which allowed the attackers to gain access. An attack needs only access in order to happen.

Although Comerica was able to recover all of the funds but $560,000, EMI is still pressing charges, saying that Comerica exposed EMI’s users to the phishing attack. Comerica is of course implying that any EMI employee responsible for financial transactions should have recognized that the phishing site was a scam.

The decision has still not been made in the favor of either company in terms of liability. Although the contracts originally signed by the two companies will favor Comerica Bank, the fact that the banking industry demands stronger authentication and therefore Comerica has easier access to advanced technologies does not look good for them. It will be interesting to see how the case progresses in mid-November.

The full article is available on BankInfoSecurity.com.

The Trojan Horse: Sneaking Past Your City Walls

For centuries the Trojan horse was a weapon of war; a historical piece of trickery and deceit, which was used to bring down the City of Troy. Now in this century, when searching the term Trojan horse, the first result to appear is about the technology version of the Trojan horse. As many of us know, malware stands for malicious software. One vehicle by which it obtains its unwanted access is the Trojan horse program. These carriers are great at disguise, trickery, and breaking down the walls of your personal identity and even your financial status.


Recently a new Trojan horse program has appeared, and it has many concerned. Trojan horses, as many of us know, are invasive, but this new one goes beyond that, specifically targeting financial institutions and Internet Explorer users. The new name to fear: W32.Silon. With financial institutions as its target, Silon can intercept Internet Explorer sessions and steal credentials. Many say this attack has two heads: the generic Trojan horse approach into all applications, and then the financial focus.


When it comes to logging onto your bank account online, that is when to watch out. The Silon Trojan inserts itself between the token-protected financial site and the user, putting up a façade that looks like their normal login screen. This allows it to transmit your credentials to hackers, who can then obtain your financial data and reap the rewards. The main thing that is clear about this attacker is that it is following and changing with the authentication trends. With more advanced authentication techniques, attacks are becoming more and more sophisticated. Silon is a prime example, as it attacks the two-pronged stronger authentication methods with ease. Bank accounts beware!


For more information check out these links:

http://en.wikipedia.org/wiki/Malware

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

http://in.sys-con.com/node/1162320

Portable Devices: Be Careful Where You are Storing Your Information

160,000 portable devices are misplaced in Chicago taxicabs every year. Although this seems like a random fact, it should be a rude awakening for those of you who have portable devices containing almost all of your business and personal information. Just imagine for a minute that you lose your BlackBerry in the airport. Would you panic?

Nowadays portable devices hold an amazing amount of information, and for business professionals out of the office they act almost like small computers. Stored information can include:

  • Social Security Numbers
  • Emails
  • Website Credentials
  • Passwords
  • Company Planning and Contacts
  • Confidential customer and/or company information

With all of this information being stored on small portable devices, their loss is becoming a big concern. Many businesses have started to implement mobile device security plans, and seem to be less concerned with the cost of the device and more in tune with the cost of losing and/or recovering the information.

In the following article, “Lost Black Berry? Data Could Open a Security Breach”, there are a few cases of lost devices that caught my attention:

  • A device that contained the personal numbers of congress members
  • Losing a device in the O’Hare airport
  • Having it stolen out of your car
  • Selling it on eBay, without remembering to delete all of the data

All of these cases are extremely dangerous to the owner of the device and to the information inside. There are cases as well where laws become involved. For instance, if a doctor loses their BlackBerry, which contains client information, it does not affect only the owner of the device. In the healthcare industry, it can violate the Health Insurance Portability and Accountability Act, and for financial and public companies it could easily violate the Sarbanes-Oxley Act.

In order to combat these issues, certain techniques have been created, such as:

  • Biometrics
  • Passwords (If enabled by the user)
  • Remote Data Deletion (Only works if the phone is turned on)

All of these techniques have their benefits and downsides as well. It is clear that we need to protect the data on these devices as though each were another computer to be protected. It is important to understand what sort of implications losing the device has, and whether or not the company is ready to handle any such issues.

Can Single Sign On be improved?

Single Sign On (SSO) is the concept of an end-user needing one username and password pair to gain access to multiple data-sensitive resources. SSO provides a tremendous ROI (return on investment), as having only one password to remember significantly reduces the involvement of helpdesk personnel in the maintenance of passwords, not to mention the increased productivity and job satisfaction for the end-user.

With almost all benefits comes a downside, and SSO is no exception. Having one password protecting multiple resources delivers much sought-after improvements. However, if that one password is compromised, ALL the resources are now subject to intrusion. The traditional approach of having a different password for each resource certainly reduces this risk, but brings us back to helpdesk and end-user frustration and costs.

Wouldn’t it be great if the security of multiple passwords and the ROI of SSO could be combined to form a very secure and prosperous union?


Good news! This article introduces technologies designed to improve single authentication, which when combined with SSO create a very powerful union designed to protect and serve. SSO in combination with Smart Cards or One Time Password Tokens will improve the single authentication and enhance the benefits gained from SSO.


Smart Card Technology

Instead of using a password that can be discovered by a user with negative intentions, Smart Cards can be used to prevent unauthorized access to sensitive data. Physically, a Smart Card is a handheld card with integrated circuits that has the ability to process data. Data is moved from the card to the reader via metal contacts or radio frequency. Access to the controlled resource is granted only when the user has both the card and the PIN/password needed to verify ownership of the card. Requiring both the physical device and knowledge of the password makes for a security system that is extremely difficult to crack. The likelihood of a malicious intruder obtaining both the card and the PIN is extremely low, and this is therefore significantly more secure than a single password.


One Time Password Tokens

A One Time Password, or OTP, is a password that allows access for a single session or transaction. Should the password be recorded by a would-be intruder during the single login session, they will not be able to use it, as it becomes invalid after the single transaction. The OTP is generated and made available by a number of different technologies. There are handheld devices that display the OTP, or the OTP can be delivered through a user’s cell phone. The provider of the OTP is configured with an algorithm that generates the OTPs from a random source. Various algorithms are used to generate passwords in such a way that the next password cannot be guessed or determined by an intruder.
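As an added illustration (not code from this article or from any vendor’s token), here is one of the OTP algorithms the paragraph alludes to, HOTP from RFC 4226, together with a server-side verifier that shows why a recorded code is useless to an intruder: accepting a code advances the server’s counter past it, so that code and every earlier one are invalidated. The secret is the test value published in RFC 4226, not a real key.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226 Appendix D; it is not a real key.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpToken:
    """The user's handheld device: shares the secret with the server and
    produces a fresh code each time the button is pressed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Server side: one secret and one expected counter per enrolled token.
    A code is accepted only if it matches one of the next `look_ahead` counter
    values (the user may have pressed the button without logging in), and
    accepting it moves the counter past it, so the same code, or any earlier
    one, can never be accepted again."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            # compare_digest avoids leaking which digits matched via timing
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def replay_demo() -> tuple:
    """Scenario from the paragraph: an intruder records the code used in one
    login and tries it again. Returns (first_login_ok, replay_ok)."""
    token = OtpToken(RFC4226_SECRET)
    server = OtpVerifier(RFC4226_SECRET)
    recorded = token.next_code()      # what the intruder captured
    first = server.verify(recorded)   # legitimate login succeeds
    replay = server.verify(recorded)  # same code again is refused
    return first, replay


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0))    # 755224, matching RFC 4226's table
    print(replay_demo())              # (True, False)
```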


It would take some time and investment, but employing an SSO solution combined with improved single authentication will provide a powerful and cost-effective security system to a company that cannot take chances with its secure data.

Phishing, Spear Phishing & Whaling: Attacks That Are on the Rise

With security breaches occurring constantly, some of the ones to look out for are the email attacks coming into your mailbox. Currently attacks such as phishing, spear phishing, and whaling are on the rise. In order to bring light to these attacks, it is key to understand what they are, and how to prevent them.

Phishing: “In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.” – Wikipedia.com

Spear Phishing: A much more targeted attack on a specific victim. Usually the targets are linked to vital information, such as checkbooks, SSNs, and credit card numbers.

Whaling: These are possibly the worst. Executives and “big fish” in the company are targeted for their passwords and vital information.

According to a recent article on blogtalkradio.com, “Criminal Hackers Clean Out Bank Accounts Using Spear Phishing”, attacks like these are increasing by at least 50%. Phishing attacks are powerful and can damage bank accounts and identities in days. The article discusses a case where $440,000 was taken over the course of five days without the account owners even knowing.

These attacks usually come in the form of emails, which can even look like company documents. Once the user clicks on a link which appears to be from the “important” source, a virus is usually downloaded that allows the attacker to see all of your user data. There are even instances where these viruses attach to the user’s web browser and allow the attacker to see all sites visited, including personal sites such as online banking.

So with this information it is key to also offer some solutions to these attacks:

  • Have anti-virus protection installed on your computer
  • Look into getting a credit freeze
  • Check your bank statements often and keep track of your financials

Finally, the obvious solution is to not open emails that you don’t trust, no matter what. Recently at PistolStar we addressed this exact issue with the U.S. Navy. The government, as an industry, relies on its information being secure. Recent regulations now require that all government emails contain a digital signature to verify the sender. Basically, if it is not signed, it is not trusted. We created an Email-Signature Plug-In that signs all outgoing unsigned emails, to make sure the receivers know who the email is from and that it came from a trusted sender.

With the implementation of such plug-ins, regulations, and solutions the number of attacks will hopefully decrease. The key is to make sure that you and your company are secure and protected, and remember….

If it’s not signed, it is not trusted!

Bookmarklet-based Password Managers Exposed

Given the number of websites a user accesses per day, and that most require authentication, it is no wonder everyone is looking for a tool to remember their passwords. Websites are requiring techniques such as mixing capital letters, symbols, and spaces to increase the strength of the password and the difficulty of hacking and obtaining it.

One way that users are keeping track of these multiple credentials is with password management tools. These usually remember the password for the user, so forgetting it is no longer a problem. Unfortunately it has been found that these tools can also decrease security and open a window of opportunity for hackers to come in.

In the article by Rachel Kremen, “Plugging a Password Leak: How a Simple Fix made Password Managers More Secure”, the issues with password managers that use bookmarklets to automate the login process for the user’s websites were exposed. The researchers investigated six popular bookmarklet-based password managers, Verisign, MyVidoop, Clipperz, PassPack, and MashedLife. The findings were alarming.

The way these managers work is by storing the user’s passwords for their favorite sites on a central server. When the user visits a site again, the bookmarklet is used to determine which site the user is on and to provide the credentials.

Researchers found this to be a red flag. The main question that was brought up is: how does the manager know for sure that the user is actually on the website it thinks they are on? After running tests, they discovered that with a few pieces of code the manager could be fooled into producing the credentials for the user’s website, even when the user was not visiting the site itself.

Hackers could easily obtain the credentials for bank websites, credit cards, and other personal information. The password manager would provide the credentials without recognizing that it is actually a hacker’s website it is providing them to.

Luckily the solution was easy. Over SSL, using the referrer header to identify the requesting site makes forgery of the website difficult. The password manager services researched did take the researchers up on the suggestion, made the changes, and/or informed their users.
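As an added example (not code from the research or from any of the managers named), here is the server-side credential-release decision in both forms: the weak design that believes whatever site the bookmarklet reports, and the hardened design the article describes, which releases credentials only to the origin in the Referer header of an HTTPS request. The vault contents and host names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault for the example: origin -> (username, password).
# Not real accounts; a real manager would store these encrypted.
VAULT = {
    "https://bank.example": ("alice", "correct-horse-battery-staple"),
    "https://mail.example": ("alice@mail.example", "example-mail-password"),
}


def origin_of(url: str):
    """Return 'https://host[:port]' for an HTTPS URL, or None for anything else.
    Plain http is refused: without SSL the Referer could be altered in transit."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname  # urlsplit lower-cases the hostname
    if parts.port and parts.port != 443:
        host = f"{host}:{parts.port}"
    return f"https://{host}"


def release_trusting_claim(claimed_site: str):
    """Weak design (the 'before'): the bookmarklet script reports which site
    the user is on and the server believes it. The script runs inside the page
    it was clicked on, so that page controls what gets claimed."""
    return VAULT.get(claimed_site)


def release_by_referer(headers: dict):
    """Hardened design: ignore any claim and use the Referer the browser
    attached to the HTTPS request that fetches the credentials. No Referer,
    a non-HTTPS Referer, or an unknown origin all release nothing."""
    referer = headers.get("Referer")
    if not referer:
        return None
    origin = origin_of(referer)
    if origin is None:
        return None
    return VAULT.get(origin)


def impostor_demo() -> tuple:
    """A page on impostor.example claims to be the bank. Returns what each
    design releases: (weak_result, hardened_result)."""
    weak = release_trusting_claim("https://bank.example")
    hardened = release_by_referer({"Referer": "https://impostor.example/login"})
    return weak, hardened


if __name__ == "__main__":
    print(impostor_demo())  # (('alice', 'correct-horse-battery-staple'), None)
```

The hardened check fails closed: a browser or proxy that strips the Referer gets no credentials rather than a fallback to the claimed site.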

Imagine the losses that could occur. With everyone placing their trust in websites, it is vital to protect the information used to access them. Although remembering these passwords can be challenging, so is tracking a cyber criminal who has taken your identity. With these tools it is important to understand what knowledge you are providing to them, and how it will be used. Putting all your passwords in one basket is not necessarily the best plan for secure authentication.

What’s New with Password Protection?

In a recent article a common issue was discussed: password security. It is apparent that people have a hard time remembering, and creating, strong secure passwords. It also seems impossible to have users successfully remember passwords for all of the applications they use, including the websites they visit. In response to this constant struggle between user and password, companies such as PistolStar have come up with solutions.

One of them is a strong challenge question and response method for users to self-service their own passwords. This allows them to create questions specific to them, which will later be used to confirm their identity. This has been a successful and strong method for quite some time, but now people are wondering what else is possible.

On The Blog of Content Protection, authored by Eric Diehl, the posting “Retrieving Passwords Through Social Interaction” brought to light a strange way to go about recovering your password. Microsoft began to think of recovering passwords as “not what you know, but who you know”. This created the idea of using trustees to recover your password.

The user would define a list of trustees, who would then receive recovery codes. Once the user forgot their password, they would contact their trustees for the recovery codes. This was an interesting concept, which created a security wall made of human interaction.

This solution does come with many issues, such as forgetting who your trustees are, and the time it takes to retrieve the codes from the trustees. You can read more in Microsoft’s report:

It’s Not What You Know, But Who You Know: A Social Approach to Last-Resort Authentication

The idea of social marketing is being chased after by marketers everywhere, but what about social password recovery? Developers, are you ready to jump out of your seats….or stay seated? You decide.


Layoffs: Studies Say There Are Threats to Data

August 4, 2009 by Kimberly Johnson
Filed under: Data Security, General Information 

Recently Insurance Buyers’ News, a direct mail newsletter, came to our office and included a serious article that businesses should be considering today. Unfortunately, with layoffs still occurring, the number of disgruntled employees is rising, which poses a threat to a company’s data.

“Layoffs Increase Data Breach Risks” discusses a recent example involving a systems administrator. He demanded money and references, or else he would attack the servers. Although he was caught and prosecuted, the damage that could have been done would have been a serious cost to the company.

Studies are beginning to show that employees are not planning on taking just their pens when they leave, but also vital information. The question of course becomes, how are you going to protect your data? It is important to be prepared, especially if there is a possibility of layoffs in the near future.

We recommend a few key tactics for protecting your company from the potential threat:

Many laid-off employees have been found to still have access to their old accounts, even after the layoff occurred. Treating employees with respect is a way to make these hard times smoother, but protecting your data and your current employees is key.


Twitter Faces Security Breach: Is your identity safe?

July 30, 2009 by Kimberly Johnson
Filed under: Authentication Security, Data Security 

Social media has become the talk of the town lately. With Facebook, Twitter, and Myspace taking over how all of us share information, it is no wonder they are targets for cybercriminals. The security and authentication requirements of many of these sites are not standing up to these attacks. The latest attack is on Twitter.

In a recent survey produced by Osterman Research Inc., the author of multiple PistolStar whitepapers, they dove into the world of Twitter and its usage. Most of those surveyed have only been using the site for up to 3 months, but at least 50% see it becoming more important to them in the future. This being said, it is amazing how much information people are willing to provide to these sites, making them prime targets for identity theft and other security breaches.

A recent article on Telegraph.co.uk discussed a threat to Twitter users’ login credentials. A site called TwitViewer was an add-on site which allowed users to see who was viewing their profile. Unfortunately, when users were prompted to enter their credentials, they were handing them over to criminals. Twitter suggested that those who used the site change their username and password immediately.

These social media sites are becoming targets due to the vast amount of information that users are willing to provide. When this much information is provided, a username and password becomes a very sensitive piece of information. It is important to ask yourself…. can you prove your identity beyond your password?


To read more go to:
“Twitter in New Security Scare”

In the news: Authentication a chief priority, top issue

It’s nice to receive validation of what you do, and we’ve had the pleasure of actually seeing it in print several times in the past several weeks. People in the industry, from security pros responding to surveys to an industry influencer, have spoken out on authentication.

First, to cheer up everyone who’s thinking pessimistically about prospects for the economy, there’s the survey of security pros in the financial services industry (hardest hit by the recession, remember?) which found that almost 50% report improved funding for security projects in the next six months. The big(ger) news is that the respondents ranked authentication, encryption and network access control as “high priorities.” The study was conducted by SearchFinancialSecurity.com and reported in “Financial security pros expect improved funding in second half of 2009.”

In a recent tech industry talk about what the Internet still needs to make it complete, Vinton Cerf, the chief Internet evangelist at Google and co-designer of the TCP/IP protocols that are the foundation of the Internet, stated that one of the Internet’s most critical needs is authentication. He said that anyone doing business involving the Internet (and who isn’t?) should be “deeply concerned” with incorporating authentication. One of the many articles on Cerf’s talk, “The Internet is incomplete…”, can be found on Computerworld.com.

Yet another survey, this one by another company in the space, revealed that the adoption of strong authentication is growing. Among its findings: strong authentication and single sign-on (SSO) are “driving organizational cost efficiencies, security and employee productivity” and strong authentication is “no longer being used exclusively for remote access.” More info as well as access to the full survey report can be found in the article, “National Strong Authentication Survey Shows Uptick in Adoption and Growing Synergy with Single Sign-on Solutions” in the Cloud Computing Journal.

We’ll inform you on other news reports on authentication as we find them!
