As described in this article: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346018,00.html, Monster.com employee login credentials were recently stolen. Now that hackers have their passwords, Monster's systems are at risk until every last password is changed -- and those users who happen to use the same passwords all over the place are at even greater risk. The solution, of course, is 2-factor authentication. If your password is just 1/2 of the login equation, you're protected even if the password is compromised.
That's the foundation of the SafeTelework with Enterprise-in-a-Flash system, based on patented 2-factor authentication. Ours isn't the only way to do it, though we think it's the best. Even if you choose a different product, please be sure it has 2-factor authentication enforcement 100% of the time. Otherwise, you're just putting yourself at risk.
Tuesday, January 27, 2009
Friday, November 14, 2008
Phishing For Second Factors
Just when you thought second-factor tokens from banks meant it was safe to go back in the (online) water, a new phishing spoof targets Citibank's two-factor token system.
http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
This is something I've been nervous about since the very first of these random-number-rotation tokens came on the market. While certainly better than nothing, they remain vulnerable for the time that the current random number is valid. Even if that's only 60 seconds, it's still a viable window for attack.
The problem remains that it's just another password that is entered into a box and submitted across the wire to a server. That means it can be captured / stolen / spoofed, and during the 60-second window, it's the same as any other password.
The only solution is a device that has unique physical properties that are read and incorporated by the software directly into the authentication process in real time, rather than numbers that are transmitted across the connection.
This is the driving consideration behind the patented SecureChannel system at the core of the Enterprise-in-a-Flash secure remote access service.
http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html
This is something I've been nervous about since the very first of these random-number-rotation tokens came on the market. While certainly better than nothing, they remain vulnerable for the time that the current random number is valid. Even if that's only 60 seconds, it's still a viable window for attack.
The problem remains that it's just another password that is entered into a box and submitted across the wire to a server. That means it can be captured / stolen / spoofed, and during the 60-second window, it's the same as any other password.
The only solution is a device that has unique physical properties that are read and incorporated by the software directly into the authentication process in real time, rather than numbers that are transmitted across the connection.
This is the driving consideration behind the patented SecureChannel system at the core of the Enterprise-in-a-Flash secure remote access service.
Friday, October 17, 2008
Phones as second factors of authentication
I've been noticing a trend in the market towards acceptance of phones, particularly cell phones, as a mechanism for enforcing multi-factor authentication. While I applaud the attempt to make multi-factor authentication more ubiquitous by tying it to an already-prevalent device, I am worried.
Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system. Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call. Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.
It seems to me that there are several opportunities for trouble here.
First, it's complicated. Not very complicated, but complicated enough. It's another step or two that the average user may simply opt out of. Will users really adopt it if it's an optional feature?
How about logistical difficulties: Do I have to pay for the text message or call minutes every time I log in? What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot? What if my phone runs out of battery?
In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number?
In the end, I think it's probably better to stick with industry-standed methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user. This is just too important to entrust to a clever but potentially flawed methodology.
Basically, the way it works is that you input your phone number into your profile at the online service you're logging into - be it a remote desktop product, your bank, or some other system. Then, when you hit the login page, you enter your username and password, and the system sends a message to your cell with a One Time Password (OTP), or calls you, at which point you press a button to indicate you've received the call. Once the host recognizes the OTP or receives your call confirmation button press, you're logged in.
It seems to me that there are several opportunities for trouble here.
First, it's complicated. Not very complicated, but complicated enough. It's another step or two that the average user may simply opt out of. Will users really adopt it if it's an optional feature?
How about logistical difficulties: Do I have to pay for the text message or call minutes every time I log in? What happens if I'm in an area without cell coverage, like a basement office or a remote vacation spot? What if my phone runs out of battery?
In terms of the security itself, what's to prevent someone from stealing my (presumably single-factor) website login and modifying my profile to put in their phone number?
In the end, I think it's probably better to stick with industry-standed methods for multi-factor authentication -- primarily separate hardware authentication tokens, issued in unique fashion to each user. This is just too important to entrust to a clever but potentially flawed methodology.
Thursday, October 16, 2008
Implanted RFID Chip
I came across this item recently, regarding implanted RFID chips acting as a 2nd factor of authentication.
http://connectid.blogspot.com/2008/10/is-this-2-factor-authentication.html
I don't think there's any doubt that this is a form of multifactor authentication, as disturbing as it may be... The interesting, though academic, question is this: is the RFID chip then something that you have or something that you are?
http://connectid.blogspot.com/2008/10/is-this-2-factor-authentication.html
I don't think there's any doubt that this is a form of multifactor authentication, as disturbing as it may be... The interesting, though academic, question is this: is the RFID chip then something that you have or something that you are?
Wednesday, April 2, 2008
Passwords For All To See
While doing some market research the other day, Google presented us with several documents containing login information for GoToMyPC and LogMeIn user accounts. Usernames, passwords, access codes - the works. Just posted to the web for anyone to find. Plus a bunch of people's logins for e-commerce, online banking, and travel sites, among other things. It's really quite amazing how much security-sensitive information is just floating around cyberspace. And of course, the easy availability of passwords speaks directly to the need for people to be using 2-factor authentication as much as they can, so they're not vulnerable to password theft or inadvertent disclosure.
Shameless plug - here's the marketing slick we put together to help our prospects understand why this is important:
http://www.enterpriseinaflash.com/security/Password Security Breach 4-2-08.pdf
Shameless plug - here's the marketing slick we put together to help our prospects understand why this is important:
http://www.enterpriseinaflash.com/security/Password Security Breach 4-2-08.pdf
Tuesday, June 19, 2007
More Action from TriCipher
TriCipher's been in the news a lot lately, and that's good for them and for the whole multifactor movement. We like to see pickup on this technology, no matter whose it is.
http://internetcommunications.tmcnet.com/topics/broadband-mobile/articles/7666-tricipher-takes-identity-theft-prevention-mobile.htm
This article discussed the fact that they've released a USB-based solution, something near and dear to our hearts, because we also use a USB-driven system at Enterprise-in-a-Flash (http://www.enterpriseinaflash.com).
I'm concerned about the fact that they're allowing for customer self-provisioning. I'm not sure a bank would let you self-provision your ATM card onto any blank card you could get your hands on, and I'm not sure it makes sense to trust a user-provisioned authentication factor that they've put onto any unknown USB drive. But I'll have to see more about this before making a final judgment.
http://internetcommunications.tmcnet.com/topics/broadband-mobile/articles/7666-tricipher-takes-identity-theft-prevention-mobile.htm
This article discussed the fact that they've released a USB-based solution, something near and dear to our hearts, because we also use a USB-driven system at Enterprise-in-a-Flash (http://www.enterpriseinaflash.com).
I'm concerned about the fact that they're allowing for customer self-provisioning. I'm not sure a bank would let you self-provision your ATM card onto any blank card you could get your hands on, and I'm not sure it makes sense to trust a user-provisioned authentication factor that they've put onto any unknown USB drive. But I'll have to see more about this before making a final judgment.
Another Great Example
This blog entry by Dave Jevans presents another excellent example of a case where multi-factor authentication would have been valuable in preventing a costly security breach.
http://blog.ironkey.com/?p=136
Interestingly, the comment at the bottom of the page indicates that multi-factor authentication systems are vulnerable to Man In The Middle attacks. While that's true for the traditional One Time Password devices like RSA SecurID, it's not the case for more modern systems, including (shameless plug coming) the USB Flash Key based system offered by Enterprise-in-a-Flash (www.enterpriseinaflash.com), as well as numerous other innovative solutions on the market today. I'm hoping people start to learn more about the options and see that the market is responding to the requirements...
http://blog.ironkey.com/?p=136
Interestingly, the comment at the bottom of the page indicates that multi-factor authentication systems are vulnerable to Man In The Middle attacks. While that's true for the traditional One Time Password devices like RSA SecurID, it's not the case for more modern systems, including (shameless plug coming) the USB Flash Key based system offered by Enterprise-in-a-Flash (www.enterpriseinaflash.com), as well as numerous other innovative solutions on the market today. I'm hoping people start to learn more about the options and see that the market is responding to the requirements...
Subscribe to:
Posts (Atom)