One Time Password Information

The Malware Threat Landscape Creates an Increasing Need for Strong Authentication

If "polymorphic financial malware variant" does not make sense to you, then it is doing its job. With the malware threat landscape growing rapidly through new malicious applications, it is very difficult for the majority of computer users to keep up with the terminology. The Aite Group estimates that 25 million new types of malware were distributed in 2011 and that the number could rise to 87 million released per year by 2015. So what is a polymorphic financial malware variant? Why is it increasing the need for better online banking security and ultimately the overall need for strong authentication?

Polymorphic just means the malware is ever changing, constantly evolving into a more malicious program to steal information. Some variants are built to hijack browser sessions, and in the most targeted attacks they are purely financial. The real threat behind these new forms of software used to trick internet banking users is that they are incredibly hard to detect and to get rid of.

Shylock is the name of a sophisticated new piece of malware which hijacks a bank's live chat session to impersonate a member of the bank and steal confidential data which can be used for further attacks. This is considered a browser-based man-in-the-middle attack, and it is very deceptive and effective.

It is the new form of phishing. Traditional phishing attacks required the user to be lured to a false site through some kind of bait. Those phishing sites are now taken down quickly and often blacklisted before too much damage can be done, so attackers needed a new trap. Instead of luring the victim to a hacked website, the malware now lies dormant, hiding until the user accesses a secured banking application. By sitting between the user and the bank, this man-in-the-middle attack allows the thief to ask personal questions to steal confidential data. It is a combination of social engineering and hacking.

Malware is becoming so sophisticated that the programs can now avoid antivirus scans. Shylock actually uses three ways of staying active on an infected machine while remaining undetected. Instead of running as its own process, it latches onto every other application on the victim's machine, effectively hiding in memory. Even with up-to-date antivirus, detection is still not a solution, because the program detects when a scan has started. By removing all files on the computer related to the malware it avoids detection, yet the application remains hidden in memory and still active. Having hidden itself from antivirus software, it also takes over the Windows shutdown process: during shutdown all of its files are recreated, ready for the next time the user starts up the device.

If a victim's computer can be hijacked without their knowledge, and the malicious software can run undetected and be reinstated at startup, then how secure can any security process be? Strong authentication which uses an out-of-band authentication method can protect against these types of man-in-the-middle attacks by separating a piece of the login process from the malware. Through a time-based one-time password, banks can securely identify a user by transmitting the OTP to the customer's mobile phone. Not only does this remove a piece of the login credential from the malware's reach, it also gives the customer an alert whenever access is requested.

Kaspersky Labs has said that 780 new malware applications are created every day to siphon confidential financial data. This means man-in-the-middle attacks such as this one will become more common as the malware threat landscape becomes more aggressive. Without security that is effective, efficient and customer friendly, adoption of another login step may not be easy. Strong authentication which uses an out-of-band one-time password not only provides a low-cost solution but also creates a notification platform for online banking access.

5 Ways Strong Passwords Still Fail to Prevent Unauthorized Access

Although online safety through the use of strong passwords sounds like a viable safety measure for most sites and logins, strong passwords are still susceptible to hackers, malware, and phishing attacks. As more and more data breaches are reported, such as the recent incident of VeriSign being hacked, online users are constantly urged to change their login credentials. Many users and some so-called internet security experts still rely on strong passwords to protect the privacy and security of their information online. As secure as they seem now, strong passwords fail to protect against unauthorized access every day, even as more users come to rely on them.

Strong passwords consist of a combination of letters, numbers and symbols. The more characters a password has, the stronger it is considered to be. These passwords are a reasonable way of protecting data; however, internet technology is changing rapidly and security needs to change with it. A measure such as out-of-band authentication can be used to add an additional layer of security to protect users and the information they store online.

There are five things to consider when utilizing a strong password instead of a more secure solution such as out-of-band authentication.

Strong Passwords Are Still Susceptible to Data Breaches and Password Hashes

Many websites and organizations store a password hash, a scrambled (hashed) form of the user's password rather than the password itself. This means that even though you are using a strong password, it may be stored in an insecure database somewhere. This was the case in the Zappos.com data breach, where customers' email addresses and password hashes were stolen.

Strong Passwords Can Be Stored Passwords

Although they seem secure, there is always the chance of human error. Storing strong passwords in your web browser not only allows unauthorized access from within your browser, but also leaves your password susceptible to hacking. Using a simple rootkit, anyone, including inexperienced hackers, can access the data stored within your browser. All it takes is some perseverance and some reverse engineering, and anyone could recover your strong password even when it is stored encrypted.

Key Logging Software and Other Malware can Capture Strong Passwords

You may not store passwords in your browser, but the very act of typing one allows key logging software to siphon that data. Beyond key loggers there is plenty of malware which steals your information in the same manner, possibly by giving a hacker remote access to your system. Strong passwords may be recorded by a malware program and sent over the internet to a hacker's database so that your password can be used at a later time.

Social Engineering of Security Questions

Almost every time you sign up for an account you are required to provide security questions which can be used to authenticate your identity later. These very "security" questions could be the downfall of your super secret strong password of 22 characters mixed between letters, numbers and symbols. By using social engineering and a bit of creativity, a savvy crook could work out the answers to your security questions and gain unauthorized access. More and more users are seeing their accounts taken over through these "challenge questions", which are not always hard to guess if a hacker has some of your personal information.

Strong Passwords Are Hard to Remember and Users Often Store Them in Places Easy to Access

Possibly the biggest failing of strong passwords is that they are much harder to remember than passwords that consist of only words or numbers. Imagine your login credentials always consisted of the passphrase flower1, but recently you have upgraded your password to something stronger and more secure such as 5t#rG1$2oO. How are you ever going to remember such an outrageous password? It could be so strong that it actually prevents you from accessing your own account. Because strong passwords use more characters and symbols, most people write down their new secure pass code and leave it near their computer or stored on their computer. This is the most insecure way of securing your account: an unauthorized user can simply find your password on or next to your computer and log in to your accounts.

Now that we have reviewed the five pitfalls of strong passwords, it is plain to see that a more secure method is needed. A very secure and cost-effective approach to securing against data breach or unauthorized access is out-of-band authentication. This secures access to user accounts by transmitting a one-time password to the user over a separate network from the one where access is requested. By using an out-of-band channel, such as a separate network to send an SMS text message, key logging and other malware on the computer are prevented from accessing your one-time password. Costs are also kept low, because almost everyone already owns and uses a mobile phone daily, so no additional devices need to be deployed for users to carry.

As more incidents occur of strong passwords failing to protect against data breach and identity theft, users and organizations will look for a more secure solution. Out-of-band authentication is a strong form of authentication and will be adopted by many organizations and users in the future when it comes to protecting against unauthorized access. Out-of-band authentication is easy to implement, easy to use, cost efficient, and effective in combating fraud.

How to Relieve Healthcare Breaches Through Authentication Security


Over 385 healthcare data breaches have been reported on the HHS.gov website since September 2009. Under the HITECH Act, any breach affecting more than 500 individuals' records must be reported to the Secretary of Health and Human Services and posted on that website. Although this figure alone is astonishing, by taking a closer look we can easily see how a more secure method of data protection can be achieved.

The most common form of data breach is through lost or stolen devices containing unencrypted confidential data. With over half of healthcare breaches coming from this route alone, it would seem a no-brainer to keep all data stored on a central server that can be accessed remotely. This would eliminate half of the problem by not allowing data to be stored on devices at all.

Encryption Can Be Cracked

Although encryption may seem like the easy answer, it would only solve part of the problem. Encryption can be cracked: given enough time with an encrypted file, even a not-so-savvy criminal could gain access to confidential information. Also, when it comes to data, three years down the line, when the level of encryption is far weaker than today's, the confidential information is still just as valuable. Although the information would be encrypted, the old security would allow modern programs to crack it more easily.

Server Security and the Cloud

At one time server security would not have been an option; however, advancements not only in IT security but also in authentication allow servers, including cloud computing, to be one of the most secure forms of data protection. By not allowing the data to be transmitted or stored locally, it would not be floating around on insecure devices. Also, only authorized individuals would have access to the server, which would prevent the data from being seen by restricted users.

Cloud computing is becoming widely adopted by corporations because security and accountability can be handled by third-party companies with more experience. So, arguably, it can be safer to store data on a cloud than on your very own server, since the cloud security would be stronger.

Out-of-Band Authentication Security

Nearly everyone has a mobile phone which they carry with them constantly; there are very few times when an individual does not have their mobile phone with them. This makes it a very effective and efficient form of authentication security. By sending an OTP through an SMS text message, a user can be identified through an out-of-band authentication method. Furthermore, keeping the process out-of-band prevents malware on the computer from stealing the information used for authentication. It is an added layer of protection which creates a secure way of identifying users.

Over 19 million individuals have been affected by healthcare data breaches according to the HHS.gov archive. Through out-of-band authentication security, almost 10 million patients' and physicians' personal information would be safe, since over half of the problem comes from insecure devices. Encryption may seem like a secure answer, but in the end keeping the data off of devices is where true security lies.

Relax, We Have Out of Band One Time Password Data Breach Protection

The holidays are a time for giving while relaxing with family and friends. While everyone was preparing for their holiday on December 24th, creatures were stirring and clicking a mouse. During the holiday, a data breach of close to a million passwords led to one embarrassed "intelligence" company and 200 gigabytes of personal information exposed. But how could this be? The year of the data breach is coming to an end and still companies do not have a secure password policy. Furthermore, an out-of-band one-time password is fairly easy and inexpensive to implement while offering obvious security benefits.

Data breaches like this have become more common recently and are all over the media. Companies are learning the hard way that they cannot skimp on security at any point in the chain. After all, you are only as strong as your weakest link, and the recent Stratfor data breach is a prime example. Although Stratfor had a password policy in place, findings from The Tech Herald said the policy lacked enforcement.

In this case the password policy only required a six-character password containing a numerical digit. After cracking over 80 thousand passwords through simple means, The Tech Herald found many passwords which were not even six characters long. Furthermore, users were using common terms, dates and personal references to create their passwords.

Strong Password Creation

Strong passwords consist of case-sensitive letters, numbers and symbols. Using all types of characters creates many more combinations to search through when cracking a password. Users should not use full words or terms when creating login credentials either, because lists of common words can be loaded into a cracking program like the one used in the Stratfor data breach. Beyond creating a secure credential, users should change their password regularly to limit the damage if it is compromised.

Obviously, support for stronger security must be present along with some sort of software-based enforcement. However, the infrastructure for this type of password security can be expensive to implement and can create an unpleasant user experience. After all, who can remember a password like "B#13iL@9e"?

One-Time Password

Protecting users from themselves is not easy, but a one-time password allows them to be fairly careless. Some ways of transmitting an OTP are not as secure as others, though. In some cases an OTP is delivered to the user through email, which may itself have been compromised. A very common problem is that people use the same password across all platforms, which means attackers may have access to the user's email as well.

Out-of-Band One-Time Password

One of the easiest solutions for a more secure authentication process is an out-of-band one-time password. The OTP allows users to be authenticated through their mobile phone and provides an added layer of protection against infected computers. Users benefit from the added protection while gaining the ability to use simpler login credentials.

With an OTP in place, the weak Stratfor passwords would not have been an issue, since the attackers would have needed to authenticate themselves before accessing the confidential data. Even if they had obtained the user's login credentials and phone number, they would not have had access to "something you have", which is the user's mobile phone. With only login credentials and an email address, and without an out-of-band solution, a savvy attacker may well be able to gain access.

If your vision of authentication security is not all sugarplums dancing in your head you may not have had your holiday cut short by a data breach.