Two Factor Authentication Information

Small Healthcare Organization and SMBs Pose Largest Risk of Data Breach

Like a wildfire, data breaches have become the topic of discussion, and the attacks behind them are changing just as rapidly. The many studies released by experts including the Ponemon Institute, Verizon and the United States Secret Service show that a large share of data breaches are due to loss and theft of devices. Small healthcare organizations and small to medium sized businesses carry the biggest risk, but the threat is not primarily hackers. It is the professionals who are trusted with confidential data on their devices without proper training or accountability.

Why are Small Healthcare Organizations at Risk?

Of the healthcare data breaches reported on HHS.gov, 67% were caused by theft and loss, accounting for 78% of the stolen individual records. Physicians need access to confidential patient data many times throughout their day, so they are already exposed to loss or theft. Yet many small healthcare organizations are reluctant to move to the cloud because of security concerns. Even more daunting, theft and loss account for 92% of computer related breaches and 97% of the records stolen in them. By running an in-house network and allowing protected health information to be stored on mobile devices, a smaller practice is actually putting its patients' confidential data at risk.

Why are Small to Medium Sized Businesses at Risk?

Many small businesses lack the will to invest in security and say there is no room in the budget. Yet Ponemon recently surveyed IT professionals at companies with fewer than 100 employees and found that 78% believe data breaches are caused by employee negligence. How much does it cost to educate employees about weak passwords and data handling procedures? The largest share of breaches came from lost mobile devices and laptops; this form of negligence accounts for a third of the data breach problems small businesses have. Yet SMBs are still reluctant to move their private data to a cloud computing service.

Verizon stated in its 2011 Data Breach Investigations Report that the cloud itself is not the problem when it comes to security. Healthcare has recently been moving toward the cloud to secure its confidential data, most likely driven by regulations such as the HIPAA Security Rule. Small businesses have a different concern with the cloud: rather than worrying about hackers, they see the potential for the cloud providers themselves to misuse their confidential information.

So what is a cost effective alternative that secures data efficiently and can be built in house? Keeping information in a central database not only limits the data loss that comes from employee negligence with devices and passwords, it also gives businesses and healthcare facilities better accountability. By removing data from smartphones, tablets and laptops, companies remove that responsibility from employees, and securing a single server is much easier than educating every employee about the security of their own device.

With out-of-band two-factor authentication, a company can limit access to authorized individuals only. Because the one-time password is sent by SMS text message, the out-of-band step also notifies the user whenever access is requested. This adds a layer of protection and gives small businesses and healthcare facilities a cost effective solution. Responsibility for the future of data breaches ultimately lies with the companies that store personal customer data, but a simple and easy to implement solution is available to them.

The Malware Threat Landscape Creates an Increasing Need for Strong Authentication

If the phrase polymorphic financial malware variant does not make sense to you, the malware is doing its job. With the threat landscape growing rapidly through new malicious applications, it is hard for most computer users to keep up with the terminology. The Aite Group estimates that 25 million new malware variants were distributed in 2011 and that the number could rise to 87 million per year by 2015. So what is a polymorphic financial malware variant, and why does it increase the need for better online banking security and, ultimately, for strong authentication?

Polymorphic simply means the malware keeps changing its own code so that signature-based detection does not recognize it, while growing into a more capable program for stealing information. Some variants are built to hijack browser sessions, and in the most targeted attacks they are purely financial. The real threat from these new programs used to trick internet banking users is that they are very hard to detect and remove.

Shylock is a sophisticated new malware family that hijacks a bank's live chat session to impersonate a bank representative and harvest confidential data that can be used in further attacks. It operates as a man-in-the-browser attack (a man-in-the-middle running inside the victim's own browser), which is very deceptive and effective.

This is the new form of phishing. Traditional phishing required the user to be lured to a fake site; those sites are now taken down and blacklisted quickly, often before much damage is done, so attackers needed a new trap. Instead of luring the victim to a malicious website, the malware lies dormant until the user accesses a secured banking application. Sitting between the user and the bank, this man-in-the-middle attack lets the thief ask personal questions and harvest confidential data: a combination of social engineering and hacking.

Malware is now sophisticated enough to evade antivirus scans. Shylock uses three techniques to stay active on an infected machine while remaining undetected. Rather than running as its own process, it injects itself into the other applications running on the victim's machine, effectively hiding in their memory. Even up-to-date antivirus is not a complete answer, because the program detects when a scan has started: it deletes all of its files from disk so the scan finds nothing, while the code remains active in memory. It also hooks the Windows shutdown process, so that when the computer shuts down the files are recreated and the malware is ready for the next startup.

If a victim's computer can be hijacked without their knowledge and the malicious software can survive undetected and be reinstated at startup, how secure can any login process on that computer be? Strong authentication using an out-of-band method protects against these man-in-the-middle attacks by moving part of the login process away from the infected machine. Through a time based one-time password transmitted to the customer's mobile phone, a bank can identify the user with something the malware on the PC cannot capture. This not only keeps part of the credential away from the malware, it also alerts the customer whenever access is requested. One caveat a practitioner should keep in mind: a man-in-the-browser that simply waits for the customer to finish logging in can still act inside the authenticated session, so the out-of-band message should state what is being approved, as in the transaction confirmations described below, rather than only carry a code.

Kaspersky Labs has said that 780 new malware applications are created every day to siphon confidential financial data. Man-in-the-middle attacks like this will only become more common as the malware threat landscape grows more aggressive. Without security that is effective, efficient and customer friendly, getting customers to adopt another step will not be easy. Strong authentication using an out-of-band one-time password is a low cost solution and also creates a notification channel for online banking access.

How to Prevent Fraud Using Out Of Band Authentication

Over the past few decades, fraud has grown dramatically with the use and advance of technology. Hackers fraudulently access confidential data, steal it and sell it online, and sometimes use that information to reach other data sources and cause even more damage. In some cases thieves impersonate the compromised users and use their billing information to order products or services online. Whichever way the data is used, this kind of fraud can be countered with an out-of-band authentication method.

Much of this fraud starts with malware: malicious programs hidden on a victim's computer that siphon off pieces of confidential data. Once an attacker has a trojan, virus, keylogger or one of many other malicious applications in place, they can collect the pieces of information that make a breach possible. With usernames, passwords and sometimes even an OTP captured on the infected machine, a hacker can impersonate an authentic user and steal information from private networks.

In other cases a victim's information is stolen through a phishing site that looks identical to the site the user intended to visit. The phished credentials can then be used to access sensitive data, and also other websites where the same login is reused. Out-of-band authentication protects against unauthorized access by using a dynamic one-time password that is delivered over a channel separate from the one the login takes place on.

Online banking attacks can be prevented with out-of-band authentication. An attacker may try to make an online purchase, transfer money or withdraw funds by fraudulently accessing a user's account. Out-of-band authentication can stop unauthorized transactions by sending a one-time password to the user's mobile phone, or to any other device that communicates over a network separate from the one used for the login, to confirm each transaction. If the user receives a one-time password for a transaction they did not initiate, they can decline it and report it to their financial institution for investigation.

Out-of-band authentication adds a layer of protection when accessing information or making transactions. Because it uses a separate communication network, the one-time password stays out of reach of an attacker on the compromised machine, and it verifies the user through possession of the device that receives it. An attacker who has stolen the login credentials or installed malware on the computer used for login still cannot obtain the one-time password, which goes to the mobile device or another device the authorized user has that can receive it. Out-of-band authentication can be used to prevent some of the most common and most damaging data breaches.
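The transaction confirmation flow described above, as an added example (written for this page, not taken from the original article): the bank generates a random code, sends it over the out-of-band channel together with the transaction details, and accepts it only once, only before it expires, and only for the exact transaction it was issued for. Binding the code to the transaction details goes slightly beyond what the text spells out; it is what stops malware on the PC from reusing a code the customer typed to approve a different transfer. The send_sms stub, the 6 digit length, the 120 second lifetime, the phone number and the sample transaction are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 120     # assumed lifetime of a code


class OutOfBandOtpService:
    """Bank side of the out-of-band transaction confirmation.

    The code is random (nothing on the customer's PC can derive it), it is bound
    to the exact transaction the customer is asked to confirm, it expires, and it
    is consumed on the first attempt whether that attempt succeeds or not.
    """

    def __init__(self, send_sms: Callable[[str, str], None]):
        self.send_sms = send_sms            # delivery channel; a stub in this example
        self.pending: Dict[str, dict] = {}  # challenge id -> record (in-memory store)

    @staticmethod
    def fingerprint(tx: dict) -> str:
        """Canonical form of the details the customer sees in the SMS."""
        canon = "|".join(str(tx[k]) for k in ("from_account", "to_account", "amount", "currency"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def challenge(self, phone_number: str, tx: dict, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = {
            "code_hash": hashlib.sha256(code.encode()).hexdigest(),
            "tx_fp": self.fingerprint(tx),
            "expires": now + OTP_TTL_SECONDS,
            "used": False,
        }
        # The message states what is being approved, so a customer who did not
        # start this transfer, or who sees a different amount or payee than the
        # one on screen, can refuse to enter the code and call the bank.
        self.send_sms(phone_number,
                      f"Confirm transfer of {tx['amount']} {tx['currency']} "
                      f"to {tx['to_account']}. Code: {code}. "
                      "If you did not request this, do not enter the code.")
        return challenge_id

    def confirm(self, challenge_id: str, code: str, tx: dict,
                now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self.pending.get(challenge_id)
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        rec["used"] = True   # one attempt per challenge: no replay, no online guessing
        code_ok = hmac.compare_digest(rec["code_hash"].encode(),
                                      hashlib.sha256(code.encode()).hexdigest().encode())
        tx_ok = hmac.compare_digest(rec["tx_fp"].encode(), self.fingerprint(tx).encode())
        return code_ok and tx_ok


def demo() -> Dict[str, bool]:
    """Walk through the four outcomes with a constructed transaction and a stub SMS channel."""
    outbox = []
    bank = OutOfBandOtpService(lambda number, text: outbox.append(text))
    code_from_sms = lambda text: text.split("Code: ")[1][:OTP_DIGITS]
    phone = "+15555550100"   # constructed sample number
    tx = {"from_account": "111222", "to_account": "998877", "amount": "250.00", "currency": "USD"}

    cid = bank.challenge(phone, tx, now=1000.0)
    legitimate = bank.confirm(cid, code_from_sms(outbox[-1]), tx, now=1030.0)
    replay = bank.confirm(cid, code_from_sms(outbox[-1]), tx, now=1031.0)

    # Man-in-the-browser scenario: the customer approved 250.00 to 998877, but the
    # malware swaps the payee and amount in the request it sends to the bank.
    cid = bank.challenge(phone, tx, now=2000.0)
    altered = dict(tx, to_account="666000", amount="9250.00")
    tampered = bank.confirm(cid, code_from_sms(outbox[-1]), altered, now=2010.0)

    cid = bank.challenge(phone, tx, now=3000.0)
    expired = bank.confirm(cid, code_from_sms(outbox[-1]), tx, now=3000.0 + OTP_TTL_SECONDS + 1)

    return {"legitimate": legitimate, "replay": replay, "tampered": tampered, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Only a hash of the code is stored, and the first confirmation attempt consumes the challenge, so a stolen copy of the pending table or a guessing loop against the confirm endpoint gains the attacker nothing.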

Data breaches are in the media often these days, and for good reason. With information gained from a breach like the RSA data breach, an attacker can fraudulently access accounts to obtain more information for more serious attacks. This is why fraud prevention should start at the access level: once access is granted and compromised, vital information is exposed and attackers can reach the victim's sensitive data.

PCI DSS Could Benefit from Out of Band One Time Password Authentication

The PCI DSS, the payment card industry data security standard, protects cardholder data, but does PCI DSS compliance mean your customers' confidential data is well protected? Although the standard requires strong security, technology changes rapidly and attackers keep getting savvier. Malware is everywhere, and contact with an infected computer, on the company side or the client side, is inevitable.

This does not call for a complete overhaul of the compliance standard, but for an addition. With so many consumer interactions handled through mobile devices today, an out-of-band one-time password authentication process would eliminate many problems without placing an expensive burden on financial institutions.

PCI DSS was developed by the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB, and it requires two-factor authentication for remote access to the network. Two of the three factors (something you know, something you have, something you are) must be present before an identity is considered authenticated, but there is no requirement that the OTP arrive out of band. The standard also requires that a transmitted password be protected with strong cryptography.

The problem with not requiring an out-of-band channel for the OTP is that the whole authentication process then takes place on a single device. That leaves it open to man-in-the-middle attacks, in which an infected computer or device transmits the credentials and an attacker intercepts them.

Man-in-the-middle attacks, increasingly in the news, are often how hackers gain the access that leads to a data breach. When only one device is used to identify a user, phishing the credentials or planting malware to capture them is relatively trivial.

With out-of-band one-time password authentication, the OTP is sent over a different network, such as the mobile carrier's network. That creates a problem for attackers: compromising both devices, the computer and the mobile phone, is considerably harder, and correlating two compromised channels to the same owner at the same moment is harder still.

When you think about authentication security, especially for an industry with as much at stake as the financial vertical, you want the strongest protection possible. Protecting your customers' personal data goes beyond PCI DSS compliance, because customer trust is the future of any business. A smarter process removes the chance that one weak link leaves you exposed: whether the client's computer or the business's computer is infected, the attacker can capture only part of what is needed to authenticate.

A company does need strong authentication to protect its customers, but no expensive burden should be passed on to the client. Some OTP schemes use proprietary hardware tokens rather than the customer's mobile phone; these are not truly out of band, since the code is generated on the token and typed into the same computer, and they have proven less than effective.

The RSA data breach, in which the seed records behind the vendor's tokens were stolen, showed the weakness of tokens whose codes all derive from secrets held centrally by the vendor: once the seeds are compromised, the codes are no longer unpredictable to the attacker. Beyond that, the extra hardware to carry and the cost of the tokens and the infrastructure behind them do not make them a viable out-of-band one-time password source.

Using the mobile phone as the token means the user carries nothing extra, and SMS text messages run over existing infrastructure, so there is no added cost of building a new network.

PCI DSS compliance can benefit from out-of-band OTP authentication, but compliance is not the ceiling: a company can still offer stronger security that costs its consumers little or nothing. And a data breach does not look good on your company's record and could potentially destroy your business.