Posts Tagged ‘One Time Password’

5 Ways Strong Passwords Still Fail to Prevent Unauthorized Access

Although using strong passwords sounds like a viable safety measure for most sites and logins, strong passwords are still susceptible to hackers, malware, and phishing attacks. As more and more data breaches are reported, such as the recent incident of VeriSign being hacked, online users are constantly urged to change their login credentials. Many users, and some so-called internet security experts, still rely on strong passwords to protect the privacy and security of their information online. As secure as they seem now, strong passwords continue to fail to protect against unauthorized access every day, even as more users rely on them.

Strong passwords can consist of a combination of letters, numbers and symbols. The higher number of characters in a password, the stronger the password is considered to be. These passwords are secure forms of protecting data, however internet technology is changing rapidly and security needs to also change and be more secure. Security such as out-of-band authentication can be used to add an additional layer of security to protect users and information stored online.

There are five things to consider when utilizing a strong password instead of a more secure solution such as out-of-band authentication.

Strong Passwords Are Still Susceptible to Data Breaches and Password Hashes

Some websites and organizations store a password hash, which is an encrypted form of a user’s password. This means that even though you are using a strong password, it may be stored in an insecure database somewhere. This was the case in the Zappos.com data breach, where customers’ emails and password hashes were stolen.

Strong Passwords Can Be Stored Passwords

Although they seem secure, there is always the chance of human error. Storing strong passwords in your web browser not only allows unauthorized access from within your browser, but also leaves your password susceptible to hacking. With a simple rootkit, anyone, including inexperienced hackers, can access the data stored within your browser. All it takes is some perseverance and some reverse engineering, and anyone could crack your strong password even when it is encrypted.

Key Logging Software and Other Malware can Capture Strong Passwords

You may not store passwords in your browser, but the very act of typing one allows keylogging software to siphon off that data. Beyond keyloggers there is plenty of malware that steals your information in the same manner, possibly by giving a hacker remote access to your system. Strong passwords can be recorded by a malware program and sent over the internet to a hacker’s database, where they are kept for later use.

Social Engineering of Security Questions

Almost every time you sign up for an account you are required to set security questions that can be used to authenticate your identity later. These very “security” questions could be the key to cracking your super-secret strong password of 22 characters mixed between letters, numbers and symbols. Using social engineering and a bit of creativity, a savvy crook could work out the answers to your security questions and gain unauthorized access. More and more users are seeing their passwords stolen through these “challenge questions,” which aren’t always hard to guess if a hacker has some of your personal information.

Strong Passwords Are Hard to Remember and Users Often Store Them in Places That Are Easy to Access

Possibly the biggest failure of strong passwords is that they are much harder to remember than passwords that consist of only words or numbers. Imagine your login credentials had always used the passphrase flower1, but recently you upgraded to something stronger and more secure such as 5t#rG1$2oO. How are you ever going to remember such an outrageous password? It could be so strong that it actually prevents you from accessing your own account. Because strong passwords use more characters and symbols, most people write down their new secure passcode and leave it near their computer or store it on their computer. This is the most insecure way of securing your account: an unauthorized user can simply find your password on or next to your computer and log in to your accounts.

Now that we’ve reviewed the 5 pitfalls of strong passwords, it is plain to see that a more secure method is needed. A very secure and cost-effective approach to protecting against data breaches and unauthorized access is out-of-band authentication. This secures access to user accounts by transmitting a one-time password to the user over a network separate from the one on which access is requested. By using an out-of-band channel, such as a separate network that carries an SMS text message, keylogging and other malware on the computer are prevented from capturing your one-time password. Costs are also kept low because almost everyone already owns and uses a mobile phone daily, so no additional devices need to be deployed for users to carry.

As more incidents occur of strong passwords failing to protect against data breaches and identity theft, users and organizations will look for a more secure solution. Out-of-band authentication is a strong form of authentication and will be adopted by many organizations and users in the future for protecting against unauthorized access. Out-of-band authentication is easy to implement, easy to use, cost-efficient, and effective in combating fraud.

How to Relieve Healthcare Breaches Through Authentication Security


Over 385 healthcare data breaches have been reported on the HHS.gov website since September of 2009. Under the HITECH Act, any breach of more than 500 individuals’ records must be reported to the Secretary of Health and Human Services and posted on that website. Although these figures alone are astonishing, taking a closer look shows how a more secure method of data protection can be achieved.

The most common form of data breach is through lost or stolen devices containing unencrypted confidential data. With over half of healthcare breaches coming from this route alone, it would seem like a no-brainer to keep all data stored on a central server that can be accessed remotely. This would eliminate half of the problem by not allowing data to be stored on devices.

Encryption Can Be Cracked

Although encryption may seem like the easy answer, it would only solve part of the problem. Encryption can be cracked: given enough time with an encrypted file, even a not-so-savvy criminal could gain access to confidential information. Also, 3 years down the line, when today’s level of encryption is far weaker than the state of the art, the confidential information is still just as valuable. Although the information would be encrypted, the old security would allow modern programs to crack it more easily.

Server Security and the Cloud

At one time server security would not have been an option; however, advancements in IT security and in authentication now allow servers, including cloud computing, to be one of the most secure forms of data protection. If the data is never transmitted to or stored on end-user devices, it is not floating around on insecure devices. Also, only authorized individuals would have access to the server, which would keep the data from being seen by restricted users.

Cloud computing is becoming widely adopted by corporations because security and accountability can be handled by third-party companies with more experience. So, arguably, it can be safer to store data in a cloud than on your very own server, since the cloud security would be stronger.

Out-of-Band Authentication Security

Everyone has a mobile phone which they carry with them constantly. There are very few times when an individual does not have their mobile phone with them. This makes it a very effective and efficient form of authentication security. By sending an OTP through an SMS text message, a user can be identified through an out-of-band authentication method. Furthermore, keeping the process out-of-band prevents malware on the computer from stealing the information used for authentication. It is an added layer of protection which creates a secure way of identifying users.

Over 19 million individuals have been affected by healthcare data breaches according to the HHS.gov archive. Through out-of-band authentication security, almost 10 million patients’ and physicians’ personal information would be safe, since over half the problem comes from insecure devices. Encryption may seem like a secure answer, but in the end keeping the data off of devices is where true security lies.

How to Prevent Fraud Using Out Of Band Authentication

Over the past few decades, fraud has increased dramatically with the use and advance of technology. Hackers fraudulently access confidential data, steal the information and sell it online. Hackers can also sometimes use that information to gain access to other information sources and cause even more damage. In some cases, thieves fraudulently identify themselves as the hacked users and use their billing information to order products or services online. Whichever way the data is used, this type of fraud can be prevented by using an out-of-band authentication method.

Fraud spawns from malware: malicious programs hidden on a victim’s computer, siphoning off pieces of confidential data. Once an attacker has their trojan, virus, keylogger or one of many other malicious applications in place, they can start to gather pieces of information that could potentially be used for a data breach. By gaining information such as usernames, passwords and sometimes an OTP, a hacker can fraudulently identify themselves as an authentic user and steal information from private networks.

In some cases a fraud victim’s information can be stolen through a phishing site which looks identical to the website that the user is trying to access online. This phished information could then be used to access sensitive data online, and it can also be used to access other websites where the logins may be the same. Out-of-band authentication methods protect against unauthorized access to personal information by using a dynamic one-time password which can safely be received through a channel separate from the primary one.

Online banking attacks can be prevented using out-of-band authentication methods. An attacker may try to make an online purchase, transfer money or withdraw funds by fraudulently accessing a user’s account. Out-of-band authentication can prevent unauthorized transactions by sending a one-time password to the user’s mobile phone, or to any other device which can use a communication network separate from the access point, to confirm transactions. If the user receives a one-time password when they did not initiate a transaction, they can decline it and report it to their financial institution for further investigation.

Out-of-band authentication provides an added layer of protection while accessing information or making transactions. By using the separate network of communication, a one-time password is kept hidden from attackers, and the user is also verified through ownership of the token-generating device. If an attacker were to compromise login credentials or install malware on a computer used for authentication, they still would not be able to gain access to the one-time password, which is sent to the mobile device or to something else the authorized user has that can receive and communicate some form of out-of-band authentication. Out-of-band authentication can be used to secure against and prevent some of the most commonly known and most sensitive data breaches.
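The confirmation flow described in this post and in the first post above (issue a one-time password over the second channel, let the user confirm or decline, reject anything else) sketched as server-side logic. This is an added example, not code from the original posts or from any product; the SMS gateway callback, the policy values and the transaction strings are all assumptions. The code goes a step beyond the text by binding the code to the transaction it was sent for, so a code that malware relays cannot confirm a different transfer.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # constructed policy values for this example
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


@dataclass
class PendingChallenge:
    code: str            # one-time password delivered over the second channel
    transaction: str     # what the code authorizes, e.g. "transfer 500 to ACCT-42"
    issued_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandVerifier:
    """Server side of an SMS out-of-band OTP confirmation (hypothetical, added example)."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # assumed gateway callback: send_sms(phone, text)
        self.pending = {}          # one live challenge per user

    def start(self, user, phone, transaction, now=None):
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        issued = time.time() if now is None else now
        self.pending[user] = PendingChallenge(code, transaction, issued)
        # The message names the transaction so a user who never initiated it can decline.
        self.send_sms(phone, f"Code {code} to confirm: {transaction}. Not you? Decline.")

    def verify(self, user, submitted_code, transaction, now=None):
        now = time.time() if now is None else now
        ch = self.pending.get(user)
        if ch is None or ch.used:
            return False                       # nothing outstanding, or code already spent
        ch.attempts += 1
        if now - ch.issued_at > OTP_TTL_SECONDS or ch.attempts > MAX_ATTEMPTS:
            del self.pending[user]             # expired or guessed too often: force a new code
            return False
        # Constant-time compare; the code only counts for the transaction it was sent for
        ok = hmac.compare_digest(submitted_code, ch.code) and ch.transaction == transaction
        if ok:
            ch.used = True                     # single use
        return ok

    def decline(self, user):
        # User reports a code they did not request: drop it and hand it back for investigation
        return self.pending.pop(user, None)
```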

Data breaches are often covered by the media these days, and for good reason. With information gained from a data breach like the RSA data breach, an attacker can fraudulently access accounts to obtain more information for more serious attacks. This is why prevention of fraud should start at the access level. Once access is granted and compromised, vital information can be used and attackers can reach the victim’s sensitive data.

PCI DSS Could Benefit from Out of Band One Time Password Authentication

The PCI DSS, or Payment Card Industry Data Security Standard, protects cardholders’ identities; however, does PCI DSS compliance mean your customers’ confidential data is well protected? Although there is a requirement for strong security, technology is changing rapidly and attackers are becoming savvier. Malware is everywhere, and the chance of interacting with an infected computer, whether on the company or the client side, is inevitable.

There does not have to be a complete overhaul of the compliance standards, but instead an addition. With so many consumer interactions being handled through mobile devices today, an out-of-band one-time password authentication process would eliminate many troubles without placing an expensive burden on financial institutions.

PCI DSS compliance was developed by Visa, JCB, MasterCard and American Express and requires the implementation of two-factor authentication. Authentication is required for any remote access to the network; however, there is no requirement for an out-of-band OTP. All that is required is that 2 of 3 factors be present before an identity is securely authenticated, and that any password transmitted be encrypted using strong cryptography.

The problem with not requiring out of band authentication by utilizing a separate network for the OTP is that all operations of the authentication process are handled in one location. This leaves the process vulnerable to man-in-the-middle attacks where an infected computer or device is transmitting information and an attacker intercepts the transmissions.

Increasingly common in the media, man-in-the-middle attacks are often the way hackers gain access for data breaches. When only one device is used for identifying a user, phishing the information or planting malicious software to capture the identification information used for authentication is relatively trivial.

By utilizing out of band one time password authentication the OTP is sent through a different transmission network such as the phone company’s network. This creates a problem for hackers since gaining access to both of the devices, the computer and mobile phone, can be a difficult task and beyond that being able to sync both hacked transmission networks to one owner would be almost impossible.

When you think about authentication security, especially for an industry with as much value at stake as financial verticals have, you want the strongest protection possible. Protecting your customers’ personal data goes beyond PCI DSS compliance, because customer trust is the future of any business. By using a smarter process you eliminate the chance that a weak link in the chain leaves you susceptible. Whether the client’s computer or the business’s computer is infected would not matter; the attacker could only obtain so much of the identifying information used in the authentication process.

When it comes to the customer, a company does need protection through strong authentication; however, no expensive burden should be passed on to the client. Some out-of-band OTP authentication processes use proprietary tokens rather than mobile devices, and those tokens have proven to be less than effective.

Some very large data breaches such as the RSA data breach have been attributed to tokens not utilizing truly dynamic passwords. Also the extra hardware to carry around and the expense associated with these tokens and their network does not make them a viable out of band one time password source.

By utilizing a mobile phone as the token device the user would not need to carry anything extra. SMS text messages also utilize an already existing infrastructure so there is no added cost of running a new network.

Even though PCI DSS compliance can benefit from out-of-band OTP authentication, that does not mean a company could not offer stronger security that is inexpensive for its consumers. Not to mention that a data breach does not look good on your company’s record and could potentially destroy your business.