Tag Archive for Two-factor authentication

| January 26, 2021
Comments Off on Data Privacy Day 2021

Data Privacy Day 2021

Data Privacy Day 2021Data Privacy Day in the U.S. is January 28, 2021. It is an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection

Why is Data Privacy Day important?

In this era with the rapid advancement in technology, having relevant data is the key to the success of any organization.  Almost every organization is collecting and combining the data in order to put the right content, in front of the right person, at the right time, and on the right platform. 

Why is Data Privacy Day important?The data is collected from the users or customers who submit their personal information trusting the firm will keep the data private. Users provide their personal information to the companies with the trust of receiving a better service and with the trust that their data is private, safe, and secure. But when the goes into the wrong hands and data privacy fails, bad things can happen. Data breaches result in cyber-criminals misusing user information for scams and identity theft. That is why everyone needs to “Own Your Their Data Privacy.” Here are resources to help you “Own Your Data Privacy.”

Update your Privacy Settings

Your purchase history, IP address, location, etc., has value – just like money. (How else does Mark Zuckerberg make his $100 billons?) Make informed data privacy decisions about sharing your data with companies. Consider the amount of personal information you are giving up and weigh it against the benefits you may receive. Use these resources provided by the National CyberSecurity Alliance (NCSA) to update your privacy settings on popular devices and online services.

Keep tabs on your apps

Keep tabs on your appsMany apps ask for access to personal information, like geographic location, contacts list, or photo album, before you can use their services. Be wary of apps that require access to information that is not required or relevant for the services they are offering. Use these tips from the Data Detox Kit, to protect your data privacy. Keep your apps up to date. Delete unused apps on your devices.

Manager your passwords!

You don’t need to be overwhelmed by all your log-ins and passwords. Use a password manager to keep your data private and track your strong passwords. Add an extra layer of protection by activating Two-Factor Authentication (2FA) whenever it is available. With 2FA, even if a cybercriminal steals your password, they won’t be able to access your account.

Take action!

  • Make sure your computer is free from known viruses, spyware, and discover if your computer is vulnerable to cyber-attacks. Use these Free Security Check-Up resources from NCSA to protect your data privacy.
  • Check your online safety know-how with a privacy and security quiz. Get started with the National Privacy Test and Google Phishing Quiz. To measure how good you are at protecting your privacy.
  • Join the National Cyber Security Alliance – and LinkedIn on January 28, 9 a.m. for the signature video conference event Data Privacy in an Era of Change. It gathers data privacy experts from industry, government, academia, and non-profit for keynotes, panels, and discussions on current topics in data privacy – Register here.
  • Show your support for Data Privacy Day by using one of the International Association of Privacy Professionals’ official Data Privacy Day virtual backgrounds for video collaborations.

rb-

Data Privacy Day reminds us of the value of our data and the rights for data transparency. It is the day that tells us to re-evaluate and identify the flaws in how we have been collecting, sharing, and using the data. The day persuades us to find a way to patch the loopholes so that our valuable data do not get tampered with malicious malware, misused, or lost.

 

Stay safe out there!

Related article

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| September 7, 2016
Comments Off on Stop using SMS for Two-Factor Authentication

Stop using SMS for Two-Factor Authentication

Stop using SMS for Two-Factor AuthenticationFollowers of the Bach Seat know that passwords suck and no longer provide reliable security. Because automated mass cybercrime attacks are hammering businesses daily, the National Institute of Standards and Technology (NIST) is disrupting the online security status–quo. According to InfoWorld, the US government’s standards body has decided that passwords are not good enough anymore. NIST now wants government agencies to use two-factor authentication (2FA) to secure applications, networks, and systems.

NIST logoTwo-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. The first is typically something you have, a physical token, such as a card. The second is usually something you know like a PIN number.

The proposed standard discourages organizations from sending special codes via SMS messages. Many services offer two-factor authentication. They ask users to enter a one-time passcode sent via SMS into the app or site to verify the transaction. The author writes that weaknesses in the SMS mechanism concern NIST.

NIST now recommends that developers use tokens and software cryptographic authenticators instead of SMS to deliver special codes. They wrote in a draft version of the DAG; “OOB [out of band] using SMS is deprecated and will no longer be allowed in future releases of this guidance.”

Short Message Service (SMS)Federal agencies must use applications that conform to NIST guidelines. This means for software to be sold to federal agencies, it must follow NIST guidelines. InfoWorld says this is especially relevant for secure electronic communications.

SMS-based Two-Factor Authentication is considered insecure by NIST for a number of reasons. First, someone other than the user may be in possession of the phone. The author says an attacker with a stolen phone would be able to trigger the login request. In some cases, the contents of the text message appear on the lock screen, which means the code is exposed to anyone who glances at the screen.

SMS based two-factor authentication (2FA)InfoWorld says that NIST isn’t deprecating SMS-based methods simply because someone may be able to intercept the codes by taking control of the handset, that risk also exists with tokens and software authenticators. The main reason NIST appears to be down on SMS is that it is insecure over VoIP.

The author says there has been a significant increase in attacks targeting SMS-based two-factor authentication recently. SMS messages can be hijacked over some VoIP services. SMS messages delivered through VoIP are only as secure as the websites and systems of the VoIP provider. If an attacker can hack the VoIP servers or network they can intercept the SMS security codes or have them rerouted to her own phone. Security researchers have used weaknesses in the SMS protocol to remotely interact with applications on the target phone and compromise users.

Signalling System 7 (SS7) Sophos’ Naked Security Blog further explains some of the risks. There is malware that can redirect text messages. There are attacks against the Signalling System 7 (SS7) protocol. SS7 controls how the phone system works.  (rb- Some believe that TLA’s hacked SS7 to spy on citizens.) This hack allows an attacker to divert the SMS containing a one-time passcode to their own device, which lets the attacker hijack any service, including Twitter (TWTR), Facebook (FB) or Google (GOOG) Gmail, that uses SMS to send the secret code to reset the account password.

Mobile phone number portability also poses a problem for SMS security. Sophos says that phone ports, also known as SIM swaps can make SMS insecure. SIM swap attacks are where an attacker convinces your mobile provider to issue you a new SIM card to replace one that’s been lost, damaged, stolen or that is the wrong size for your new phone.

SIM swap attacksSophos also says in many places it is very easy for criminals to convince a mobile phone store to transfer someone’s phone number to a new SIM and therefore hijacking all their text messages.

ComputerWorld highlights a recent attack that used social engineering to bypass Google’s two-factor authentication. Criminals sent users text messages informing them that someone was trying to break into their Gmail accounts and that they should enter the passcode to temporarily lock the account. The passcode, which was a real code generated by Google when the attackers tried to log in, arrived in a separate text message, and users who didn’t realize the first message was not legitimate would pass the unique code on to the criminals.

NIST’s decision to deprecate SMS two-factor Passwordauthentication is a smart one,” said Keith Graham, CTO of authentication provider SecureAuth. “The days of vanilla two-factor approaches are no longer enough for security.

For now, applications and services using SMS-based authentication can continue to do so as long as it isn’t a service that virtualizes phone numbers. Developers and application owners should explore other options, including dedicated two-factor apps. One example is Google Authenticator, which uses a secret key and time to generate a unique code locally on the device for the user to enter into the application.

Hardware tokens such as RSA’s SecurID display a Hardware tokens new code every few seconds. A hardware security dongle such as YubiKey, used by many companies including Google and GitHub, supports one-time passwords, public-key encryption, and authentication. Knowing that NIST is not very happy with SMS will push the authentication industry towards more secure options.

Many popular services and applications offer only SMS-based authentication, including Twitter and online banking services from major banks. Once the NIST guidelines are final, these services will have to make some changes.

Fingerprint RecognitionMany developers are increasingly looking at fingerprint recognition. ComputerWorld says this is because the latest mobile devices have fingerprint sensors. Organizations can also use adaptive authentication techniques, such as layering device recognition, geo-location, login history, or even behavioral biometrics to continually verify the true identity of the user, SecureAuth’s Graham said.

NIST acknowledged that biometrics is becoming more widespread as a method for authentication, but refrained from issuing a full recommendation. The recommendation was withheld because biometrics aren’t considered secret and can be obtained and forged by attackers through various methods.

Biometric methods are acceptable only when used with another authentication factor, according to the draft guidelines. NIST wrote in the DAG;

[Biometrics] can be obtained online or by taking a picture of someone with a camera phone (e.g. facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high-resolution images (e.g., iris patterns for blue eyes)

Biometrics

At this point, it appears NIST is moving away from recommending SMS-based authentication as a secure method for out-of-band verification. They are soliciting feedback from partners and NIST stakeholders on the new standard. They told InfoWorld, “It only seemed appropriate for us to engage where so much of our community already congregates and collaborates.

You can review the draft of Special Publication 800-63-3: Digital Authentication Guidelines on Github or on NIST’s website until Sept. 17. Sophos recommends security researcher Jim Fenton’s presentation from the PasswordsCon event in Las Vegas that sums up the changes.

VentureBeat offers some suggestions to replace your SMS system:

  • Hardware tokens that generate time-based codes.
  • Apps that generate time-based codes, such as the Google Authenticator app or RSA SecurID,
  • Hardware dongles based on the U2F standard.
  • Systems that use push notifications to your phone.

 

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| July 30, 2016
Comments Off on More IRS Tech Troubles

More IRS Tech Troubles

More IRS Tech TroublesThe U.S. gooberment agency in charge of extorting collecting taxes from citizens, but not businesses, has more IT troubles. In the past, the IRS has had problems with hackers attacking its online systems which exposed more than 720,000 taxpayer accounts. It has had data breaches that released 101,000 taxpayer SSNs, Its internal processes are so weak that the IRS could not find 1,300 PC’s to complete the upgrade from Windows XP.

collecting taxes from citizens, but not businessThe latest report says that the IRS off-boarding processes are so porous that former employees have “unauthorized entry.” Former employees have access to workplaces, IRS computers, taxpayer information, and could allow them to misrepresent themselves to taxpayers, according to an article at Nextgov.

The article cites a new watchdog report. In the report, there was a random sampling in 2014 that said the IRS couldn’t verify it had recovered all security items from more than 66 percent of roughly 4,100 “separated” employees. The employees had left due to retirement, resignation, death, etc.

If the IRS had just checked with me, this would not have been a surprise. In 2014 wrote about this issue. Lieberman Software released the results of a survey of IT security professionals. 13% of IT Pros at the RSA Conference 2014 admitted to being able to access previous employers’ systems using their old credentials. Perhaps even more alarming is that of those able to access previous employers’ systems nearly 23% can get into their previous two employers’ systems using old credentials.

rb-

two factor authenticationThis is just another example of why passwords suck. If the tax collectors used a two-factor authentication (2FA) process, chances are must greater that ex-employees would not be able to access taxpayer’s records. Two-factor authentication is a security process where the user provides two means of identification from separate categories of credentials. 

An authentication factor is an independent category of credentials used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor), and something you are (the inheritance factor). For systems with more demanding requirements for security, location and time are sometimes added as fourth and fifth factors.

One rising authentication measure is biometrics. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique and an individual can be identified by his or her intrinsic physical or behavioral traits. An individual’s biometric uniqueness can fulfill the inheritance factor of identify verification (“something you are”). Using biometrics in its various forms (I have written about different forms of biometrics on the Bach Seatvoice, brain waves, retina scan, behavioral biometrics, etc.) when combined with a strong password can form a 2FA.

There are drawbacks to using biometrics for authentication too.

Related articles
  • Global Two-factor Biometrics Industry to Grow at a CAGR of 22.87% to 2020 (newsmaker.com.au)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| March 23, 2016
Comments Off on Fake Fingerprints Can Open Your Phone

Fake Fingerprints Can Open Your Phone

– Updated 03-30-2016 – The Business Insider proves that you can use Play-Doh to fool the fingerprint sensor in your Phone.

Fake Fingerprints Open GalaxyI have pointed out a number of times that biometrics will not be the complete final solution for passwords. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. The technology is mainly used for identification and access control. The basic premise of biometric authentication is that everyone is unique. An individual can be identified by his or her intrinsic physical or behavioral traits.

Fake Fingerprints Can Open Your PhoneThere is a huge issue with biometrics.  You can’t change your intrinsic physical or behavioral traits if they get stolen or hacked. Well, now there is more proof that biometrics can be hacked without cutting off a finger.

Hack mobile phone authentication

Two smarty Sparty’s from Michigan State University’s biometrics group has figured out a way to hack mobile phone fingerprint authentication. According to Help Net Security, the MSU researchers can hack your secure phone by using just a scanner, a color inkjet printer, a special type of paper, and ink.

AgIC silver conductive ink cartridgesTurns out that the attack is easy to execute. The first step is to scan the target’s fingerprint image at 300 dpi or higher resolution. Then, the image is mirrored and the original or binarized fingerprint image is printed on the glossy side of an AgIC special paper. The printer uses AgIC silver conductive ink cartridges (along with normal black ink).

Magical conductive ink

CrunchBase explains that advances in material science have made it possible to manufacture almost magical conductive ink. AgIC silver conductive ink has tiny silver particles and can be purchased online. The ink is printed by standard Brother printers. The ink dries in a few seconds and conductivity emerges instantly when the traces are drawn on special photo inkjet printing paper also available online.

spoofed fingerprintAll in all, an attacker can have a spoofed fingerprint that would allow him to access a phone protected with fingerprint authentication in less than 15 minutes, and the cost of all the tools he needs to do this does not surpass $500.

Researchers Kai Cao and Anil Jain successfully managed to fool the fingerprint sensors on the Samsung (005930) Galaxy S6 and Huawei (002502) Hornor 7 phones.

They posted a demo of the attack on YouTube:

 

The attack is an improvement over Germany’s Chaos Computer Club’s attack against Apple (AAPL) Touch ID on iPhone 5S by lifting a fingerprint of the genuine user of a glass surface and then making a spoof fingerprint. More details about the Michigan State researchers’ work can be found here (PDF).

Only a matter of time

Starbucks app hackedThe Sparty researchers note that not all mobile phones can be hacked using this method. But their experiment is proof of the urgent need for anti-spoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used as a part of two-factor authentication for site access and payment processing like Apple Pay, Google (GOOG) Pay, or Samsung Pay.

The researchers warn that it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits that are being adopted for mobile phones (e.g., face, iris, and voice).

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , ,
| August 12, 2014
Comments Off on Who Needs Two-Factor Authentication

Who Needs Two-Factor Authentication

Who Needs Two-Factor AuthenticationThe recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users depend on the same passwords. So what are we to do? One solution is Two-Factor Authentication.

John Shier at SophosNaked Security blog provided a primer on multi-factor authentication. Two-Factor Authentication is a subset of Multi-factor authentication (MFA).  MFA is an authentication process where two of three recognized factors are used to identify a user:

  • Sommulti-factor authenticationething you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits
  • Something you are – fingerprints, iris patterns, voiceprints, or similar

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

Data breachThe author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can use a sort of two-factor authentication using SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

The availability of mobile network service and the unreliable nature of SMS can make SMS 2FA difficult. However, some services allow you to use an authenticator app in addition to your password which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).

Two-factor authentication makes it harder

SPAM emailParker Higgins at the EFF, says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like a PIN, something you know, with your ATM card, something you have, makes it harder to impersonate you. You need to both have a card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—which means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

That’s important because phishing, which is one of the most common ways in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

APhishings two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn’t have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT). GitHub, Evernote, WordPressYahoo (YHOO) Mail and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere but many of the most popular sites and services on the internet use the technology.  Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes trying to thwart 2FA so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor-Authentication Authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , ,
« Older Entries