Blog Feed
Comic stories #2
Criminal Chronicle: – Yesterday a famous spammer was killed. 300 million addresses are on the list of suspects.

A coder is standing by the window, closing and opening it. Closing and opening. Another one comes up and asks:
– What are you doing?
– Well, see: I can close it, I can open it, but I cannot minimize...
Will Google’s Authentication without Passwords Be Safe?
I guess I’m not the only one who is tired of passwords: we have to remember them, they have to be strong enough not to be guessed or brute-forced, and, on top of that, they have to be different for each website. It recently turned out that I am not alone in thinking so. A few days ago I came across information that Google is testing a new passwordless authentication system that would allow dropping the password entry when logging into an account. User authentication would be reduced to simply tapping a ‘Yes’ button on a smartphone, thus confirming the identity and getting access to the account.

Being an information security specialist, I decided to share my opinion about this authentication solution. There are some doubts about its feasibility and security. Besides, I would like to find out what you think about it.

The data exchange is performed via GCM (Google Cloud Messaging). When the notification is sent to the user’s device, he or she should accept it to log into the account. According to Rohit Paul, who informed the world about this innovation, the system works on the two-factor authentication principle: first the user needs to log into the smartphone (the first factor), and only then will he be able to accept Google’s notification and enter the account (the second factor).

But I dare to disagree, as this scheme has a few ‘buts’:

It would be a serious mistake to consider this method a real two-factor authentication. When tapping the ‘Yes’ button, the user actually confirms only one factor, ownership of the phone. The second factor (knowledge) is not checked by the system. Two-factor authentication involves the use of two different factors at the same time: a knowledge factor plus an ownership factor or biometrics. The key idea of 2FA is that the advantages of one factor can cover the downsides of the other.
If your smartphone is locked, lost, or you simply cannot reach it, you can enter the account with the usual login and password. This means that the second factor is optional. What will prevent an attacker from taking advantage of this loophole? It is not a big problem for a hacker to get the password using phishing, social engineering, brute force, etc. In fact, such an innovation can even make account protection worse: the attacker now even has a choice, either to guess or steal the password, or to infect the user’s smartphone with a virus. It is worth mentioning that 87% of Android smartphones are vulnerable. Bulletins about iOS vulnerabilities also creep in from time to time.

The new passwordless authentication system with signal transmission via GCM, which Google is testing, is obviously not designed to strengthen data protection. Perhaps such a scheme is suitable for simplifying the login process, as the user only needs to press a single button. In this case, I agree, it is convenient and pleasant for most users, because all people are lazy by nature. But if you take data protection seriously, in my opinion, it is better to stay away from passwordless authentication and use 2FA with one-time passwords instead. Today, there are...
Comic stories #1
Do you know why Bing is searching so long? – It is Googling!

Wikipedia: I know everything!
Google: I’ll find everything!
Facebook: I know everyone!
Internet: Without me you are nothing!
Electricity: Well, well!

Perhaps one day Google will be improved so much that, on the request “Where is the other sock?”, you will get the answer: – Under the bed,...
Will Passwords Survive?
In a rapidly changing world, even things that seem unshakable and undeniable can change. Passwords are one of them. We have gotten so used to them that it even seems strange to question their necessity. But let’s try. Do we really need ordinary reusable passwords?

The network is overloaded with discussions about passwords’ downsides and low level of protection. Even a beginner at hacking can hack the majority of passwords. Besides, account owners do not always use passwords properly: they rarely change them, keep them in places accessible to other people, and choose short, easy-to-guess combinations.

Meanwhile, there are more reliable multi-factor authentication methods, which give much greater assurance that it is the account’s owner who is logging in; for example, two-factor authentication with one-time passwords. It is successfully used by a growing number of websites. And for online resources that deal with money (online banking or a payment system), two-factor authentication of clients is an undisputed standard.

Two-factor authentication works on the basis of simultaneously checking two components that can confirm the legitimacy of the user: knowledge and ownership. The knowledge factor is either a reusable password that the user enters when logging into the account or the PIN code of an OTP token. The second factor, ownership, can be a mobile phone that receives SMS messages with one-time passwords, or a hardware or software OTP token. Thus, the process of delivering one-time passwords to these devices is the second factor, confirming ownership.

Practice shows that using hardware OTP tokens as the means of user authentication provides a higher degree of protection than the well-known SMS delivery method. What are the advantages of OTP tokens? OTP tokens work autonomously, without using open communication channels or an Internet connection.
To use an OTP token, as a rule, you need to enter a PIN code. This further protects the account from unauthorized access. The token generates passwords using the most modern cryptographic algorithms; for example, Protectimus OTP tokens use three different generation algorithms: TOTP, HOTP, and OCRA. If you need an even higher degree of protection, you can use a strong authentication system with a ‘challenge-response’ algorithm. In this case, each party to the authentication process holds a pre-shared secret key, whose value is taken into account when creating a temporary password and verifying it during authentication.

The reliability of 2FA is based on the fact that the flaws and vulnerabilities of one factor may be offset by the advantages of the other. So, if the attacker knows the password or the PIN code, the absence of the one-time password will prevent him from entering your account. And vice versa: if somebody gets your phone or OTP token, he or she cannot confirm the user’s legitimacy without entering the PIN code to unlock the device or without the ordinary password.

Will reusable passwords survive? After all, despite all their downsides, they remain an essential element of two-factor authentication. Won’t 2FA lose all its power if passwords are ‘canceled’? I think it is possible to do without passwords if 2FA keeps its much-needed first factor, knowledge. After all,...
Mobile Authentication Pros and Cons
The popularity of mobile devices increases every day. Smartphones, tablets, smart watches: today these lightweight portable ‘mini-computers’ sell better than traditional desktops and laptops. This trend is set by the rhythm of modern life, full of flights and journeys, often to the other end of the world. Today, a lot of people don’t work in traditional offices. They can work remotely in comfortable conditions, either at home or while travelling. A small, lightweight mobile device is convenient to keep within reach. In this situation, there is an urgent need for reliable authentication methods for accessing personal and especially work-related accounts. Thus, the significance of mobile authentication cannot be overestimated.

It is worth noting that mobile authentication can denote two different things:
– User authentication as the owner of the smartphone or tablet.
– User authentication in any service that supports two-factor authentication (2FA), using the smartphone as a token, i.e. a mobile authenticator.

Let us consider the second option in more detail, as the more versatile and interesting one.

The two-factor authentication process generally consists of two stages. First, you enter the ordinary reusable password assigned to you on a particular website, and the system compares the entered combination of symbols with the one stored in its database. If the first check is successful, there is the second stage of user authentication, which finally confirms the right to enter the account. Usually, the system requires a one-time password (OTP), which can be delivered to the user in different ways. And it is at this very stage, the second stage of 2-factor authentication, that mobile gadgets can provide invaluable help.

Mobile authentication in 2FA

1. Getting a one-time password by SMS. When logging in on a computer or laptop, the user enters the OTP sent by SMS to confirm his identity.
SMS authentication is considered very comfortable because the user doesn’t have to do anything to get the password. There is no need to go to the bank or post office for an additional authentication means (a hardware token). There is not even any need to install special software: the SMS function is built into every phone. The user needs nothing but a cell phone, a thing almost everyone has today.

But as you know, every coin has two sides, and this authentication method is no exception. The fact is that mobile communication channels are rather weakly protected, and theoretically fraudsters can connect and intercept the OTP. Besides, the signal quality may be low. This means the SMS can be received too late, and the one-time password, valid only for a short time, becomes useless.

2. The smartphone as a one-time password generator. There are more modern and reliable ways to get the OTP. For example, a special program that generates one-time passwords may be installed on the smartphone. This turns the device into a full OTP token, or mobile authenticator. Developers have created several applications of this type, suitable for a variety of mobile operating systems. Protectimus also has one: it is called Protectimus Smart. It can be installed free of charge on Android and iOS smartphones, as well as on Android Wear smart watches. The software token has a fairly wide range...
How does 2-factor authentication work?
Any more or less experienced Internet user has come across 2FA at least once. But not everyone understands how it works. To use this powerful data protection tool more effectively, let’s learn more about it.

The first factor of 2-factor authentication – what we know

Two-factor authentication starts with the usual standard password used for signing in on any website. Usually, users choose the password themselves when creating an account. By itself, the reusable password is not reliable enough and provides only an elementary, basic level of account protection in 2-factor authentication. This password is the first ‘key’ to unlock the account. Yet the reusable password, especially if chosen wisely, is an important component of two-factor authentication, as it is a knowledge factor. The category of knowledge factors also includes PIN codes. What follows the password entry? There are a few different variants.

The second factor of 2-factor authentication – possible variants

Two types of authentication can be used as the second factor of 2FA:

What we have. Hardware tokens in the form of smart cards, certificates with a digital signature, tokens generating time-based OTPs. These authentication means need a physical connection and usually knowledge of a PIN code. The user also needs to install special software on the computer he or she uses to interact with the OTP token when logging in. To some users, this method seems inconvenient, as they have to carry hardware tokens with them all the time and keep an eye on their safety. If a smart card or hardware token is lost or stolen, the client’s authentication will be impossible.

What we are. This group of authenticators includes the integral biometric characteristics of a person: a fingerprint, retina pattern, face shape, voice, etc. Identifiers of this type use cryptographic methods and means.
Most commonly, biometric authentication is applied to control access to premises or equipment, such as at enterprises and organizations with checkpoint entry. Biometric authentication is not the most reliable option for remote access control (as on the Internet).

One-time passwords are good because they are valid during only one session. Even if hackers intercept the OTP, the password will be useless when they try to re-use it.

Methods of one-time password generation

To understand the principles 2-factor authentication uses in its work, it is important to understand how one-time passwords are generated and how they become known to the legitimate user entering the system. There are several ways to deliver the password: send it by e-mail; send it by SMS; give a list of one-time passwords in advance; generate the OTP with the help of a software or hardware token.

The strength of OTPs is primarily achieved by using complex, constantly improving algorithms. Protectimus offers solutions that use three major algorithms.

HOTP – HMAC-Based One-Time Password Algorithm. The basis for OTP generation according to this algorithm is the number of authentications the user has performed (a counter) and the secret key known beforehand by both parties. The same values are taken into account during validation on the server.

TOTP – Time-based One-time Password Algorithm. This authentication algorithm generates the OTP taking a time parameter into account. Typically, not a specific time is used, but rather...
How to Choose and Use Strong Passwords
In 2007, the most popular password among Internet users was the word ‘password’. Later, people realized that strong passwords should include not only letters but also numbers, and in 2008 “password1” became the users’ favorite password. Despite all the efforts of cyber security experts, who tried to explain to average users that predictable and frequently used passwords cannot be trusted, “password1” is still wearing the leader’s yellow jersey. Perhaps only “123456” can compete with it for the crown. All these passwords have not lost their popularity even today. Just recall the list of the most popular passwords of Ashley Madison users, laid open to the public this fall.

Most people understand the importance of data protection on the Internet and the importance of the strong passwords that provide it. At the same time, the mistakes we make while choosing and using passwords make this protection almost useless. What factors should be taken into account to choose really strong passwords, fit for their real job: protecting our data on the network?

More passwords – strong and different

A scarily large number of people use the same password for all their accounts; in the best case, two. It’s like having one key “for all occasions”: for the apartment, garage, office, and bank safe. The loss of such a key endangers absolutely everything it protects. After hacking even the strongest password once, the hacker will have full access to all your confidential data. And a dishonest employee of one of the systems you are registered with doesn’t even have to hack any system to get at your confidential data or money: after obtaining a login and password from that system’s database, he will be able to access all your other accounts with the same password. Ideally, you should use a different combination for each website. It is especially important for e-mail services and bank accounts.
Strong passwords are complex, long, and non-standard

It is important to define what makes a password secure. Doubtless, a proper password must be long enough: not less than 8-10 characters. It is well known that the more meaningless the combination of letters, numbers, and special characters, the more difficult it is to hack. But how is it possible to remember a meaningless password? There are various original methods of creating passwords that are both strong and memorable. One of them is a mnemonic technique. To create a new strong password, you need to recall a phrase from a song, movie, or favorite poem that is meaningful to you. After that, you write out the initial letters of the first 5-7 words and insert a special character between them. For everybody except you, this combination will make no sense, and at the same time you will be able to recall it with ease. This “key” does not have to be stored on a hard disk or on a piece of paper where it is accessible to fraudsters.

What should those users do who do not want to spend time and energy on creating strong passwords but still want to protect their accounts? Before, there was only one option: to use a password manager. But, like any other computer program, password managers are vulnerable. Fraudsters can hack them. Still, passwords created...
The Most Common Ways of Credit Card Fraud
The faster technical progress develops, the more sophisticated and ingenious the fraudsters’ attempts to turn it to their advantage become. The more actively we replace the cash in our pockets with credit cards, the more ways to steal money from our bank accounts emerge. In order not to become easy prey for fraudsters, it is useful to know what techniques criminals use to steal data from credit cards. We are going to provide an overview of the fraudsters’ favorite methods of credit card fraud.

How does credit card fraud occur?

Whatever scheme is used for credit card fraud, one of the main tasks of the criminal is to find out the credit card PIN. For this purpose a fraudster may use:

ATM overlays on a keypad. The thief sets a barely noticeable cover plate on top of the real buttons, and this device is able to “remember” the digits of every PIN code. A miniature camera can be attached just above the screen under the hood of the ATM and transmit images to the nearby fraudster’s laptop. Yet it’s easy to withstand this method if you have the habit of covering the keypad with your hand while typing the PIN (just in case).

Visual observation. The PIN code may simply be peeped at by a person standing nearby.

Fake ATM. These are usually installed in popular walking areas. Of course, such an ATM does not give out money. Instead, it records the PIN codes of all inserted cards. It can also read the data embedded in the magnetic strip. These data may further help to make a full-fledged copy of the credit card. A fake ATM is a large-scale variant, usually applied for a long-term operation. It’s unlikely that anyone would turn to this method for the sake of one or two stolen PIN codes.

Once a fraudster obtains a PIN code, he needs to get the credit card data. He can steal it, the simplest method. He can defraud the card holder. For this purpose, a special plastic envelope, unnoticeable at a casual glance, is inserted into the card slot.
When a cardholder tries to withdraw money, the ATM does not ‘see’ the card through the envelope. It’s also impossible to get the card back without knowing how to do this. Then a seemingly well-meaning stranger comes up and says that he recently faced the same problem and tackled it by typing the PIN code twice and pressing the enter button. After several predictably failed attempts, the victim goes to inform the bank about the incident. The fraudster retrieves your credit card together with the envelope (he knows how to do that) and withdraws the money, using the code you just entered.

These two methods have one disadvantage: the limited time for using the card. On realizing that the fraudster has stolen money from the card, the customer will immediately ask the bank to block it. The more time passes after the fraudster has withdrawn the money, the better it is for him. That’s why there is one more method: he can make a duplicate of the credit card. Another way to get the necessary information is credit card skimming. Here again, the main instrument is a pad placed over the real card slot, but not to make the credit card invisible to the ATM, but to copy...
Hardware or Software Token – Which One to Choose?
Striving for maximum versatility and convenience is the main trend of our time. It triggers a general affection (which often borders on addiction) for smartphones. For a modern person, these small devices embody the principle “All that is mine, I carry with me”. A regular phone has now become a mini laptop computer that also lets you make calls (though that is no longer its leading feature). Since any computer should have a reliable data protection system, and two-factor authentication is one of its most important elements, developers have proposed a solution that turns a smartphone into a full-fledged OTP token. Users and cyber security experts gladly accepted this means of authentication, as it is really convenient. As for the advantages, they are quite weighty. Let’s take Protectimus SMART as an example of a convenient software token for one-time password generation:

– The smartphone is always at hand, available at any time, and so is the application installed on it.
– The token has a PIN code, which protects the OTP generator from unauthorized access in case your phone, for whatever reason, ends up in the wrong hands.
– Flexible configuration: the choice of the password length and of its generation algorithm.
– You can create many tokens on one device.
– There are versions available for both Android and iOS. Moreover, you can use Android Wear smart watches to get OTPs as well.
– It supports the data signing function (CWYS), which protects transactions from such threats as data modification, replacement, and banking Trojans with automated transfer systems.
– Data protection with the software token Protectimus Smart does not require any expenses: the application is absolutely free.

Do software tokens have any disadvantages? Unfortunately, they do. And the main one is that the devices on which we install software tokens are not completely isolated from external influences, first of all from computer viruses.
This is especially true for Android smartphones, the majority of which have one vulnerability or another. Time-tested hardware tokens are completely free of this problem. Although many advanced users and experts consider hardware tokens devices of the past, in reality they remain the most reliable means of two-factor authentication today. Not the most convenient, perhaps. But that is a matter of dispute. Is it so difficult to use a traditional hardware token? Let’s look at what progressives usually say about it:

The battery of a hardware OTP token cannot be recharged, unlike the smartphone with a software token on it. Those who think so forget that the service life of a hardware token battery is 3-5 years. In most cases it exceeds the lifecycle of the smartphone battery. And what is more, you have to charge the smartphone’s battery every day. The chances that the smartphone will run out of power at the crucial moment are much higher than those of the OTP token.

A hardware token is inconvenient to carry and can be lost. One may object that you can also lose a smartphone. As for carrying, modern hardware tokens are very small, light, and often have a pleasant design, which makes them nice and stylish things. For example, the Protectimus One token has the shape of a small key fob and can be easily attached to a keychain...
Why Everyone Should Care About Data Protection
There is an opinion that an average Internet user cannot be of interest to hackers and other thieves of confidential data. The head of the CIA or a celebrity is a completely different story. But what can a hacker expect from an ordinary person? No intriguing secrets, no big money. It seems there is no need for data protection for common people. But everyone who thinks this way is seriously mistaken. There are a lot of network fraudsters and not so many top people to go around. Thus, hackers do not shun ordinary people’s accounts, especially since many of us think they are too ‘boring’ for hackers and, therefore, do not bother with any data protection.

Why is data protection important for an average person?

Smartphones are vulnerable. For many people smartphones have become more than electronic organizers. We use them for chatting with friends or business partners, for making online purchases, for buying train and concert tickets. But smartphones are usually protected far worse than computers. On the Internet, you can read a lot of stories telling how an innocent user gets a ‘bonus’ in the form of a full-fledged Trojan together with a downloaded application. The latter makes all the data on the smartphone (addresses, phone numbers, and passwords) available to hackers. Not so long ago, the police exposed a criminal group that had managed to create a botnet of more than 16 thousand Android smartphones. All of them were infected with malware allowing money to be stolen from the victims’ bank cards.

Data protection on your computer is an issue of primary importance. Today, almost every family has a computer. Any computer connected to the Internet is a potential source of danger. It is enough just to click on a link in a phishing e-mail to ‘give’ your data to fraudsters. And these e-mails are usually quite convincing and look just like real messages from banks and other major institutions.
Downloading illegal content containing a lot of ‘surprises’ is out of the question.

Smart TV – a new target for hackers. Devices using Smart TV systems are easy prey for hackers. Some models are capable of recording the user’s actions and even conversations taking place nearby.

Digital locks are also a rather easy target. They are often used on front doors, yard gates, and garages. Unfortunately, such a lock, if desired, can be broken by simple password guessing.

What data protection methods can enhance your cyber security?

Strong passwords

You should choose passwords seriously and pay attention to their reliability, as a password is the key that unlocks access to all accounts, from social networks to bank accounts. So the password should be:

Reliable, long, and containing both letters and numbers. There are different password managers that may assist you in choosing passwords. But as a recently discovered vulnerability in the well-known password manager KeePass has shown, you should be careful even with them.

Individual for every website where the user is registered. Quite often, having stolen one password, hackers gain access to all the victim’s other accounts.

Kept in a safe place. And this place is not a piece of paper taped to the monitor.

Two-factor authentication

When a reusable password turns out to have been hacked,...