Blog Feed
Comic stories #3
Photoshop is 25 this year. Well, actually it is 38, but it looks 25. A man comes home, sits down at the computer and starts shouting at his wife: – Did you do this? – No, how could I? – Did you? – With whom? – Tell me, did you do this? – Well, it was just once, with the neighbor… – I asked if you changed the password to the...
read more
Strong Authentication Methods in 2016
At the beginning of a new year, everyone tries to predict what it will bring: which trends will prevail in the economy and politics, which outfits will be the most fashionable, which books will possess minds and souls, how inventors and developers will surprise and delight fans of technological progress. Let's try to predict how strong authentication technologies and methods will develop in 2016, what new things await us, and to what extent they are better than those already familiar to everybody (and whether they are better at all).

One main trend immediately catches the eye: many large companies that dictate fashion in the IT market strive to create strong user authentication that provides a high level of data protection while simplifying the authentication procedure at login. It suffices to mention names such as PayPal (the largest international money transfer system) and Google. These companies are now actively working to ease the multi-factor authentication process for their users. Developers offer different, often quite exotic, strong authentication methods that, according to their authors, will unite reliability and ease of use. Naturally, every developer defends the prospects of his own method. Perhaps the only thing that unites them all is awareness of the need to change something in the traditional multi-factor authentication procedure. Today it is most often based on two-factor authentication (2FA) with one-time passwords (OTP). But what alternatives are available?

1. Avoiding the use of a static password as the first factor. This is one of the most promising variants at the moment. Used competently, it gives two-factor authentication that is easy to use and reliable at the same time. For example, almost any token is additionally protected by a PIN code that you must enter before starting to work with the device. Why not use this PIN code as the first step of two-step authentication, the knowledge factor, while a smartphone with a software token or a hardware OTP token serves as the second factor, the ownership factor? Moreover, both software and hardware tokens may support the CWYS function (data signature), which further raises the level of protection.

2. One-time passwords into the dustbin of history. Many users don't want to waste time entering one-time passwords to log into this or that account, especially if they need to enter the OTP several times during a single session (a precaution practiced when protecting the connection is especially important). Developers are constantly looking for new ways to avoid this inconvenience. Not long ago they came up with a strong authentication method based on background noise. Google is working on an authentication method that sends signals to the smartphone via GCM (Google Cloud Messaging). Another interesting way of two-step verification with the help of a smartphone has been presented by the company Clef.

3. New types of hardware tokens, immune to viruses. Contemporary USB tokens may be vulnerable to viruses on the computers they are connected to. But not long ago the improved Yubikey USB tokens were presented to the world. Yubikey OTP tokens generate a one-time password only after the user presses a special button on the token....
read more
Comic stories #2
Criminal Chronicle: – Yesterday a famous spammer was killed. 300 million addresses are on the list of suspects. A coder is standing by the window, closing and opening it. Closing and opening. Another one comes up and asks: – What are you doing? – Well, see: I can close it, I can open it, but I cannot minimize...
read more
Will Google's Authentication without Passwords Be Safe?
I guess it's not only me who is tired of passwords: we have to remember them, they have to be strong enough not to be guessed or brute-forced, and on top of that they have to be different for each website. It recently turned out that I am not the only one who thinks so. A few days ago I came across information that Google is testing a new system of authentication without passwords that will allow skipping password entry when logging into the account. User authentication will be reduced to simply tapping a 'Yes' button on a smartphone, thus confirming the identity and getting access to the account. As an information security specialist, I decided to share my opinion about this authentication solution. There are some doubts about its feasibility and security. Besides, I would like to find out what you think about it.

The data exchange is performed via GCM (Google Cloud Messaging). When the notification is sent to the user's device, he or she should accept it to log into the account. According to Rohit Paul, who reported this innovation, the system works on the two-factor authentication principle: first the user logs into the smartphone (the first factor), and only then can he accept Google's notification and enter the account (the second factor). But I dare to disagree, as this scheme has a few 'buts':

It would be a serious mistake to consider this method real two-factor authentication. When tapping the 'Yes' button, the user actually confirms only one factor: possession of the phone. The second factor (knowledge) is not checked by the system. Two-factor authentication involves the use of two different factors at the same time: a knowledge factor plus an ownership factor or biometrics. The key idea of 2FA is that the advantages of one factor can cover the downsides of the other.

If your smartphone is locked, lost, or you simply cannot reach it, you can enter the account with the usual login and password. This means that the second factor is optional. What will prevent an attacker from taking advantage of this loophole? It is not a big problem for a hacker to get the password using phishing, social engineering, brute force, etc. In fact, such an innovation can even make account protection worse: the attacker now has a choice, either to guess or steal the password or to infect the user's smartphone with a virus. It is worth mentioning that 87% of Android smartphones are vulnerable. Bulletins about iOS vulnerabilities also appear from time to time.

The new authentication-without-passwords system with signal transmission via GCM, which Google is testing, is obviously not designed to strengthen data protection. Perhaps such a scheme is suitable for simplifying the login process, as the user only needs to press a single button. In this case, I agree, it is convenient and pleasant for most users, because all people are lazy by nature. But if you take data protection seriously, in my opinion it is better to stay away from authentication without passwords and use 2FA with one-time passwords instead. Today, there are...
read more
Comic stories #1
Do you know why Bing takes so long to search? – It is Googling! Wikipedia: I know everything! Google: I'll find everything! Facebook: I know everyone! Internet: Without me you are nothing! Electricity: Well, well! Perhaps one day Google will be improved so much that, in response to the request "Where is the other sock?", you will get the answer: – Under the bed,...
read more
Will Passwords Survive?
In a rapidly changing world, even things that seem unshakable and undeniable can change. One such thing is passwords. We are so used to them that it is even strange to question their necessity. But let's try. Do we really need ordinary reusable passwords?

The network is overloaded with discussions of passwords' downsides and low level of protection. Even a beginner at hacking can crack the majority of passwords. Besides, account owners do not always use passwords properly: they rarely change them, keep them in places accessible to other people, and choose short, easy-to-guess combinations.

Meanwhile, there are more reliable multi-factor authentication methods, which give much greater assurance that it is the account's owner who enters it, for example two-factor authentication with one-time passwords. It is successfully used by a growing number of websites. And for online resources that deal with money (online banking or payment systems), two-way authentication of clients is an undisputed standard.

Two-factor authentication works on the basis of simultaneously testing two components that can confirm the legitimacy of the user: knowledge and ownership. The knowledge factor is either a reusable password that the user enters when logging into the account or the PIN code of an OTP token. The second factor, ownership, can be a mobile phone that receives SMS messages with one-time passwords, or a hardware or software OTP token. Thus, the process of sending one-time passwords to these devices is the second factor, confirming ownership.

Practice shows that using hardware OTP tokens as the means of user authentication provides a higher degree of protection than the well-known SMS delivery method. What are the advantages of OTP tokens?

OTP tokens work autonomously, without open communication channels or an Internet connection. To use an OTP token, as a rule, you need to enter a PIN code, which further protects the account from unauthorized access. The token generates passwords using modern cryptographic algorithms; for example, Protectimus OTP tokens use three different generation algorithms: TOTP, HOTP, and OCRA. If you need an even higher degree of protection, you can use a strong authentication system with a challenge-response algorithm. In this case, each party to the authentication process has a predetermined secret key, whose value is taken into account when creating the temporary password and checking it during authentication.

The reliability of 2FA is based on the fact that flaws and vulnerabilities of one factor may be offset by the advantages of the other. So, if the attacker knows the password or the PIN code, the absence of the one-time password will prevent him from entering your account. And vice versa: if somebody gets your phone or OTP token, he or she cannot confirm the user's legitimacy without entering the PIN code to unlock the device or without the ordinary password.

Will reusable passwords survive? After all, in spite of all their downsides, they remain an essential element of two-factor authentication. Won't 2FA lose all its power if passwords are 'canceled'? I think it is possible to do without passwords if 2FA keeps its much-needed first factor, knowledge. After all,...
read more
Mobile Authentication Pros and Cons
The popularity of mobile devices increases every day. Smartphones, tablets, smart watches: today these lightweight portable 'mini-computers' sell better than traditional desktops and laptops. This trend is set by the rhythm of modern life, full of flights and journeys, often to the other end of the world. Today a lot of people don't work in traditional offices; they can work remotely in comfortable conditions, either at home or while traveling. A small, lightweight mobile device is convenient to keep within reach. In this situation there is an urgent need for reliable authentication methods to access personal and especially work-related accounts. Thus, the significance of mobile authentication cannot be overestimated.

It is worth noting that mobile authentication can denote two different things:
User authentication as the owner of the smartphone or tablet.
User authentication in any service that supports two-factor authentication (2FA), using the smartphone as a token, a mobile authenticator.

Let us consider the second option in more detail, as the more versatile and interesting one. The two-factor authentication process generally consists of two stages. First, you enter the ordinary reusable password assigned to you on a particular website, and the system compares the entered combination of symbols with the one stored in its database. If the first check succeeds, there is the second step of user authentication, which finally confirms the right to enter the account. Usually the system requires an OTP (one-time password), which can be delivered to the user in different ways. And it is at this very stage, the second stage of two-factor authentication, that mobile gadgets can provide invaluable help.

Mobile authentication in 2FA

1. Getting a one-time password by SMS. When logging in on a computer or laptop, the user enters the OTP sent by SMS to confirm his identity. SMS authentication is considered very convenient because the user doesn't have to do anything to get the password. There is no need to go to the bank or post office for an additional means of user authentication (a hardware token). There is even no need to install any special software: the SMS function is built into every phone. The user needs nothing but a cell phone, something almost everyone has today. But as you know, every coin has two sides, and this authentication method is no exception. The fact is that mobile communication channels are protected rather weakly, and in theory fraudsters can connect and intercept the OTP. Besides, signal quality may be low, so the SMS may be received too late, and the one-time password, valid only for a short time, becomes useless.

2. The smartphone as a one-time password generator. There are more modern and reliable ways to get the OTP. For example, a special program that generates one-time passwords may be installed on the smartphone. This turns the device into a full OTP token, a mobile authenticator. Developers have created several applications of this type for a variety of mobile operating systems. Protectimus also has one, called Protectimus Smart. It can be installed free on Android and iOS smartphones, as well as on Android Wear smart watches. The software token has a fairly wide range...
read more
How does 2-factor authentication work?
Any more or less experienced Internet user has come across 2FA at least once, but not everyone understands how it works. To use this powerful data protection tool more effectively, let's learn more about it.

The first factor of 2-factor authentication: what we know

Two-factor authentication starts with the usual standard password used for signing in on any website. Usually the users themselves choose the password when creating an account. By itself, the reusable password is not reliable enough and provides only an elementary, basic level of account protection in two-factor authentication. This password is the first 'key' to unlock the account. Yet the reusable password, especially if chosen wisely, is an important component of two-factor authentication, as it is a knowledge factor. The category of knowledge factors may also include PIN codes. What follows password entry? There are a few different variants.

The second factor of 2-factor authentication: possible variants

Two types of authentication can be used as the second factor of 2FA:

What we have. Hardware tokens in the form of smart cards, certificates with a digital signature, tokens generating time-based OTPs. These authentication means need a physical connection and usually knowledge of the PIN code. The user also needs to install special software on the computer he or she uses to interact with the OTP token when logging in. To some users this method seems inconvenient, as they have to carry hardware tokens with them all the time and keep an eye on their safety. If a smart card or hardware token is lost or stolen, the client's authentication will be impossible.

What we are. This group of authenticators includes the integral biometric characteristics of the person: a fingerprint, retina pattern, face shape, voice, etc. Identifiers of this type use cryptographic methods and means. Most commonly, biometric authentication is applied to control access to premises or equipment, such as at enterprises and organizations with walk-through checkpoints. Biometric authentication is not the most reliable for remote access control (as on the Internet).

One-time passwords are good because they are valid during only one session. Even if hackers intercept the OTP, it will be useless when they try to reuse it.

Methods of one-time password generation

To understand what principles 2-factor authentication uses in its work, it is important to imagine how one-time passwords are generated and how they become known to the legitimate user entering the system. There are several ways to deliver the password: send it by e-mail; send it by SMS; give a list of one-time passwords in advance; generate the OTP with the help of a software or hardware token.

The robustness of OTPs is primarily achieved by using complex, constantly improving algorithms. Protectimus offers solutions that use three major algorithms.

HOTP, the HMAC-Based One-Time Password Algorithm. The basis for OTP generation under this algorithm is the number of authentication procedures the user has gone through (a counter) and the secret key known beforehand by both parties. The same values are taken into account during validation on the server.

TOTP, the Time-based One-Time Password Algorithm. This algorithm generates the OTP taking a time parameter into account. Typically, not a specific time is used, but rather...
read more
How to Choose and Use Strong Passwords
In 2007, the most popular password among Internet users was the word 'password'. Later, people realized that strong passwords should include not only letters but also numbers, and in 2008 "password1" became users' favorite password. Despite all the efforts of cyber security experts, who tried to explain to average users that predictable and frequently used passwords cannot be trusted, "password1" is still wearing the leader's yellow jersey. Perhaps only "123456" can compete with it for the crown. All these passwords remain popular even today; just recall the list of the most popular passwords of Ashley Madison users that was made public this fall.

Most people understand the importance of data protection on the Internet and the importance of strong passwords in providing it. At the same time, the mistakes we make while choosing and using passwords make this protection almost useless. What factors should be taken into account to choose really strong passwords, fit for their real job: protecting our data on the network?

More passwords, strong and different

A frighteningly large number of people use the same password for all their accounts, or at best two. It's like having one key "for all occasions": for the apartment, garage, office, and bank safe. The loss of such a key endangers absolutely everything it protects. After cracking even the strongest password, a hacker has full access to all your confidential data. And, for example, a dishonest employee of one of the systems you are registered with doesn't even have to hack anything to get your confidential data or money: having obtained a login and password from that system's database, he can access all your other accounts that use the same password. Ideally, you should use a different combination for each website. This is especially important for e-mail services and bank accounts.

Strong passwords are complex, long, and non-standard

It is important to define what makes a password secure. Doubtless, a proper password must be long enough: not less than 8-10 characters. It is well known that the more senseless the combination of letters, numbers, and special characters, the harder it is to crack. But how is it possible to remember a senseless password? There are various original methods for creating passwords that are both strong and memorable. One of them is the mnemonic technique. To create a new strong password, recall a phrase from a song, movie, or favorite poem that is meaningful to you. Then write out the initial letters of the first 5-7 words and insert a special character between them. For everybody except you, this combination will make no sense, and at the same time you will be able to recall it with ease. This "key" does not have to be stored on a hard disk or on a piece of paper where it is accessible to fraudsters.

What should users who do not want to spend time and energy creating strong passwords, but still want to protect their accounts, do? Before, there was only one option: a password manager. But, like any other computer program, password managers are vulnerable; fraudsters can hack them. Still, passwords created...
read more
The Most Common Ways of Credit Card Fraud
The faster technical progress develops, the more sophisticated and ingenious the fraudsters' attempts to turn it to their advantage become. The more actively we replace the cash in our pockets with credit cards, the more ways emerge to steal money from our bank accounts. To avoid becoming easy prey for fraudsters, it is useful to know what techniques the violators use to steal credit card data. We are going to provide an overview of the fraudsters' favorite methods of credit card fraud.

How does credit card fraud occur?

Whatever scheme is used for credit card fraud, one of the violator's main tasks is to find out the credit card PIN. For this purpose a fraudster may use:

ATM overlays on a keypad. The thief sets a barely noticeable cover plate on top of the real buttons, and this device is able to "remember" the digits of every PIN code. A miniature camera can be attached just above the screen under the hood of the ATM and transmit images to the nearby fraudster's laptop. Yet it is easy to withstand this method if you have the habit of covering the keypad with your hand while typing the PIN (just in case).

Visual observation. The PIN code may simply be peeped at by a person standing nearby.

Fake ATM. These are usually installed in popular walking areas. Of course, such an ATM does not give out money; instead, it records the PIN codes of all inserted cards. It can also read the data embedded in the magnetic strip, which may later help to make a full-fledged copy of the credit card. A fake ATM is a large-scale variant usually applied for a long-term operation. It is unlikely that anyone would turn to this method for the sake of one or two stolen PIN codes.

Once a fraudster has a PIN code, he needs to get the credit card data. He can steal the card, which is the simplest method. He can defraud the cardholder. For this purpose, a special plastic envelope, unnoticeable at a casual glance, is inserted into the card slot. When a cardholder tries to withdraw money, the ATM does not 'see' the card through the envelope, and it is impossible to get the card back without knowing how. Then a seemingly well-meaning stranger comes up and says that he recently faced the same problem and solved it by typing the PIN code twice and pressing the enter button. After several predictably failed attempts, the victim goes to inform the bank about the incident. The fraudster retrieves the card together with the envelope (he knows how to do that) and withdraws the money using the code you just entered.

These two methods have one disadvantage: the limited time for using the card. On realizing that the fraudster has stolen money from the card, the customer will immediately ask the bank to block it. The more time passes after the fraudster has withdrawn the money, the better it is for him. That is why there is one more method: he can make a duplicate of the credit card. Another way to get the necessary information is credit card skimming. Here again, the main instrument is a pad placed over the real card slot, but not to make the credit card invisible to the ATM; rather, to copy...
read more