Blog Feed
What Is Phishing and How Not to Fall into Its Nets
Phishing is a special kind of online fraud, which presupposes fishing out the user’s login and password or another sensitive information with the aim to enter the naive user’s account and to cause damage both to the user and to the system the hacker managed to get access to. What is the phishing attack and what are its objectives? One of the main phishing methods is mass mailing, often from a bank or another service. For example, it can be a notification about the receipt of the money order. The mail proposes to learn more details about this money order by clicking on the link in it. the link usually leads to the fake website, which only looks like the real one. Any email address available on a public domains, forums, and different groups in social networks can fall a prey to the phishing attack. Special bots constantly search the internet looking for the active e-mail addresses to enter them to the spam list. Often hackers attack a certain site and its clients. Most often among such companies are banks and other financial companies running their business online. A hacker creates a fake version of a legal resource. As a rule, it is enough to create only a login page – hackers do not need more. After the user logs in, he receives the message with notification that the authentication data are wrong. In most cases, this is a trustworthy signal that he just entered a fake web page. Meanwhile, the hackers manually or automatically withdraw money from the victim’s account. Phishing attacks are dangerous. It is hard to recognize such threats and stop them. This happens because a hacker doesn’t need a direct physical access to the victim’s computer. And, thus, data protection system doesn’t raise the alarm. The hackers get all the necessary information from the users. First of all, they are interested in passwords and logins to enter social networks and websites, and the credit card numbers and PIN-codes. How to minimize damage from phishing attacks? When you are working on the Internet, it is necessary to follow these simple rules: Carefully check the sender of the email, and do not follow suspicious links. If it is possible, contact the company by telephone, and check whether it has sent the letter to you or not. Keep all your passwords in secret and do not to give them to anyone under any ground. Big companies do not require sending confidential information (credit card numbers, passwords) via e-mail and other unencrypted channels. The customer’s data protection is extremely important for them. Type the addresses of the websites storing your sensitive information manually. Or use your own bookmarks. But do not click on e-mail links. When typing by hand it is important to pay attention to what is written in the address bar of a site which requires login and password. Often the domain name of the fake site only slightly differs from the original one – sometimes the difference is only in one letter. Regularly update your browser and anti-virus programs. The majority of modern web browsers can identify phishing websites and do it better with each update. The websites of banks and payment systems must have a secure connection by the protocol HTTPS. If this protocol is...
read more9 Data Protection Tips for Safe Online Shopping
Annual sales season is in full swing! Black Friday, Cyber Monday and Christmas Sales cause an unprecedented stock-jobbing. Everyone wants to make his or her best bargain in 2015. Besides, today there is no need in exhausting shopping in malls and emporiums. We can order everything from home with the help of the computer or smartphone. But, in anticipation of the holidays and bargains we should not forget about the importance of data protection. After all, hackers are also preparing for the holidays. They invent new ways to celebrate them in the expense of other people. We decided to remind you the basic rules of cybersecurity, which you should follow during shopping at online stores. Following these rules, you will avoid becoming a victim of fraud, and will celebrate Christmas with joy in your eyes. Data protection rules during online shopping: Attachments to the letters from online stores may contain Trojan viruses. Especially those, who promise fabulous discounts. Often the references in letters from unknown emails lead to phishing sites. The only task of such websites is to steal information (card numbers, passwords). When you receive the letter from an unverified source, it is better to delete immediately. Don’t open attachments and don’t follow links it contains. Before you order anything in the online store and provide the information about your payment card number, spend some time to read the comments from other users of this particular website. Public Wi-Fi can be created by hackers to steal passwords and logins. We don’t recommend making purchases by connecting to an open channel. If you are going to buy something using a smartphone, it is better to turn off Bluetooth and to use the mobile connection to get access to the Internet. The mobile connection provides better protection. Data protection starts with strong passwords. To be so, the password must consist of letters in different cases, numbers, and special characters. We repeat once again: the name of your pet and your own date of birth – is not the best choice for the password. On the Internet, we often meet offers to install different useful programs for free. Remember, such a “gift” can hide an adware or even Trojan virus. Two-factor authentication (2FA) should be turned on any website that holds or obtains confidential users’ data. This is especially important for the resources which transfer the funds on the Internet. Among them are banks, payment systems, currency exchanges, etc. With this method of payment, the fraudsters do not even need to steal someone’s plastic card. It is enough to know its number (PAN), expiration date, CVV, and the name of the owner. But if the system uses two-way authentication, then even owning all the information about the payment card and its owner, attackers will not be able to carry out any transaction on behalf of the user. One-time passwords are delivered of generated in different ways: SMS, token, email, mobile token. The most popular method of organizing data protection today presupposes the installation of a special application for one-time passwords generation on the smartphone. For example, Protectimus developed a software token Protectimus SMART, which can be installed on Android and iOS smartphones, and even on the smart watch. Mobile authentication is enough reliable and does not require much effort from the...
read moreIdentification, authentication, and authorization – what’s the difference
Identification, authentication, and authorization. We all face these three concepts every day, but not everyone knows the difference. Since these terms are essential in data protection, they deserve to be explained better. To begin, let’s take an example from everyday life. It will help you to understand the difference between authentication and identification in general. A new employee comes to work for the first time. At the entrance, he introduces himself to a security guard and says that he is a new manager. Thus, he identifies himself – tells who he is. The security guard does not believe the words he says. He demands to provide evidence that this person is a new manager and has the right to enter the office. To solve the problem, the employee has to show his pass with the photo. And the security guard should compare it with his list of registered employees. The employee confirms his authenticity – this is authentication. Finally, a forbidden door opens, and the guard lets the employee in. Once the employee receives the permission to enter the office the authorization happens. In the virtual world, everything is almost the same as in the real. Only the names of the “characters” are changing. The security guard is a server that controls the access to the website. And the manager who came to work – a user who wants to log in. It should be added that the security guards will repeat the procedure every day. Even when all the security guards know the manager by his look and name. They just do their job, like the server does. All three concepts – identification, authentication, and authorization – are the stages of one process that controls users’ access to their accounts. To perform any action on a website, the user must “introduce himself” to the system. User’s identification means presenting grounds for the entry to the site or service. As a rule, your username or email address provided during registration serve as identificators. If the server finds in its database the data coinciding with that entered by the user, the user’s identification is successful. Login is a perfect thing. But where is the guarantee that it was entered by the person registered on the site? To finally verify the user’s identity, the system typically authenticates the user. Now, more and more often the two-factor authentication is used. A usual static password serves as the first factor. The second factor may be different depending on the types of authentication methods used in this or that case: one-time password or PIN-code; magnetic stripe cards, smart cards, certificates with a digital signature; biometric factors: voice, retina, fingerprints, etc. Despite the rapid development of biometric authentication methods, they are not enough reliable when used remotely. It is not always possible to guarantee the correct operation of devices and applications which perform retina or fingerprints scanning. You cannot be 100% sure whether the mould of the hand or fake user’s picture is used during verification. So this method can be considered valid only if authentication is directly controlled. For example, biometrics is quite efficient when the employee enters the office. Under the conditions when the verifier and the verified are remote, as it happens on the Internet, the 2-factor authentication method using one-time passwords...
read morePassword Manager KeePass Is Vulnerable
It is not news that a fair amount of threats waits for the user in the vast global network. And it is clear that the best way out is to keep valuable information in encrypted form and protect it with a strong password. But the fact that it is possible to “pull” out in a form of a simple text file all the data from the password manager – the program which encrypts and generates passwords – became a surprise for many. A well-known cross-platform free password manager KeePass appeared to be under the threat. Password Manager KeePass has demonstrated its vulnerability This password manager came into service in 2003. At first, there was only a version for Windows, but later the password manager started support of other operating systems: starting from Linux and Max OS X for the desktops and laptops and to the mobile platforms Android and Pocket PC. Until recently KeePass has been considered almost invulnerable and its users could feel safe. If to take into account that it a free cross-platform solution, which had a good reputation for a long time, you can imagine the number of users who have entrusted the storage of their passwords to this program. This problem can touch almost everyone. Fortunately, the person who discovered the vulnerability is not a hacker. It is a Security Assessment employee Denis Andzakovic. He posted on GitHub a free tool called KeeFarce able to decrypt all data (usernames, passwords, notes) stored in the KeePass Password database. The operating principle of this tool is based on the introduction of the DLL-injection to the victim’s computer. During the KeePass runtime, an application-cracker exports currently open database decrypts it and creates a text file, which the hacker will be able to pick up later on his own (in the case of physical access to the victim’s computer) or get remotely. Andzakovic notes that the vulnerability of the KeePass data protection is not a problem only of this program. DLL-injection may be introduced (by using a Trojan virus, for example) into any password manager. How to protect your data if your password manager was hacked So how the data protection should be carried out taking into account the identified risks? Which means should we use to secure our data against a password attack? The answer is quite simple and clear to everyone: it is two-factor authentication. Such means of authentication as tokens, special smartphone applications or one-time passwords delivery via SMS, act as a second “defense line” for the user’s account. Their advantage is that every generated password is valid only for a short period of time. And even if the hacker intercepts OTP password, in a minute he needs to intercept a new one. There are even further ways to secure one-time password. For example, the CWYS function (transaction data signing). Modern authentication methods can help to protect your account even if somebody stills the password. You need only to set up 2FA (two-factor authentication) on any account, where it is possible. The confidence that the attackers would not be able to take control of your account even if an encrypted password is stolen will offset some time expenditures and inconveniences related to the two-factor...
read moreCybersecurity Lesson from T-Mobile and Experian
Recently, the whole world and especially the U.S. citizens have been stirred up by the news about the leakage of credit history data of 15 million subscribers of the international mobile operator T-Mobile. What is notable in this story is that the information was not stolen directly from T-Mobile’s database but from the servers of its partner – Experian. Considering this example in details gives a valuable cybersecurity lesson, so let’s review it now. The popular proverb says, ‘No man is an island’. It is much easier to solve any task together. Not everyone and not always has a possibility, time and enough knowledge to solve the specific problem personally and comprehensively. Thus, to reach success in business, large companies often cooperate with other companies that provide them with certain types of services. Depending on the type of services, some providers may ask the registration data of the company or the personal data of its employees and customers. It is to be noted that two-factor authentication provider Protectimus is not among such partners. During the authentication process, Protectimus does not require and doesn’t transfer any users’ personal data. It is reasonable, since often we enter the requested information automatically, without giving due attention to how and where these data will be stored, who can get this information, and what consequences this may entail. How T-Mobile users’ data have been stolen A good example of such carelessness became the cooperation between the T-Mobile Company, working in the field of mobile communications, and global information service Experian, which assessed the customers’ credit history before they signed a contract with T-Mobile. This partnership resulted in a large scandal – personal information of 15 million T-Mobile customers was stolen by unknown violators from Experian server. The stolen data included names, dates, birthdays, addresses of the clients, as well as encrypted social security numbers, passport details and driver’s license numbers of people who used or intended to use the T-Mobile service in the period from September 01, 2013 to September 16, 2015. This sensational event demonstrated the basic lesson of cyber security – each and everyone should take care of data security. Hackers are crafty, and if they can’t find a gap in the system of one company, then they’ll find it in a partner’s company and will get all the information they need. Thus, everyone should think whether their data is in reliable hands, whether they don’t let their partners down, and their partners don’t let them down. So, we cleared up that the main lesson of cybersecurity is that both partners are obliged to take care of the data protection, and keep information on resources carefully protected from compromise. For example, Experian’s mistake led to a chain of troubles for its innocent partner and its clients. It is still unknown how the hackers managed to gain access to the Experian servers, and moreover, to gain access to the T-Mobile encrypted files. But it is clear that the company did not fully take care of the security of confidential information, which should be stored under lock and key. In connection with the situation, it is our duty to remind you that one of the key elements of data protection is two-factor authentication of users via hardware tokens or special applications for smartphones, which generate one-time...
read moreHow to Make the Internet of Things Safe
In recent years, the Internet of Things has been developing rapidly. Today, not only computers and smartphones can access the network. Many kinds of home appliances, including refrigerators and washing machines, are also connected to the World Wide Web. The idea of such devices is certainly good: Internet connection allows you to manage them even at a considerable distance. It’s comfortable to use a smartphone on your way home to ‘order’ the microwave to warm up dinner for your arrival and coffee machine – to make a cup of refreshing beverage. But such innovations also have a downside. Every network communication attracts hackers with new viruses attempting to take over other people’s secrets. Is the modern Internet of Things safe? In the case of computers and smartphones, data protection is one of the main concerns of developers and device manufacturers. But the security of the Internet of Things is obviously not up to par. Here are some facts proving this: Not long ago, HP has conducted a research of ten home video surveillance systems from different manufacturers, and only one used two-factor authentication to gain access to the system! All these systems had other serious security breaches: from the absence of blocking after repeated incorrect password entering – to the possibility of watching streaming video from cameras without authentication. During this year’s experiment, a Jeep Cherokee was brought under control by a simple netbook while moving on the highway. The person who controlled the car remotely could turn the cooling on maximum and turn on the wipers, as well as change the radio wave. The attempts by a driver, who participated in the experiment, to cancel these orders manually were of no success. Later, during a test in the garage, the researchers distantly blocked jeep wheels. Had it happened on the track, it would lead to a serious accident and even death. Samsung TVs with Smart TV function are capable not only to collect data about the user’s behavior but also to send this information to the third person. An example that at first glance seems absurd. Trojan viruses written specifically for the coffee machine were detected. Just a few years ago, such stories existed only on the pages of science fiction novels. Nowadays, they have ceased to be the fruit of creative people’s imagination and moved to the subjects of news feeds. Do manufacturers of “smart” things know about the serious problems with data protection in their devices? Of course, they do! But at the current stage of Internet of Things development manufacturers give preference to the introduction of new functions and to the speed with which the items are brought to the market. Thus, they don’t care about security, which requires a large investment and does not bring quick profit. Customers also rarely think about the dangers lurking in the Internet of Things and often do not even use the available protection means. The temptation to seize new opportunities prevails over the caution. How to protect the Internet of Things against hacking In reality, the IoT (Internet of Things) security doesn’t need much to cover most of the ‘holes’. It needs only reliable means of user authentication. A simple 2-factor authentication will not allow an unauthorized person to get access to the remote control of cars, cameras,...
read moreBiometric Authentication Pros and Cons
If someone steals your password, you can change it. But if someone steals your thumbprint, you can’t get a new thumb. The failure modes are very different. – Bruce Schneier The popularity and availability of information technologies are constantly increasing. And at the same time increases the number of threats associated with their use. The main one is the danger of critical information leakage – both personal and corporate. Thus, today data protection is the most important area of computer security experts’ work. The first and foremost method to prevent unauthorized access to any confidential information is to keep a wary eye on the legitimacy of users who have an access to it. The modern level of technology development allows solving this problem quite efficiently. More and more often different companies introduce two-factor authentication. In 2FA entering the login and password is just the first step. The additional step of authentication is the use of the one-time password. But to put an insurmountable barrier for hackers, we need one more obligatory component: the users’ desire to apply the experts’ achievements and to follow their recommendations. Yet, modern users want authentication to be not only reliable but also easy. That is why they not always activate 2FA on their accounts. Biometric authentication has become one of these easy ‘magic’ tools, which can make 2-factor authentication more popular. It seems what could be easier and more reliable? Each person has unique fingerprints, voice, facial features. They are always with us, we cannot lose them. And modern gadgets are advanced enough to read and analyze these identifiers. Not only ordinary people but also serious organizations fall for biometric magic. British banks have introduced biometric fingerprints for customer’s login. This technology has long been used to unlock the Apple’s smartphones. Now, this feature is being introduced into new Android smartphones models. Master Card is working hard to introduce selfies as the authentication method. Among other popular biometric authentication methods are the retina or iris scanning, authentication by a finger or palm venous patterns, by voice, pulse or even selfie. Is it convenient? Yes. Is it reliable? Well, this needs further investigation. What dangers can we meet using biometric authentication? Imperfect equipment. Since any biometric parameters are usually checked with average smartphones, which differ in quality, there is a probability of false negative result. For example, the system may consider the fingerprint suspicious because of a simple cut on a finger. Thus, it may refuse to recognize the authenticity of the owner of the account. In the case when the system uses multifactor authentication, and biometric data is just one of its components, the identification can be realized by an OTP (one-time password). But when biometric authentication is used as the second factor of 2FA (two-factor authentication) there is no possibility of one-time password check. The user will never be able to sign in because of this false alarm. Not only law-abiding citizens use the fruits of technical progress. Attackers quickly become aware of the latest technological innovations. For example, several years ago there was a program that allowed you to add to a video a virtual replica of the person’s photo in real time. Today hackers can use such program to cheat the face scanner. They can show the dynamic moving video clone...
read moreTwo-Factor Authentication 2015: Opportunities and Prospects
Modern technologies have brought a lot of conveniences and opportunities into our lives, but also sharply reduced the chances of complete privacy. Photos that are not intended for prying eyes, credit card numbers, passwords for accounts in social networks and e-mail services, business documents stored in cloud services, the hand of a hacker is able to reach all this with little to no effort. Traditionally one of the most vulnerable aspects of computer security is strong authentication. Therefore, multifactor authentication methods are constantly being improved and developed. The usual two-factor authentication, when temporary passwords are delivered by a text message, is far from being the only option. Let’s see what means of security authentication exist nowadays and what means are being developed? 1. Applications for smartphones. According to recent studies, smartphones are used by about 50% of inhabitants of the Earth. If we take into account only the developed countries, where the problem of data protection is most acute, the numbers are even more impressive. That is why applications that can turn the smartphones of the users into an OTP token are increasingly distributed. In ‘Google Play’ and ‘App Store’ you can download Protectimus‘ mobile authentication application for Android and iOS smartphones and for Android Smart Watch. The Protectimus SMART application allows you: to select OTP (one-time password) generation algorithm, (HOTP, TOTP, OCRA); to set the length of the 2 step verification code (6 or 8 characters); to use the data signing function (CWYS), which protects from banking trojans and data modification; to create multiple tokens on a single device. The system of data protection with the help of a software application, however, has one drawback. If the signing in the account takes place from another device (PC, laptop), the software token properly fulfills its functions. But if you go to a site with the same device on which the mobile authentication app is installed, the effectiveness of the protection will be reduced. 2. Hardware tokens. Hardware OTP tokens can provide a higher level of information security. These devices operate autonomously; they don’t require an internet connection. In addition, one-time password token can be protected by a PIN-code to avoid unauthorized use in the case of loss or theft. Hardware tokens may look different, but they are always quite compact and small in size. For example, the ‘Protectimus Slim’ has a stylish design in the form of a credit card and TOTP token ‘Protectimus One’ is designed as a convenient key fob that can be worn together with the keys. The ‘Protectimus Ultra’ token stands out for its reliability. Its main feature is that the secret key is generated only during the activation of the token, which means that even the developers of the OTP token don’t know the secret key in advance. ‘Protectimus Ultra’ uses the OCRA algorithm (OATH Challenge-Response Algorithm), which is currently the most reliable one-time passwords generation algorithm. 3. Biometric methods. The previously described two-factor authentication methods are based on the one-time passwords generation while biometric techniques use different biometric parameters of the person instead of OTP passwords. Identification happens by the unique, peculiar to the only person’s individual parameters: voice, fingerprints, retina, or even selfie can act as identifiers. However, such ‘tools’, although very attractive in terms of ease of use, are not as...
read moreOne-Time Passwords: Generation Algorithms and Overview of the Main Types of Tokens
The use of one-time passwords Amid the constantly growing online business segment, data protection has to be particularly reliable. If you still can ‘survive’ the hacking of your personal page on social networks (though it’s extremely unpleasant too), the loss of business information can lead not only to the loss of reputation and income but even to the closure of the company. One of the most defenseless points in the information security is the reliable user authentication of everyone attempting to access his or her account on a particular website. Common reusable passwords are well known to everyone and are pretty useless at the present level of hacker threats. They are unable to withstand the pressure of attackers, equipped with such ‘tools’ as keyloggers, interception of the data, and methods of social engineering. Much higher level of protection can be provided by using one-time passwords. How one-time passwords are generated The most convenient and secure one-time passwords generation tool at the present moment is a token. It can be either a software token – an application for a tablet or Android/iOS smartphone or hardware token in the form of USB flash drive, trinket or credit card. For extra protection, each token can function along with the PIN-code, which should be used while entering the one-time password. One-time passwords are usually generated by using one of three algorithms: HOTP – HMAC-based one-time password algorithm. Server and OTP token keep count the number of authentication procedures performed by the user, and then generate the password, using this number in the calculations. The mismatch in the calculations between the server and the token may cause a problem. Such situation is possible, for example, if the user repeatedly presses the button for generation of an OTP password and doesn’t use the password later. TOTP – time-based one-time password algorithm. In this case, the password is created taking into account the internal clock of the token. TOTP is convenient, because the time of OTP password’s functioning is limited, which means it can’t be created in advance or used after the expiration term. OCRA – OATH challenge-response algorithm. This is a very reliable algorithm, assuming, however, a bit more steps than the previous ones. The mutual authentication of the user and the server occurs during its work. Unlike other algorithms, it uses a random number issued by the server as an input. It is worth mentioning that if you use the TOTP and OCRA algorithms, sort term passwords are produced, which significantly complicates the process of hacking. The tokens provided by Protectimus use all three algorithms. Protectimus ONE and Protectimus Slim tokens generate passwords according to TOTP algorithm, but particularly reliable Protectimus ULTRA tokens create the most secure OTP algorithm by using OCRA. Threats and risks of using one-time passwords No matter how reliable is the two-factor authentication with the one-time passwords, there are some dangers, which can be avoided, if you take care of the precautions. Interception of the OTP password. In this situation, which is often called ‘a man in the middle attack’, a hacker intercepts the authorized password and authorizes in the system. To avoid this, you can use 2FA with data signing function (CWYS), available in Protectimus SMART token. It allows considering not only the password, but also some other parameters...
read moreTwo-Factor Authentication with Background Noise: Is It Safe or Not
The term two-factor authentication is known for the majority of active users of the Internet. It is available on a variety of well-established websites conducting the work with the data of users: in social networks, email services, online banking. But unfortunately, not all the users use the benefits of this type of authentication. The most frequently this occurs because of some inconvenience with the standard 2FA procedure. The main reason for the inconvenience is that for getting a one-time password a user has to receive an SMS on his phone or to generate it with the help of software or hardware token. If you are using SMS authentication it is required: to have the phone by your side; to gave a stable signal of mobile connection (which is available not always and not everywhere); some efforts from the user: to unlock the phone, to read the message, to enter the received OTP code in the browser and to send the confirmation form. If you are using tokens, there are a number of other inconveniences: to get the token you must go to the bank; you always need to have the device with you; the PIN-code of the token should be kept in mind (or written down in a safe place); you have to make sure that the token will not be lost. As the practice shows, not everyone is ready for such sacrifices – even for their own safety. Therefore, software developers and experts on data protection are constantly improving the means of authentication, in every way trying to make the process easier for the owners of the accounts. For example, biometric authentication methods (retinal scans, fingerprints, selfie authentication) are actively developed. And not so long ago a team in Zurich, working in the ETH, invented a new way in which the two-factor authentication is performed automatically and does not require any effort, except the installation of a single application on a smartphone. This technology is called ‘Sound-Proof’, and it is based on the recording and further comparison of background noise at the location of the user. How the protection of data by this method is implemented? When there is an attempt to enter the site that supports the ‘Sound-Proof’ method, the application installed on the phone is recording the background noise for three seconds at the place where the user is located. At the same time, the computer microphone is also recording the noise. Then the recordings are being matched on the server. If the background noises are the same, this means that both devices (the computer and the smartphone) are in one place, and data protection system allows entry into account. To navigate the system it is not necessary to install any software on the computer, you just must have the application on your phone or tablet and permit your browser to use the microphone. That means that you can carry out authorization from someone else’s laptop or computer (for example, in a cafe). Even the phone itself does not need to be taken with you: the app works independently in the background. However, the smartphone or tablet should be connected to the network by the Wi-Fi or mobile internet. Judging by the number of users, the efforts spent for the authentication process (or rather,...
read more