Blog Feed
One-Time Passwords: Generation Algorithms and Overview of the Main Types of Tokens
The use of one-time passwords

Amid the constantly growing online business segment, data protection has to be particularly reliable. You can still 'survive' the hacking of your personal page on a social network (though it is extremely unpleasant too), but the loss of business information can lead not only to the loss of reputation and income but even to the closure of the company. One of the most defenseless points in information security is the reliable authentication of every user attempting to access his or her account on a particular website. Common reusable passwords are well known to everyone and are pretty useless at the present level of hacker threats. They are unable to withstand attackers equipped with such 'tools' as keyloggers, data interception, and social engineering. A much higher level of protection can be provided by using one-time passwords.

How one-time passwords are generated

The most convenient and secure one-time password generation tool at the present moment is a token. It can be either a software token (an application for a tablet or an Android/iOS smartphone) or a hardware token in the form of a USB flash drive, a key fob or a credit card. For extra protection, each token can work together with a PIN code, which has to be entered along with the one-time password.

One-time passwords are usually generated by one of three algorithms:

HOTP – HMAC-based one-time password algorithm. The server and the OTP token each keep a count of the number of authentications the user has performed, and generate the password using this counter in the calculation. If the two counters get out of sync, the server and the token calculate different passwords, which may cause a problem. Such a situation is possible, for example, if the user repeatedly presses the button to generate an OTP and then does not use the passwords.

TOTP – time-based one-time password algorithm. In this case the password is derived from the token's internal clock. TOTP is convenient because the lifetime of an OTP is limited, which means it cannot be created in advance or used after it expires.

OCRA – OATH challenge-response algorithm. This is a very reliable algorithm, although it involves a few more steps than the previous ones. Mutual authentication of the user and the server takes place during its operation. Unlike the other algorithms, it uses a random number (the challenge) issued by the server as an input.

It is worth mentioning that the TOTP and OCRA algorithms produce short-lived passwords, which significantly complicates hacking. The tokens provided by Protectimus use all three algorithms. Protectimus ONE and Protectimus Slim tokens generate passwords according to the TOTP algorithm, while the particularly reliable Protectimus ULTRA tokens create the most secure OTPs by using OCRA.

Threats and risks of using one-time passwords

No matter how reliable two-factor authentication with one-time passwords is, there are some dangers, which can be avoided if you take precautions. Interception of the OTP. In this situation, often called a 'man-in-the-middle attack', a hacker intercepts the authorized password and logs into the system with it. To avoid this, you can use 2FA with the data signing function (CWYS), available in the Protectimus SMART token. It allows taking into account not only the password but also some other parameters...
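As an added illustration (not code from the original post or from Protectimus), the following Python implements the HOTP and TOTP algorithms described above as standardized in RFC 4226 and RFC 6238, shows the server-side look-ahead window that handles the counter mismatch the text warns about, and shows how binding the transaction details into the OTP input (the CWYS idea mentioned here and in the out-of-band and CoreBot posts below) makes a stolen code useless for any other transaction. The transaction-binding construction, the field names and the sample transaction are assumptions for illustration, not the Protectimus or OATH OCRA format.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); a real
# token's seed is random and shared only between the token and the server.
TEST_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3: take 4 bytes at the
    offset given by the low nibble of the last MAC byte, clear the sign bit
    and keep `digits` decimal digits (zero-padded)."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the time step,
    so a code is only valid during its 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 5):
    """Server-side HOTP check. The token's counter may run ahead of the
    server's (the user pressed the button without logging in), so the server
    tries a small look-ahead window. Returns the next counter to store on
    success (so a code can never be replayed) or None on failure."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(candidate)), candidate):
            return c + 1
    return None


def canonical_transaction(tx: dict) -> bytes:
    """Deterministic encoding of the data the user confirms on screen
    (amount, currency, recipient ...). Both sides must build it identically."""
    return "|".join(f"{k}={tx[k]}" for k in sorted(tx)).encode()


def signed_otp(secret: bytes, unix_time: int, tx: dict,
               step: int = 30, digits: int = 6) -> str:
    """Transaction-bound OTP illustrating the CWYS idea (assumed construction,
    not the Protectimus or OATH OCRA format): the time step AND the transaction
    fields go into the HMAC, so the code verifies only for those exact fields.
    A code stolen for one transfer is useless for a modified one."""
    msg = struct.pack(">Q", unix_time // step) + canonical_transaction(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_signed_otp(secret: bytes, unix_time: int, tx: dict, candidate: str,
                      step: int = 30, drift: int = 1) -> bool:
    """Accept the code for the current time step plus/minus `drift` steps,
    always recomputed over the transaction the server is about to execute."""
    for d in range(-drift, drift + 1):
        expected = signed_otp(secret, unix_time + d * step, tx, step, len(candidate))
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    # Constructed sample transaction; an attacker who alters the amount
    # (Automated Transfer System style) invalidates the user's code.
    tx = {"amount": "100.00", "currency": "EUR", "to": "DE00-CONSTRUCTED-IBAN"}
    code = signed_otp(TEST_SECRET, 1234567890, tx)
    tampered = dict(tx, amount="9999.00")
    print("genuine  :", verify_signed_otp(TEST_SECRET, 1234567890, tx, code))
    print("tampered :", verify_signed_otp(TEST_SECRET, 1234567890, tampered, code))
```

The HOTP and TOTP values can be checked against the test vectors in the appendices of RFC 4226 and RFC 6238.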
Two-Factor Authentication with Background Noise: Is It Safe or Not

The term two-factor authentication is known to the majority of active Internet users. It is available on a variety of well-established websites that work with user data: social networks, email services, online banking. Unfortunately, not all users take advantage of this type of authentication. Most often this is because of some inconvenience of the standard 2FA procedure. The main reason for the inconvenience is that to obtain a one-time password a user has to receive an SMS on his phone or generate it with the help of a software or hardware token.

If you are using SMS authentication, you need: to have the phone by your side; to have a stable mobile signal (which is not available always and everywhere); some effort from the user: unlock the phone, read the message, enter the received OTP code in the browser and submit the confirmation form.

If you are using tokens, there are a number of other inconveniences: to get the token you must go to the bank; you always need to have the device with you; the PIN code of the token has to be kept in mind (or written down in a safe place); you have to make sure the token is not lost.

As practice shows, not everyone is ready for such sacrifices, even for their own safety. Therefore, software developers and data protection experts are constantly improving the means of authentication, trying in every way to make the process easier for account owners. For example, biometric authentication methods (retinal scans, fingerprints, selfie authentication) are being actively developed. And not so long ago a team at ETH Zurich invented a new way in which two-factor authentication is performed automatically and requires no effort except installing a single application on a smartphone.

This technology is called 'Sound-Proof', and it is based on recording and comparing the background noise at the user's location. How is data protection implemented with this method? When there is an attempt to log in to a site that supports the 'Sound-Proof' method, the application installed on the phone records three seconds of background noise at the place where the user is located. At the same time, the computer's microphone also records the noise. The recordings are then compared on the server. If the background noises match, this means that both devices (the computer and the smartphone) are in the same place, and the data protection system allows entry into the account.

To use the system it is not necessary to install any software on the computer; you only need to have the application on your phone or tablet and allow your browser to use the microphone. That means you can log in from someone else's laptop or computer (for example, in a cafe). The phone itself does not even need to be picked up: the app works independently in the background. However, the smartphone or tablet must be connected to the network via Wi-Fi or mobile Internet. Judging by the number of users, the effort spent on the authentication process (or rather,...
Out-of-Band Authentication

Out-of-band authentication (OOB) is one of the most popular types of two-factor authentication in the financial sector. It presupposes sending the one-time password to the user via a communication channel other than the main one used for transactions on the Internet. Most often, during OOB authentication, the OTP (One-Time Password) is sent to clients as a text message via SMS or by email, so the company does not have to spend money on tokens or require users to install additional software on their smartphones. It must be noted that the Protectimus company is also developing a new technology for out-of-band authentication: two-factor authentication with push messages. This method is much cheaper than SMS authentication.

Out-of-band authentication is widely used in financial and banking institutions and other organizations with high security requirements for transactions. This type of protection significantly complicates hacking, since for a successful theft of money or data a hacker has to compromise two separate, independent channels. This method of protection from unauthorized access is quite widespread and easy to use, but its security is in great doubt because there is always the threat of a man-in-the-middle attack.

Man-in-the-middle attack

According to surveys of financial institution staff, the man-in-the-middle attack is the most serious threat to online banking, e-business and payment gateways. Zeus, Sinowal, Carberp, and Clampi are the most widespread malicious programs used for this type of attack. A man-in-the-middle attack involves compromising an intermediary link: penetrating the data transfer protocol, intercepting and substituting the correspondents' messages, deleting or falsifying data while both sides are sure of the legitimacy of the operations.

Scenarios of such an attack vary: changing the connection parameters between the client and the server, intercepting and substituting the public key exchange between the client and the server, using SQL injection to hijack an authorized session, data modification, Automated Transfer Systems, malware such as banking trojans. But they are all aimed at gaining access to the customer's account and conducting financial fraud behind his back.

To protect transactions from some of these attacks, such as data modification and Automated Transfer Systems, the best solution is the transaction data signing function called CWYS (Confirm What You See). In tokens that support this function, the one-time password is generated not only from the secret key and the time / event / challenge-response parameter (depending on the algorithm) but also from additional information: the currency, the recipient, the amount of the transfer, etc. Thus an attacker cannot use a one-time password generated for one particular transaction to initiate another transaction. This feature is supported in such tokens as Protectimus SMS, Protectimus Mail, and Protectimus Smart.

It is worth noting that the weak link in out-of-band authentication is the use of smartphones for making online payments. By making a payment with the same phone that receives the message with the OTP, the user literally 'puts all his eggs in one basket'. Two-factor authentication in this case has no effect, because if a virus is already on your phone and the attacker who has penetrated this smartphone conducts an illegal operation, nothing will prevent him from intercepting the one-time password...
Microsoft Patents Hard-to-Mimic Gesture-Based Authentication

It is hard to imagine the modern rhythm of everyday life without the gadgets we are so accustomed to. The first computer could perform only a limited number of functions. It was about 17 meters long and more than 2.5 meters high, weighed 4.5 tons and covered an area of several dozen square meters. Half a century later, multifunctional gadgets have become a thousand times smaller and instantly perform tasks that the original creators of computers could not even imagine possible. Twenty years ago, mobile phones appeared on store shelves for the first time, and now this gadget has become an inseparable part of everyday life. Recently, the era of smartphones began and turned mobile phones into so-called mini-computers, which make it possible to open the car, unlock doors and carry out contactless payments without any additional devices.

Smartphone – a gadget that replaced computers

For example, MTS 965 branded smartphones authorized by MasterCard for NFC payments give their owners the opportunity to pay by simply holding the phone to a payment terminal that supports the MasterCard PayPass wireless payment technology. A PIN code is required only for expensive purchases. Modern technologies allow the use of smartphones for such important tasks as two-factor authentication, turning them into full-fledged tokens. A striking example is the free Protectimus SMART smartphone app, available for iOS and Android, which was created to protect accounts on Internet websites. The app makes it possible to select the generation algorithm, to create multiple OTP tokens on one device, and supports the data signing function CWYS (Confirm What You See), which protects payments from the latest hacker attacks such as replacement, Automated Transfer Systems and data modification.

However, while all efforts were thrown into the chase for technological progress, little attention has been paid to the critical issue of protecting universal mobile devices from unauthorized access. But if you do not take care to protect your smartphone from unauthorized access, you can lose a lot: from the money in your bank account to personal photographs and correspondence.

Authentication through finger gestures

In August 2015, Microsoft patented a new system for authentication on electronic gadgets with touch screens through gestures of four fingers (all except the thumb), in other words, gesture-based authentication. To be more precise, users would be authorized with the help of a secret gesture stored in the device's memory. While the gesture is made, the system measures a number of different factors: the duration of touching the screen, the pressing force, the size of the contact area with the display, the length and arrangement of the fingers, the angles between them, and other biometric data of the person. During re-authorization, the system compares the measurements with the user's stored unique digital pattern of the gesture and allows or denies access to the device. Microsoft claims that this technology can be used for any device, such as a mobile phone, a TV with a touch screen, etc. This authentication system can prove itself a reliable armor for touchscreen phones, and bundled with the Protectimus SMART smartphone app it can minimize the risk of compromising your device, protect personal information and restrict access to your...
Information Security – the Aspect You Should Not Save On

Not so much time has passed since the meaning of the word "computer" was familiar only to employees of certain research laboratories, and information security was a concern of the special services. But those days are gone. Information technologies have drastically changed our lives. Using a computer, we rest, make friends, work, and shop. Very often the price of the convenience of doing so many things without getting up from a favorite chair is a number of our secrets, which are available to anyone who wants to know them. Our credit card numbers, place of residence, friends and loved ones, jobs, hobbies: all this information is available on the web.

Of course, you can simply not enter part of this information and thus protect it from prying eyes. But without the other part, which includes email addresses, card numbers and passwords, we cannot even log in to many sites, let alone buy or sell things. Companies operating online are in an even more complicated situation: they have to keep lists of employees and partners and other official documents on servers that can be easily hacked. Without such information the company is unable to operate properly. That is why information security has become a more important question now than ever before, and data protection experts are among the most important employees of any modern company, along with accountants, web developers, and commercial directors. The famous idiom 'forewarned is forearmed' applies to the field of data protection. As the threat of data loss can affect anyone, it is worth getting familiar with the risks and how they can be minimized.

Information security threats

In short, information security threats are divided into four main groups:

Violation of integrity – corruption of information. The simplest example: a virus that has penetrated the computer deletes or alters important system files, which disrupts or completely stops the operating system.

Violation of authenticity – some experts combine this group with the previous one, while others consider it a separate kind of threat (and rightly so). When a user tries to enter the desired site but lands on a phishing one, there is a clear violation of the information's authenticity.

Violation of accessibility – this generally relates to failure and damage of the equipment used for information exchange. Not so long ago the whole online community was worried by a temporary Skype outage. Although it did not last long, it caused a lot of unrest.

Breach of confidentiality – the case when data becomes available to those who should not see it at all. The publication of celebrities' personal photos is a good example.

How information security can be compromised

There are three main sources through which information security can be violated:

Targeted attacks from the outside – the machinations of the notorious hackers.

Equipment failure (in some cases also as a result of external attacks, for example a DDoS attack).

The human factor – negligence or deliberate damage caused by the staff itself.

Based on these sources of threat, an information security system is built to address these groups of risk.

How to provide reliable information security

While...
Automotive Security Review Board Is Launched – First Steps to Protect the Car from Breaking Down

What seems perfectly thought out and reliable often presents us with the most unexpected surprises. Such a sad discovery befell the creators of the 2014 Jeep Cherokee in July 2015, when the Internet was stirred up by the news that two professional hackers, Chris Valasek and Charlie Miller, had managed to gain remote access to the onboard computer of the seemingly "perfect" car and take control of its core systems. During the experiment, "the victim of the hacker attack" was Andrew Greenberg, who had been warned about what was going to happen but nevertheless experienced obvious discomfort and panic. The most vulnerable component turned out to be the Uconnect system. This system controls a network of interactive features of the on-board computer that are not covered by the data protection system. Therefore, in the case of a hacker attack, the attacker potentially has the advantage over the driver in controlling the vehicle, which could, and most likely would, result in tragic consequences for the driver. To avoid such consequences, the Chrysler brand was forced to recall 1.4 million cars, which caused enormous financial damage to the enterprise.

This event disturbed the public because most drivers prefer modern cars with interactive control systems, which, as it turns out, can pose a great danger to them. Cars are equipped with hundreds of control units, which are vulnerable to errors or may be infected by malicious software, which is why in the case of failure of the main control unit human lives are at stake.

Intel Company – "Benefactor" in the Struggle for the Safety of Motor Vehicles

Intel promptly responded to the shocking news by creating a supervisory Automotive Security Review Board. According to the latest reports, the members of the Automotive Security Review Board will be the best experts in the field of data protection and cyber-physical systems. Intel will provide them with innovative platforms for research in the field of cyber-security and the development of advanced systems for better protection of vehicles from new hacker attacks. The most successful developers will receive a valuable reward for their contributions: a car or its value in money.

Today the problem of passenger transport is particularly acute, and its safety largely depends on the use of reliable two-factor authentication systems for drivers, combining the factor of possession (the key) and the factor of knowledge. As the secret "factor", a one-time password generated by a hardware token or by a special mobile application created for a specific car manufacturer could be used. For better protection, a username and password should also be entered when opening the application. In this case, it is impossible to gain access to the car's systems with the key alone, as the main condition for authorizing the driver is the one-time password requested by the onboard computer. Launching two-step authentication would be the optimal solution to the security problem of cars because, according to experts' estimates, by 2020 the number of cars with advanced network capabilities will grow to 150 million, the compromise of which we cannot...
Virus CoreBot Turned into a Dangerous Banking Trojan

In late August, a new Trojan virus, CoreBot, was discovered by IBM specialists. At first, it did not look particularly dangerous: its capabilities were limited to stealing local passwords and personal data of users from various browser and desktop applications. However, experts were seriously concerned about the modular structure of the new threat, which promised great potential for its development. And they were right. In the first ten days of September CoreBot turned into a full-fledged banking Trojan.

What makes the new Trojan virus CoreBot so dangerous?

The group of banking Trojans, to which CoreBot can now be attributed, is dangerous primarily because of its ability to circumvent not only the protection of anti-virus programs but also the standard types of two-factor authentication. The most famous Trojan viruses, such as Zeus and SpyEye, belong to the category called "Automated Transfer Systems". These malicious programs not only steal passwords and payment card numbers but also transfer funds from the client's account to a fake account by wedging themselves between the user and the site he is visiting. Such viruses keep track of the addresses visited from the infected computer. When the user logs in to a service from the Trojan's list, the function for intercepting the login and password is activated at once. After that, the Trojan shows the user a fake (phishing) page which, on behalf of the bank, asks for some additional information, as a rule a one-time password. When the unsuspecting victim complies, the "Automated Transfer System" contacts the bank under the guise of the user and transfers the funds from the customer's account to a fake account.

How to protect yourself from banking Trojans?

In order not to become a victim of hackers, you should first and foremost be careful and not download a Trojan virus onto your computer or phone. The easiest way is to observe the most basic "hygiene" of Internet surfing: do not click on suspicious links, refrain from downloading and installing illegal copies of software on your computer, and update your antivirus in time. Although many of these simple rules seem naive, following them can nevertheless significantly reduce the risk.

If there is no firm assurance that your computer is not infected by a Trojan, and you do not know how to remove a Trojan virus, then the same two-factor authentication can rescue you. More precisely, one of its newest features: CWYS (Confirm What You See), which is implemented and maintained in the products of the Protectimus company. When this function is enabled, the one-time password is generated using the key transaction data, such as the amount of the transfer, the currency used, the addressee, etc. Even if the one-time password is stolen by hackers, the system will not accept it for anything else: an attacker can use it only to sign the original transaction. If the transaction data are changed, the OTP would have to be regenerated over the changed data, which is impossible for the attacker. No matter how ingenious the creators of viruses are, all their tricks usually receive an adequate and quick response. Security technologies, including two-factor authentication, are becoming more reliable and convenient for...
The Most Popular Passwords of Ashley Madison Users – Overused, Predictable and Unreliable

Ashley Madison is a popular Canadian resource for users who do not mind stepping out of the role of a faithful spouse and having some fun on the side. The basis for the creation of Ashley Madison was the idea of a dating site for the purpose of adultery, which is evident from the motto on its main page: "Life is short. Have an affair". August 19, 2015 was a "fateful day" for many users of the site, as well as for their spouses, as a group of hackers, "The Impact Team", successfully compromised 11.7 million user passwords and posted on the Internet the data of 36 million people who had used the services of Ashley Madison.

The list of popular Ashley Madison passwords

The hacker team CynoSure Prime analyzed the leaked data for the most popular Ashley Madison passwords and found that more than 15 million of them had been hashed with the MD5 algorithm, which makes brute force much easier. The published statistics show that among 11,716,208 users of the site only 4,867,246 people used a unique password to protect their data, while the remaining users did not worry about the security of their confidential information and used standard, overused passwords. Moreover, in 630,000 cases the password and the username were exactly the same. Most passwords were extremely simple: mostly lowercase letters, sometimes with numbers. The brute-force attack probably started from the list of most common passwords, following the list created in 2005, "500 worst passwords of all time". And it paid off. The ten most popular passwords of the Ashley Madison cheaters in 2015 are all in the top twenty of the easiest passwords in the world.

Below is the list of the most frequently used passwords according to the hackers of Ashley Madison:

123456
12345
password
DEFAULT
123456789
qwerty
12345678
abc123
pussy
1234567

As we can see, most of the passwords people use are too simple and predictable, but due to laziness, lack of wit, or the inability to remember complex combinations, people continue using them. Thus, users keep making the same mistakes, which at the most inappropriate moments bring a lot of unexpected trouble; it is painful and it hurts in the most vulnerable places. In the case of the Ashley Madison users, it can even destroy families.

Two-factor authentication – a way out of the predictability of the most commonly used passwords and the ideal solution for data protection

Experts believe that the hacking of Ashley Madison succeeded because of the carelessness of the developers of the resource, even though it is not known whose fault it was. But the result is obvious. Having started their work in 2001, the creators of the site used one-step authentication, which means using only a username and password. One-factor authentication gave all the 'trumps' to the hackers, and they could easily compromise the accounts. This would not have happened if login to the site had been carried out by means of two-factor authentication, where after entering the login and password a one-time password is sent to the user's mobile phone, token, or email. This one-time password might be the deterrent that would protect adulterers' profiles from being compromised, and keep their unaware wives and husbands from...
Two-Factor Authentication in the PCI DSS Standard

For modern people the use of payment cards has long been commonplace. But we do not always think about how extensive and complex the work done by the companies providing such services is, or how many diverse requirements they have complied with in order to give us the possibility of simply inserting the card into the slot of an ATM and getting our money, or booking a room on the Internet before a vacation trip. Meanwhile, getting the right to conduct transactions with payment cards is not the easiest task. In order to do this, the company must obtain a special PCI DSS certificate. The standard was designed by the PCI SSC (Payment Card Industry Security Standards Council), and it is obligatory for any company that wants to be considered a serious player in the market. Reputable organizations and banks flatly refuse to cooperate with a company that does not comply with the PCI DSS requirements, because it means that the company's leadership does not properly care about data protection and thus jeopardizes the safety and reputation of its partners and customers.

What is the PCI DSS standard?

This document consists of twelve sections, each of which covers a specific requirement for protecting information about card users. Among them there are rules for: the development, use and support of the payment system structure; the creation of a database of legal documents accompanying these systems; providing adequate information security management, etc. However, the most vulnerable places in terms of the safety of card transactions are the security of the network infrastructure and the protection of user information stored by the company. After all, in the 'client-server' area there is the greatest risk that transmitted data can be intercepted by fraudsters and used for their own selfish purposes. That is why it is not surprising that the PCI DSS requirements focus on such an issue as user authentication.

The system should be organized in such a way that, when a client requests any action, it is possible to determine that this is the real cardholder. The fact that a single password is not enough has not been a secret for a long time. Therefore, two-step authentication is used, which requires entering a specially created one-time code after the standard password. Typically, this code is sent by text message to the user's phone. But a more convenient and reliable way of solving the authentication problem is the use of a token: a special device or program that generates one-time passwords, which may be provided by different two-factor authentication providers. The Protectimus company is among them. This way of receiving the OTP eliminates the possibility of data interception over the telephone connection; at the same time, the password generation algorithms can be further improved (CWYS), which makes the attacker's task much more complicated. Tokens can be used conveniently on any device from which transactions with payment cards can be carried out.

Although adherence to the PCI DSS standards requires quite significant effort from the company, it will positively affect the company's reputation and credibility. After all, even long ago a deal with future partners was signed only after investigating each other based on the opinion of...
The Theft of The Century, or Why Do News Websites Need Two-Factor Authentication?

Why Is Two-Factor Authentication Necessary?

More and more companies are using two-factor authentication in their online operations. Sometimes it surprises or even annoys their users. They may think: why waste my precious time on entering additional characters? Isn't a password sufficient?

With the wide spread of advanced computer technologies, we have possibilities that our parents could only read about in science fiction novels. Thirty years ago, would anyone have believed that it would be possible to order (and receive) a plane ticket or a ticket to a Paul McCartney concert without getting up from your favorite chair? Or chat with a friend in Australia as if he were in the next room? Or read your favorite newspaper at breakfast without having to go out to buy it? However, every coin has a flip side. Along with incredible conveniences, the computer has brought with it an unpleasant vulnerability of our personal and business lives. When performing various transactions online, we have to provide and transfer confidential information: bank card numbers, passport details, and passwords. Quite often, hackers intercept this information and use it for their mercenary purposes.

Fortunately, there are ways to protect our data against intruders' attacks. One of the most reliable and convenient methods is two-factor authentication. When it is used, entering the password is not sufficient to log into the system or perform any actions in it. The user must also provide additional information: the code from a received SMS message or the number generated by special software. Two-factor authentication is the foundation for secure transactions in such business fields as online banking, online trading, and other routinely used services that require a high level of security for transmitted data. Nowadays, information is essentially equivalent to money. Possessing information allows making millions; failing to keep information secure leads to millions in losses. The level of data security is relatively high in online banking and online trading; however, the importance of reliable user authentication is still not fully appreciated in fields with no direct money circulation.

What Can Ignoring Two-Factor Authentication Result in?

In mid-August, a rather cautionary tale became public. US law enforcement agencies uncovered a group of cybercriminals that had been hacking corporate news channels which published restricted press releases containing information on mergers, acquisitions, and the financial status of various companies. The criminal group included current and former citizens of Russia and Ukraine, some of whom lived in the USA and some in Ukraine. The hackers penetrated the news channels of stock exchange agencies intended for restricted in-company use. The companies' employees' passwords were intercepted and used to obtain access to sensitive confidential information. This was possible because those companies did not use two-step authentication; the systems could be logged into with just a password. The hackers passed the illegally obtained information on to their accomplices in trading, who in turn used it to forecast stock prices and make transactions based on it. According to the US Department of Justice, based only on the cases where the charges against these cybercriminals were proven, over the five years of their "operations" they raked in 30 million dollars in profits. According to the assessment of US Securities and Exchange Commission experts, the total damage amounted to a much higher...