Blog Feed
Out-of-Band Authentication
Out-of-band authentication (OOB) is one of the most popular types of two-factor authentication in the financial sector. It involves sending the one-time password to the user over a communication channel other than the main one used for transactions on the Internet. Most often, during OOB authentication the OTP (One-Time Password) is sent to the client as a text message via SMS or by email, so the company does not have to spend money on tokens or require users to install additional software on their smartphones. It must be noted that Protectimus also develops a new technology for out-of-band authentication: two-factor authentication with push messages. This method is much cheaper than SMS authentication. Out-of-band authentication is widely used in financial and banking institutions and in other organizations with high security requirements for transactions. This type of protection significantly complicates an attack, since to steal money or data successfully a hacker has to compromise two separate, independent channels. This method of protection from unauthorized access is quite widespread and easy to use, but its security is in serious doubt, because there is always the threat of a man-in-the-middle attack.

Man-in-the-middle attack

According to surveys of financial institutions' staff, the man-in-the-middle attack is the most serious threat to online banking, e-business and payment gateways. Zeus, Sinowal, Carberp, and Clampi are the most widespread malicious programs used for this type of attack. A man-in-the-middle attack involves compromising an intermediary link: penetrating the data transfer protocol, intercepting and substituting the correspondents' messages, and deleting or falsifying data while both sides remain sure of the legitimacy of the operations.

Scenarios of such an attack vary: changing the connection parameters between the client and the server, intercepting and substituting the public key exchange between the client and the server, SQL injection to hijack an authorized session, data modification, Automated Transfer Systems, and malware such as banking trojans. All of them are aimed at gaining access to the customer's account and committing financial fraud behind his back. To protect transactions from some of these attacks, such as data modification and Automated Transfer Systems, the best solution is transaction data signing, a function called CWYS (Confirm What You See). In tokens that support this function, one-time password generation uses not only the secret key and the time / event / challenge-response parameter (depending on the algorithm) but also some additional information: the currency, the recipient, the amount of the transfer, etc. Thus an attacker cannot use a one-time password generated for one particular transaction to initiate another transaction. This feature is supported in the Protectimus SMS, Protectimus Mail, and Protectimus Smart tokens. It is worth noting that the weak link of out-of-band authentication is the use of smartphones for making online payments. By making a payment with the same phone that receives the message with the OTP, the user literally 'puts all his eggs in one basket'. Two-factor authentication has no effect in this case: if a virus is already on the phone and the attacker, having penetrated the smartphone, conducts an illegal operation, nothing will prevent him from intercepting the one-time password...
read more
Microsoft Patents Hard-to-Mimic Gesture-Based Authentication
It's hard to imagine the modern rhythm of everyday life without the gadgets we have grown so accustomed to. The first computer could perform only a limited number of functions. It was about 17 meters long and more than 2.5 meters high, weighed 4.5 tons and covered an area of several dozen square meters. Half a century later, multifunctional gadgets have become a thousand times smaller and instantly perform tasks that the original creators of computers could not even imagine. Twenty years ago, mobile phones appeared on store shelves for the first time, and now this gadget has become an inseparable part of everyday life. Recently the era of smartphones began and turned mobile phones into so-called mini-computers, which make it possible to open the car, unlock doors and make contactless payments without any additional devices.

Smartphone – a gadget that replaced computers

For example, branded smartphones such as the MTS 965, authorized by MasterCard for NFC payments, let their owners pay by simply holding the phone to a payment terminal that supports the MasterCard PayPass wireless payment technology. A PIN code is required only for expensive purchases. Modern technologies allow smartphones to be used for such important tasks as two-factor authentication, turning them into full-fledged tokens. A striking example is Protectimus SMART, a free smartphone app available for iOS and Android, created to protect accounts on Internet websites. The app makes it possible to select the OTP generation algorithm and to create multiple OTP tokens on one device, and it supports the CWYS (Confirm What You See) data signing function, which protects payments from the latest hacker attacks such as substitution, Automated Transfer Systems, and data modification.

However, while all forces have been thrown into the chase for technological progress, little attention is paid to the critical issue of protecting universal mobile devices from unauthorized access. But if you do not take care to protect your smartphone from unauthorized access, you can lose a lot: from the money in your bank account to personal photographs and correspondence.

Authentication through finger gestures

In August 2015, Microsoft patented a new system for authentication on electronic gadgets with touch screens through gestures of four fingers (all except the thumb), in other words, gesture-based authentication. To be more precise, users are authorized with the help of a secret gesture stored in the device's memory. While the gesture is made, the system records a number of different factors: the duration of touching the screen, the force of pressing, the size of the contact area with the display, the length and arrangement of the fingers, the angles between them, and other biometric data of the person. During re-authorization, the system compares the data with the user's stored unique digital pattern of the gesture and allows or denies access to the device. Microsoft claims that this technology can be used for any device, such as a mobile phone, a TV with a touch screen, etc. This authentication system can prove to be reliable armor for touchscreen phones and, bundled with the Protectimus SMART smartphone app, can minimize the risk of compromising your device, protect personal information and restrict access to your...
read more
Information Security – the Aspect You Should Not Save On
Not much time has passed since the word «computer» was familiar only to employees of certain research laboratories and information security was a concern only of the special services. But those days are gone. Information technologies have drastically changed our lives. Using a computer, we relax, make friends, work, and shop. Very often the cost of the convenience of doing so many things without getting up from a favorite chair is a number of our secrets, which become available to anyone who wants to know them. Our credit card numbers, place of residence, friends and loved ones, jobs, hobbies: all this information is available on the web. Of course, you can simply not enter part of this information and thus protect it from prying eyes. But without the other part, which includes email addresses, card numbers and passwords, we cannot even log in to many sites, let alone buy or sell things. Companies operating online are in an even more complicated situation: they have to keep lists of employees and partners and other official documents on servers that can be hacked. Without such information, the company is unable to operate properly. That is why information security has become a more important question now than ever before. Moreover, experts in data protection are the most important employees of any modern company, along with accountants, web developers, and commercial directors. The famous idiom 'forewarned is forearmed' applies to the field of data protection. As the threat of data loss can affect anyone, it is worth getting familiar with the risks and how they can be minimized.

Information security threats

In short, information security threats are divided into four main groups:

Violation of integrity: information corruption. The simplest example: a virus that has penetrated the computer deletes or alters important system files, which disrupts or completely stops the operating system.
Violation of authenticity: some experts combine this group with the previous one, and some consider it a separate kind of threat (and rightly so). When a user enters the address of the desired site but lands on a phishing one, there is a clear violation of the information's authenticity.
Violation of accessibility: this option generally relates to failure and damage of the equipment used for information exchange. Not so long ago the whole online public was concerned about a temporary Skype outage. Although it did not last long, it caused a lot of unrest.
Breach of confidentiality: this is the case when data becomes available to those who should not see it at all. The publication of stars' personal photos is a good example.

How information security can be compromised

There are three main sources through which information security can be violated:

Targeted attacks from the outside: the machinations of the notorious hackers.
Equipment failure (in some cases also as a result of external attacks, for example a DDoS attack).
The human factor: negligence or deliberate damage caused by the staff itself.

Based on these sources of threat, an information security system is built to address each group of risk.

How to provide reliable information security

While...
read more
Automotive Security Review Board Is Launched – First Steps to Protect the Car from Breaking Down
What seems perfectly thought out and reliable often presents us with the most unexpected surprises. Such a sad discovery befell the creators of the 2014 Jeep Cherokee in July 2015, when the Internet was stirred up by news that two professional hackers, Chris Valasek and Charlie Miller, had managed to gain remote access to the onboard computer of the seemingly “perfect” car and take control of its core systems. During the experiment, the “victim of the hacker attack” was Andrew Greenberg, who had been warned about what was going to happen but nevertheless felt obvious discomfort and panic. The most vulnerable component turned out to be the Uconnect system. This system controls a network of interactive features of the on-board computer that are not covered by any data protection system. Therefore, in the case of a hacker attack, the attacker potentially has an advantage over the driver in controlling the vehicle, which could and most likely would result in tragic consequences for the driver. To avoid such consequences, the Chrysler brand was forced to recall 1.4 million cars, which caused enormous financial damage to the enterprise. This event disturbed the public because most drivers prefer modern cars with an interactive control system, which, as it turns out, can be a great danger to them. Cars are equipped with hundreds of control units, which are vulnerable to errors or may be infected by malicious software, which is why in the case of a failure of the main control unit human lives are at stake.

Intel Company – “Benefactor” in the Struggle for the Safety of Motor Vehicles

Intel promptly responded to the shocking news by creating a supervisory Automotive Security Review Board. According to the latest reports, the members of the Automotive Security Review Board will be the best experts in the field of data protection and cyber-physical systems. Intel will provide them with innovative platforms for research in the field of cyber-security and for the development of advanced systems to better protect vehicles from new hacker attacks. The most successful developers will receive a valuable reward for their contributions: a car or its value in money. Today a particularly acute problem is that of passenger transport, the safety of which largely depends on the use of reliable two-factor authentication systems for drivers, combining a possession factor (the key) and a knowledge factor. The secret “factor” could be a one-time password generated by a hardware token or by a special mobile application created for a specific car manufacturer. For better protection, it would be better to require a username and password when entering the application. In this case, it is impossible to gain access to the car's systems with a key alone, as the main condition for authorizing the driver is a one-time password requested by the onboard computer. Launching two-step authentication would be the optimal solution to the security problem of cars because, according to experts' estimates, by 2020 the number of cars with advanced network capabilities will grow to 150 million, the compromise of which we cannot...
read more
Virus CoreBot Turned into a Dangerous Banking Trojan
In late August, a new Trojan, CoreBot, was discovered by IBM specialists. At first it did not look particularly dangerous: its capabilities were limited to stealing local passwords and users' personal data from various browser and desktop applications. However, experts were seriously concerned about the modular structure of the new threat, which promised great potential for its development. And they were right. In the first ten days of September, CoreBot turned into a full-fledged banking Trojan.

What makes the new Trojan virus CoreBot so dangerous?

The group of banking Trojans, to which CoreBot can now be attributed, is dangerous primarily because of its ability to circumvent not only the protection of anti-virus programs but also the standard types of two-factor authentication. The most famous Trojans, such as Zeus and SpyEye, belong to the category called “Automated Transfer Systems”. These malicious programs not only steal passwords and payment card numbers but also transfer funds from the client's account to a fake account by wedging themselves between the user and the site he is visiting. Such viruses keep track of the addresses visited from the infected computer. When the user logs in to a service from the Trojan's list, the function for intercepting the login and password is activated at once. After that, the Trojan shows the user a fake (phishing) page which, on behalf of the bank, asks for some additional information, as a rule a one-time password. When the unsuspecting victim complies, the “Automated Transfer System” contacts the bank under the guise of the user and transfers the funds from the customer's account to a fake account.

How to protect yourself from banking Trojans?

In order not to become a victim of hackers, you should first and foremost be careful and not download a Trojan onto your computer or phone. The easiest way is to follow the most basic “hygiene” of Internet surfing: do not click on suspicious links, refrain from downloading and installing illegal copies of software on your computer, and update your antivirus in time. Although many of these simple rules seem naive, following them can significantly reduce the risk. If you have no firm assurance that your computer is not infected by a Trojan, and you do not know how to remove a Trojan, then the same two-factor authentication can come to the rescue. More precisely, one of its newest features: CWYS (Confirm What You See), which is implemented and maintained in the products of the Protectimus company. When this function is enabled, the one-time password is generated using the key transaction data, such as the amount of the transfer, the currency used, the addressee, etc. Even if the one-time password is stolen by hackers, the system will not accept it for a different transaction: an attacker can use it only to sign the original transaction. If the transaction data are changed, the data used during OTP generation would have to be replaced as well, which is impossible. No matter how ingenious the creators of viruses are, all their tricks usually receive an adequate and quick response. Security technologies, including two-factor authentication, are becoming more reliable and convenient for...
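To make the CWYS idea concrete, here is an added example that illustrates both this post and the earlier out-of-band authentication post. It is my own construction, not Protectimus's algorithm or code: a one-time password computed as an HMAC-SHA256 over an event counter plus the transaction fields the user sees, truncated the way RFC 4226 HOTP truncates its HMAC. The secret, the transaction values, the JSON canonical form and the resynchronisation window are assumptions for the demo; the point it shows is that an OTP captured by a man-in-the-browser is useless once the Trojan has changed the recipient.

```python
import hashlib
import hmac
import json
import struct
from typing import Optional

# Constructed demo values (not real keys or transactions).
SECRET = b"constructed-demo-secret-do-not-reuse"
LEGIT_TX = {"amount": "250.00", "currency": "EUR", "recipient": "ACME Supplies Ltd"}
# Same transfer as the Trojan would resubmit it, with only the recipient swapped.
TAMPERED_TX = {"amount": "250.00", "currency": "EUR", "recipient": "Mule Account 42"}


def canonical_tx(tx: dict) -> bytes:
    """Serialise the transaction fields the user sees into a fixed byte form.
    Token and server must agree on this exact encoding, otherwise a legitimate
    OTP would fail; sorted keys and no whitespace make it stable."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")


def cwys_otp(secret: bytes, counter: int, tx: dict, digits: int = 6) -> str:
    """HMAC-SHA256 over (event counter || transaction data), truncated to a
    6-digit code the way RFC 4226 HOTP truncates its HMAC. Because the
    transaction data is part of the MAC input, the code is valid only for
    exactly this amount / currency / recipient."""
    msg = struct.pack(">Q", counter) + canonical_tx(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def verify_cwys_otp(secret: bytes, last_counter: int, tx: dict, otp: str,
                    window: int = 3) -> Optional[int]:
    """Server side: accept the OTP only if it matches the transaction the
    server is about to execute, for one of the next `window` counter values
    (so a token that has skipped ahead can still resynchronise). Returns the
    counter that matched, or None when the OTP is not valid for this tx."""
    for counter in range(last_counter + 1, last_counter + 1 + window):
        expected = cwys_otp(secret, counter, tx)
        if hmac.compare_digest(expected, otp):   # constant-time comparison
            return counter
    return None


def demonstrate() -> dict:
    """The token signs the legitimate transfer; a man-in-the-browser swaps the
    recipient before the request reaches the bank; the stolen OTP is rejected,
    and so is a replay of the accepted OTP after the counter has advanced."""
    otp = cwys_otp(SECRET, counter=1, tx=LEGIT_TX)
    return {
        "otp": otp,
        "legit_accepted": verify_cwys_otp(SECRET, 0, LEGIT_TX, otp),
        "tampered_accepted": verify_cwys_otp(SECRET, 0, TAMPERED_TX, otp),
        "replay_accepted": verify_cwys_otp(SECRET, 1, LEGIT_TX, otp),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The design choice worth noting is that the server recomputes the OTP from the transaction it is actually about to execute, not from what the client claims was signed; that is what makes the data modification and Automated Transfer System scenarios fail even when the OTP itself leaks.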
read more
The Most Popular Passwords of Ashley Madison Users – Overused, Predictable and Unreliable
Ashley Madison is a popular Canadian resource for users who do not mind stepping off the line of a faithful spouse and having some fun on the side. The basis for the creation of Ashley Madison was the idea of a dating site for the purpose of adultery, which is evident from the motto on its main page: «Life is short. Have an affair». August 19, 2015 was a “fateful day” for many users of the site, as well as for their spouses, as a group of hackers called “The Impact Team” successfully compromised 11.7 million user passwords and posted on the Internet the data of the 36 million people who had used the services of Ashley Madison.

The list of popular Ashley Madison passwords

The hacker team CynoSure Prime analyzed the data on the most popular Ashley Madison passwords and found that more than 15 million of them had been hashed with the MD5 algorithm, which makes brute forcing much easier. The published statistics show that among 11,716,208 users of the site only 4,867,246 used a unique password to protect their data, while the remaining users did not worry about the security of their confidential information and used standard, overused passwords. Moreover, in 630,000 cases the password and the username were exactly the same. Most passwords were extremely simple: mostly lowercase letters, sometimes with numbers. Brute forcing probably started from the list of the most common passwords, following the 2005 list “500 worst passwords of all time”. And it paid off. The ten most popular passwords of 2015 among the Ashley Madison cheaters are all in the top twenty of the easiest passwords in the world.

Below is the list of the most frequently used passwords, according to the Ashley Madison hackers:

123456
12345
password
DEFAULT
123456789
qwerty
12345678
abc123
pussy
1234567

As we can see, most of the passwords people use are too simple and predictable, but due to laziness, lack of wit, or the inability to remember complex combinations, people continue to use them. Thus users keep making the same mistakes, which at the worst moments bring a lot of unexpected trouble; it is painful and it hurts in the most vulnerable places. In the Ashley Madison users' case, it can even destroy families.

Two-factor authentication – a way out of the predictability of commonly used passwords and the ideal solution for data protection

Experts believe that the hacking of Ashley Madison succeeded because of the carelessness of the resource's developers, even though it is not known whose fault it was. But the result is obvious. Having started their work in 2001, the creators of the site used one-step authentication, meaning only a username and password. One-factor authentication gave all the 'trumps' to the hackers, and they could easily compromise the accounts. This would not have happened if login to the site had been carried out by means of two-factor authentication, meaning that after entering the login and password a one-time password is sent to the user's mobile phone, token, or email. This one-time password might be the deterrent that would protect adulterers' profiles from being compromised, and keep their unaware wives and husbands from...
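As an added, defender-side example (my own code, not from the post and not Ashley Madison's system): a registration check that rejects the ten passwords listed above and the password-equals-username case the post counts 630,000 of, and stores passwords with a salted, slow PBKDF2-HMAC-SHA256 hash instead of a fast unsalted digest such as MD5. The 10-character minimum, the iteration count and the stored-record format are assumptions for the demo.

```python
import hashlib
import hmac
import os

# The ten most common Ashley Madison passwords quoted in the post above.
COMMON_PASSWORDS = {"123456", "12345", "password", "DEFAULT", "123456789",
                    "qwerty", "12345678", "abc123", "pussy", "1234567"}
_COMMON_LOWER = {p.lower() for p in COMMON_PASSWORDS}
MIN_LENGTH = 10            # assumed policy value


def password_problems(username: str, password: str) -> list:
    """Return the policy violations for a candidate password; an empty list
    means the password may be accepted. Checks are case-insensitive so that
    'Password' or 'QWERTY' do not slip past the common-password list."""
    problems = []
    if password.lower() in _COMMON_LOWER:
        problems.append("in common-password list")
    if password.lower() == username.lower():
        problems.append("equals username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The per-user random salt defeats precomputed
    tables, and the iteration count makes each guess cost roughly `iterations`
    hash computations instead of the single computation a bare MD5 costs.
    Stored record format (assumed): scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(username: str, password: str) -> dict:
    """Registration flow: reject weak passwords up front, otherwise return the
    record that would be stored (never the plaintext)."""
    problems = password_problems(username, password)
    if problems:
        return {"ok": False, "problems": problems}
    return {"ok": True, "stored": hash_password(password)}


if __name__ == "__main__":
    print(register("bob", "123456"))
    print(register("alice", "correct horse battery"))
```

Rejecting the common list at registration time is the cheap half of the defence; the slow salted hash is what limits the damage when the password database itself leaks, which is exactly the situation the post describes.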
read more
Two-Factor Authentication in the PCI DSS Standard
The use of payment cards has long been commonplace for the modern person. But we do not always think about how extensive and complex the work done by the companies providing such services is, or how many diverse requirements they have complied with in order to give us the possibility simply to insert the card into the slot of an ATM and get our money, or to book a room on the Internet before a vacation trip. Meanwhile, getting the right to conduct transactions with payment cards is not the easiest task. In order to do this, the company must obtain a special PCI DSS certificate. The standard was designed by the PCI SSC, the Payment Card Industry Security Standards Council, and it is obligatory for any company that wants to be considered a serious player in the market. Reputable organizations and banks flatly refuse to cooperate with a company which does not comply with the requirements of PCI DSS, because it means that the company's leadership does not properly care about data protection and thus jeopardizes the safety and reputation of its partners and customers.

What is the PCI DSS standard?

This document consists of twelve sections, each of which covers a specific requirement for protecting information about card users. Among them are rules for the development, use and support of the payment system structure; the creation of a database of legal documents accompanying these systems; the provision of adequate information security management, etc. However, the most vulnerable places in terms of the safety of card transactions are the security of the network infrastructure and the protection of user information stored by the company. After all, the 'client-server' area carries the greatest risk that transmitted data can be intercepted by fraudsters and used for their own selfish purposes. That is why it is not surprising that the PCI DSS requirements focus on the issue of user authentication. The system should be organized in such a way that, when a client requests any action, it is possible to determine that this is the real cardholder. That a single password is not enough has not been a secret for a long time. Therefore two-step authentication is used, which requires entering a specially created one-time code after the standard password. Typically this code is sent in a text message to the user's phone. But a more convenient and reliable way of solving the authentication problem is to use a token: a special device or program that generates one-time passwords, which may be provided by various two-factor authentication providers. The Protectimus company is among them. This method of receiving the OTP eliminates the possibility of data interception over the telephone connection, and at the same time the password generation algorithms can be further improved (CWYS), which makes the attacker's task much more complicated. Tokens can be used conveniently on any device from which payment card transactions can be carried out. Although adherence to the PCI DSS standard requires quite significant effort from the company, it positively affects the company's reputation and credibility. After all, even long ago a deal with future partners was signed only after the parties had investigated each other, based on the opinion of...
read more
The Theft of The Century, or Why Do News Websites Need Two-Factor Authentication?
Why Is Two-Factor Authentication Necessary?

More and more companies are using two-factor authentication in their online operations. Sometimes it surprises or even annoys their users. They may think: why waste my precious time entering additional characters? Isn't a password sufficient? With today's widespread advanced computer technologies, we have possibilities our parents could only read about in science fiction novels. Thirty years ago, would anyone have believed that it would be possible to order (and receive) plane tickets or a ticket to a Paul McCartney concert without getting up from your favorite chair? Or chat with a friend in Australia as if he were in the next room? Or read your favorite newspaper at breakfast without having to go out to buy it? However, every coin has a flip side. Along with incredible conveniences, the computer has brought an unpleasant vulnerability into our personal and business lives. When performing various transactions online, we have to provide and transfer confidential information: bank card numbers, passport details, and passwords. Quite often hackers intercept this information and use it for their mercenary purposes. Fortunately, there are ways to protect our data against intruders' attacks. One of the most reliable and convenient methods is two-factor authentication. When it is used, entering the password is not sufficient to log into the system or perform any action in it. The user must also provide additional information: the code from a received SMS message or a number generated by special software. Two-factor authentication is the foundation of secure transactions in such business fields as online banking, online trading, and other routinely used services that require a high level of security for transmitted data. Nowadays information is essentially equivalent to money. Possessing information allows one to make millions; failing to keep information secure leads to millions in losses. The level of data security is relatively high in online banking and online trading; however, the importance of reliable user authentication is still not fully appreciated in fields with no direct circulation of money.

What Can Ignoring Two-Factor Authentication Result in?

In mid-August, a rather cautionary tale became public. US law enforcement agencies uncovered a group of cybercriminals that had been hacking corporate news channels which published restricted press releases containing information on mergers, acquisitions, and the financial status of various companies. The criminal group included current and former citizens of Russia and Ukraine, some of whom lived in the USA and some in Ukraine. The hackers penetrated news channels of stock exchange agencies intended for restricted in-company use. The companies' employees' passwords were intercepted and used to obtain access to sensitive confidential information. This was possible because those companies did not use two-step authentication; their systems could be logged into with just one password. The hackers passed the illegally obtained information on to their accomplices in trading, who in turn used it to forecast stock prices and make transactions based on it. According to the US Department of Justice, counting only the cases where the charges against these cybercriminals were proven, over the five years of their “operations” they raked in 30 million dollars in profits. According to the assessment of US Securities and Exchange Commission experts, the total damage amounted to a much higher...
read more
Strong Password
– Sorry, your password has been used for more than 30 days, you must choose a new one!
– Roses.
– Excuse me, your new password is too short!
– Pink roses.
– Excuse me, a strong password should contain at least one number!
– 1 pink rose.
– Sorry, you cannot use spaces in your password!
– 1pinkrose.
– Sorry, you must use at least 10 different characters in a password!
– 1fadedpinkrose.
– Sorry, you must use at least one capital letter in the password!
– 1FADEDpinkrose.
– Sorry, it is not allowed to use multiple capital letters in a row!
– 1FadedPinkRose.
– Sorry, a strong password should consist of more than 20 characters!
– 1FadedPinkRoseWillStickOutOfYourButtIfYouWillNotGiveMeAnAccessNow!
– Sorry, but this password is already...
read more
Selfie Based Authentication in Banking System: “Latest Fad” or Increased Protection Reliability?
It is no secret that MasterCard has long been working on the problem of authentication in the banking system and is testing an application that would use traditional two-factor authentication to authenticate customers and authorize online purchases based on face recognition technology instead of numerical codes. In other words, to pay with a credit card online, the cardholder would take a selfie instead of entering the PIN code. Let's try to understand the roots and the source of this new trend called selfie-based authentication. A selfie is a photographic self-portrait taken by a person with an outstretched arm, sometimes using a mirror or the very popular selfie stick. This type of photo became very popular after 2005, following the creation and spread of social networks and online community websites where users readily share their latest news and most recent photos. Phones with front-facing cameras and the Instagram mobile application have allowed a veritable explosion of millions of original and sometimes extreme selfies. Movie stars, show business celebrities, politicians, and even Pope Francis post their selfies on the Internet. Numerous websites trumpet the wild popularity of this trend in the photo industry; in 2013, the word 'selfie' was declared the most used word and included in the Oxford online dictionary of the English language. As we can see, selfies are insanely popular, but before this new selfie-based authentication method is implemented, we should consider and evaluate its reliability with all seriousness and a healthy degree of skepticism, especially when it is used to gain access to online banking transactions. There are several reasons to doubt this method's reliability, and in this article we will consider each of them in detail.

Biometric Data as an Alternative User Authentication Method

Before we move on to a detailed review of alternative two-step authentication methods, let us remind ourselves of what traditional two-factor authentication involves. This type of authentication is necessary because of one of the key information security risks: weak passwords. According to the available statistics, 61% of users have the same password for all services and websites, and 44% of them change their password only once a year. This shows how easy it is to compromise a computer or any other device or gadget. That is why one needs two-level account protection against unauthorized access: two-factor authentication from Protectimus. This system includes two levels of user authentication:

Login and password;
A special code sent via SMS message or email, or generated with a token.

For more reliable protection, users' biometric data is used: authentication is performed using voice or face recognition, retina or fingerprint scans, and the heartbeat “print”. The whole selfie idea, by the way, also belongs to the realm of biometric authentication.

Is Alternative Selfie Based Authentication Reliable?

First of all, let us consider the advantages and strengths of selfie-based authentication. The idea is that the banking application will create a 'digital map' of each customer's face and transform it into a hash that will be stored on the server and used for comparison with a new...
read more