Blog Feed
Data Protection in Universities under GDPR
Educational institutions and their data protection departments handle and process a huge volume of personal data. Confidential information about employees, students, and applicants is often stored in databases with an extremely low level of data protection. Most institutions pay too little attention to the potential dangers of a data breach, and the budgets for data protection in universities leave much to be desired. Unfortunately, an effective approach to data management and security is a rare find among educational establishments; attention is mainly paid to the things that are more obvious but less risky.

According to the Breach Level Index Report, nearly 100 breaches were recorded in education in 2015. This number is stunning when you consider that the total number of breaches that year was around 970: more than 10% of all breaches occurred in universities. It is time to remember that in the digital era information plays a vital role. It is the core of our entire lives, and a lack of data protection has the potential to damage businesses and industries or even destroy human lives. Indifference to data breach issues is inevitably becoming obsolete, and when the General Data Protection Regulation (GDPR) enters into force, this issue will be ignored no more.

“We’re all going to have to change how we think about data protection.” – Elizabeth Denham, UK Information Commissioner

Why Data Protection in Universities Matters

Why is data protection in universities so important? It’s simple: the concentration of vital data in educational institutions is so high that a breach would definitely lead to reputation damage and losing a lot of money. The list of sensitive data in educational establishments varies depending on their specialization, size, and functions. But, first of all, university data protection systems have to take care of these three crucial aspects:

Staff and student personal information. Names, addresses, emails, phone numbers, emergency contact details, dates of birth, academic qualifications, details of any disabilities and criminal convictions, etc.
Payment data. Information about transactions, payment recipients and senders, etc.
Scientific research data. Just think about it: how can intellectual leaders hold their positions if they lose important data and scientific results? These people should take care of mankind’s knowledge, not of potential fraud and cyber attacks.

University data security systems face the same issues and risks as any other organization. For example, the two most common sources of risk, both for universities and for any other organization, are poor passwords and downloading files from unsafe websites. Consequently, data protection rules in universities are similar to those of any other organization: there is the Data Protection Act, which mainly regulates what personal data is and how to protect it. But there are also some specific, considerable weaknesses that attract hackers’ interest in educational institutions and need to be addressed as soon as possible. Here they are.

Read also: 10 Steps to Eliminate Digital Security Risks in Fintech Project

1. Inconsistent Regulation

There is no approved set of official rules to regulate university data protection. It should be mentioned that there are some particular regulations, like academic records regulation, PII regulation and PCI rules, or medical records regulation; additionally, national laws have an impact on university data protection guidelines. But these pieces of legislation are not put together...
General Data Protection Regulation Summary
May 25 will certainly be a key date in the history of the European Union. On this day, the new version of the General Data Protection Regulation (GDPR) will take full force. It expands both Controllers’ and Processors’ commitments to data privacy. According to the rules this document activates, all companies and organizations across the EU will have to enhance their transparency and accountability measures. To put it simply, unless they are ready to receive a fine of up to 20 million euros under the new General Data Protection Regulation, they will need to revise their security policies and launch new data protection measures to reduce the risk of a data breach.

As every business is unique and has its own system of protective measures, it is impossible to predict exactly what you as an entrepreneur will have to do to be perfectly ready for EU GDPR compliance. However, in this article we will tell you more about the principles of the General Data Protection Regulation 2018 and propose a short GDPR summary of changes so that you can understand what actions you should undertake.

10 facts your company needs to note about the GDPR

GDPR concerns you, anyway. The most crucial fact about the General Data Protection Regulation of 2018 is that it applies to all organizations across the world processing any data of citizens of the European Union. It is actually the first regulation of the European Union that extends its legitimacy to non-affiliated countries. The authors of the new law believe that it will change the way personal information is handled in the whole world.

GDPR offers a new understanding of “personal data”. It has always been rather difficult to identify whether a piece of information is “private” or not. With the new regulations coming into force, the notion of personal data will broaden even further. For example, the GDPR changes extend its protection to location data and online markers (such as IP addresses and cookie files), taking into account the cloud-based nature of many modern organizations. Moreover, it identifies genetic and biometric data, such as gene sequences or fingerprints, as sensitive information.

Valid consent is more important than ever. According to the GDPR of May 2018, companies will have to ensure the conditions of their agreements are written in very clear and precise terms. What is more, a client’s inactivity will no longer count as consent by default. Organizations must explain what kinds of personal data they will collect and why. Without clear personal consent, it will be impossible to use this information.

Please welcome the DPO – Data Protection Officer. In accordance with the European data privacy regulation, a new person of authority called the Data Protection Officer should be appointed in companies to deal with personal data. The GDPR principles aren’t based on the number of the company’s employees working with personal information, as was widely accepted before; they concentrate on the processes of data usage instead. For that reason, dedicated specialists should be assigned to control them.

Data Protection Impact Assessments. The General Data Protection Regulation text also makes PIAs (privacy impact assessments), which indicate the risks of collecting and processing sensitive data, obligatory. PIAs will be required in situations...
Strong Customer Authentication According To PSD2: Summary & Checklist
The changes that are guaranteed to transform the EU financial market have finally arrived. On January 13, 2018, the second Payment Services Directive (commonly known as PSD2) came into force in the European Union. In this article, we’ve gathered all the information on PSD2 security and strong customer authentication requirements to help existing and future companies get ready for these changes. So let’s get started with our comprehensive PSD2 summary!

Note: in case you are afraid of getting lost in all the abbreviations and legal terms, check out our glossary for PSD2 in the knowledge base at the bottom and download the PSD2 security requirements checklist here.

How PSD2 Regulation Impacts Fintech

PSD2 is going to influence every bank, consumer and fintech company based within the EU’s borders, or even outside the EU if they make transactions with banks, companies or consumers located in the EU. Thus, if one party taking part in a transaction is located in the EU, the transaction falls under PSD2 requirements.

Before diving into PSD2’s impact on the fintech industry, we need to be on the same page regarding the directive’s objectives. We can distinguish three main PSD2 objectives pursued by establishing a single standardized payments system:
- enforce equal opportunities to succeed in the market for all payment service providers;
- make the payments system more transparent and more secure against fraud;
- stimulate the implementation of innovative fintech solutions.

“Online payment will continue to play an ever-growing and significant role in the development of e-commerce as well as the stimulation of consumer demand.” – Lucy Peng, CEO, Ant Financial Services, Alibaba Group

But how is PSD2 going to influence the fintech industry? First and foremost, from now on, third parties that provide payment services are legally recognized as new players in the market and are regulated accordingly by PSD2. Named Third Party Providers (TPPs), they don’t hold any payment accounts or take possession of any funds being transferred. There are two types of Third Party Providers (TPPs), as stated in the PSD2 directive:
- Account Information Service Providers (AISPs): companies that accumulate data regarding different consumer accounts in one or several banks. Their primary task is to provide users with visualized information about their accounts in a convenient way. A wide range of other features can be implemented here, mainly ones concerning filtering and analyzing data.
- Payment Initiation Service Providers (PISPs): companies that have permission to initiate PSD2 payments between the consumer and the bank on the consumer’s behalf. This allows TPPs to facilitate online banking payments.

[Image source: wso2.com]

The Bright Side. The pros of PSD2 for TPPs are obvious: traditional financial institutions (banks) are required to open their APIs to TPPs, which allows open competition between TPPs and banks on equal terms. Besides, it opens the floor to PSD2 blockchain solutions that could be revolutionary. All the barriers that could be an advantage for traditional financial institutions are now gone. TPPs no longer operate in the ‘gray area’ of the market; now they are protected by this piece of legislation and have certain rights. Besides, by accessing the banks’ APIs, TPPs can use the data produced by banks without having to acquire the needed infrastructure that banks...
10 Most Popular Two-Factor Authentication Apps Compared
This article discusses two-factor authentication apps, which feature different functionalities and are based on different principles but serve one purpose – reliable protection of access to sensitive information. Today, we will review some of the most popular applications for one-time password generation from the Google Play market and two hardware OTP tokens that can replace two-factor authentication apps. There are a lot of convenient or security-oriented features that the apps’ and OTP tokens’ authors offer. Let’s finally figure out some of the pros and cons of each.

“Turn on all security features like two-factor authentication. People who do that generally don’t get hacked. Don’t care? You will when you get hacked. Do the same for your email and other social services, too.” – Robert Scoble

Top 3 Most Popular 2FA Applications

1. Google Authenticator

Google’s two-factor authentication app is probably the most popular and best known among 2FA evangelists. It’s free, handy, and offered on many websites by default. Let’s have a look at its features:

User-friendly. Google Authenticator has a decisive, easy-to-use, clear UI (user interface) that even a child would find informative. Besides, it should be noted that the software works on almost all versions of Android and takes no more than 2 MB, which is significant for owners of phones with a small amount of RAM.

TOTP and HOTP algorithms. The Google Authenticator app supports both Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP) generation algorithms, which allows using it with more resources. TOTP is more widespread and reliable – it is an algorithm in which time is used as one of the parameters for one-time password generation. There are still websites using the HOTP algorithm, where a counter is used to compute the passwords. The lifetime of all OTP passwords generated according to the TOTP or HOTP algorithms is 60 seconds, i.e. every minute a new password is created.

No need for a network connection. The use of such OTP generation algorithms allows Google Authenticator to work without a network connection. The same one-time passwords are generated on your smartphone, without access to the Internet or a cellular network, and on the authentication server (in the client-server paradigm); if the one-time passwords match, you get access to your account.

Many accounts in one place. You can use one app for all your accounts on different websites as well as for your multiple accounts on one website. This is very convenient compared with SMS authentication, but mind that you may have a lot of trouble when losing or wiping a phone if you don’t take care of a Google Authenticator backup.

Are there any drawbacks in Google Authenticator? Here we have some black clouds above the app:
- There is no built-in possibility to back up your data. It means that users must re-enter the information each time they change phone or account.
- They say it’s not quite convenient to use this app if you turn on 2-factor authentication for more than 4 websites. Four one-time passwords are enough to occupy the whole screen, and if you have, for example, 12 accounts, you won’t see all the passwords at a glance.

Google’s two-factor authentication app may be the best known one, but let’s be honest – there are many other...
The Pros and Cons of Different Two-Factor Authentication Types and Methods
Along with the first digital devices arose the need to ensure the security of stored data and to differentiate access to various functions. The methods for unambiguous authentication of users on which security is based are called authentication factors. These include codes, logins, passwords, certificates, hardware keys, and so on. The whole set of authentication factors can be divided into three groups:
- Knowledge factors (something known to the user);
- Ownership factors (something that the user owns – documents or items characterized by some unique information; usually these factors boil down to “devices”, although this narrowing is not always justified);
- Biometric factors (physical characteristics of the user).

There is a huge variety of authentication factors, not all of which are equally convenient and safe. In order to raise the security level of the authentication process, multifactor authentication is used, in which several authentication factors of different types are used to verify access. The disadvantages of some factors can and should be offset by the merits of others. Despite the greater security, the more authentication stages are used, the more effort and time it takes to authorize. Weighing security, convenience and applied effort together, two-factor authentication is considered the optimal combination today.

Two-Factor Authentication

What is two-factor authentication? Two-factor authentication (2FA) is one of the most reliable types of user authentication nowadays, used to obtain the rights to access any resource or data (from mailboxes to bank card payments). Two-step authentication is a much more reliable alternative to traditional one-factor authentication (1FA) with a login-password pair, the security of which is quite low today. There are a huge number of methods for hacking and circumventing password authentication, from social engineering to distributed brute-forcing based on pre-organized botnets. In addition, some users use the same password to log into all their accounts, which further simplifies scammers’ access to protected information and transactions.

The main advantage of two-factor authentication is increased login security. As for the shortcomings, the main two are the increase in the time it takes to log into the system and the risk of losing the physical medium used to pass one of the authentication steps (mobile phone, U2F key, OTP token). In this article, we review several of the most convenient and secure second authentication factors for use in 2FA.

Read also: Social Engineering Against 2FA: New Tricks

1. SMS Codes

SMS codes generated by special services are the most common kind of factor used in mobile two-factor authentication. It is quite convenient (most modern users always keep their smartphones on them) and does not take much time. In addition, this check is in most cases effective, for example, to protect against automated attacks, phishing, password brute-forcing, viruses, and the like. But if someone is intent on hacking you, bypassing SMS authentication is possible. After all, usually the phone number tied to the account is not a secret (as a rule, it is the same contact number that can be found from your friends, social network or business card). Having obtained the personal information of the owner of the number, scammers make a fake identity card and use it at the nearest office of the mobile operator. Despite the fact...
10 Steps to Eliminate Digital Security Risks in Fintech Project
Any kind of project can be of potential interest to attackers, since information stolen in an attack can be turned into cash. In the case of financial projects, though, an attack usually results in attackers transferring user or system funds to an unknown location. This eliminates the extra steps it would otherwise take them to reach their ultimate goal. Regardless of what stage your fintech project is at, it’s never a bad idea to make sure that everything that can be done has been done to eliminate all possible digital security risks, so that clients and the business itself are adequately protected.

“There are only two types of companies: Those that have been hacked and those that will be hacked.” – Robert S. Mueller, III, Director, FBI

In this article, we’ll go over the key financial cyber security concerns, as well as a list of ten components for putting together an effective system to protect the financial information of both users and the company itself.

Note: In early 2018, PSD2, the amended Payment Services Directive for the European Union, enters into force. Later in this article, we’ll describe the main IT security requirements of this directive. If your company operates in or plans to operate in Europe, we recommend that you familiarize yourself with it and download our checklist.

The main financial cyber security concerns

We’ll begin by looking over the main traditional digital security risks facing personal data protection in IT systems for fintech companies.

SQL injection
SQL injection is the kind of digital security threat that involves the introduction of altered SQL queries. Using vulnerabilities in the system’s software implementation, an attacker can execute arbitrary database queries.

Brute force attacks
Brute force attacks attempt to recover a password by automatically guessing from a pool of possible passwords. Using a database of likely passwords (like a dictionary), this process becomes much more efficient.

Zero-day vulnerabilities
Zero-days are unknown vulnerabilities used by hackers before software developers have fixed them. In addition, system administrators don’t always update software in a timely manner, causing additional digital security risks.

Man-in-the-middle (MITM) attacks
In a MITM attack, messages being exchanged between the ends of a communication channel are intercepted and spoofed using an unauthorized connection.

Phishing
Phishing is one of the greatest financial cyber security concerns nowadays; it involves the theft of a user’s information with the help of fake websites and web applications that mimic legitimate resources. Through nefarious means (often a link in an email or another message), users end up at these fake resources and voluntarily enter their login details into forms that look identical to the real ones.

Banking Trojans
This type of malware is aimed specifically at compromising banking cyber security. It gathers account details, collecting stored information about users’ accounts and sending this data to an admin panel. The admin panel, either by automatic rules or manual intervention, chooses a target and displays a fake page to the user.

Ransomware
Ransomware is typically spread through phishing messages. When run, the malware locks the user out of the system and demands a ransom payment.

For 2017, the Open Web Application Security Project (OWASP) identified the following as the most critical web application security risks:
- SQL injection
- Cross-site scripting
- Broken authentication
- Broken access control
- Sensitive data...
Top 7 Tips How to Protect Yourself from Phishing Scams
What phishing is has been well known for some time now. The first phishing attacks were noted shortly after the World Wide Web appeared. But despite the efforts of IT security specialists to create more effective anti-phishing protection, new phishing sites continue to appear every day. According to data from several studies, about 5000 new phishing sites were created every day in 2016. In 2017, this figure will be even greater. The secret to the resilience of this type of fraud lies in how it is based not on “holes” in software, but on a vulnerability in human beings themselves, particularly those with access to important data. That’s why we’re going to remind you once more what phishing is, what the most common phishing attack examples are, and what you can do to counter them.

“Phishing is a real threat, which is relatively easy to implement and difficult to identify and counteract.” – Max Oliinyk, Chief Executive Officer, Protectimus Solutions LLP

Basic phishing examples 2017

Phishing is a kind of internet fraud that’s based on social engineering principles. The main purpose of phishing scams is to gain access to critically important data (passport data, for example), accounts, banking details, secret company information, and so on, so that it can be used to steal funds at a later date. Phishing works by redirecting users to fake network resources that function as complete imitations of a real site.

Read also: Social Engineering Against 2FA: New Tricks

Deceptive phishing examples

The majority of phishing attacks fall under this category. Attackers send out emails pretending to be from a real company in order to obtain users’ account data and thus gain control over their personal or official accounts. You could receive a phishing email claiming to be from a payment processor, a bank, a courier service, an online store, a social network, a revenue service, and so on. Phishing emails are crafted very carefully. They can be practically indistinguishable from the emails a user would normally receive from the company. The only difference may be a request to follow a link in order to perform some kind of action. That link, however, leads to the scammers’ site, which acts as a doppelgänger of the entity’s real website. To get you to click on these links, the emails may dangle a proverbial carrot in front of you: “Take 70% off our services if you sign up within 24 hours!” They may also try to scare you: “Your account has been locked due to suspicious activity. To confirm that you are the account owner, click on the link.”

Here’s a list of some of the scammers’ favorite phishing examples:
- “Your account has been/is going to be locked/disabled.” Scare tactics can be quite effective. The threat of having your account locked if you don’t immediately log in can cause users to let their guard down, follow the link in the email, and enter their username and password.
- “Suspicious/fraudulent activity has been detected on your account. You must update your security settings.” These kinds of emails urgently ask you to log into your account and update your security settings. They work on the same principle as the previous attack: the user panics and lets their guard down.
- “You have received an...
How to Program Protectimus Slim NFC Token
If you have an NFC-enabled smartphone running Android, download and run the Protectimus TOTP Burner app. Initiate the software token setup on the system where you require enhanced security.

Program the Protectimus Slim NFC OTP token:
1. Run the Protectimus TOTP Burner application.
2. Tap the button “Burn the seed”.
3. Tap “Scan the QR code” and scan the QR code with the secret key you see in your account. You can also input the secret key manually, but we recommend the automatic method. If you enter the seed manually, set the required OTP password lifetime.
4. Activate the Protectimus Slim NFC OTP token and place it near your phone’s NFC antenna.
5. While holding the Protectimus Slim NFC near the NFC antenna, tap “Continue”, and wait for a message confirming that the 2FA token was programmed successfully....
How to Set Up Two-Factor Authentication on Dropbox with Protectimus Slim NFC
Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Dropbox account!

How to enable Dropbox two-factor authentication with the hardware OTP token Protectimus Slim NFC:
1. Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.
2. Log in to your Dropbox account and initiate the enrollment of the software token: go to the “Settings” section through the navigation menu -> choose the “Security” section -> enable two-step verification by turning on the toggle -> read the important information regarding two-factor authentication before getting started and click the “Get started” button -> choose the “Use a mobile app” option and click “Next” -> you will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.
3. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.
4. To finish the token enrollment, click the “Next” button and enter the one-time password from the Protectimus Slim NFC token in the...
How to Set Up Two-Factor Authentication on Kickstarter with Protectimus Slim NFC
Learn more about the Protectimus Slim NFC token or order one here: Protectimus Slim NFC, the best 2FA token to protect your Kickstarter account!

How to enable Kickstarter two-factor authentication with the programmable hardware OTP token Protectimus Slim NFC:
1. Make sure that your Android smartphone supports NFC technology and download the Protectimus TOTP Burner application.
2. Log in to your Kickstarter account and initiate the enrollment of the software token: go to the “Account” section in the navigation menu -> turn on two-factor authentication -> read the important information regarding two-factor authentication before getting started -> choose “Generate codes with a mobile app” and click “Continue” -> you will see the QR code with the secret key (seed). Use it to program the Protectimus Slim NFC token.
3. Program the Protectimus Slim NFC token by scanning the QR code. Learn how to program the Protectimus Slim NFC token here.
4. To finish the token enrollment, enter the one-time password from the Protectimus Slim NFC token in the field “Enter the verification code generated by the...