Category Archives: Authentication

Looking at the future of identity access management (IAM)

Here we are: at the beginning of a new year and the start of another decade. In many ways, technology is exceeding what we expected by 2020, and in other ways, well, it is lacking. Back to the Future made us think we would all be using hoverboards, wearing self-drying and fitting jackets, and getting to and from the grocery store in flying cars by Oct. 21, 2015. Hanna-Barbera promised us a cutting-edge, underwater research … More

The post Looking at the future of identity access management (IAM) appeared first on Help Net Security.

Hacking McDonald’s for Free Food

This hack was possible because the McDonald's app didn't authenticate the server, and just did whatever the server told it to do:

McDonald's receipts in Germany end with a link to a survey page. Once you take the survey, you receive a coupon code for a free small beverage, redeemable within a month. One day, David happened to be checking out how the website's coding was structured when he noticed that the information triggering the server to issue a new voucher was always the same. That meant he could build a programme replicating the code, as if someone was taking the survey again and again.

[...]

At the McDonald's in East Berlin, David began the demonstration by setting up an internet hotspot with his smartphone. Lenny connected with a second phone and a laptop, then turned the laptop into a proxy server connected to both phones. He opened the McDonald's app and entered a voucher code generated by David's programme. The next step was ordering the food for a total of €17. The bill on the app was transmitted to the laptop, which set all prices to zero through a programme created by Lenny, and sent the information back to the app. After tapping "Complete and pay 0.00 euros", we simply received our pick-up number. It had worked.

The flaw was fixed late last year.
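The two weaknesses the story describes, a voucher endpoint that hands out a fresh code for the same replayed request and a checkout that accepts whatever total the client reports back, are both server-side trust failures, and TLS with server authentication would only have stopped the proxy, not the replay. The following is an added example, not McDonald's code; the menu, prices, voucher format and order shapes are constructed for illustration. It shows the trusting pattern beside a hardened handler that prices the order from its own catalogue, issues one single-use voucher per receipt, and treats a mismatching client total as a tamper signal rather than a number to honour.

```python
"""Added example (not McDonald's code): a checkout that trusts the
client-reported total, beside a hardened version that recomputes the bill
from a server-side catalogue and issues single-use vouchers bound to a
receipt.  Menu, prices and request shapes are constructed for illustration."""
import secrets
from decimal import Decimal
from typing import Optional

# Constructed server-side catalogue; prices never come from the client.
CATALOGUE = {
    "burger": Decimal("4.50"),
    "fries": Decimal("2.50"),
    "drink_small": Decimal("1.50"),
}


class VoucherStore:
    """Issues one voucher per receipt and lets each voucher be spent once."""

    def __init__(self) -> None:
        self._issued_for = set()   # receipt ids that already produced a voucher
        self._unspent = set()      # voucher codes that are still valid

    def issue(self, receipt_id: str) -> Optional[str]:
        # Replaying the survey submission for the same receipt yields nothing,
        # which closes the "same request, new voucher every time" loop.
        if receipt_id in self._issued_for:
            return None
        self._issued_for.add(receipt_id)
        code = secrets.token_urlsafe(12)   # unguessable, not derived from the receipt
        self._unspent.add(code)
        return code

    def redeem(self, code: str) -> bool:
        # Single use: the second redemption of the same code fails.
        if code not in self._unspent:
            return False
        self._unspent.remove(code)
        return True


def checkout_trusting_client(order: dict) -> Decimal:
    """The weak pattern from the story: whatever total the client reports
    is what gets charged.  A proxy that rewrites every price to 0.00 wins."""
    return Decimal(order["client_total"])


def checkout(order: dict, vouchers: VoucherStore) -> Decimal:
    """Hardened: the server prices the order itself, applies vouchers itself,
    and treats the client's claimed total as nothing more than a tamper signal."""
    total = Decimal("0.00")
    for item, qty in order["items"].items():
        if item not in CATALOGUE or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"rejected line item {item!r} x {qty!r}")
        total += CATALOGUE[item] * qty

    # Each valid, unspent voucher waives one small drink actually on the order.
    drinks_left = order["items"].get("drink_small", 0)
    for code in order.get("vouchers", []):
        if drinks_left > 0 and vouchers.redeem(code):
            total -= CATALOGUE["drink_small"]
            drinks_left -= 1

    claimed = order.get("client_total")
    if claimed is not None and Decimal(claimed) != total:
        # Tampering (or a stale client).  Record it and charge the server's
        # figure; never reconcile toward the client's number.
        order["tamper_flag"] = f"client claimed {claimed}, server computed {total}"
    return total
```

With the order from the story (a bill the proxy has rewritten to 0.00), `checkout_trusting_client` hands over the food for nothing, while `checkout` charges the catalogue price, spends the voucher exactly once, and flags the mismatch for the fraud team.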

Smartphone Election in Washington State

This year:

King County voters will be able to use their name and birthdate to log in to a Web portal through the Internet browser on their phones, says Bryan Finney, the CEO of Democracy Live, the Seattle-based voting company providing the technology.

Once voters have completed their ballots, they must verify their submissions and then submit a signature on the touch screen of their device.

Finney says election officials in Washington are adept at signature verification because the state votes entirely by mail. That will be the way people are caught if they log in to the system under false pretenses and try to vote as someone else.

The King County elections office plans to print out the ballots submitted electronically by voters whose signatures match and count the papers alongside the votes submitted through traditional routes.

While advocates say this creates an auditable paper trail, many security experts say that because the ballots cross the Internet before they are printed, any subsequent audits on them would be moot. If a cyberattack occurred, an audit could essentially require double-checking ballots that may already have been altered, says Buell.

Of course it's not an auditable paper trail. There's a reason why security experts use the phrase "voter-verifiable paper ballots." A centralized printout of a received Internet message is not voter verifiable.

Another news article.

More authentication and identity tech needed with fraud expected to increase

The proliferation of real-time payments platforms, including person-to-person (P2P) transfers and mobile payment platforms across Asia Pacific, has increased fraud losses for the majority of banks. FICO recently conducted a survey with banks in the region and found that 4 out of 5 (78 percent) have seen their fraud losses increase. Further to this, almost a quarter (22 percent) say that fraud will rise significantly in the next 12 months, with an additional 58 percent … More

The post More authentication and identity tech needed with fraud expected to increase appeared first on Help Net Security.

Zero Trust: Beyond access controls

As the Zero Trust approach to cybersecurity gains traction in the enterprise world, many people have come to recognize the term without fully understanding its meaning. One common misconception: Zero Trust is all about access controls and additional authentication, such as multi-factor authentication. While these two things help organizations get to a level of Zero Trust, there is more to it: a Zero Trust approach is really an organization-wide architecture. Things aren’t always as they … More

The post Zero Trust: Beyond access controls appeared first on Help Net Security.

SIM Hijacking

SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours. Sometimes this involves people inside the phone companies.

Phone companies have added security measures since this attack became popular and public, but a new study (news article) shows that the measures aren't helping:

We examined the authentication procedures used by five pre-paid wireless carriers when a customer attempted to change their SIM card. These procedures are an important line of defense against attackers who seek to hijack victims' phone numbers by posing as the victim and calling the carrier to request that service be transferred to a SIM card the attacker possesses. We found that all five carriers used insecure authentication challenges that could be easily subverted by attackers. We also found that attackers generally only needed to target the most vulnerable authentication challenges, because the rest could be bypassed.

It's a classic security vs. usability trade-off. The phone companies want to provide easy customer service for their legitimate customers, and that system is what's being exploited by the SIM hijackers. Companies could make the fraud harder, but it would necessarily also make it harder for legitimate customers to modify their accounts.

Review: Enzoic for Active Directory

Seemingly every day news drops that a popular site with millions of users has been breached and its user database leaked online. Almost without fail, attackers then try those leaked credentials on other sites, making credential stuffing one of the most common attacks today. Users often reuse the same username/email and password combination for multiple accounts and, unfortunately, enterprise accounts are no exception. Attackers can, therefore, successfully use leaked credentials to access specific … More

The post Review: Enzoic for Active Directory appeared first on Help Net Security.
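The defensive counterpart to credential stuffing is refusing, at password-set time, any password already present in a leaked corpus. The following is an added example and not Enzoic's code or a description of its method; it screens a candidate password with a k-anonymity range query, the scheme Have I Been Pwned's Pwned Passwords API uses, so that the party holding the breach corpus sees only the first five hex characters of the password's SHA-1 and never the password or its full hash. The leaked corpus here is a small constructed set, not real breach data, and `accept_new_password` is a hypothetical policy hook.

```python
"""Added example (not Enzoic's code or method): screening a candidate
password against a leaked-credential corpus with a k-anonymity range query,
the scheme used by Have I Been Pwned's Pwned Passwords API.  The leaked
corpus here is a small constructed set, not real breach data."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed corpus: password -> number of times it appeared in leaks.
LEAKED_PASSWORDS: Dict[str, int] = {
    "password123": 120_000,
    "qwerty": 300_000,
    "letmein": 45_000,
    "Winter2020!": 800,
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index keyed by the first five hex characters of the SHA-1, as the API does.
RANGE_INDEX: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
for _pw, _count in LEAKED_PASSWORDS.items():
    _h = _sha1_hex(_pw)
    RANGE_INDEX[_h[:5]].append((_h[5:], _count))

QUERIES_SEEN: List[str] = []   # what the "server" side was sent, for inspection


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Server side of the range query.  It receives only a 5-hex-char prefix,
    so it learns neither the password nor its full hash, and returns every
    (suffix, count) pair filed under that prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly five uppercase hex characters")
    QUERIES_SEEN.append(prefix)
    return list(RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def accept_new_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Hypothetical policy hook for a password-change flow: refuse anything
    seen in a leak, however 'complex' it looks, then apply a length floor."""
    seen = breach_count(password)
    if seen:
        return False, f"rejected: appeared {seen} times in known breaches"
    if len(password) < min_length:
        return False, f"rejected: shorter than {min_length} characters"
    return True, "accepted"
```

The point of the prefix split is that "Winter2020!" satisfies every classic complexity rule and is still rejected, because it is in the corpus, while the corpus holder only ever learns a five-character prefix shared by many unrelated hashes.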

Facebook users will be notified when their credentials are used for third-party app logins

Facebook will (finally!) explicitly tell users who use Facebook Login to log into third-party apps what information those apps are harvesting from their FB account. At the same time, users will be able to react quickly if someone managed to compromise their Facebook accounts and is using their credentials to access other apps and websites. Login Notifications The new feature, called Login Notifications, will deliver notifications to users via the Facebook app and user’s associated … More

The post Facebook users will be notified when their credentials are used for third-party app logins appeared first on Help Net Security.

Why should enterprises invest in Multifactor Authentication?


Most users of Google's services are familiar with the fact that the technology giant asks for a recovery phone number as an additional layer of protection for authentication. But have you ever wondered whether this additional layer is truly effective?

Google did a study and got definite answers: partnering with researchers from New York University and the University of California, San Diego, Google measured how effective its account-protection measures were. The results showed that simply adding a recovery phone number to a Google account blocked up to 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks.

The difference an additional layer of protection makes

The aforementioned is a perfect example of how adding a second layer of authentication can be scaled up to bolster enterprise cybersecurity.

Commonly known as Multifactor Authentication, the concept per se is simple: instead of providing a single proof of identity for system access (i.e. a password), a user is required to submit two or more, drawn from different categories of factor:

  • Something only the user knows, such as a password or PIN
  • Something only the user possesses, such as a phone or a hardware token
  • Something the user is, such as a fingerprint or face (a biometric)

For a more real-world example of Multifactor Authentication, consider withdrawing money at an ATM: a user can only withdraw money if they have both the bank card (possession) and the PIN (knowledge). Another example is logging in to a financial website, where users must authenticate with their password along with a one-time password (OTP) generated by, or sent to, their device at the time of login.

Global authentication

Multifactor Authentication adds a layer of security on top of the password, so that an attacker who has obtained one factor still cannot penetrate the enterprise network on their own. The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, mandates multifactor authentication for administrative and remote access to the cardholder data environment, and most electronic payments in the European Economic Area require strong customer authentication (SCA) under the European Union's revised Payment Services Directive (PSD2).

While it has been established that the biggest advantage of Multifactor Authentication is enhanced security, there are other advantages as well such as –

Damage Limitation

Thanks to Multifactor Authentication, the damage from a stolen password, a lost phone or a successful impersonation of a user can be contained: an attacker holding only one factor cannot complete the login by themselves, which gives IT teams time to revoke the compromised factor and remedy the issue.

Better Productivity & Security

Multifactor Authentication enables enterprises to give employees more flexibility in using their own devices for work, because access no longer depends on the device alone. This can drive productivity and help overall efficiency.

Immediate Notifications

Multifactor Authentication can also expose an attack in progress: a burst of incorrect OTPs entered against one account is a strong signal that the account's password has already been compromised, and the authentication system can alert network administrators immediately so they can rectify the problem.

Prevent Data Breaches

Data breaches can prove costly; according to a recent study, the average total cost was $3.92 million. Multifactor Authentication can help prevent data breaches leading to substantial cost savings for the enterprise.

Recognizing its importance, Seqrite offers Multifactor Authentication across its products and services. The Endpoint Security solution offered by Seqrite evaluates and mitigates risks associated with any fraudulent transactions.

The post Why should enterprises invest in Multifactor Authentication? appeared first on Seqrite Blog.