Multi-Factor Guru

May 9


On Sunday, January 22nd, was hacked. was rerouted to the site several times.  Dana White, the UFC’s president, called the site’s organizers terrorists at the “UFC on Fox 2” press conference.  The hacking of is said to be the result of Dana White and the company’s support of SOPA and PIPA.  The SOPA and PIPA bills are aimed at stopping online piracy.

The attack was also reported to be because of retaliation for the shutdown of the file sharing website

Dana White did not tweet about the incident as he usually does about any incident related to  Dana White taunted the hackers to attack the site again saying reportedly, “Keep hacking our site, do it again. Do it tonight.”  The hacker that took credit for the hacking didn’t hack the site again, but posted Dana White’s personal information, including social security number, residential addresses, a vehicle identification number and personal phone number in reaction to the taunt.

The hacker is now reportedly targeting Dana White.  Dana White responded by saying that he’s not afraid of the internet and that it’s where the cowards live.

The hacking attacks might have been prevented if the UFC’s servers were protected by layered security such as two factor authentication.  If the servers were protected with two factor authentication, the network administrator could have been alerted that the site was being hacked and the hacker would have a much harder time gaining access to the site and redirecting it to another site.

Big organizations such as the aren’t immune to attacks and they should take precautionary measures to protect themselves against these types of attacks.  Two factor authentication is relatively cheap to implement compared to other security solutions, easy to use, and is a very effective way to thwart hacking attacks.  If the UFC can incorporate layered security into their servers and access controls, they have a better chance at protecting against future attacks and securing their servers.  If the UFC were as aggressive on implementing security methods on their site as they are with their marketing, they would be a much more secure company with a much more secure website.

The hacking of should have been addressed more seriously because a hacking incident like this should not be taken lightly.  Dana White and the UFC should acknowledge the hacking incident and also ensure fans of the website and organization that the site is easy to use since there are users that login to the site for updates and news.  Tickets are also purchased through for events and users need to feel safe that their payment information and personal information will not be hacked and that the is a secure site.  We will find out if the UFC will address the issue more seriously and if they will be hacked again.  Mixed Martial Arts is a popular sport and the UFC has a strong hold on the sport so fans will probably continue to log onto the site, but the UFC needs to be doing a better job at securing their website and servers so that hacking incidents don’t occur again and so that sensitive data of their users will be safe.

Verizon Reports Data Breach Count Rises While Records Breached Falls

With the number of data breaches on the rise why are the amount of records stolen dropping?

Verizon recently released a report called the 2011 Data Breach Investigations Report (DBIR) in which it combines caseload information with the United States Secret Service. Although the number of records breached has dropped from a record high of 361 million in 2008 to 144 million in 2009 and even lower to only 4 million in 2010 the fact is that the total number of breaches occurring is rising. This could mean that smaller businesses are being targeted through different vulnerabilities than recent years.

Criminals Behind Bars Cause Others to Hide

Some would say that because many criminals were recently placed behind bars, including 1200 suspects arrested in ’10, we are much safer. While others, mainly those involved in security, are thinking the reduction in records stolen is a combination of higher security but mainly a greater desire to remain out of jail. Many large scale cyber criminals have recently been placed behind bars, including Albert Gonzalez and Maksym Yastremskiy who were responsible for the 2010 payment card data breaches. With these spectacles of the law being known by hackers everywhere it may be that criminals are laying low.

Rather than targeting the higher risk companies who have more security and investigative power, cyber criminals seem to be targeting low hanging fruit. The statistics from Verizon’s report show organizations with 11 to 100 employees have been breached more in 2010 than other company sizes. Approximately 436 breaches took place in this size bracket compared to the 323 breaches that took place in all other employee size brackets combined. This is most likely due to the fact that the level of security utilized by these institutions is much less extensive than that of larger corporations.

External Threats and Remote Access Security

It is great to know that employees and competitors are not the direct cause for data breaches. However with 98% of breaches originating from organized criminal groups and unaffiliated persons it is plain to see that remote access security is a dilemma. The top 4 types of attacks resulted from hacking and malware. Although mobile devices have been seen as the source of evil lately in essence it is the server that has been the target. This is not to say that mobile devices will not haunt our future security woes as they may soon become the target of cyber thieves.

In order to secure our privacy the problem lies in authenticating remote users. Anyone accessing the server should be an authorized user to prevent further deployment of malware. Furthermore with hackers creating programs for less skilled script kiddies to easily maneuver through security the need for remote access security will rise. These attacks that we have recently seen may just be groundwork that is being made for later attacks. By utilizing information from data breaches a hacker could create easy to use programs in which they can control many unskilled attackers from many locations to pull off a much larger breach of records.

By utilizing a two-factor authentication method to identify user’s many hacking attempts would be thwarted. However in order to completely secure remote access the need for out-of-band authentication from a OTP is rising greatly. With over 50% of breaches resulting from malware an out-of-band solution allows for authentication to take place without chance of being breached malicious software.

With new reports by Verizon and other companies being released constantly we can view the change and evolution of attacks. More importantly we can see trends which may lead to future attacks and prevent data breaches through preventative security measures.

How to Prevent Fraud Using Out Of Band Authentication

Over the past few decades, fraud has increased dramatically with the use and advance of technology. Hackers fraudulently access confidential data, steal the information and sell it online. Hackers can also sometimes utilize that information to gain access to other information sources to cause even more damage. In some cases, thieves fraudulently identify themselves as the hacked users and use their billing information to order products or services online. Whichever way the data is used, this type of fraud can be prevented by utilizing an out-of-band authentication method.

Fraud spawns from malware which are malicious programs hidden on a victim’s computer siphoning pieces of confidential data. Once an attacker has their trojan, virus, key logger or one of many malicious applications they can start to gain pieces of information that could potentially be used for a data breach. By gaining information such as usernames, passwords and sometimes an OTP, a hacker can fraudulently identify themselves as an authentic user and steal information from private networks.

In some cases a fraud victim’s information can be stolen through a phishing site which looks identical to the website that the user is trying to access online. This phished information could then be used to access sensitive data online and it can also be used to access other websites where the logins may be the same. Out of band authentication methods protect against unauthorized access of personal information by using a dynamic one time password which can safely be received through a separate channel than the primary one.

Online banking attacks can be prevented utilizing out of band authentication methods. An attacker may try to make an online purchase, transfer money or withdrawal funds by fraudulently accessing a user’s account. Out of band authentication can prevent unauthorized transactions by sending a one-time password to the user’s mobile phone or any other device which can utilize a separate network of communication than the access point to confirm transactions. If the user receives a one-time password when they did not initiate a transaction, they can decline it and can report it to their financial institution for further investigation.

Out-of-band authentication provides an added layer of protection while accessing information or making transactions. By utilizing the separate network of communication, a one-time password is kept hidden from attackers as well as verifying the user through ownership of a token generating device. If an attacker were to compromise login credentials or install malware on a computer used for authentication, they still would not be able to gain access to the one-time password which is sent either to the mobile device or something else the authorized user has that can receive and communicate some form of out of band authentication. Out of band authentication can be used to secure and prevent some of the most commonly known and most sensitive data breaches.

Data breaches are covered by the media these days often, but it is for good reasons. With information gained from a data breaches like the RSA data breach, an attacker can fraudulently access accounts to obtain more information for more serious attacks. This is why prevention of fraud should start at the access level. Once access is granted and compromised, vital information can be used and attackers can access the victim’s sensitive data.


Strong Authentication Helps Doctors Monitor Patients Through Remote Acccess

Doctors will be performing more house calls by computer or by phone as technology advances and as the demand for available doctors grow. This is good news if you are sick, don’t need urgent care and you don’t want to wait for an appointment just to speak with your doctor. With many doctors overbooked, patients in some metro areas such as Boston and New York often have to wait over 2 months to see a doctor of their choice. With remote access in health monitoring, speaking with a doctor will be much easier and more convenient for both the patient and the doctor.

For example, a patient with high blood pressure can use a remote device or a remote monitoring system that checks their blood pressure multiple times per week and then transmits the data to the patient’s secure electronic health record where the physician can access the medical record. The physician would access the electronic medical health record after identifying themselves using strong two factor authentication. This can be done using login credentials, such as a user name and password, as one factor of authentication and a dynamic one time password sent to their mobile device as the second factor of authentication. The physician can then have a consultation over the computer or phone with the patient who can monitor the blood pressure levels all while the physician is off site.

According to the American Association of Medical Colleges, it is projected that there will be a shortage of 124,000 doctors by the year 2025. With this shortage of doctors, waiting lists to see doctors will get longer and finding a doctor will be more difficult. The need for remote doctor visits will increase and strong two factor authentication will help doctors monitor patient health records securely while helping them care for their patients more efficiently.

Remote access for physicians also lets physicians communicate with other healthcare professionals regardless of their location. Remote access patient monitoring allows physicians to monitor a patient’s electronic health records and speak with them over telephone or computer and nurses can provide care for the patient based on what the doctor recommends. Physicians need timely and accurate data to make correct decisions and give the right diagnostics. Accessing electronic medical records remotely allows them to receive the critical data they need at any time and at any location. Strong authentication protects this data from being breached and allows only authorized users to access the information.

The future of healthcare will revolve around technology which will allow patients to receive care at home with remote health monitoring systems. With the advances in technology that allows physicians to speak with patients remotely, the need for healthcare security to protect electronic health records also grows. Without the proper safeguards against protecting electronic health records, physicians accessing medical health records risk data breaches and attacks. Strong two factor authentication is a safe and secure way to helps doctors monitor electronic health records by allowing only authorized users to view sensitive health information.

How to Relieve Healthcare Breaches Through Authentication Security

Healthcare Data Breaches

Over 385 healthcare data breaches have been reported since September of 2009 on the website. Reported by the Secretary of Health and Human Services, any breach of over 500 individual’s records is required by the HITECH Act to be posted on their website. Although this data alone is astonishing by taking a closer look we can easily see how a more secure method of data protection can be achieved.

The most common form of data breach is through lost or stolen devices containing unencrypted confidential data. With over half of healthcare breaches coming from this route alone it would seem like a no brainer to keep all data stored on a central server that can be accessed remotely. This would eliminate half of the problem by not allowing data to be stored on devices.

Encryption Can Be Cracked

Although encryption may seem like the easy answer it would only solve part of the problem. Encryption can be cracked… if given enough time with an encrypted file a not so savvy criminal could gain access to confidential information. Also when it comes to data, 3 years down the line when the level of encryption is far less than its current state the confidential information is still just as valuable. Although the information would be encrypted, the old security would allow modern programs to crack that security more easily.

Server Security and the Cloud

At one time server security would not have been an option however advancements in not only IT security but authentication allow servers including cloud computing to be one of the most secure forms of data protection. By not allowing the data to be transmitted or stored it would not be floating around on unsecure devices. Also only authorized individuals would have access to the server which would eliminate data from being seen by restricted users.

Cloud computing is becoming widely adopted by corporations because security and accountability can be handled by 3rd party companies with more experience. So arguably, it can be safer to store data out in the open on a cloud than your very own server since the cloud security would be stronger.

Out-of-Band Authentication Security

Everyone has a mobile phone which they carry with them constantly. There are very few times when an individual does not have their mobile phone with them. This makes it a very effective and efficient form of authentication security. By sending an OTP through SMS text message, a user can be identified through an out-of-band authentication method. Furthermore by keeping the process out-of-band the process prevents malware from stealing information for authentication. It is an added layer of protection which creates a secure form of identifying users.

Over 19 million individuals have been affected by healthcare data breaches according to the archive. Through out-of-band authentication security almost 10 million patients and physicians personal information would be safe since over half the problem comes from unsecure devices. Encryption may seem like a secure answer but in the end keeping the data off of devices is where true security lies.