<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel><atom:link rel="hub" href="http://tumblr.superfeedr.com/" xmlns:atom="http://www.w3.org/2005/Atom"/><description>The Multi-Factor Guru provides information to the public about authentication security through multiple factors. Protecting businesses and the public from data breaches through malware, phishing and man-in-the-middle attacks.</description><title>Multi-Factor Guru</title><generator>Tumblr (3.0; @multifactorguru)</generator><link>http://multifactorguru.tumblr.com/</link><item><title>UFC.COM’S SECURITY BREACH, HACKERS RELEASE PERSONAL INFORMATION OF UFC’S PRESIDENT DANA WHITE</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9dpawrl1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;On Sunday, January 22&lt;sup&gt;nd&lt;/sup&gt;, UFC.com was hacked.  UFC.com was rerouted to the site UGnazi.com several times.  Dana White, the UFC’s president, called the site’s organizers terrorists at the “UFC on Fox 2” press conference.  The hacking of UFC.com is said to be the result of Dana White and the company’s support of SOPA and PIPA.  The SOPA and PIPA bills are aimed at stopping online piracy.&lt;/p&gt;
&lt;p&gt;The attack was also reported to be because of retaliation for the shutdown of the file sharing website Megaupload.com.&lt;/p&gt;
&lt;p&gt;Dana White did not tweet about the incident as he usually does about any incident related to UFC.com.  Dana White taunted the hackers to attack the site again saying reportedly, “Keep hacking our site, do it again. Do it tonight.”  The hacker that took credit for the hacking didn’t hack the site again, but posted Dana White’s personal information, including social security number, residential addresses, a vehicle identification number and personal phone number in reaction to the taunt.&lt;/p&gt;
&lt;p&gt;The hacker is now reportedly targeting Dana White.  Dana White responded by saying that he’s not afraid of the internet and that it’s where the cowards live.&lt;/p&gt;
&lt;p&gt;The hacking attacks might have been prevented if the UFC’s servers were protected by layered security such as &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt;.  If the servers were protected with two factor authentication, the network administrator could have been alerted that the site was being hacked and the hacker would have a much harder time gaining access to the site and redirecting it to another site.&lt;/p&gt;
&lt;p&gt;Big organizations such as the UFC.com aren’t immune to attacks and they should take precautionary measures to protect themselves against these types of attacks.  Two factor authentication is relatively cheap to implement compared to other security solutions, easy to use, and is a very effective way to thwart hacking attacks.  If the UFC can incorporate layered security into their servers and access controls, they have a better chance at protecting against future attacks and securing their servers.  If the UFC were as aggressive on implementing security methods on their site as they are with their marketing, they would be a much more secure company with a much more secure website.&lt;/p&gt;
&lt;p&gt;The hacking of UFC.com should have been addressed more seriously because a hacking incident like this should not be taken lightly.  Dana White and the UFC should acknowledge the hacking incident and also ensure fans of the website and organization that the site is easy to use since there are users that login to the site for updates and news.  Tickets are also purchased through UFC.com for events and users need to feel safe that their payment information and personal information will not be hacked and that the UFC.com is a secure site.  We will find out if the UFC will address the issue more seriously and if they will be hacked again.  Mixed Martial Arts is a popular sport and the UFC has a strong hold on the sport so fans will probably continue to log onto the site, but the UFC needs to be doing a better job at securing their website and servers so that hacking incidents don’t occur again and so that sensitive data of their users will be safe.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/22753312398</link><guid>http://multifactorguru.tumblr.com/post/22753312398</guid><pubDate>Wed, 09 May 2012 21:28:12 -0400</pubDate><category>security breach</category><category>two factor authentication</category><category>one time password</category></item><item><title>Verizon Reports Data Breach Count Rises While Records Breached Falls</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9jntJRK1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;With the number of data breaches on the rise, why is the number of records stolen dropping?&lt;/p&gt;
&lt;p&gt;Verizon recently released a report called the 2011 Data Breach Investigations Report (DBIR), in which it combines its caseload information with that of the United States Secret Service. Although the number of records breached has dropped from a record high of 361 million in 2008 to 144 million in 2009 and even lower to only 4 million in 2010, the total number of breaches occurring is rising. This could mean that smaller businesses are being targeted through different vulnerabilities than in recent years.&lt;/p&gt;
&lt;p&gt;Criminals Behind Bars Cause Others to Hide&lt;/p&gt;
&lt;p&gt;Some would say that because many criminals were recently placed behind bars, including 1200 suspects arrested in ’10, we are much safer. Others, mainly those involved in security, think the reduction in records stolen comes from a combination of higher security and, mainly, a greater desire to remain out of jail. Many large scale cyber criminals have recently been placed behind bars, including Albert Gonzalez and Maksym Yastremskiy, who were responsible for the 2010 payment card data breaches. With these spectacles of the law being known by hackers everywhere, it may be that criminals are lying low.&lt;/p&gt;
&lt;p&gt;Rather than targeting the higher risk companies who have more security and investigative power, cyber criminals seem to be targeting low hanging fruit. The statistics from Verizon’s report show organizations with 11 to 100 employees have been breached more in 2010 than other company sizes. Approximately 436 breaches took place in this size bracket compared to the 323 breaches that took place in all other employee size brackets combined. This is most likely due to the fact that the level of security utilized by these institutions is much less extensive than that of larger corporations.&lt;/p&gt;
&lt;p&gt;External Threats and Remote Access Security&lt;/p&gt;
&lt;p&gt;It is great to know that employees and competitors are not the direct cause for &lt;a href="http://www.multifactorauthentication.co/category/data-breach/" title="Data Breach" target="_blank"&gt;data breaches&lt;/a&gt;. However with 98% of breaches originating from organized criminal groups and unaffiliated persons it is plain to see that remote access security is a dilemma. The top 4 types of attacks resulted from hacking and malware. Although mobile devices have been seen as the source of evil lately in essence it is the server that has been the target. This is not to say that mobile devices will not haunt our future security woes as they may soon become the target of cyber thieves.&lt;/p&gt;
&lt;p&gt;In order to secure our privacy the problem lies in authenticating remote users. Anyone accessing the server should be an authorized user to prevent further deployment of malware. Furthermore with hackers creating programs for less skilled script kiddies to easily maneuver through security the need for remote access security will rise. These attacks that we have recently seen may just be groundwork that is being made for later attacks. By utilizing information from data breaches a hacker could create easy to use programs in which they can control many unskilled attackers from many locations to pull off a much larger breach of records.&lt;/p&gt;
&lt;p&gt;By utilizing a &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="What is two factor authentication" target="_blank"&gt;two-factor authentication&lt;/a&gt; method to identify users, many hacking attempts would be thwarted. However, in order to completely secure remote access, the need for out-of-band authentication from an &lt;a href="http://www.dynapass.com/one-time-password.php" title="one time password" target="_blank"&gt;OTP&lt;/a&gt; is rising greatly. With over 50% of breaches resulting from malware, an out-of-band solution allows for authentication to take place without chance of being breached by malicious software.&lt;/p&gt;
&lt;p&gt;With new reports by Verizon and other companies being released constantly we can view the change and evolution of attacks. More importantly we can see trends which may lead to future attacks and prevent data breaches through preventative security measures.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/21807433085</link><guid>http://multifactorguru.tumblr.com/post/21807433085</guid><pubDate>Wed, 25 Apr 2012 18:26:00 -0400</pubDate><category>one time password</category><category>what is two factor authentication</category><category>data breaches</category></item><item><title>How to Prevent Fraud Using Out Of Band Authentication</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9iaEG4W1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;Over the past few decades, fraud has increased dramatically with the use and advance of technology. Hackers fraudulently access confidential data, steal the information and sell it online. Hackers can also sometimes utilize that information to gain access to other information sources to cause even more damage. In some cases, thieves fraudulently identify themselves as the hacked users and use their billing information to order products or services online. Whichever way the data is used, this type of fraud can be prevented by utilizing an out-of-band &lt;a href="http://www.dynapass.com/" target="_blank"&gt;authentication&lt;/a&gt; method.&lt;/p&gt;
&lt;p&gt;Fraud spawns from malware: malicious programs hidden on a victim’s computer that siphon pieces of confidential data. Once an attacker has their trojan, virus, key logger or one of many other malicious applications, they can start to gain pieces of information that could potentially be used for a &lt;a href="http://www.multifactorauthentication.co/category/data-breach/" target="_blank"&gt;data breach&lt;/a&gt;. By gaining information such as usernames, passwords and sometimes an OTP, a hacker can fraudulently identify themselves as an authentic user and steal information from private networks.&lt;/p&gt;
&lt;p&gt;In some cases a fraud victim’s information can be stolen through a phishing site which looks identical to the website that the user is trying to access online. This phished information could then be used to access sensitive data online and it can also be used to access other websites where the logins may be the same. Out of band authentication methods protect against unauthorized access of personal information by using a dynamic one time password which can safely be received through a separate channel than the primary one.&lt;/p&gt;
&lt;p&gt;Online banking attacks can be prevented utilizing out of band authentication methods. An attacker may try to make an online purchase, transfer money or withdraw funds by fraudulently accessing a user’s account. Out of band authentication can prevent unauthorized transactions by sending a one-time password to the user’s mobile phone or any other device which can utilize a separate network of communication than the access point to confirm transactions. If the user receives a one-time password when they did not initiate a transaction, they can decline it and can report it to their financial institution for further investigation.&lt;/p&gt;
&lt;p&gt;Out-of-band authentication provides an added layer of protection while accessing information or making transactions. By utilizing the separate network of communication, a one-time password is kept hidden from attackers as well as verifying the user through ownership of a token generating device. If an attacker were to compromise login credentials or install malware on a computer used for authentication, they still would not be able to gain access to the one-time password which is sent either to the mobile device or something else the authorized user has that can receive and communicate some form of out of band authentication. Out of band authentication can be used to secure and prevent some of the most commonly known and most sensitive data breaches.&lt;/p&gt;
&lt;p&gt;Data breaches are often covered by the media these days, and for good reason. With information gained from a data breach like the RSA data breach, an attacker can fraudulently access accounts to obtain more information for more serious attacks. This is why prevention of fraud should start at the access level. Once access is granted and compromised, vital information can be used and attackers can access the victim’s sensitive data.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/19747422541</link><guid>http://multifactorguru.tumblr.com/post/19747422541</guid><pubDate>Thu, 22 Mar 2012 17:25:00 -0400</pubDate><category>out of band authentication</category><category>data breach</category><category>one time password</category></item><item><title>Strong Authentication Helps Doctors Monitor Patients Through Remote Access</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9gg6Mnl1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;Doctors will be performing more house calls by computer or by phone as technology advances and as the demand for available doctors grows. This is good news if you are sick, don’t need urgent care and you don’t want to wait for an appointment just to speak with your doctor. With many doctors overbooked, patients in some metro areas such as Boston and New York often have to wait over 2 months to see a doctor of their choice. With remote access in health monitoring, speaking with a doctor will be much easier and more convenient for both the patient and the doctor.&lt;/p&gt;
&lt;p&gt;For example, a patient with high blood pressure can use a remote device or a remote monitoring system that checks their blood pressure multiple times per week and then transmits the data to the patient’s secure electronic health record where the physician can access the medical record. The physician would access the electronic medical health record after identifying themselves using strong &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt;. This can be done using login credentials, such as a user name and password, as one factor of authentication and a dynamic &lt;a href="http://www.dynapass.com/one-time-password.php" title="one time password" target="_blank"&gt;one time password&lt;/a&gt; sent to their mobile device as the second factor of authentication. The physician can then have a consultation over the computer or phone with the patient who can monitor the blood pressure levels all while the physician is off site.&lt;/p&gt;
&lt;p&gt;According to the American Association of Medical Colleges, it is projected that there will be a shortage of 124,000 doctors by the year 2025. With this shortage of doctors, waiting lists to see doctors will get longer and finding a doctor will be more difficult. The need for remote doctor visits will increase and strong two factor authentication will help doctors monitor patient health records securely while helping them care for their patients more efficiently.&lt;/p&gt;
&lt;p&gt;Remote access for physicians also lets physicians communicate with other healthcare professionals regardless of their location. Remote access patient monitoring allows physicians to monitor a patient’s electronic health records and speak with them over telephone or computer and nurses can provide care for the patient based on what the doctor recommends. Physicians need timely and accurate data to make correct decisions and give the right diagnostics. Accessing electronic medical records remotely allows them to receive the critical data they need at any time and at any location. Strong authentication protects this data from being breached and allows only authorized users to access the information.&lt;/p&gt;
&lt;p&gt;The future of healthcare will revolve around technology which will allow patients to receive care at home with remote health monitoring systems. With the advances in technology that allow physicians to speak with patients remotely, the need for healthcare security to protect electronic health records also grows. Without the proper safeguards protecting electronic health records, physicians accessing medical health records risk &lt;a href="http://www.multifactorauthentication.co/category/data-breach/" title="data breaches" target="_blank"&gt;data breaches&lt;/a&gt; and attacks. Strong two factor authentication is a safe and secure way to help doctors monitor electronic health records by allowing only authorized users to view sensitive health information.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/19578331748</link><guid>http://multifactorguru.tumblr.com/post/19578331748</guid><pubDate>Mon, 19 Mar 2012 13:37:00 -0400</pubDate><category>strong athentication</category><category>remote health monitoring</category><category>remote patient monitoring</category></item><item><title>How to Relieve Healthcare Breaches Through Authentication Security</title><description>&lt;p&gt;&lt;img align="middle" alt="Healthcare Data Breaches" src="http://media.tumblr.com/tumblr_m0w7m00PQ31r1b8k4.png"/&gt;&lt;/p&gt;
&lt;p&gt;Over 385 healthcare &lt;a href="http://www.multifactorauthentication.co/category/data-breach/" title="data breach information" target="_blank"&gt;data breaches&lt;/a&gt; have been reported since September of 2009 on the HHS.gov website. Reported by the Secretary of Health and Human Services, any breach of over 500 individuals’ records is required by the HITECH Act to be posted on their website. Although this data alone is astonishing, by taking a closer look we can easily see how a more secure method of data protection can be achieved.&lt;/p&gt;
&lt;p&gt;The most common form of data breach is through lost or stolen devices containing unencrypted confidential data. With over half of healthcare breaches coming from this route alone it would seem like a no brainer to keep all data stored on a central server that can be accessed remotely. This would eliminate half of the problem by not allowing data to be stored on devices.&lt;/p&gt;
&lt;h3&gt;Encryption Can Be Cracked&lt;/h3&gt;
&lt;p&gt;Although encryption may seem like the easy answer it would only solve part of the problem. Encryption can be cracked… if given enough time with an encrypted file a not so savvy criminal could gain access to confidential information. Also when it comes to data, 3 years down the line when the level of encryption is far less than its current state the confidential information is still just as valuable. Although the information would be encrypted, the old security would allow modern programs to crack that security more easily.&lt;/p&gt;
&lt;h3&gt;Server Security and the Cloud&lt;/h3&gt;
&lt;p&gt;At one time server security would not have been an option; however, advancements in not only IT security but also &lt;a href="http://www.multifactorauthentication.co" title="Authentication Information" target="_blank"&gt;authentication&lt;/a&gt; allow servers, including cloud computing, to be one of the most secure forms of data protection. By not allowing the data to be transmitted or stored, it would not be floating around on unsecure devices. Also, only authorized individuals would have access to the server, which would eliminate data from being seen by restricted users.&lt;/p&gt;
&lt;p&gt;Cloud computing is becoming widely adopted by corporations because security and accountability can be handled by 3rd party companies with more experience. So arguably, it can be safer to store data out in the open on a cloud than your very own server since the cloud security would be stronger.&lt;/p&gt;
&lt;h3&gt;Out-of-Band Authentication Security&lt;/h3&gt;
&lt;p&gt;Everyone has a mobile phone which they carry with them constantly. There are very few times when an individual does not have their mobile phone with them. This makes it a very effective and efficient form of authentication security. By sending an OTP through SMS text message, a user can be identified through an out-of-band authentication method. Furthermore by keeping the process out-of-band the process prevents malware from stealing information for authentication. It is an added layer of protection which creates a secure form of identifying users.&lt;/p&gt;
&lt;p&gt;Over 19 million individuals have been affected by healthcare data breaches according to the HHS.gov archive. Through out-of-band authentication security almost 10 million patients’ and physicians’ personal information would be safe since over half the problem comes from unsecure devices. Encryption may seem like a secure answer but in the end keeping the data off of devices is where true security lies.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/19305130459</link><guid>http://multifactorguru.tumblr.com/post/19305130459</guid><pubDate>Wed, 14 Mar 2012 16:58:00 -0400</pubDate><category>healthcare data breaches</category><category>two factor authentication</category><category>HITECH Act</category><category>OTP</category></item><item><title>Zappos.com Hacked: How Data Breaches Affect Us</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9kxZNRL1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;The latest big ecommerce site to be the victim of a cyber attack was Zappos.com, hit by a hacker who accessed a part of the company’s internet network through one of its servers in Kentucky, CEO Tony Hsieh said in an email to employees on January 15, 2012. The data breach compromised customer account information such as billing addresses, names, email addresses, phone numbers, passwords in encrypted form, and the last four digits of credit card numbers. CEO Tony Hsieh said the security problem did not affect “critical credit card and other payment data” and that they were “cooperating with law enforcement to undergo an exhaustive investigation.”&lt;/p&gt;
&lt;p&gt;Zappos.com was acquired by Amazon.com in July, 2009 for $1.2 billion and operates as an independent unit of Amazon.com. Amazon.com is known for having security measures, such as &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt;, in place to protect its customers’ personal data. The company will be notifying 24 million customers to change their passwords as a protective measure and to also reset their passwords anywhere else where their passwords may be the same. A menu has been added to Zappos.com pages to “create a new password” to encourage customers to change their passwords as soon as possible. The company is known for their stellar customer service and due to the high volume of customer calls, they will be switching their phones off and directing customers to contact them via email for assistance.&lt;/p&gt;
&lt;p&gt;Even though security measures such as stronger passwords can be in place to protect customers, ecommerce companies like Zappos.com can be attacked by hackers and data can still be compromised. Not enough information has been released on the attack yet, but customers know that they need to change their passwords to protect themselves. Zappos.com, on the other hand, knows now that they need to have better security measures in place to protect their servers and to better detect threats from hackers in the future.&lt;/p&gt;
&lt;p&gt;The scariest part of the data breach is that customers’ passwords in encrypted form were stolen, and these can be cracked by software that can decode them. This would allow hackers access to their logins across other sites if they use the same email and password logins. Zappos.com customers that have been breached should be careful to use different passwords on different ecommerce sites to reduce the chances of their information being compromised, so that if one site gets attacked, their information won’t be able to be used on other sites. Users that utilize stronger passwords using a combination of letters, numbers and symbols reduce the chance of hackers “guessing” their passwords. Unfortunately, Zappos.com servers were hacked, which users cannot control, but using stronger passwords across the different sites that their personal information is stored on decreases the chances of their passwords being hacked or stolen.&lt;/p&gt;
&lt;p&gt;Some users who have Gmail accounts were also compromised recently. Users were notified that suspicious activity occurred on their accounts and were advised to change their passwords. Some users were compromised by hackers in other countries such as India, Germany and Russia for example. Gmail users that utilize stronger passwords with a combination of letters, numbers and symbols will be safer than users that utilize only letters and numbers. With Zappos.com accounts and Gmail accounts being compromised recently, users are reminded that stronger passwords should be used on any accounts that store their information online and also to use separate passwords across different accounts to protect their sensitive information.&lt;/p&gt;
&lt;p&gt;Gmail offers two factor authentication options if you enable them, but this feature is not activated by default. Amazon offers &lt;a href="http://www.multifactorauthentication.co/" title="multi factor authentication" target="_blank"&gt;multi factor authentication&lt;/a&gt; for their web services, but Zappos.com is run independently and does not yet incorporate multi factor authentication for their users. The added layer of security from the two-factor authentication process allows for a safer user experience online in situations where sensitive information is stored and shared. It makes one wonder if a two-factor authentication solution could have prevented the Zappos.com Data Breach not only with their users, but also in protecting access to their servers. For instance, if a Zappos.com employee was alerted using their mobile phone that a server was being accessed, they could receive a &lt;a href="http://www.dynapass.com/one-time-password.php" title="one-time password" target="_blank"&gt;one-time password&lt;/a&gt; and use their login credentials to authorize access or reject access which could have prevented the attack.&lt;/p&gt;
&lt;p&gt;Strong passwords along with better password policies can make for stronger security. Strong two-factor authentication can enhance security and potentially keep companies like Zappos.com alert and on guard against attacks, for example, if servers are being accessed by unauthorized individuals.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/18858065455</link><guid>http://multifactorguru.tumblr.com/post/18858065455</guid><pubDate>Tue, 06 Mar 2012 15:05:00 -0500</pubDate><category>two factor authentication</category><category>multi factor authentication</category><category>one time password</category><category>zappos hacked</category><category>zappos data breach</category></item><item><title>Amazon Protects Against Fraud with Multi Factor Authentication</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9n6RTlo1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;Amazon.com has not only become the largest online bookstore, but is also a multinational ecommerce company. The company has been spreading its reach like branches of a river while supplying goods to countries across the world. Amazon.com started off by profiting from being an online book brokering system and later offering many products. Amazon.com grew its business through online associates in the form of users.&lt;/p&gt;
&lt;p&gt;When scaling a company by having users contributing to both ends of business, buying and selling, fraudulent and malicious activities become inevitable. Amazon did not become one of the largest ecommerce websites in the world by lacking in security though. In 2009, Amazon started to offer multi-factor authentication to protect its users against fraud. They now offer free identification through any mobile device or computer which can run a Time-Based &lt;a href="http://www.dynapass.com/one-time-password.php" title="One-Time Password" target="_blank"&gt;One-Time Password&lt;/a&gt; application. They also offer paid multi-factor authentication through a third party proprietary authentication token from Gemalto which is supposed to offer higher security.&lt;/p&gt;
&lt;h3&gt;Free Amazon Multi-Factor Authentication&lt;/h3&gt;
&lt;p&gt;If you are able to run a time-based one-time password application on your smart phone, tablet or computer you can utilize the free AWS MFA process. Using this method, when you log into your account with your traditional username and password, a token will be delivered to the application. The token is a one-time password that is generated from an out-of-band network separate from the user’s login network which reduces the chances of man in the middle attacks and makes the authentication process more secure.&lt;/p&gt;
&lt;h3&gt;Gemalto Multi-Factor Authentication&lt;/h3&gt;
&lt;p&gt;To increase security even further, Amazon’s users may pay for service through Gemalto which offers a keyfob device for authentication. Amazon states Gemalto’s third party proprietary token device offers better security than the free process. After the RSA hard token breaches, many people are skeptical about the proprietary OTP token’s security.&lt;/p&gt;
&lt;h3&gt;Secure Cloud Computing&lt;/h3&gt;
&lt;p&gt;Amazon, like many companies, is run on a cloud of servers which allows remote access of data to many users at once. Amazon.com and its cloud network offer financial information to its publishers so they can track their earnings. A publisher’s user account could display earnings and options for payment to the user. This is one of the reasons why the need for authentication security using a multi-factor process was necessary.&lt;/p&gt;
&lt;p&gt;One of the most secure forms of protection for any company storing data on the cloud is by using an out-of-band, multi-factor authentication process which Amazon has implemented. This is especially true for ecommerce websites which may be storing financial data and personal information belonging to thousands of users. This added layer of security could be the very reason why the multinational electronic commerce corporation has not been present on recent &lt;a href="http://www.multifactorauthentication.co/category/data-breach/" title="data breach" target="_blank"&gt;data breach&lt;/a&gt; lists.&lt;/p&gt;
&lt;p&gt;2011 was the year of data breaches and more companies are becoming like Amazon and are starting to utilize cloud computing. Will these companies follow suit to provide better protection and privacy to their users that are accessing information on the cloud or will there be a bigger data breach list containing more corporations in 2012? Companies utilizing the cloud to store and access information need to add additional layers of security to protect the information and the best way for them to do that is to utilize &lt;a href="http://www.multifactorauthentication.co/" title="multi factor authentication" target="_blank"&gt;multi factor authentication&lt;/a&gt;.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/18456034074</link><guid>http://multifactorguru.tumblr.com/post/18456034074</guid><pubDate>Tue, 28 Feb 2012 17:14:00 -0500</pubDate><category>multi factor authentication</category><category>one time password</category><category>data breaches</category></item><item><title>What is the Future of Security with Two-Factor Authentication?</title><description>&lt;p&gt;&lt;img src="http://media.tumblr.com/tumblr_m3s9pj0fUh1r1b8k4.jpg"/&gt;&lt;/p&gt;
&lt;p&gt;Although the Health Insurance Portability and Accountability Act was created in 1996, it was not always meant to secure the privacy of electronic health records. Originally HIPAA was created for paper health record privacy; before HIPAA there was no security standard implemented to protect patient privacy. As time moves forward so does technology, and in the past decade advances in healthcare industry technology created a need for a more secure way of handling medical records.&lt;/p&gt;
&lt;p&gt;With electronic health records becoming more readily available at cost efficient rates healthcare facilities made the move to these types of documents. Also with government regulation mandating electronic health records the Security Standards for the Protection of Electronic Protected Health Information also known as “the Security Rule” was created and enforced. This new set of regulations was created to ensure privacy of patient medical information while being stored or transmitted in their electronic form.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="Two factor authentication" target="_blank"&gt;Two factor authentication&lt;/a&gt;, a process in which two separate factors of authenticating are used to identify a user, was not originally a necessary part of the security process stated in the HIPAA Security Rule. Throughout the years this form of authentication has grown to be a required piece of compliance for HIPAA.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.multifactorauthentication.co/" title="multi factor authentication" target="_blank"&gt;Multi factor authentication&lt;/a&gt; was mentioned back in October 2003 in a PDF released by the National Institute of Standards and Technology. The document titled “Guide to Selecting Information Technology Security Products” stated what authentication was but did not necessarily require the implementation of this type of security. Obviously with electronic medical records being so new and not used across all facilities the need for specific authentication was not created or enforced.&lt;/p&gt;
&lt;p&gt;Then in April 2006 a new document was released by the NIST called “Electronic Authentication Guideline” which stated 4 levels of security in which some required a strong authentication process. The use of two factor authentication was mentioned in the 3rd level which states the need for a token to be required. This token can either be a soft/hard token or a &lt;a href="http://www.dynapass.com/one-time-password.php" title="one-time password" target="_blank"&gt;one-time password&lt;/a&gt;. With more hospitals accepting EHRs the need for stronger security guidelines arose.&lt;/p&gt;
&lt;p&gt;Although there were now regulations in place that stated the requirement for two factor authentication they were unclear and did not state the need for specific IT security controls. After an audit by the Office of Inspector General found the need for these IT security controls the old NIST document was revised. The “Electronic Authentication Guideline” drafted in June 2011 is a revision of the publication which states more clearly the need for specific two factor authentication including acceptable token types.&lt;/p&gt;
&lt;p&gt;We can see the increasing need for security in the healthcare industry. Regulating compliance was not always necessary, but with everything changing and government mandates put in place, compliance guidelines have been improving. It does not seem to be over either: a recent draft by the NIST created May 2011, titled “Cloud Computing Recommendations”, talks loosely about multi factor authentication to access the cloud. This goes to show that as technology moves forward and more ways of storing/accessing data are created, the need for regulation arises. This is especially true when healthcare facilities are accepting and utilizing this new technology more and more.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/17775956614</link><guid>http://multifactorguru.tumblr.com/post/17775956614</guid><pubDate>Fri, 17 Feb 2012 14:11:00 -0500</pubDate><category>two factor authentication</category><category>multi factor authentication</category><category>one time password</category></item><item><title>FFIEC Authentication Guidance Update: The Need for Out Of Band Authentication</title><description>&lt;p&gt;The Federal Financial Institutions Examination Council’s (FFIEC) guidance for financial institutions, which was first issued in 2005, supports the use of strong authentication processes to protect customer identities and information during transactions that occur online.&lt;/p&gt;
&lt;p&gt;The FFIEC revisited these guidelines and addresses several areas because of the increasing number of identity fraud cases, phishing attacks, malware and man in the middle attacks. The FFIEC authentication guidance update addresses evaluating better risk assessment, adopting stronger authentication standards, using layered security, advanced authentication techniques and providing technology guidance for compliance.&lt;/p&gt;
&lt;p&gt;Much of the focus of the FFIEC guidance update is regarding adoption of &lt;a href="http://www.dynapass.com/two-factor-authentication.php" target="_blank"&gt;strong authentication&lt;/a&gt; for consumers and commercial banking. Financial institutions need to provide solutions and offer advice to the customers they service in addition to enhancing their online security measures.&lt;/p&gt;
&lt;p&gt;The most effective strategy for detecting and preventing banking fraud schemes is to implement the use of layered security. “Layered security,” as defined by the FFIEC is “the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” Multiple layers of security have been proven to prevent identity attacks. If one security layer fails, the other layer of security is in place to prevent fraud attacks. Layered security options include out of band authentication and advanced transaction verification.&lt;/p&gt;
&lt;p&gt;As financial institutions analyze online risks, they need to consider mobile devices as an effective layer for out of band authentication. Financial institutions aren’t doing enough when it comes to using mobile devices as an out of band layer for additional authentication. Most financial institutions are not flexible enough to respond to fraudulent attacks because they have the fraud detection technologies, but they can’t respond to these attacks fast enough to stop them.&lt;/p&gt;
&lt;p&gt;The majority of financial institutions rely on risk controls and fraudulent detection technologies that don’t prevent or stop the new kind of attacks. Their security programs are not strong enough to combat these fraud attacks and they need to be building risk and security programs that aid fraud departments. These financial institutions also need to be dedicating budgets to quickly respond to these new kinds of attacks when they’re detected to minimize their losses. It’s not so much that the technology is a problem, but rather the minimal budgeting financial institutions have to combat these attacks.&lt;/p&gt;
&lt;p&gt;Many of today’s financial institutions are relying on weak multi factor authentication such as a combination of usernames/passwords and some form of knowledge based authentication such as a question and answer or using a pin number. The FFIEC guidance has a stance on single factor authentication and many online fraud and identity attacks are the result of single factor authentication or weak multi factor authentication.&lt;/p&gt;
&lt;p&gt;The FFIEC guidance and recommendations address better risk assessments, adopting stronger authentication standards, pushing towards multiple layers of security, exploring advanced authentication techniques and providing technology guidance for compliance.&lt;/p&gt;
&lt;p&gt;Driving better risk assessments for financial institutions requires a better understanding of the new attacks and how to respond to them in a timely manner. This includes guidance for regular reviews of the internal systems of banks and the ability of these systems to detect and deal with fraudulent attacks.&lt;/p&gt;
&lt;p&gt;Adopting stronger authentication standards is a must with the new types of attacks. User names and passwords aren’t enough to protect customers and neither are weak forms of multi factor authentication. Today’s attacks require stronger means of authentication especially for the high risk transactions such as wire transfers and ACH transactions. A way to adopt stronger authentication is to implement out of band authentication with a mobile device to prevent fraud attacks.&lt;/p&gt;
&lt;p&gt;Multiple layers of security are a proven way to prevent fraud attacks which include malware. If one security layer fails, another layer can prevent the fraudulent attack. Security such as out of band authentication and advanced transaction verification can be very effective forms of multiple security layers.&lt;/p&gt;
&lt;p&gt;Authentication technology needs to evolve and stay innovative as fraudulent attacks increase in sophistication. Financial institutions can implement mobile devices with out of band authentication and use stronger challenge questions as an example.&lt;/p&gt;
&lt;p&gt;Providing technology guidance is a focus of the FFIEC and they provide instruction on technology and solutions such as fraud detection platforms. Other solutions also include fraud transaction monitoring and/or anomaly detection software.&lt;/p&gt;
&lt;p&gt;Financial institutions can increase their security and at the same time keep their costs low by implementing out of band authentication solutions. Out of band authentication can be cost effective and a user friendly option since existing devices are already owned by users. This eliminates the high costs of implementing or deploying additional devices. By using a different medium such as a mobile device, smart phone, tablet, email, or SMS, an independent authentication can be delivered to users.&lt;/p&gt;
&lt;p&gt;In using an out of band authentication, a customer can enter a one time password when prompted during an online session and the password can be sent through a mobile device. Without using the out of band authentication network (customer’s mobile phone), a transaction cannot be completed and a message can be sent to the customer that an attempt to access an online session was not complete. Out of band authentication is a highly effective technology and can prevent fraud attacks.&lt;/p&gt;
&lt;p&gt;Most authentication methods can be compromised by phishing attacks and the focus needs to be on authenticating transactions to prevent fraud attacks. Financial institutions need to have filters in place for any and all transactions. There is always a risk for fraud, but managing the risk by implementing out of band authentication can help lower these risks dramatically.&lt;/p&gt;
&lt;p&gt;Many financial institutions consider out of band authentication a crucial part of preventing fraud, but some institutions find that customers may find out of band authentication too difficult to use. The effectiveness of out of band authentication must be balanced with usability so that integration is not an issue for institutions or their customers. When the risk is higher than the cost to implement a security measure, it’s worth it for a financial institution to implement security like &lt;a href="http://www.dynapass.com" target="_blank"&gt;out of band authentication&lt;/a&gt; to prevent attacks and to protect their customers.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/17732870488</link><guid>http://multifactorguru.tumblr.com/post/17732870488</guid><pubDate>Thu, 16 Feb 2012 18:13:21 -0500</pubDate><category>two factor authentication</category><category>one time password</category></item><item><title>Don’t Give Attackers a Chance By Leveraging Strong Authentication to Combat Data Breaches</title><description>&lt;p&gt;Evolution and adaptation are the topics of discussion when it comes to data breaches, but why is it that we are growing or changing for incidents that have already happened? Is it really easier to react than it is to be proactive in enhancing an organization’s security? After a company loses confidential documents, whether to data breaches or careless efforts, most organizations only start to change their information technology security when responding to the data breaches or attacks.&lt;/p&gt;
&lt;p&gt;When it comes to confidential customer information a more proactive approach is better if you want to keep your customers happy and safe. Utilizing electronic documents combined with two-factor authentication, also called strong authentication, offers both the portability and privacy an organization needs. Privacy concerns can ruin a relationship between an organization and consumers if the proper care is not taken to ensure a person’s privacy. Not only does a consumer lose confidence in their security with an organization, an organization can also be fined for not having the proper security measures in place. So why would an organization ever take the chance of exposing confidential data by not properly securing it?&lt;/p&gt;
&lt;p&gt;In recent news, a doctor at an established hospital in Boston lost an external hard drive which contained 638 files of confidential patient information. This is not your typical &lt;a href="http://www.multifactorauthentication.co/category/data-breach/" title="data breach" target="_blank"&gt;data breach&lt;/a&gt; because a hacker never tried to plan an attack. However, information on the physician’s device could potentially be harmful to the privacy of patients. Technically, the doctor did put his patients at risk, however, the amount of risk was minimal, but that is not to say preventative measures could not have been taken. Had the doctor utilized electronic medical records stored on a server that is protected by two-factor authentication, a data breach would have been less likely.&lt;/p&gt;
&lt;p&gt;A common need for physicians is to access medical records at any given time, which is why the doctor had the documents on a portable storage device. Encryption is the usual defense for hardware security; however, there are many chances of something happening to a device, such as it being hacked or the information on it being damaged. Beyond that, encryption will never change or grow in the amount of security it offers unless you constantly update your encryption software. Eventually, confidential data could be accessed even if it had been encrypted.&lt;/p&gt;
&lt;p&gt;Storing information on a secure server using strong authentication could be the most effective way of accessing confidential data remotely and securely. Not only does using a secure server with strong authentication offer a higher level of protection, but it is more cost effective than many approaches that do not even offer the same level of security. You would never have to worry about losing a portable device and the chances of a hacker based data breach would be almost nonexistent. Also, all the information stored on the server is always up-to-date because even though one person is not in the office, the servers are often maintained and running.&lt;/p&gt;
&lt;p&gt;Using a secure server with &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt; to store sensitive information drastically lowers the chance of losing, damaging or misplacing confidential data compared to storing it on a device like an external hard drive. Two-factor authentication reduces the risk of an organization losing sensitive health information and it minimizes the chance of a patient’s health information being compromised. If there were a data breach or information was lost it would only reflect poorly on the organization and the hardware used to create and secure the data. Using two factor authentication, there would not be an instance of an individual losing a device in the first place, but more importantly it would eliminate possible malware that could record and transmit confidential data.&lt;/p&gt;
&lt;p&gt;Preventing an attack does not always depend on technology although it does prevent some forms of data loss. Never let attackers take a chance with your encrypted files by storing confidential data on storage devices. By utilizing secure services and by utilizing two-factor authentication, you can access your electronic information securely all while staying compliant with industry rules and regulations such as HIPAA and FFIEC which require forms of strong authentication.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/17566960280</link><guid>http://multifactorguru.tumblr.com/post/17566960280</guid><pubDate>Mon, 13 Feb 2012 16:18:04 -0500</pubDate><category>strong authentication</category><category>two factor authentication</category><category>data breach</category></item><item><title>What is the Future of Security with Two-Factor Authentication?</title><description>&lt;p&gt;What is the future of security and how are we protected from the advancing technologies of hackers and man in the middle attacks? There are believers who think two factor authentication is the future of security measures and there are also people who think that the technology behind &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt; has been proven to be vulnerable and that it will become obsolete and give way to a newer and more comprehensive security technology.&lt;/p&gt;
&lt;p&gt;Many people believe that it is the best type of security we currently have available today. Two factor authentication technology, when used properly online, can help make important sites such as financial sites more secure than previously, when only a password was required. Companies like Microsoft, Google and Bank of America have implemented various types of two factor authentication into various parts of their business. Companies like PayPal have made use of this technology and have incorporated it into their web services. This has added additional security to their services and has increased the security for their users.&lt;/p&gt;
&lt;p&gt;With these companies adopting two factor authentications and with the technology behind it continuing to advance, there are many who still say that the technology is obsolete because of the fact that it’s not perfect and it can still be compromised. There are skeptics, but what security programs haven’t been breached in some way or fashion? As more security breaches occur, the technology behind security advances to combat these breaches. Regular passwords are an outdated solution and are vulnerable to security breaches, man in the middle attacks and many websites don’t require anything more than just the regular password.&lt;/p&gt;
&lt;p&gt;Many vendors tout two factor authentications as the ultimate security technology which makes it easy for skeptics to downplay the importance and benefits of two factor authentication. Two factor authentication technology isn’t perfect, but it’s a growing technology that will advance and many businesses have found success in adopting this technology in their businesses. It is a security solution that has been working for many businesses and it’s not hard to understand why many people think it’s the best type of security we currently have.&lt;/p&gt;
&lt;p&gt;Two factor authentication is a solution that has set the bar for security and is an industry standard. As we adopt biometric technology and incorporate it into the mix, it’s only a matter of time before other businesses start using it and more businesses will be following suit.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/17327608456</link><guid>http://multifactorguru.tumblr.com/post/17327608456</guid><pubDate>Thu, 09 Feb 2012 14:24:09 -0500</pubDate><category>two factor authentication</category><category>man in the middle</category></item><item><title>Why You Need Two Factor Authentication Security</title><description>&lt;p&gt;Major institutions in almost every industry vertical are updating their data storage and record management systems to provide access to information over a network or across the internet. Although security is present it is not always as effective as it seems, even over a secure network.&lt;/p&gt;
&lt;p&gt;Usernames and passwords are no longer enough and have not been considered a high form of security for quite some time. Industry standards for access to secure information have risen and will continue to grow as more confidential data becomes available to users over the internet and ways of intercepting or accessing that data become more readily available. That is why &lt;a href="http://www.dynapass.com/two-factor-authentication.php" target="_blank"&gt;&lt;span&gt;two factor authentication&lt;/span&gt; solutions&lt;/a&gt; are highly feasible for accessing data securely.&lt;/p&gt;
&lt;p&gt;With identity theft, phishing and online fraud occurring more often, usernames and passwords are easy to obtain. Even if you change your credentials often that still does not stop hijackers from using your personal information they have already intercepted once to gain access over and over again. With two factor authentication not only do you need your traditional login information but also some other form of identifying yourself such as a &lt;a href="http://www.dynapass.com/one-time-password.php" title="one-time password" target="_blank"&gt;one-time password&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Highly secure 2 factor solutions will even offer an out-of-band solution for the second factor while authenticating. This means the data is coming from a separate network than the traditional login panel, making it less susceptible to being hacked or hijacked. With multiple networks to access and intercept it is not a completely bulletproof solution but more of an added layer of protection which is becoming necessary.&lt;/p&gt;
&lt;p&gt;Two factor authentications are some of the most efficient forms of security for internet or network based data communications. Mainly because there is no hardware to pay for and integration is usually seamless, quick and easy. Also there are many ways to connect the software whether you need a server, cloud, hardware or software based solution they are all readily available.&lt;br/&gt;Hardware and software key loggers are readily available and have been for a while, they are hard to detect and there is not much you can add to your system for protection from this form of hijacking. Two factor authentication solutions relieve the worry of getting your username and password siphoned from your system because the thief would need your second form of identification which is held on a completely separate system or network.&lt;/p&gt;
&lt;p&gt;With almost everything becoming available online and more access being thrown around from device to device a higher level of security is a necessity. In order to provide confidentiality and peace of mind to clients it is a company’s obligation to have a highly secure way of transferring their records and information. Two factor authentication solutions are that form of security and it can also be very cost effective.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/17229374860</link><guid>http://multifactorguru.tumblr.com/post/17229374860</guid><pubDate>Tue, 07 Feb 2012 17:37:39 -0500</pubDate><category>two factor authentication solutions</category><category>one time password</category><category>OTP</category></item><item><title>Securing your future with Out of Band Two Factor Authentication</title><description>&lt;p&gt;For decades two-factor authentication has been lurking in the shadows. Most people never even realized they were performing the process of authenticating with two factors to access almost any secure information over the web. However, as 2012 approaches, we are starting to see this technology adopted by many businesses, and more people understand the security behind two factor authentication and the importance of the technology. This could possibly be because there are so many attacks performed every day on everyone.&lt;/p&gt;
&lt;p&gt;It seems as though as time goes on more people and their information are being breached. Some of you may even know of friends or family that have fallen victim to identity theft attacks. Many people have had their emails and passwords to sites compromised and not even know it. There are also many instances where there are more advanced security breaches such as credit and banking fraud. As we become more accustomed to these scenarios we also become more educated and solutions against these types of attacks become more advanced.&lt;/p&gt;
&lt;p&gt;Of course remedying the easier attacks comes down to keeping your computer cleaned of malicious software as well as changing your password regularly. However combating the latter involves utilizing security solutions such as two-factor authentication. Although this form of authentication is more secure than using only a single factor there are certain parts of the process that can be more secure based on the solution vendor.&lt;/p&gt;
&lt;p&gt;Out-of-band two factor authentication solutions offer an added layer of security when authenticating. They require the user to receive a one-time password or pin on a separate network than the one they are trying to access. If a bank account holder were trying to access their online banking account from a different IP address than they usually do the bank may require this type of authentication by sending a pin to the client’s mobile phone through SMS text message. This would be considered an out-of-band two factor authentication.&lt;/p&gt;
&lt;p&gt;During out-of-band authentication, however, there is still a chance for attackers to steal information. Zero footprint authentication allows for a safe and secure experience while authenticating through an out-of-band device. Zero footprint security refers to the information that is left behind on the device used to relay the one time password. During the authentication process the client receives their &lt;a href="http://www.dynapass.com/one-time-password.php" target="_blank"&gt;OTP&lt;/a&gt; but all traces of the process are hidden with no data left behind.&lt;/p&gt;
&lt;p&gt;We will start to see changes to the most basic of two-factor authentications such as an ATM card and pin code. The future of computerized banking authentication will probably rely on an out-of-band solution since attackers are becoming so savvy to security. Scanners that can be placed within an ATM can easily steal your ATM card information as well as capture your pin code making this older two-factor authentication process less secure.&lt;/p&gt;
&lt;p&gt;The future of &lt;a href="http://www.dynapass.com/two-factor-authentication.php" target="_blank"&gt;two-factor authentication&lt;/a&gt; is promising as it can be applied to many security applications. With more secure forms of authenticating being implemented, it is becoming much safer to prevent fraudulent identity attacks. Even though we can never truly be 100% safe from identity theft and fraudulent activity we can become more secure making it harder for hackers to siphon information and steal personal records.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/16773343980</link><guid>http://multifactorguru.tumblr.com/post/16773343980</guid><pubDate>Mon, 30 Jan 2012 15:17:32 -0500</pubDate><category>out of band two factor authentication</category><category>2 factor authentication</category><category>OTP</category><category>one time password</category></item><item><title>Hackers, Mobile Technology and Social Media Site and Multi Factor Authentication</title><description>&lt;p&gt;Many organizations are responding to the increased popularity of mobile devices and social media with increases in security staffing. Security professionals are most concerned about targeted attacks, external hackers and insider threats. Mobile computing, social media and internet technologies make the security professional’s jobs much more challenging.&lt;/p&gt;
&lt;p&gt;According to reports, nearly 50 percent of IT security professionals say that external threats pose moderate to significant risks to their organizations, compared to 46 percent for accidental breaches by insiders and 44 percent for malicious insiders, according to the survey conducted by Symantec called the 2011 state of security survey, released August 31. Many organizations rank cyber attacks as bigger risks to their businesses than other forms of criminal activity or natural disasters.&lt;/p&gt;
&lt;p&gt;Mobile computing, social media and internet technologies were the top trends in the industry making enterprise security more challenging. Many organizations also think that securing platforms and data was significantly more important than it was 12 months ago. According to the report, 29 percent of organizations see attacks on a regular basis and 71 percent had been attacked at least once in the previous 12 months. The top kinds of attacks were malicious code, social engineering and other external attacks.&lt;/p&gt;
&lt;p&gt;About 46 percent of businesses reported increasing networking and web security staff, 41 percent of businesses planned to increase the budget for security and 38 percent of businesses plan to increase their budget for security systems management. As organizations are increasing their security to improve protection, the threats will continue to evolve.&lt;/p&gt;
&lt;p&gt;Businesses can protect themselves from these types of threats by integrating &lt;a href="http://www.multifactorauthentication.co/" title="multi factor authentication" target="_blank"&gt;multi factor authentication&lt;/a&gt; solutions to help combat these attacks. Multi-factor authentication is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. In contrast, single factor authentication involves only a user ID and password. In solutions that use &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentications" target="_blank"&gt;two factor authentications&lt;/a&gt;, the user provides dual means of identification, one of which is something like a physical token, such as a card, and the other of which is typically something memorized, such as a security code.&lt;/p&gt;
&lt;p&gt;As more organizations use mobile technologies and social media on these mobile devices, the threats will continue and solutions such as multi factor authentications will be the key to reducing these security threats. Additional authentication methods that can be used in MFA include biometric verification such as finger scanning, iris recognition, facial recognition and voice ID. Smart cards and other electronic devices can be used along with the traditional ID and password.&lt;/p&gt;
&lt;p&gt;When discussing security, layers are always necessary. Multi factor authentication is a great solution to prevent intruders, but other measures need to be taken against malicious code. All systems need to be protected against various types of penetration. Organizations will still need firewalls, intrusion prevention systems and other types of security measures.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/16543244528</link><guid>http://multifactorguru.tumblr.com/post/16543244528</guid><pubDate>Thu, 26 Jan 2012 17:54:52 -0500</pubDate><category>OTP</category><category>IT security</category><category>multi-factor authentication</category></item><item><title>Two-Factor Authentication in our Daily Lives – Something You Have and Something You Know</title><description>&lt;p&gt;Most people never even realize they have used two-factor authentication almost every day of their lives. In actuality everyone has used the process for identifying themselves and continue to use it day in and day out. You may be asking yourself, “How could I have used two-factor authentication everyday without being aware of it”? Maybe not realizing it but every time you access the ATM you are using two-factor authentication.&lt;/p&gt;
&lt;p&gt;A single factor for identifying yourself such as a username/password combination is not secure even in the slightest these days. That is, unless you do not care about the information or network you are trying to access utilizing traditional methods of identification. It does not take much effort even by a novice hacker to implement malicious software used to steal your usernames and passwords. Key logging software is available across the web and can be found as easily as typing in “key logging software” in Google.&lt;/p&gt;
&lt;p&gt;Two-factor authentication increases security by requiring a second form of identification beyond your traditional username and password combo. Something you have would be the second factor in the authentication process. Little did you know, you have been using two-factor authentication any time you pull out your ATM card; this is something you have. Then you enter your PIN, which is something you know. The two separate factors are used together to securely identify you as the account holder.&lt;/p&gt;
&lt;p&gt;Although an ATM card and PIN combination is a very widely used two-factor authentication system, the process is also used for identifying users in many other situations. Accessing online banking records requires a two-factor process many times, as well as creating a Google account. Have you ever forgotten your password to an account and had to receive an email with a code which you would then use along with your username to access the account again? This would even count as a two-factor authentication since the email would contain a one-time password which you would use alongside your username to identify yourself.&lt;/p&gt;
&lt;p&gt;It seems something you have and something you know have been a part of our lives for quite some time. Most people never realize how much they use the process daily or how utilizing the process for other types of identification could prevent many malicious attacks. That is, until they are hacked and have their identity stolen or customer information siphoned from their network.&lt;/p&gt;
&lt;p&gt;Were you aware of how much security plays a part in your everyday life and how &lt;a href="http://www.dynapass.com/two-factor-authentication.php" target="_blank"&gt;two-factor authentication&lt;/a&gt; is utilized so much to authenticate someone’s identity? If you did not know about something you have and something you know, the two-factor authentication process, you may start to see it in action more during everyday transactions.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/16491153897</link><guid>http://multifactorguru.tumblr.com/post/16491153897</guid><pubDate>Wed, 25 Jan 2012 19:19:35 -0500</pubDate><category>two factor authentication</category></item><item><title>Tokenless Two Factor Authentication – More Secure and More Cost Effective than Using Tokens</title><description>&lt;p&gt;Are you or your organization re-evaluating its use of SecurID tokens following the RSA breach? After the March attack on RSA, where hackers stole information later used in an attack on U.S. defense contractor Lockheed Martin, RSA was forced to offer replacement SecurID keys to all its tens of millions of customers. The recent data breach at RSA Security is encouraging IT professionals to re-evaluate alternative authentication methods and to reconsider the safety of token based authentication.&lt;/p&gt;
&lt;p&gt;Dedicated tokens, like the ones produced by RSA, provide a one-time password typically every 60 seconds and have been the traditional approach to &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt; for many years. More recently, tokenless solutions have been the talk of two factor authentication mainly for their ability to deliver one time passwords on demand to a standard mobile phone or smart phone. Most people carry one of these devices with them all the time.&lt;/p&gt;
&lt;p&gt;&lt;br/&gt;A tokenless solution eliminates the need to carry a separate piece of hardware, such as a keyfob, and reduces the costs and time associated with provisioning new and replacement tokens. Tokens remain the most used solution for frequent users who rely on getting secure remote access to systems and information from any computer at any time.&lt;/p&gt;
&lt;p&gt;Two factor authentication has become an IT security necessity for many reasons. Threats are increasing in frequency and sophistication. Industry regulators like PCI DSS, FFIEC, HIPAA and Sarbanes-Oxley require it. Your employees, customers and shareholders expect you to protect the sensitive data you are storing and transmitting on their behalf.&lt;/p&gt;
&lt;p&gt;Security tokens and many other forms of two factor authentication have proven to be inconvenient for your users, troublesome for your IT department, and expensive to implement and support. Phone based authentication provides strong two factor security with the ease and convenience your users and your IT department demand at a fraction of the cost.&lt;/p&gt;
&lt;p&gt;Tokens and other similar devices don’t protect against emerging threats, such as man-in-the-middle attacks. Out of band authentication, which utilizes a separate channel for the second factor of the authentication, is widely recognized as a best practice for two factor authentication. Any device, such as a security token, keyfob, USB token or soft token, which requires an OTP to be keyed into the original login interface, doesn’t meet the criteria for out of band authentication and is vulnerable to attack.&lt;/p&gt;
&lt;p&gt;Token based systems require training and require users to change their behavior. Sometimes users have a difficult time remembering the order in which the PIN and token digits are entered. Some systems require administrators to modify applications before they will work.&lt;/p&gt;
&lt;p&gt;Since some security tokens must be mailed, provisioned, inventoried and replaced, they require IT resources to deploy and support. An IT department can become a material part of the total cost of ownership for a token solution because of lost security tokens, expiring tokens that must be re-provisioned every 2-5 years and tokens that can get out of sync, meaning the &lt;a href="http://www.dynapass.com/" title="one time password" target="_blank"&gt;one time password&lt;/a&gt; that is generated is not the same one the login application is expecting.&lt;/p&gt;
&lt;p&gt;Tokenless two factor authentication doesn’t require security tokens or other devices to deploy or manage, and there is no software or certificates for end users to install, so it requires very little effort to implement and virtually no ongoing support. Tokenless two factor authentication is much more cost effective to implement because there is no need for a huge IT department, security tokens or other devices, and it requires minimal training to use. Most tokenless two factor authentication solutions have a low annual fee per user or per authorization, no hardware to purchase or install, no security tokens or devices to manage and users replace their own lost or damaged phones. A very good tokenless two factor authentication solution comes from a company called DynaPass Inc. They provide mobile based two factor authentication solutions that offer a greater level of security and a better user experience than security tokens, like RSA SecurID, security fobs and other authentication tokens. It is significantly less expensive to deploy and maintain. For more information on tokenless two factor authentication, try visiting &lt;a href="http://www.DynaPass.com" target="_blank"&gt;www.DynaPass.com&lt;/a&gt;.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/16135648083</link><guid>http://multifactorguru.tumblr.com/post/16135648083</guid><pubDate>Thu, 19 Jan 2012 17:35:00 -0500</pubDate><category>two factor authentication</category><category>one time password</category></item><item><title>Tokenless Two Factor Authentication – More Secure and More Cost Effective than Using Tokens</title><description>&lt;p&gt;Are you or your organization re-evaluating its use of SecurID tokens following the RSA breach? After the March attack on RSA, where hackers stole information later used in an attack on U.S. defense contractor Lockheed Martin, RSA was forced to offer replacement SecurID keys to all its tens of millions of customers. The recent data breach at RSA Security is encouraging IT professionals to re-evaluate alternative authentication methods and to reconsider the safety of token based authentication.&lt;/p&gt;
&lt;p&gt;Dedicated tokens, like the ones produced by RSA, provide a one-time password typically every 60 seconds and have been the traditional approach to &lt;a href="http://www.dynapass.com/two-factor-authentication.php" title="two factor authentication" target="_blank"&gt;two factor authentication&lt;/a&gt; for many years. More recently, tokenless solutions have been the talk of two factor authentication mainly for their ability to deliver one time passwords on demand to a standard mobile phone or smart phone. Most people carry one of these devices with them all the time.&lt;br/&gt;A tokenless solution eliminates the need to carry a separate piece of hardware, such as a keyfob, and reduces the costs and time associated with provisioning new and replacement tokens. Tokens remain the most used solution for frequent users who rely on getting secure remote access to systems and information from any computer at any time.&lt;/p&gt;
&lt;p&gt;Two factor authentication has become an IT security necessity for many reasons. Threats are increasing in frequency and sophistication. Industry regulators like PCI DSS, FFIEC, HIPAA and Sarbanes-Oxley require it. Your employees, customers and shareholders expect you to protect the sensitive data you are storing and transmitting on their behalf.&lt;/p&gt;
&lt;p&gt;Security tokens and many other forms of two factor authentication have proven to be inconvenient for your users, troublesome for your IT department, and expensive to implement and support. Phone based authentication provides strong two factor security with the ease and convenience your users and your IT department demand at a fraction of the cost.&lt;/p&gt;
&lt;p&gt;Tokens and other similar devices don’t protect against emerging threats, such as man-in-the-middle attacks. Out of band authentication, which utilizes a separate channel for the second factor of the authentication, is widely recognized as a best practice for two factor authentication. Any device, such as a security token, keyfob, USB token or soft token, which requires an OTP to be keyed into the original login interface, doesn’t meet the criteria for out of band authentication and is vulnerable to attack.&lt;/p&gt;
&lt;p&gt;Token based systems require training and require users to change their behavior. Sometimes users have a difficult time remembering the order in which the PIN and token digits are entered. Some systems require administrators to modify applications before they will work.&lt;/p&gt;
&lt;p&gt;Since some security tokens must be mailed, provisioned, inventoried and replaced, they require IT resources to deploy and support. An IT department can become a material part of the total cost of ownership for a token solution because of lost security tokens, expiring tokens that must be re-provisioned every 2-5 years and tokens that can get out of sync, meaning the &lt;a href="http://www.dynapass.com/one-time-password.php" title="one time password" target="_blank"&gt;one time password&lt;/a&gt; that is generated is not the same one the login application is expecting.&lt;/p&gt;
&lt;p&gt;Tokenless two factor authentication doesn’t require security tokens or other devices to deploy or manage, and there is no software or certificates for end users to install, so it requires very little effort to implement and virtually no ongoing support. Tokenless two factor authentication is much more cost effective to implement because there is no need for a huge IT department, security tokens or other devices, and it requires minimal training to use. Most tokenless two factor authentication solutions have a low annual fee per user or per authorization, no hardware to purchase or install, no security tokens or devices to manage and users replace their own lost or damaged phones. A very good tokenless two factor authentication solution comes from a company called DynaPass Inc. They provide mobile based two factor authentication solutions that offer a greater level of security and a better user experience than security tokens, like RSA SecurID, security fobs and other authentication tokens. It is significantly less expensive to deploy and maintain. For more information on tokenless two factor authentication, try visiting &lt;a href="http://www.DynaPass.com" target="_blank"&gt;www.DynaPass.com&lt;/a&gt;.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/16088991530</link><guid>http://multifactorguru.tumblr.com/post/16088991530</guid><pubDate>Wed, 18 Jan 2012 19:58:04 -0500</pubDate><category>one time password</category><category>two factor authentication</category><category>OTP</category></item><item><title>What is the Future of Security with Two-Factor Authentication?</title><description>&lt;p&gt;What is the future of security and how are we protected from the advancing technologies of hackers and man in the middle attacks? There are believers who think two factor authentication is the future of security measures, and there are also people who think that the technology behind two factor authentication has been proven to be vulnerable and that it will become obsolete and give way to a newer and more comprehensive security technology.&lt;/p&gt;
&lt;p&gt;Many people believe that it is the best type of security we currently have available today. Two factor authentication technology, when used properly online, can help make important sites such as financial sites more secure than previously, when only a password was required. Companies like Microsoft, Google and Bank of America have implemented various types of two factor authentication into various parts of their business. Companies like PayPal have made use of this technology and have incorporated it into their web services. This has added additional security to their services and has increased the security for their users.&lt;/p&gt;
&lt;p&gt;With these companies adopting two factor authentication and with the technology behind it continuing to advance, there are many who still say that the technology is obsolete because of the fact that it’s not perfect and it can still be compromised. There are skeptics, but what security programs haven’t been breached in some way or fashion? As more security breaches occur, the technology behind security advances to combat these breaches. Regular passwords are an outdated solution and are vulnerable to security breaches and man in the middle attacks, and many websites don’t require anything more than just the regular password.&lt;/p&gt;
&lt;p&gt;Many vendors tout two factor authentications as the ultimate security technology which makes it easy for skeptics to downplay the importance and benefits of two factor authentication. Two factor authentication technology isn’t perfect, but it’s a growing technology that will advance and many businesses have found success in adopting this technology in their businesses. It is a security solution that has been working for many businesses and it’s not hard to understand why many people think it’s the best type of security we currently have.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.dynapass.com/two-factor-authentication.php" target="_blank"&gt;Two factor authentication solutions&lt;/a&gt; have set the bar for security and are an industry standard. As we adopt biometric technology and incorporate it into the mix, it’s only a matter of time before other businesses start using it and more businesses will be following suit.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/14224863066</link><guid>http://multifactorguru.tumblr.com/post/14224863066</guid><pubDate>Wed, 14 Dec 2011 14:55:00 -0500</pubDate><category>two factor authentication</category><category>OTP</category><category>one time password</category></item><item><title>Government Regulations Demand Higher Authentication Security</title><description>&lt;p&gt;As we start to settle into this new decade, government regulations are demanding higher forms of authentication security for many industries. Many businesses in the financial, medical and educational industries are not using properly secured solutions for identifying users. Data breaches have been regular news in technology and security media for a long time, and recently the national media has started to report on security breaches that have resulted in major consumer information losses. However, with even slightly stronger forms of authentication, such as out-of-band two-factor authentication, these breaches would not be possible.&lt;/p&gt;
&lt;p&gt;Reports like the RSA and PSN data breaches are big news that displays nationwide impact on consumers who have personal information stored on company servers. Although these breaches have been reported the resulting criminal intent has still not yet come forth. Using information stolen from data breaches hackers can gain access to more crucial and confidential information such as financial, medical or education records.&lt;/p&gt;
&lt;p&gt;It may be that the trend is pointing towards more and more attacks like the data breaches we have been hearing about in the news lately, prompting the government to step in with regulations to protect consumers, employees and anyone storing personal information on business databases. Also it could be the fact that better forms of authenticating exist such as out-of-band two-factor authentication.&lt;/p&gt;
&lt;p&gt;With technology growing rapidly and security being implemented only after the fact, society is left with vulnerable gaps in secure online interaction. With smartphones, tablet PCs and other devices that are constantly connected to the internet becoming a norm in every household this increases the number of victims and points of entry for attackers.&lt;/p&gt;
&lt;p&gt;The need for security is at our doorsteps and the government understands society’s grief. Enforced by the Office of Civil Rights, the Health Insurance Portability and Accountability Act or HIPAA provides protection for patient’s personal information and this will not be the last we see of government regulations put in place to protect our confidential data. With more and more of our data being placed online or on networks which can be accessed over the internet, regulations will start to be put in place for almost all industries. Industry regulations will require stronger security when authenticating a user to protect against fraudulent access.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Industries Requiring Stronger Authentication&lt;/strong&gt;&lt;br/&gt;Healthcare Industry&lt;br/&gt;Educational Industry&lt;br/&gt;Financial Industry&lt;br/&gt;Ecommerce Industry&lt;/p&gt;
&lt;p&gt;These industries already have authentication processes and regulations for identifying a customer in person. As technology grows and more industries move online, these authentication processes will receive even stricter regulations due to the wide accessibility of data. Ecommerce will be an industry seeing many changes soon due to the high amount of fraud that is taking place amongst the ecommerce community.&lt;/p&gt;
&lt;p&gt;Although many companies do have security measures put in place for identifying users the fact is that only a required government regulation will push business owners to spend the extra investment. A stronger and more secure system such as out of band &lt;a href="http://www.dynapass.com/two-factor-authentication.php" target="_blank"&gt;two factor authentication&lt;/a&gt; processes would be the proper investment for protecting your client’s confidential information.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/13929596020</link><guid>http://multifactorguru.tumblr.com/post/13929596020</guid><pubDate>Thu, 08 Dec 2011 14:20:28 -0500</pubDate><category>two factor authentication</category><category>HIPAA compliance</category><category>one time password</category></item><item><title>HIPAA Security Rule Requires Strong Authentication in the Healthcare Industry</title><description>&lt;p&gt;Privacy of confidential data starts with the authentication process for accessing protected information. With industries such as healthcare there are government regulations put in place to protect a patient’s privacy. The Health Insurance Portability and Accountability Act known as HIPAA for short was put in place in 1996 and provides privacy and security rules as a standard for security in the healthcare industry. The act requires companies in the healthcare industry to utilize a two-factor authentication process also known as strong authentication.&lt;/p&gt;
&lt;p&gt;Regulation History&lt;/p&gt;
&lt;p&gt;Less than a decade ago the ONC, Office of the National Coordinator, was given executive order to develop and implement a nationwide interoperable health information technology infrastructure now known as HIT. The infrastructure was created for many reasons such as nationwide use of electronic health records, reduction of medical errors and ensuring patient’s privacy of health information.&lt;/p&gt;
&lt;p&gt;However, the IT security controls put into place for HIT were not in compliance with HIPAA Security Rule. Not until the Office of Inspector General or OIG audited the information technology security of some healthcare facilities and found their IT security controls provided inadequate protection. The HIPAA Security Rule is now utilized by the ONC to appropriately identify whether the proper IT security controls are in place and is enforced for compliance by OCR, the Office for Civil Rights. Without this regulation Health Information Technology systems can be left exposed to vulnerabilities.&lt;/p&gt;
&lt;p&gt;Strong Authentication&lt;/p&gt;
&lt;p&gt;It is required by the ONC for healthcare facilities to provide confidential records with the proper security, deferring to the HIPAA Security Rule for compliance. A part of compliance requires the use of strong authentication such as two-factor authentication to identify a user accessing confidential data. Furthermore, to ensure proper security, the process should not utilize email passwords or any password delivery system which transmits the password in plain text.&lt;/p&gt;
&lt;p&gt;Part of the two-factor authentication process for strong authentication is a one-time password. In order to provide adequate security the OTP must be sent through a secure delivery system including an authentication token device or sometimes a mobile phone if the process is utilizing zero footprint technology. Although tokens can provide the security level needed for strong authentication the solution is expensive and the user could potentially misplace the token.&lt;/p&gt;
&lt;p&gt;The Future of Healthcare Industry Security and Regulation&lt;/p&gt;
&lt;p&gt;Healthcare facilities are becoming paperless and moving to electronic health records; that, teamed up with mobile devices such as smartphones and tablet PCs, puts confidential data at risk if the data is not properly secured during access. This means stronger authentication and encryption to protect against hackers. Malware and malicious apps created specifically for smartphones like iPhones and Droids provide attackers with leverage for siphoning data during access unless the information is properly encrypted.&lt;/p&gt;
&lt;p&gt;Encryption is recommended by the Office of Management and Budget in the OMB Memorandum M-06-16, “Protection of Sensitive Agency Information.” Any remote access from these types of devices also requires a two-factor authentication process in which one factor is transmitted through a device separate from the one used for gaining access.&lt;/p&gt;
&lt;p&gt;As per regulation put into place by the Office of the National Coordinator, healthcare facilities are required to utilize &lt;a href="http://www.dynapass.com" target="_blank"&gt;strong authentication&lt;/a&gt; during access of confidential data, providing privacy to patients through higher security standards as stated in the HIPAA Security Rule. Although this was not always the case, patients can rest assured that audits by the Office of Civil Rights will provide adequate representation of their confidentiality needs and continue to do so in the future with mobile device security.&lt;/p&gt;</description><link>http://multifactorguru.tumblr.com/post/13882271634</link><guid>http://multifactorguru.tumblr.com/post/13882271634</guid><pubDate>Wed, 07 Dec 2011 14:41:32 -0500</pubDate><category>HIPAA security rule</category><category>HIPAA compliance</category><category>two-factor authentication</category></item></channel></rss>
