Multi-Factor Guru

Posts tagged with "one time password"

May 9

UFC.COM’S SECURITY BREACH, HACKERS RELEASE PERSONAL INFORMATION OF UFC’S PRESIDENT DANA WHITE

On Sunday, January 22nd, UFC.com was hacked. Visitors to UFC.com were rerouted to the site UGnazi.com several times. Dana White, the UFC’s president, called the site’s organizers terrorists at the “UFC on Fox 2” press conference. The hacking of UFC.com is said to be the result of Dana White’s and the company’s support of SOPA and PIPA, bills aimed at stopping online piracy.

The attack was also reported to be retaliation for the shutdown of the file-sharing website Megaupload.com.

Dana White did not tweet about the incident as he usually does about anything related to UFC.com. Instead he taunted the hackers to attack the site again, reportedly saying, “Keep hacking our site, do it again. Do it tonight.” The hacker who took credit for the attack didn’t hack the site again but, in reaction to the taunt, posted Dana White’s personal information, including his social security number, residential addresses, a vehicle identification number and personal phone number.

The hacker is now reportedly targeting Dana White personally. Dana White responded by saying that he’s not afraid of the internet and that it’s where the cowards live.

The attacks might have been prevented if the UFC’s servers had been protected by layered security such as two-factor authentication. With two-factor authentication in place, the network administrator could have been alerted that the site was being attacked, and the hacker would have had a much harder time gaining access to the site and redirecting it elsewhere.

Big organizations such as the UFC aren’t immune to attacks, and they should take precautionary measures against them. Two-factor authentication is relatively cheap to implement compared to other security solutions, easy to use, and a very effective way to thwart hacking attempts. If the UFC incorporated layered security into its servers and access controls, it would have a better chance of protecting against future attacks and securing its servers. If the UFC were as aggressive about implementing security on its site as it is with its marketing, it would be a much more secure company with a much more secure website.

The hacking of UFC.com should have been addressed more seriously; an incident like this should not be taken lightly. Dana White and the UFC should acknowledge the incident and assure fans of the website and organization that the site is safe to use, since users log in to the site for updates and news. Tickets for events are also purchased through UFC.com, and users need to feel confident that their payment and personal information will not be stolen and that UFC.com is a secure site. We will find out whether the UFC addresses the issue more seriously and whether it is hacked again. Mixed martial arts is a popular sport and the UFC has a strong hold on it, so fans will probably continue to log on to the site, but the UFC needs to do a better job of securing its website and servers so that incidents like this don’t recur and its users’ sensitive data stays safe.

Verizon Reports Data Breach Count Rises While Records Breached Falls

With the number of data breaches on the rise, why is the number of records stolen dropping?

Verizon recently released its 2011 Data Breach Investigations Report (DBIR), which combines Verizon’s caseload information with that of the United States Secret Service. Although the number of records breached has dropped from a record high of 361 million in 2008 to 144 million in 2009, and to only 4 million in 2010, the total number of breaches occurring is rising. This could mean that smaller businesses are being targeted, through different vulnerabilities than in recent years.

Criminals Behind Bars Cause Others to Hide

Some would say that because many criminals were recently put behind bars, including 1200 suspects arrested in ’10, we are much safer. Others, mainly those working in security, think the reduction in records stolen is a combination of better security and, above all, a greater desire to stay out of jail. Many large-scale cyber criminals have recently been imprisoned, including Albert Gonzalez and Maksym Yastremskiy, who were responsible for the 2010 payment card data breaches. With these examples of the law at work known to hackers everywhere, it may be that criminals are lying low.

Rather than targeting higher-risk companies, which have more security and investigative power, cyber criminals seem to be going after low-hanging fruit. The statistics in Verizon’s report show that organizations with 11 to 100 employees were breached more often in 2010 than any other company size. Approximately 436 breaches took place in this bracket, compared to 323 breaches across all other employee-size brackets combined. This is most likely because the security in place at these organizations is far less extensive than at larger corporations.

External Threats and Remote Access Security

It is good to know that employees and competitors are not the direct cause of data breaches. However, with 98% of breaches originating from organized criminal groups and unaffiliated outsiders, it is plain to see that remote access security is a problem. The top four attack types were forms of hacking and malware. Although mobile devices have lately been seen as the source of evil, in essence it is the server that has been the target. This is not to say that mobile devices will not haunt our future security woes, as they may soon become the target of cyber thieves.

To secure our privacy, the core problem is authenticating remote users. Anyone accessing a server should be an authorized user, which also prevents further deployment of malware. Furthermore, with hackers creating programs that let less skilled script kiddies maneuver through security easily, the need for remote access security will only rise. The attacks we have seen recently may just be groundwork for later ones. Using information from data breaches, a hacker could create easy-to-use programs with which to direct many unskilled attackers from many locations to pull off a much larger breach of records.

By using a two-factor authentication method to identify users, many hacking attempts would be thwarted. However, to fully secure remote access, the need for out-of-band authentication with an OTP is rising greatly. With over 50% of breaches involving malware, an out-of-band solution allows authentication to take place without the chance of it being compromised by malicious software.

With new reports from Verizon and other companies being released constantly, we can watch attacks change and evolve. More importantly, we can spot trends that point to future attacks and prevent data breaches through preventative security measures.

How to Prevent Fraud Using Out Of Band Authentication

Over the past few decades, fraud has increased dramatically with the use and advance of technology. Hackers fraudulently access confidential data, steal it and sell it online. They can also use that information to gain access to other data sources and cause even more damage. In some cases, thieves pose as the hacked users and use their billing information to order products or services online. Whichever way the data is used, this type of fraud can be prevented with an out-of-band authentication method.

Much of this fraud starts with malware: malicious programs hidden on a victim’s computer that siphon off pieces of confidential data. Once an attacker has a trojan, virus, keylogger or any of many malicious applications in place, they can start collecting information that could be used for a data breach. By gathering usernames, passwords and sometimes an OTP, a hacker can pose as a legitimate user and steal information from private networks.

In some cases a fraud victim’s information is stolen through a phishing site that looks identical to the website the user is trying to access. The phished credentials can then be used to access sensitive data, and also to access other websites where the login may be the same. Out-of-band authentication methods protect against unauthorized access to personal information by using a dynamic one-time password that is received over a channel separate from the primary one.

Online banking attacks can be prevented with out-of-band authentication. An attacker may try to make an online purchase, transfer money or withdraw funds by fraudulently accessing a user’s account. Out-of-band authentication can prevent unauthorized transactions by sending a one-time password to the user’s mobile phone, or any other device that uses a communication network separate from the access point, to confirm each transaction. If the user receives a one-time password when they did not initiate a transaction, they can decline it and report it to their financial institution for further investigation.

Out-of-band authentication provides an added layer of protection while accessing information or making transactions. By using the separate communication network, the one-time password is kept hidden from attackers, and the user is verified through possession of the token-generating device. If an attacker compromised login credentials or installed malware on the computer used for authentication, they still would not be able to obtain the one-time password, which is sent to the mobile device or to something else the authorized user has that can receive and relay some form of out-of-band authentication. Out-of-band authentication can be used to prevent some of the most common and most damaging data breaches.
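The transaction-confirmation flow described above, as an added example that is not code from the original post or from any bank: the server issues a random code per transfer, sends it over a second channel together with the transfer details, and on confirmation checks that the code is unexpired, unused, and bound to exactly the details the user was shown. The in-memory "SMS" gateway and fake clock in `demo()` are constructed stand-ins.

```python
import hmac
import secrets
import time


class OutOfBandConfirmer:
    """Issues a one-time code per transaction over a second channel and checks it."""
    TTL_SECONDS = 120  # a code that is not used quickly expires

    def __init__(self, send_oob, clock=time.time):
        self.send_oob = send_oob   # gateway to the separate channel (SMS, push, voice)
        self.clock = clock         # injectable so expiry can be tested deterministically
        self.pending = {}          # txn_id -> {account, amount, payee, code, issued_at, used}

    def request(self, account, amount, payee):
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG; not derivable from anything on the PC
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = dict(account=account, amount=amount, payee=payee,
                                    code=code, issued_at=self.clock(), used=False)
        # The message repeats the details so the user can spot a tampered transfer:
        # malware on the PC may display one payee while submitting another.
        self.send_oob(account, f"Confirm {amount} to {payee} with code {code}. "
                               "Not you? Decline and call your bank.")
        return txn_id

    def confirm(self, txn_id, account, amount, payee, code):
        txn = self.pending.get(txn_id)
        if txn is None or txn["used"]:
            return False                       # unknown id or replayed code
        if self.clock() - txn["issued_at"] > self.TTL_SECONDS:
            return False                       # expired
        if (txn["account"], txn["amount"], txn["payee"]) != (account, amount, payee):
            return False                       # details differ from what the user was shown
        if not hmac.compare_digest(txn["code"], code):
            return False                       # wrong code (constant-time compare)
        txn["used"] = True                     # one-time: burn it on success
        return True


def code_from_message(msg):
    """What the user reads off the phone screen (constructed message format above)."""
    return msg.split("code ")[1][:6]


def demo():
    """Walk through the flow with a constructed in-memory 'SMS' gateway and fake clock."""
    sent, now = [], [1_000_000.0]
    oob = OutOfBandConfirmer(lambda acct, msg: sent.append((acct, msg)), clock=lambda: now[0])
    tid = oob.request("alice", "250.00", "ACME Ltd")
    code = code_from_message(sent[-1][1])
    tampered = oob.confirm(tid, "alice", "250.00", "mule-account", code)  # payee swapped by malware
    ok = oob.confirm(tid, "alice", "250.00", "ACME Ltd", code)
    replay = oob.confirm(tid, "alice", "250.00", "ACME Ltd", code)       # same code again
    tid2 = oob.request("alice", "10.00", "Coffee")
    now[0] += 300                                                          # user waited 5 minutes
    expired = oob.confirm(tid2, "alice", "10.00", "Coffee", code_from_message(sent[-1][1]))
    return {"tampered": tampered, "ok": ok, "replay": replay, "expired": expired}
```

Only the legitimate confirmation succeeds; the tampered, replayed and stale attempts are all refused without burning a code the user still needs.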

Data breaches are often covered by the media these days, and for good reason. With information gained from a data breach like the RSA breach, an attacker can fraudulently access accounts to obtain more information for more serious attacks. This is why fraud prevention should start at the access level. Once access is granted and compromised, vital information can be misused and attackers can reach the victim’s sensitive data.

(Source: outofbandverification.com)

Mar 6

Zappos.com Hacked: How Data Breaches Affect Us

The latest big ecommerce site to fall victim to a cyber attack was Zappos.com: a hacker accessed part of the company’s internal network through one of its servers in Kentucky, CEO Tony Hsieh said in an email to employees on January 15, 2012. The data breach compromised customer account information such as billing addresses, names, email addresses, phone numbers, passwords in encrypted form, and the last four digits of credit card numbers. Hsieh said the security problem did not affect “critical credit card and other payment data” and that the company was “cooperating with law enforcement to undergo an exhaustive investigation.”

Zappos.com was acquired by Amazon.com in July 2009 for $1.2 billion and operates as an independent unit of Amazon.com. Amazon.com is known for having security measures, such as two-factor authentication, in place to protect its customers’ personal data. The company will be notifying 24 million customers to change their passwords as a protective measure, and to reset their passwords anywhere else they may have used the same one. A “create a new password” menu has been added to Zappos.com pages to encourage customers to change their passwords as soon as possible. The company is known for its stellar customer service, and due to the high volume of customer calls it will be switching its phones off and directing customers to contact it via email for assistance.

Even with security measures such as stronger passwords in place to protect customers, ecommerce companies like Zappos.com can still be attacked and data can still be compromised. Not enough information about the attack has been released yet, but customers know that they need to change their passwords to protect themselves. Zappos.com, for its part, now knows that it needs better security measures to protect its servers and to detect attacks by hackers in the future.

The scariest part of the data breach is that customers’ passwords were stolen in encrypted form, and encrypted passwords can be cracked with software. That would give hackers access to those customers’ logins on other sites if they use the same email and password. Affected Zappos.com customers should use different passwords on different ecommerce sites so that if one site is attacked, their credentials cannot be used on others. Users who choose stronger passwords, with a combination of letters, numbers and symbols, reduce the chance of hackers “guessing” them. Unfortunately, users cannot control whether Zappos.com’s servers get hacked, but using strong, distinct passwords on each site that stores their personal information decreases the chance of those passwords being cracked or reused.

Some Gmail users were also compromised recently. They were notified that suspicious activity had occurred on their accounts and were advised to change their passwords. Some accounts were compromised by hackers in other countries, such as India, Germany and Russia. Gmail users with stronger passwords, combining letters, numbers and symbols, will be safer than those using only letters and numbers. With both Zappos.com and Gmail accounts being compromised recently, users are reminded to use strong passwords on any account that stores their information online and to use separate passwords across accounts to protect their sensitive information.

Gmail offers two-factor authentication if you enable it, but the feature is not activated by default. Amazon offers multi-factor authentication for its web services, but Zappos.com is run independently and does not yet offer multi-factor authentication to its users. The added layer of security from two-factor authentication makes for a safer online experience wherever sensitive information is stored and shared. It makes one wonder whether a two-factor authentication solution could have prevented the Zappos.com data breach, not only for its users but also in protecting access to its servers. For instance, if a Zappos.com employee had been alerted on their mobile phone that a server was being accessed, they could have received a one-time password and used their login credentials to authorize or reject the access, which could have prevented the attack.

Strong passwords along with better password policies make for stronger security. Strong two-factor authentication can enhance security further and potentially keep companies like Zappos.com alert and on guard against attacks, for example by flagging servers being accessed by unauthorized individuals.

Amazon Protects Against Fraud with Multi Factor Authentication

Amazon.com has not only become the largest online bookstore but is also a multinational ecommerce company. The company has spread its reach like the branches of a river, supplying goods to countries across the world. Amazon.com started off by profiting as an online book brokering system and later offered many other products. Amazon.com grew its business through online associates in the form of its users.

When scaling a company with users contributing to both ends of the business, buying and selling, fraudulent and malicious activity becomes inevitable. Amazon did not become one of the largest ecommerce websites in the world by lacking security, though. In 2009, Amazon started to offer multi-factor authentication to protect its users against fraud. It now offers free identification through any mobile device or computer that can run a Time-Based One-Time Password application. It also offers paid multi-factor authentication through a third-party proprietary authentication token from Gemalto, which is supposed to offer higher security.

Free Amazon Multi-Factor Authentication

If you can run a time-based one-time password application on your smartphone, tablet or computer, you can use the free AWS MFA process. With this method, when you log into your account with your traditional username and password, a token is delivered by the application. The token is a one-time password generated out of band, on a device separate from the user’s login session, which reduces the chances of man-in-the-middle attacks and makes the authentication process more secure.

Gemalto Multi-Factor Authentication

To increase security even further, Amazon’s users may pay for a service through Gemalto, which offers a keyfob device for authentication. Amazon states that Gemalto’s third-party proprietary token device offers better security than the free process. After the RSA hard token breaches, however, many people are skeptical about the security of proprietary OTP tokens.

Secure Cloud Computing

Amazon, like many companies, runs on a cloud of servers that allows many users to access data remotely at once. Amazon.com and its cloud network give publishers access to financial information so they can track their earnings. A publisher’s user account could display earnings and payment options. This is one of the reasons why multi-factor authentication was necessary.

One of the most secure forms of protection for any company storing data in the cloud is an out-of-band, multi-factor authentication process, which Amazon has implemented. This is especially true for ecommerce websites, which may store financial data and personal information belonging to thousands of users. This added layer of security could be the very reason the multinational ecommerce corporation has not appeared on recent data breach lists.

2011 was the year of data breaches, and more companies are becoming like Amazon and starting to use cloud computing. Will these companies follow suit and provide better protection and privacy to users accessing information in the cloud, or will there be a bigger data breach list containing more corporations in 2012? Companies using the cloud to store and access information need to add additional layers of security to protect it, and the best way for them to do that is multi-factor authentication.