Security experts around the globe were asking a lot of questions when the biggest credential hack in history was announced by the New York Times. How could anyone amass so many email credentials without being discovered? Okay, it was later found that more than half of the records were duplicates, but that still left a haul of some 500 million credentials. But who was compromised? Hold Security, the firm that discovered the haul, wasn’t saying. They said they had non-disclosure agreements with some of the affected companies. But wait. If you wanted to know whether you personally were breached, all you had to do was give them $120 and they would give you a yes/no answer. I’ll tell you what: if you want to know whether your house has been visited by aliens, just send me $120 and I’ll let you know. Yes, it sounded an awful lot like a scam, like the pop-ups you see when cruising the web that announce a problem has been found on your computer. The odd part is that you could get the same information from Hold by subscribing to their Consumer Hold Identity Protection Service (CHIPS). You get 30 days of protection for free; all you have to do is give them your email address and a hash of your password, and… well, you get the picture. The fact that the disclosure came while the media was covering the Black Hat conference, with interest in data breaches running high, made the story even more suspicious.
But none of that really matters to the average computer user or business that learned about the breach. Upon hearing the news, many users around the globe just threw up their hands, and a feeling of powerlessness set in. They may have already taken all the proper steps to protect their data: changed their passwords, used a different password for every site, made them long and complex, and yet they may still have been hacked. The big question for most users is, “can I be sure any of my online transactions are really safe?” Security experts have pointed out that this breach, plus other recent, well-publicized ones, has led to a spike of interest in something called multi-factor authentication. So what is it? How safe is it? Who provides it?
First of all, a password is just the start of multi-factor authentication. It answers the question, “what does the user know that no one else knows?” (the knowledge factor). It is the first of two or, possibly, three layers of defense. The next question that must be answered is “what does the user have that no one else has?” (the possession factor). This could be a mobile phone that receives or generates a one-time code, or a payment card or smart card that must be physically present; the PIN that unlocks the card is itself a knowledge factor, not a second possession factor. These two factors alone vastly improve security, but some companies go a step further and place another layer on top. This layer answers the question, “who are you?” (the inherence factor) and requires some form of biometric, like a fingerprint. But even if you use all of these layers, are you completely safe? Well, unfortunately, no. You are still susceptible to a number of attacks, chief among them the man-in-the-middle attack, in which a fake site relays everything you type, one-time code included, to the real site before the code expires, so the attacker logs in as you. Phishing and device tampering must also be considered. Multi-factor authentication vastly improves your safety, but we’re looking for as close to 100% safety as we can get here. Any company that offers multi-factor authentication is really hoping to give its clients 100% trust, 100% peace of mind. Is it possible?
Probably not, but you can get quite close if you throw encryption into the mix, so that the traffic between user and site is protected from being read or altered in transit. You can use other methods as well. For example, if a company has a lot of remote users, it can issue hardware tokens such as USB security keys and smart cards that must be present before a user can do anything else. A token that signs a challenge bound to the site it is actually talking to goes further still: a signature collected by a look-alike phishing site is not valid for the real one, which closes the relay attack described above. In other words, the deeper you get into the architecture, the more layers you can build to secure your network and your transactions.
As mentioned previously, there is something of a boom in multi-factor authentication, and a growing number of companies are offering it. Some of these products are better than others. Now, I’m not sure how much Hold Security will benefit from this recent breach, but it is quite likely most security companies will get a boost. One company, however, got its timing perfectly right. Just after the announcement of the Russian hacking incident, Dutch security firm Gemalto announced that it had acquired U.S. security firm SafeNet for a whopping $890 million. Both companies have a proven track record of high-quality security solutions, and both have put a lot of effort into improving multi-factor authentication and increasing user trust. According to the Wall Street Journal, “SafeNet’s technology protects 80% of the world’s intra-bank fund transfers and the company has 25,000 customers including governments and corporations such as Bank of America, Cisco, Dell and Hewlett-Packard.” As for Gemalto, they can trace their roots back to the invention of the smart card itself. Together this pairing should be a powerful step forward in adding a layer of trust to internet transaction security.
However, at some point the companies will have to deal with an even bigger problem: careless users. No matter how good a company’s multi-factor authentication may be, nothing will prevent a user from downloading a bad app carrying a trojan. That trojan does not need to defeat the authentication at all; it waits until the user has satisfied every factor and then piggybacks on the authenticated session, altering or injecting transactions in the user’s name. So we’re back to the old BYOD dilemma. Do you completely control your employees’ mobile devices and incur their ire, or do you give them freedom and risk that their behavior leads to a security breach? In other words, we’re still one big step away from completely securing the internet.
A few days ago marked the 20th anniversary of the first internet transaction. Back then, experts said the idea of doing financial transactions over the internet would never work unless people felt secure. The recent Russian breach may make people feel unsure about their internet transactions, but it won’t stop them from making them. Multi-factor authentication will make it really difficult for hackers to get your money, but it won’t stop them entirely. If there is money to be made, someone will find a way to make it. If you want to find out all the ways your transaction can be hacked, just send me $120 and…
There is, in fact, one more layer of security that is possible. InZero Systems has found a way to make any mobile device into two separate devices. That’s right, your single smartphone can be made into two smartphones, each with its own separate operating system. The benefit is that one side, one of these phones, can be completely dedicated to transactions, thereby meeting the American Bankers Association (ABA) recommendation to dedicate a device to online transactions only. The other side of the device can be used by the employee in whatever way they want. Because the two sides are isolated from each other, malware picked up on the personal side is kept from crossing over and contaminating the business side, so your transactions and company information are kept safe while your employees are happy to have the freedom to use the phone as they see fit. For more information, contact InZero Systems at: firstname.lastname@example.org