How to deploy secure and convenient user authentication?

gattaca-valid1

When choosing between different authentication methods, businesses may have a myriad of choices, but striking the right balance between security, convenience and cost remains a fine art. As tempting as it may be to replace chunky passwords with a biometric option like fingerprints, it’s likely that this won’t provide the security and convenience expected.

Choosing an authentication method depends on the criticality of the information being protected and the expectations of users. As clunky as they are, passwords continue to remain  as the most feasible option when only single factor authentication is required. When this is not enough, hard tokens/biometrics offer additional layers of protection for businesses that require two-factor or multi-factor authentication.

The “Something you know” Factor: Passwords

Security: The security of the password can vary between different implementations. Businesses can enforce strong passwords that are securely stored as a hash with a random salt (e.g. BCRYPT/HMAC with random sha2 – 128 bit salt) or they can simply accept “admin123” stored with minimal/no hashing.
Convenience: The more complex the password requirement, the more this can cause user inconvenience. If it is too difficult, it may scare new/returning users away. If it is too lax, it may also scare users away. The trade-off may be worth it if it prevents a breach that costs more to fix. Whilst the choice depends on individual business requirements, if the information doesn’t require a strong password to protect, why bother with a password at all?
Cost: Cheapest to implement compared to other factors of authentication. Potential investment may include skills, platform updates (to support strong password hashing) and user security awareness education.

The “Something you are” factor: Biometric

Security: As biometric recognition e.g. fingerprint, iris, voice, face etc. relies upon something that you are, it is something you cannot change. If that information is lost, then the victim remains vulnerable for life. Security researchers have already discovered ways to lift fingerprints from touch screens (and even photos) to successfully authenticate as the victim. The security of biometrics decreases over time as it becomes more widely deployed.
Convenience: When it works, it is very convenient. However, this does not work all the time and can result in user frustration. Bad implementations or wet, dirty or damaged fingers may lock users out of systems relying on fingerprint authentication. Noise/disturbance may reduce the success of voice recognition.
Cost: Will require specialist security skills and experience to implement. May also require additional user experience testing to assess impact of privacy concerns/false positives.

The “Something you have” factor: Tokens (Hard/Soft)

Security: These rely on users having something (e.g. a dongle/client certificate) to authenticate. This can be something they carry or ingest. This is relatively secure as long as the user doesn’t lose the item or get it stolen.

Convenience: As users will need to carry the token to access the application, this can be rather inconvenient. This is why soft tokens on smartphones are increasing in popularity (which although are less secure than hard tokens, is better than nothing).

Cost: Tokens expire/get lost and will need to be frequently topped up/replaced. Therefore, token replacement is an ongoing investment for businesses. Let alone the set-up.

Advertisements

How hackable are you really?

defcon-cyfi

As long as we are online, we are vulnerable to malware, viruses etc. that can steal sensitive information, hijack web sessions/webcams or spy on our keystrokes. This is especially true in cases where individuals are specifically targeted by those who have the persistence, time and skills to profile and craft an attack.

There are some things you can do now to minimize your risk and reduce the impact, should you get hacked. This is by no means a comprehensive list but a good start. Please share any additional tips in the comment section below. This information is applicable for home personal use.

1. Backup personal/sensitive files frequently. Encrypt, store & backup personal/sensitive information in a detachable hardware device (e.g. USB/hard disk). Any sensitive information should at least be encrypted and stored separately from a network-attached device. VeraCrypt and CipherShed are two free open-source encryption software solutions that are readily available for download. Just make sure you store your private keys in a safe location.

2. Optimize your firewall. You can use a free utility like Shields UP to allow you to check if you have any open ports that can be exploited. The utility also provides detailed explanation for the results you see and some advice about how to proceed. While enabling a firewall is certainly better than having none, default firewall configurations are often not restrictive enough (e.g. allowing connections to never-used applications installed during setup). Although you can configure your firewall to disable most outbound traffic, this requires some knowledge of firewall rules to set-up without stuffing up your internet connection. This is why it is important to…

3. Invest in a good Anti-Virus solution and keep your OS patched. Don’t skimp on anti-virus. The paid ones are often better at keeping up-to-date with the newest virus signatures. It is also important to ensure that you keep up-to-date with OS updates too. With Microsoft, you can also turn on automatic updates so you get the latest patches. If your OS is too old to be patched (e.g. Windows XP) – time to upgrade!

4. Switch to using Chrome. Chrome is considered the safest browser while Microsoft Internet Explorer has been plagued by malware and security defects. Another great thing about Chrome is that you can download an extension to use HTTPS everywhere to encrypt non-encrypted http traffic for added security

5. Go Green. Before submitting login/password details or inputting any sensitive information online (e.g. credit card information), make sure you are connecting via an encrypted https session. Furthermore, you can also check the organization that owns the certificate. In Chrome, you can do this by clicking the green lock on the address bar and viewing the Security Certificate.

More tips: http://www.techrepublic.com/blog/10-things/10-ways-to-avoid-viruses-and-spyware/

Forget the hype, will Facebook Payments go bust?

friend

Facebook Payments might perform really well and I may end up red in the face… Nevertheless, this is a personal opinion about some challenges that Facebook may need to overcome before they take over the world – again.

It’s not simple enough. The ability to send and receive payments relies on both parties having a personal credit card or Visa/MasterCard branded debit card. For those who do not have a credit card or cannot guarantee they will have sufficient funds in the bank to pay friends, this is awkward. To avoid awkwardness, they may simply never join, even when their financial situation improves.

You also need to be friends with the person you are paying. This may be a great way to grow your friend list but this is not for everyone. There are plenty of times when friends bring plus ones (or multiples) to events that someone organises and pays for e.g. hens nights, birthdays, group outings etc. It’s not always appropriate to add plus ones as Facebook friends…but is it awkward to insist they send money the traditional way than to accept their friend request?

Cash still remains the simplest way to pay a friend back. They pay for something e.g. dinner/movie ticket/cinema and you pay them back or shout them the equivalent at your next outing/when you scramble enough cash. For friends based interstate or overseas, cash may not be an option but then with greater distance, people crave more security.

It’s not complicated enough. The idea of making a payment through a Social Network actually scares people. These are the folks who crave the security of logging into their bank system or using a bank issued card to access their money. The idea of trusting Facebook to make a payment is a bit scary. Even though Facebook claims they are PCI compliant and have a fraud department to review dodgy transactions, they just are not known for providing a secure enough platform to entrust them with your card details. The idea of Facebook being able to market products to you directly and give you an option to buy instantly may satisfy some but insult and scare away a lot of others.

It costs too much. For Facebook to do this, they will have to invest heavily in security to stay PCI compliant and may be liable to pay for any breaches. As they are not directly making money from this, will the costs outweigh the benefits?

http://techcrunch.com/2015/04/05/when-buying-is-as-easy-as-liking/

Who pays for card fraud? The results may shock you

Al-bundy-ed-oneill-animated-gif-10

Where fraud is decreasing…

Card fraud has significantly declined in countries that have rolled out EMV chip technology. Chip technology performs dynamic authentication of Card and PIN values. This is more secure than performing static authentication of card data printed on magnetic stripes, as data can be skimmed, PIN entry recorded and counterfeit cards produced without card owners knowing. Countries (e.g. USA) that haven’t adopted the EMV chip standard and continue to use static cards and signature based verification, are waking up. In late 2014, Barrack Obama signed an executive order to speed up the adoption of EMV technology via the BuySecure Initiative. By October 2015, it is expected that the US would have transitioned to Chip and PIN technology to reduce card fraud.

Where fraud is increasing…

In countries with the EMV Chip and PIN technology deployed, where fraud has declined at point-of-sales where the card needs to be present, fraud is increasing in transactions where the card is not present. Card not present transactions involve the use of card details printed on the card (account number, expiry date and CVV) to make a payment over the internet, mail or phone. These details may differ from the data stored on the magnetic stripe or chip, but can authenticate payments nevertheless. Card not present fraud actually has wider implications for businesses who process online transactions. While the cardholder’s bank (issuing bank) is liable to cover the costs of disputed payments where a card is present, businesses may be found to liable to where a card is not present and may not be able to retrieve any goods sent to the fraudster.

Combatting fraud..

3D Secure, an authentication protocol developed by Arcot Systems and rolled out to Visa (Verified by Visa), MasterCard (SecureCode) and American Express (SafeKey), is a way to reduce and combat card not present fraud. 3D Secure shifts the liability of fraud back onto issuing banks, making them responsible for authenticating the customer before making a purchase. Once the issuing bank has authenticated a customer, they send an authentication code to the card company (e.g. Visa) which is then verified and sent to the business’s bank (acquiring bank) for processing.

With the many advantages of 3D Secure, it’s not perfect. There are extra steps involved for the customer and it is not always the best user experience (if implemented badly). 3D Secure can also become a target for phishers if customers are redirected to a phishing site instead of the issuer banks website for registration or authentication.

More information 

http://cryptowiki.net/index.php?title=Secure_payment_systems

http://www.creditcards.com/credit-card-news/online-fraud-surge-emv-1273.php

http://arstechnica.com/business/2014/10/obama-signs-buysecure-initiative-to-speed-emv-adoption-in-the-us/