Blizzard’s Diablo 3 Accounts Hacked and Blizzard’s Authenticator’s Vulnerabilities


Last week, on May 21st, Blizzard Entertainment was hacked. Diablo 3, their new MMORPG released last week, was the target of user accounts being hacked. Diablo 3 had a rough launch with multiple launch errors, server downtime, and now some customers have said that their accounts were hacked. Customers are saying that their accounts were breached, and hackers got away with in-game gold and their hard-earned gear. This may not sound like a valuable commodity since it’s a game, but in a game where gold and gear can only be earned in online play, players are at a loss because they must invest their time to get this gold and gear. Hackers often steal online currency and items like this because they can transfer them to other servers and characters, and even sell them on the black market or online, where users will pay a premium for these items. Users have access to an optional Blizzard Authenticator, but it is flawed.

Blizzard offers an authenticator for their users, the Battle.net Authenticator or Battle.net Mobile Authenticator app, but not all users opt to use it. Blizzard has stated, “in all of the individual Diablo III related compromise cases we’ve investigated, none have occurred after a physical battle.net authenticator or battle.net mobile authenticator app was attached to the player’s account, and we have yet to find any situation where a Diablo III player’s account.” Some gamers have claimed that their account got hacked even when they used Blizzard’s authenticator, but Blizzard stated that this is not the case. Blizzard’s authenticator is considered a form of two factor authentication, but it isn’t the strongest type of two factor authentication available to users.

Blizzard’s two factor authentication works by using a user’s login credentials and an authenticator to verify their identity. The first factor is the user’s login credentials; the second factor is the password shown on the physical Battle.net authenticator or mobile authenticator app, which verifies the user and authorizes them to access their online account. The authenticator verifies users by asking them to provide a unique code once a week.

With 10 million copies of Diablo III already sold since its launch, it is the most successful PC game launch ever. Diablo III has generated revenues of over $500 million for Blizzard in its first month alone, but some users are wary of purchasing the game after the recent attack. Blizzard has a system for restoring hacked accounts: it rolls a character back to an earlier point in time so users can get their items and gold back, but this hasn’t yet happened for all users who requested it. Many users didn’t hear about the authenticator service until the hacking happened.

Although Blizzard claims that users who used the Authenticator weren’t hacked, many users on online forums are stating that they were still hacked even though they used the authenticator. Blizzard’s authenticator is flawed in a couple of ways. The Authenticator generates a password every 30 seconds, but there is a window of anywhere from 2 to 5 minutes during which old passwords can still be entered and will still work. This is a problem because “man in the middle” attacks can easily steal a user’s login along with the unique password and use them to steal the user’s data, gear and gold. The second flaw is that the passwords aren’t true one-time passwords. The passwords generated by the Blizzard authenticator are time based, meaning they follow an algorithm that creates a password at fixed intervals rather than issuing a unique password when one is requested. This is a flaw because if hackers were to figure out the algorithm, they would be able to figure out every single one of the passwords generated by the authenticator. The third, and the biggest flaw, is that the passwords aren’t being sent over an out of band authentication network. This means that a separate network is not used to deliver the password to the phone; using one would reduce the chance of the password being compromised. This matters because if a hacker were able to gain access to the app on the phone, install malware on the phone, or gain access to the algorithm on the authenticator, they would be able to compromise the password. With an out of band authentication network such as a cell phone network, a true one-time password can be generated on command and sent to the user’s cell phone over the cellular network (a separate network), which is a safer way to deliver the password and authenticate a user.
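To make the acceptance-window and replay problem concrete, here is an added example that is not Blizzard’s code and does not describe how Blizzard’s authenticator actually works internally (Blizzard has not published that). It assumes a standard RFC 6238 time-based one-time password (TOTP) over HMAC-SHA1 with 30-second steps and uses the well-known RFC test secret; `TotpVerifier`, `window_steps` and `demo` are names chosen for this illustration. It shows that a wide server-side window accepts a code minutes after it was generated, that a tight window rejects it, and that remembering the last accepted step stops the same code from being accepted twice even inside the window.

```python
import hashlib
import hmac
import struct

# Test secret from RFC 4226 / RFC 6238; a real deployment uses a per-device random secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side check (hypothetical). window_steps is how many 30-second steps either
    side of 'now' are accepted; last_counter blocks reuse of a code already accepted."""

    def __init__(self, secret: bytes, window_steps: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window_steps = window_steps
        self.step = step
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window_steps, current + self.window_steps + 1):
            if counter <= self.last_counter:
                continue  # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Outcomes discussed in the text, returned as a dict so they can be checked."""
    code_at_59 = totp(DEMO_SECRET, 59)       # generated during time step 1
    stale_time = 59 + 270                     # presented 4.5 minutes later

    lenient = TotpVerifier(DEMO_SECRET, window_steps=10)  # roughly +/- 5 minutes
    strict = TotpVerifier(DEMO_SECRET, window_steps=1)    # roughly +/- 30 seconds
    replay = TotpVerifier(DEMO_SECRET, window_steps=1)

    return {
        "code_at_59": code_at_59,
        "stale_code_accepted_by_wide_window": lenient.verify(code_at_59, stale_time),
        "stale_code_accepted_by_tight_window": strict.verify(code_at_59, stale_time),
        "first_use_accepted": replay.verify(code_at_59, 59),
        "replay_accepted": replay.verify(code_at_59, 59),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The algorithm itself is public, so knowing it does not help an attacker who lacks the per-device secret; what the window and the replay check control is how long a code captured in transit stays usable. Note that the last-counter check only protects one account at a time and must live in the same store the login path consults, or two servers will each happily accept the same code once.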

Blizzard is a company with many users, and they need to re-evaluate their security measures to keep their users safe from fraud and hackers. Blizzard’s expected revenue for 2012 is $4.5 billion, and with that much revenue coming in, they need to allocate some of it to preventive security to protect their users and the company itself from future hacking attacks. Blizzard also needs to use their funds to incorporate a more effective two factor authentication solution using an out of band authentication channel to effectively verify their users.

Google’s Responsibility and 2 Step Verification

Google’s Larry Page has stepped up security measures as Google’s new CEO since Eric Schmidt stepped down in 2011. Google, the most widely used search engine in the world, is popular because it is valuable to its users, showing them the most relevant search results when they are looking for something. By offering such a great user experience, Google has a very direct relationship with its users. When a user wants to search for an image or product, Google’s search algorithm “magically” compiles relevant search results. In a swiftly changing industry, Google has managed to stay innovative. Users don’t always like the changes, but some grow to love them. When Google releases a product that isn’t up to par with users’ expectations or doesn’t work, they know that it’s easy for users to go to the competition, which is a click away. Users place a lot of trust in Google with their searches and especially with their data in emails, documents, pictures, and accounts.

To retain that trust and ensure that users’ information is safe, Google invests in security and in tools for users such as 2-step verification (also called two factor authentication) and encryption. These security efforts help thwart unauthorized access to users’ information and also increase trust between Google and its users. Google also recently changed its privacy policies, which drew a lot of interest from users, but ultimately the changes were made so that Google can create a more intuitive experience across its products and a better user experience for its users. Larry Page’s update to Google’s privacy policy was meant to create a more seamless experience across its services and products. One way to create a more seamless experience is for users to stay logged in while using Google products such as Google Chrome, Google Docs, Gmail, Youtube.com, Google+, and Google Play.

Google’s implementation of security features like two factor authentication helps improve the user experience by decreasing the likelihood of information and accounts being compromised. One way a user can be verified using two factor authentication is by logging into their account with their login credentials while, at the same time, a one-time password is sent to their mobile phone to be entered into the website before access is granted. This is a powerful way to authenticate users because not only do they log in with their credentials (a login and password), they are also sent a one-time password to their mobile device, which lets Google know that they are who they say they are. The great thing about this two factor authentication method is that most users always have their cell phone on them, so verifying them doesn’t require any additional hardware to carry or software to install. Users just need to be able to receive text messages on their mobile devices, and they can receive a one-time password that hackers and intruders won’t be able to access even if their logins are compromised. With over 100 million active users on Google+ and over 3 billion searches on Google’s search engine per day, security is a concern for users, and implementing 2 step verification is a great way to ensure that users’ information remains safe and that Google can continue improving the experience for us all across all its products and services.

NASA Faces Security Scrutiny

The big news in data breaches this week comes from NASA. According to a report just presented [PDF] to the US House of Representatives, hackers were able to successfully access mission systems at NASA on numerous occasions in 2011. In addition to this, it has been revealed that a laptop stolen from NASA contained algorithms used to command and control the International Space Station (ISS).

NASA Plagued by APTs

According to the report, hackers using Chinese IP addresses gained access to the IT systems of the Jet Propulsion Laboratory where they were able to steal information and manipulate high-profile user accounts.

Statistically speaking, NASA was hit with 47 advanced persistent threat (APT) attacks; 13 were successful, a 28% success rate. These successes were possible despite NASA spending $58 million on IT security for 2011.

The report by NASA’s inspector general, Paul Martin, concluded that a number of issues contributed to these attacks. The CIO role is not clearly defined, lacking authority over some IT assets; encryption isn’t widely used (only by 1% of devices); the transition to cloud computing was not done securely; cyber attacks continue to become more sophisticated.

Lost & Stolen Computers at NASA

In addition to the APT threats, the NASA report reveals that 48 devices were lost or stolen between April 2009 and April 2011. The missing laptops contained personally identifiable information, third-party intellectual property, Social Security Numbers (SSNs), and sensitive NASA data. The most notable of these breaches involves information about the command and control of the International Space Station (ISS).

According to the report, NASA has no way to accurately determine the exact data on the missing devices, instead relying on employee memory.

Given the increase in the use of laptops and other mobile devices, it’s clear that NASA is lagging in terms of agency-wide data protection policies and solutions.

Consumers Fighting Identity Theft Need To Demand Data Breach Protection


Are you one of the millions affected by identity theft? Even if you are not, 2011 was the year of the data breach with over 36 million affected by breaches. Javelin Strategy and Research says that people whose information was stolen in a data breach are almost 10 times more at risk of identity theft or fraud. If your information has been stolen or compromised, you very well could be the next victim of identity theft or fraud.

Data breach protection can provide a solution for lowering the risk of identity theft. In 2010, 8.6 million households were involved in identity theft incidents, as reported by the U.S. Bureau of Justice. With 36 million people affected by breaches in 2011, the number of identity theft incidents last year must be through the roof, although the figures are still being tallied.

It is plain to see that identity theft is one of the biggest problems we are facing today, because it can destroy credit score ratings and cause financial ruin for victims. Recently, Schield Family Brands employees became victims of tax fraud, which was an identity theft based attack. Over a hundred employees of the window and door manufacturing company were left without a tax return, were charged fees, and their credit scores could have been affected as well by fraudulent activity. By using the victims’ identities, thieves were able to receive false tax returns through the victims’ social security numbers. To make things even worse, the victims did not know about the fraud until they were notified that their returns had already been filed.

Although data breach protection is perceived to be the responsibility of corporations, there are precautions that can be taken on the consumer end to ensure better safety. In a recent report by Javelin, some shocking information was published about online social network behaviors. It was found that 68% of public profiles contained birth date information, while 63% contained high school information. This type of confidential data could be used in a social engineering attack on social networks to commit identity fraud. It is important to keep personal information like this private in order to prevent these types of attacks.

Forbes recently posted info about 6 mistakes most people are already making online which can lead to becoming a victim of cyber crime:
1. Displaying a full birth date on a Facebook profile
2. Participating in online quizzes
3. Mobile devices without password protection
4. Tweeting plans including destinations and vacations
5. Leaving geotagging on which displays location
6. Using weak email passwords and never changing them

By avoiding these mistakes online, people can do their part in protecting their identities, but it is also the responsibility of organizations to keep users’ information secure. This is why consumers, employees and even the government should fight for remote access security which defends against hackers utilizing data breach information to commit fraud. Utilizing a two-factor authentication solution could add a layer of protection that removes a piece of the identification process from the criminals and places power back in the hands of the individual, literally.

By utilizing an SMS text message to transmit a one-time password, not only is access better protected, but the user also receives notice whenever authentication and access to their information takes place. Even if an attacker were to obtain information from data breaches or use social engineering to try to gain access, this added layer of security could prevent the attack. It is both an effective and efficient solution that does not take much time to put into place.
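The SMS one-time-password flow described here and in the Google section above, as an added example that is not code from any of the companies discussed and not a description of their actual systems. It assumes a hypothetical `SmsOtpService` whose `send_sms` callable is injected (here an in-memory outbox stands in for the carrier), a five-minute code lifetime and three allowed guesses; those parameters are choices for the illustration. The properties the text relies on are all enforced: the code is random rather than derived from a clock, it works exactly once, it expires, guessing is rate-limited, and the text message itself tells the user that a login is being attempted.

```python
import hashlib
import hmac
import re
import secrets

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # a code stops working five minutes after it is sent
MAX_ATTEMPTS = 3           # guesses allowed before the code is discarded


class SmsOtpService:
    """Issues random single-use codes delivered over a separate channel (SMS).
    Only a hash of each code is kept server-side, so a copy of the pending table
    does not reveal live codes."""

    def __init__(self, send_sms, ttl_seconds=OTP_TTL_SECONDS, max_attempts=MAX_ATTEMPTS):
        self._send_sms = send_sms
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._pending = {}   # username -> {"hash": ..., "expires": ..., "attempts": ...}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, username: str, phone: str, now: int) -> None:
        # A fresh unpredictable code per request: nothing for an attacker to derive.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = {"hash": self._digest(code),
                                   "expires": now + self._ttl, "attempts": 0}
        # The message doubles as a notice to the user that a login is in progress.
        self._send_sms(phone, f"Your sign-in code is {code}. It expires in "
                              f"{self._ttl // 60} minutes. If you did not request it, "
                              "change your password.")

    def verify(self, username: str, code: str, now: int) -> bool:
        record = self._pending.get(username)
        if record is None:
            return False                      # nothing issued, or already consumed
        if now > record["expires"]:
            del self._pending[username]       # expired: a fresh code is required
            return False
        record["attempts"] += 1
        if record["attempts"] > self._max_attempts:
            del self._pending[username]       # too many guesses: discard the code
            return False
        ok = hmac.compare_digest(record["hash"], self._digest(code))
        if ok:
            del self._pending[username]       # single use: a captured code is now worthless
        return ok


def run_demo() -> dict:
    """Constructed walk-through: an in-memory 'carrier' records what would be texted."""
    outbox = []
    service = SmsOtpService(send_sms=lambda phone, text: outbox.append((phone, text)))

    def last_code() -> str:
        return re.search(r"\b(\d{6})\b", outbox[-1][1]).group(1)

    service.issue("alice", "+1-555-0100", now=1000)       # constructed user and number
    code = last_code()
    results = {
        "correct_code": service.verify("alice", code, now=1010),
        "replayed_code": service.verify("alice", code, now=1011),
    }
    service.issue("alice", "+1-555-0100", now=2000)
    results["expired_code"] = service.verify("alice", last_code(), now=2000 + OTP_TTL_SECONDS + 1)
    service.issue("alice", "+1-555-0100", now=3000)
    code = last_code()
    for wrong in ("000000", "111111", "222222"):
        service.verify("alice", wrong, now=3001)
    results["correct_after_lockout"] = service.verify("alice", code, now=3002)
    results["messages_sent"] = len(outbox)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The attempt limit is what makes a six-digit code safe against online guessing; without it, a million guesses inside the five-minute lifetime is a small job. Hashing the stored code and deleting it on success are cheap and remove the two easiest ways for a captured code to be reused.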

Steps to Take Before Throwing Away Your Old PC

In 2010, the FTC recorded over 250,000 complaints of identity theft in the United States. While many identity thieves still get their information from your paper mail, a stolen purse or wallet, or hacked files online, more and more are starting to glean sensitive information from the hard drives of old computers. If you’re getting ready to toss out your desktop or laptop in favor of a newer model, take these steps to protect yourself from identity theft.

What information might be stored?

Not sure it’s worth all that work to wipe your hard drive? After all, you don’t keep a ton of important information on your computer, so what could a hacker possibly find anyway; and if you’re just donating your computer or selling it for cheap, what are the odds that an identity thief is going to get his hands on it? The problem with this line of thinking is that, oftentimes, your computer has stored information that you don’t even know it has stored. Common information stored on computers includes account numbers, credit card numbers, passwords, registration keys for software programs that you use, medical information, addresses, and even tax returns – which contain pretty much all the personal information necessary for someone to apply for a credit card or bank loan in your name! Keep in mind that many identity thieves will actually buy a used computer – or even steal a donated one – in the hope of gleaning such personal information. This information can be worth thousands of dollars to them and can create a huge headache – and financial problems – for you.

How to get rid of the data

So, before you sell your computer or donate it to your local school system, take these steps to get rid of the data for good:
1. Don’t count on just deleting the files. While you’ll want to delete the files from your computer, this is just the first step to take. Identity thieves are often experts at recovering deleted information from hard drives by using specialized software.
2. Save any files you want to keep. Before you wipe your hard drive, you will, of course, want to save any files you want to keep. You can transfer your data to a new computer, burn it to a CD, put it on a USB drive, or put it on an external hard drive – a particularly good option if you need to store a ton of files or information.
3. Use a utility program specifically meant to wipe your hard drive. Local tech stores sell utility programs meant for this purpose that match your specific operating system. The best idea is to get a program that will overwrite or wipe the hard drive several times instead of just once, and you’ll definitely want a program that wipes the entire drive. If you know your computer has particularly sensitive information on it and you don’t trust a utility program to get rid of the information, you can always destroy the hard drive physically. Businesses in particular often use hard drive shredding services, as their computers tend to have lots of personal information on both employees and customers of the business. Once you shred the hard drive, you can simply sell or donate the rest of the computer without it, and the new owner can then completely replace the hard drive.
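Why step 1 is not enough and what step 3 actually does, shown on a toy disk as an added example that is not from the original article or from any wiping product. The `ToyDisk` class is a constructed model: a block device plus a file table, where deleting a file only frees its entry in the table (which is what ordinary deletion does on real file systems) while `wipe` overwrites every block, allocated or not, in several passes. A recovery tool ignores the table and scans raw blocks, which is what `raw_contains` imitates.

```python
import os

BLOCK_SIZE = 16
BLOCK_COUNT = 64


class ToyDisk:
    """Constructed model of a disk: raw blocks plus a table mapping names to blocks."""

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.table = {}                       # filename -> list of block indexes
        self.free = list(range(BLOCK_COUNT))  # blocks not currently assigned to a file

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            self.blocks[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk
        self.table[name] = used

    def delete_file(self, name: str) -> None:
        # Ordinary deletion: the blocks go back on the free list, their bytes are untouched.
        self.free.extend(self.table.pop(name))

    def raw_contains(self, needle: bytes) -> bool:
        # What recovery software does: read the raw blocks and ignore the file table.
        return needle in bytes(self.blocks)

    def wipe(self, passes: int = 3) -> None:
        # Step 3 from the text: overwrite the whole device, not just files, several times.
        for _ in range(passes):
            self.blocks[:] = os.urandom(len(self.blocks))
        self.blocks[:] = b"\0" * len(self.blocks)
        self.table.clear()
        self.free = list(range(BLOCK_COUNT))


def demo() -> dict:
    """Write a sensitive file, delete it, check recoverability, wipe, check again."""
    disk = ToyDisk()
    # Constructed sample content; the SSN pattern is a placeholder, not a real number.
    disk.write_file("tax_return.txt", b"Name: A. Person  SSN: 000-00-0000  Refund: $1,234")
    disk.delete_file("tax_return.txt")
    recoverable_after_delete = disk.raw_contains(b"000-00-0000")
    disk.wipe()
    recoverable_after_wipe = disk.raw_contains(b"000-00-0000")
    return {
        "file_listed_after_delete": "tax_return.txt" in disk.table,
        "recoverable_after_delete": recoverable_after_delete,
        "recoverable_after_wipe": recoverable_after_wipe,
    }


if __name__ == "__main__":
    print(demo())
```

One caveat the model cannot show: on flash-based drives (SSDs) the controller remaps writes, so overwriting in place does not reliably reach every physical cell; for those, the drive’s built-in secure-erase command or physical destruction, as the text suggests, is the dependable option.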

Watching for identity theft

Even if you are careful to destroy information on your computer before you sell or donate it, it’s a good idea to be wary of potential identity theft. Check your credit reports regularly to ensure that everything is accurate. Credit reports are normally the first place you’ll see evidence of identity theft when new accounts pop up that you didn’t open. If you do think you’ve been a victim of identity theft, get identity theft assistance as soon as possible. Report the problem to the credit reporting bureaus, who will place a fraud alert on your account. Then close the new, fraudulent accounts. Finally, report the fraud to the Federal Trade Commission and your local police department. If you’ve taken steps to protect your personal information from being stolen, you may never have to deal with the problem of identity theft, but it’s always a good idea to be aware of what you should do if your identity should be stolen.