Are Password Failures at the Forefront of Data Privacy and Protection?


As the battle between “good and evil” wages on, bills like SOPA and PIPA, along with government regulations, seem to be big news. Also on the frontier of data privacy and protection, we are seeing hacktivism through malicious attacks that expose confidential information. At the forefront of this mess, it is not hard to see that password failures, along with an overall lack of security knowledge, are what got us here.

Government Regulatory Compliance and Bills

With data breaches becoming more common, information technology security is starting to be seen as a necessity. Government regulatory compliance such as HIPAA, FFIEC and PCI DSS is already focused on protecting confidential financial and healthcare data that is transmitted or accessed over a network. In these cases, strong authentication is required to identify a user requesting access to confidential networks.

Recently, legislation has been moving toward data protection matters as well. SOPA and PIPA, two government bills that would allow the federal government to police the internet, were recently shot down by the public. The bills would have made it possible for the FBI to shut down websites that may be dealing in pirated data. However, there is a gray area between what is and what is not “personal data or information”. That is why many websites, including Google and Wikipedia, protested the bills in order to protect freedom of speech. Hacktivist groups also took a stand against the new legislation with a series of DDoS attacks and possibly data breaches for use in later attacks.

Hacktivist Groups

Leading the data breach headlines are groups like Anonymous, who participate in hacktivism to take a stand. In recent news, Anonymous has claimed responsibility for shutting down the FBI and Department of Justice websites in protest of SOPA and PIPA. In the past year, Anonymous and other hacktivist groups like Lulz Security have been responsible for shutting down websites through DDoS attacks, but more importantly for data breaches, which have a longer-lasting effect.

Data breaches like the Stratfor hack, led by Anonymous, have leaked confidential intelligence and personal data. Coordinated with LulzSec, Anonymous also breached the private data of over 77 million Sony PlayStation Network accounts. Many of these attacks stem from the lack of strong passwords and network security.

Passwords and Authentication

It is clear that data is where the power lies in the future: government wages war against hackers who are not only fighting for privacy but are the same ones leaking confidential data. It would seem that everyone believes creating stronger passwords will prevent future data breaches; however, the problem lies in accountability as well.

Passwords are too easy to forget, lose, crack and hack, and they just do not work. That is why password failure is at the forefront of data privacy and protection. Add to this the fact that our personal passwords are being leaked through data breaches, and the reality is that passwords, no matter how strong, are old news and no longer considered secure. Through strong authentication, however, everyone can forget their passwords, relying on the added layer of protection, along with notifications, to restore accountability.

Two-Factor Authentication is Strong Authentication

In order to protect against password failure we have to get rid of passwords altogether. How can we do that, though? Two-factor authentication through an out-of-band one-time password (OTP) allows users to use almost any password, because the authentication process relies on “something you have” to identify the user. The OTP is sent over a network separate from the original point of access, usually by SMS text message, since that channel is out-of-band, cost effective and efficient. By using a mobile phone you also gain a notification whenever someone requests access to the account.

The new frontier of data privacy and protection relies on authenticated access for remote users. Not only does this help prevent data breaches, it also allows users to leave passwords behind, placing accountability back into the hands of security.

Hackers Make Unauthorized Trades in Online Brokering Accounts


In recent news, some clients of online stockbrokers in Australia have had their accounts compromised and have been advised to change their passwords. Investigations are currently being conducted by the Australian Securities and Investments Commission (ASIC). The ASIC believes that the hacking attacks were organized, but has not yet determined how client passwords are being compromised. Hacking attacks like these could have been prevented if proper security measures were in place for the brokers’ clients and their systems. Using layered security measures such as multi-factor authentication dramatically reduces the likelihood of online user accounts being compromised.

According to the ASIC, the hackers used the accounts to engage in trades that lost the clients money. About a dozen share-trading accounts have been hacked across several brokers, and the ASIC is cooperating with international authorities to trace the proceeds reaped by the other party in each transaction. The ASIC has also said that the attacks are not believed to be associated with the attacks that shut down online brokers E*TRADE and Directshares.

Representatives at E*TRADE and Directshares have recommended that users with online brokerage accounts keep the anti-virus and anti-malware software on their PCs up to date. E*TRADE was targeted by hackers late in 2011 to access a small number of online broking accounts and make unauthorized trades. E*TRADE has stated that its own systems were not the source of the breach, but rather that individual users’ accounts were compromised. E*TRADE has recommended that users change their account passwords and also check their computers to make sure there is no malicious software logging their keystrokes. Users who have online brokerage accounts should also check their transaction history for unusual trades and report any unauthorized trades to the authorities and their broker.

The user accounts that were hacked could have been protected from unauthorized access if stronger measures had been used to authenticate the users accessing the account. Layered security such as multi-factor authentication identifies users using multiple methods. Two-factor authentication is a form of multi-factor authentication and could have been used to thwart the hacking attacks. If two-factor authentication had been used to authenticate the brokers’ online clients, the chance of the hackers accessing the data would have been minimal. A user’s login, or something they know, and a user’s mobile phone, or something they have, are two factors that can be used to authenticate them. The most secure way of authenticating someone through their mobile phone is to send a one-time password to the phone, because the user has the phone on them and is able to enter the one-time password along with the login credentials to verify themselves. In the case of the brokers’ client accounts being hacked, the hackers would only have had the login credentials, and access would have been prevented because they would not be able to receive the one-time password sent to the mobile phone. This type of authentication is a standard in industries such as banking and healthcare. The best way to prevent these types of hacking attacks is to scan your computer for viruses and malware, and to incorporate two-factor authentication as an additional layer of security to protect against unauthorized access.

Amazon Protects Against Fraud with Multi-Factor Authentication


Amazon.com has not only become the largest online bookstore, but is also a multinational ecommerce company. The company has been spreading its reach like the branches of a river while supplying goods to countries across the world. Amazon.com started off by profiting from being an online book brokering system and later offered many other products. Amazon.com grew its business through online associates in the form of users.

When scaling a company by having users contribute to both ends of the business, buying and selling, fraudulent and malicious activity becomes inevitable. Amazon did not become one of the largest ecommerce websites in the world by lacking in security, though. In 2009, Amazon started to offer multi-factor authentication to protect its users against fraud. It now offers free identification through any mobile device or computer that can run a Time-Based One-Time Password application. It also offers paid multi-factor authentication through a third-party proprietary authentication token from Gemalto, which is supposed to offer higher security.

Free Amazon Multi-Factor Authentication

If you are able to run a time-based one-time password (TOTP) application on your smartphone, tablet or computer, you can use the free AWS MFA process. With this method, when you log into your account with your traditional username and password, a token is delivered to the application. The token is a one-time password generated out-of-band, separate from the user’s login network, which reduces the chances of man-in-the-middle attacks and makes the authentication process more secure.
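To show what a time-based one-time password application actually computes, here is an added example (not Amazon’s, AWS’s or Gemalto’s code) of the RFC 4226/RFC 6238 algorithm those applications implement, together with the server-side check that tolerates a little clock skew but refuses to accept the same code twice. One caveat worth knowing: the application derives the code locally from a shared secret and the device clock, so after enrolment nothing has to be delivered to the phone. The seed below is the RFC test seed, used only so the output can be compared with the published test vectors; the account name and issuer in the provisioning URI are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890").
# Used here only so the output can be checked against the RFC test vectors.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # zfill keeps leading zeros: "07081804" is a valid code, "7081804" is not.
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI an authenticator app reads from a QR code at enrolment.
    This is the only time the secret travels; codes are computed locally afterwards."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


class TotpVerifier:
    """Server side: checks a submitted code against the user's stored secret.

    - `window` time steps of clock skew are tolerated in each direction.
    - A code is accepted only for a counter newer than the last accepted one,
      so a code that has already been used cannot be replayed while it is
      still within its lifetime (the rule in RFC 6238 section 5.2).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter already consumed by a login

    def verify(self, candidate: str, now: float) -> bool:
        counter = int(now) // self.step
        for skew in range(-self.window, self.window + 1):
            c = counter + skew
            if c <= self.last_counter:
                continue  # already used, or older than a code that was used
            expected = hotp(self.secret, c, self.digits)
            # Constant-time comparison so a guess cannot be refined byte by byte.
            if hmac.compare_digest(expected.encode(), candidate.encode()):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("current code for the RFC seed:", totp(RFC_TEST_SEED, time.time()))
    print(provisioning_uri(RFC_TEST_SEED, "alice@example.com", "ExampleCorp"))
```

Because the counter is the clock divided into 30-second steps, the verifier accepts a code for at most three steps (about 90 seconds) with `window=1`, and once a code has been used, `last_counter` moves past it so a captured code cannot be submitted again.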

Gemalto Multi-Factor Authentication

To increase security even further, Amazon’s users may pay for a service through Gemalto, which offers a key fob device for authentication. Amazon states that Gemalto’s third-party proprietary token device offers better security than the free process. After the RSA hard token breaches, however, many people are skeptical about the security of proprietary OTP tokens.

Secure Cloud Computing

Amazon, like many companies, runs on a cloud of servers, which allows many users to access data remotely at once. Amazon.com and its cloud network offer financial information to its publishers so they can track their earnings. A publisher’s user account can display earnings and payment options to the user. This is one of the reasons why multi-factor authentication security was necessary.

One of the most secure forms of protection for any company storing data in the cloud is an out-of-band, multi-factor authentication process, which Amazon has implemented. This is especially true for ecommerce websites that may be storing financial data and personal information belonging to thousands of users. This added layer of security could be the very reason why the multinational electronic commerce corporation has not appeared on recent data breach lists.

2011 was the year of data breaches, and more companies are becoming like Amazon and starting to use cloud computing. Will these companies follow suit and provide better protection and privacy to the users accessing information in the cloud, or will there be a bigger data breach list containing more corporations in 2012? Companies using the cloud to store and access information need to add additional layers of security to protect that information, and the best way for them to do that is to use multi-factor authentication.

Increasing Healthcare Data Breaches Due to Lack of Smartphone and Tablet Mobile Security


In health care, the efficiency of a physician’s workflow can be a matter of life or death, and under certain circumstances that is literally true. Workflow is an integral part of a physician’s job; however, there is the concern of privacy and security. A survey conducted by QuantiaMD, with results from 3,798 physicians, states that 1 in 5 doctors uses a tablet for work in their practice. Coupled with a report by Manhattan Research that smartphone usage among physicians increased from 72% in 2010 to 81% in 2011, this shows that mobile usage is on the rise in healthcare. These are alarming facts for mobile security since, in many instances, security processes can hinder or halt work, so they are often overlooked.

Although physicians are governed by HIPAA compliance, more doctors are concerned with workflow than with being compliant. With traditional forms of communication, such as requesting a diagnosis or paperwork, a physician may have to wait an hour for a response from a colleague. If a physician uses text messaging, they can communicate with a colleague and receive responses rapidly. However, mobile security is not always used in healthcare because security is not the primary concern. With so many physicians using smartphones and tablets, this raises the possibility of a data breach.

Recent research by the Ponemon Institute states that data breaches rose by over 32% in 2011. There is no research pointing to mobile devices as the culprit for these breaches; it could be a coincidence, or hackers and crackers may be finding new ways of compromising data. Traditionally, hackers find weaknesses and vulnerabilities to exploit, which is probably what caused the rise in data breaches. With more physicians using devices without mobile security measures in place, hackers may have spotted weaknesses and exploited them to cause data breaches. Whether through interception of confidential data in transit or unauthorized access to servers, the concern is patient privacy.

Protecting patient privacy starts at the point of access. If only authorized users are allowed to access confidential data, the chance of data breaches can be reduced. Two-factor authentication provides security that satisfies HIPAA compliance requirements. Two-factor authentication solutions are also inexpensive while providing two layers of protection. By using a one-time password sent by SMS text message, not only is an out-of-band authentication method used, but no extra hardware or software is needed, since most users already have mobile devices.

An out-of-band network provides the strongest mobile security because successfully intercepting both factors of authentication is extremely difficult. If a time limit is placed on the life of the one-time password and a hacker were to intercept the password, chances are that they would not be able to enter it fast enough to access the network before the user. With a one-time password, the password is unusable after it has been used once. This reduces the likelihood of a malicious user being able to fraudulently access data.

It may be easy to conclude that data breaches increased because of mobile device usage. The facts say it all. Smartphones are being used by almost every physician, and with tablet applications becoming more available for healthcare, the chances for fraud increase. Advancing technology should be protected through advancing security. The two-factor authentication process is advanced security that is HIPAA compliant, inexpensive and, best of all, requires no special software or additional hardware. This makes it usable by anyone with a smartphone or mobile device.

Strong Authentication Helps Doctors Monitor Patients through Remote Access


Doctors will be performing more house calls by computer or by phone as technology advances and as the demand for available doctors grows. This is good news if you are sick, don’t need urgent care and don’t want to wait for an appointment just to speak with your doctor. With many doctors overbooked, patients in some metro areas, such as Boston and New York, often have to wait over 2 months to see a doctor of their choice. With remote access in health monitoring, speaking with a doctor will be much easier and more convenient for both the patient and the doctor.

For example, a patient with high blood pressure can use a remote device or a remote monitoring system that checks their blood pressure multiple times per week and then transmits the data to the patient’s secure electronic health record, where the physician can access it. The physician would access the electronic health record after identifying themselves using strong two-factor authentication. This can be done using login credentials, such as a user name and password, as one factor of authentication and a dynamic one-time password sent to their mobile device as the second factor. The physician can then have a consultation over the computer or phone with the patient, who can monitor the blood pressure levels, all while the physician is off site.
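The brokerage, healthcare and remote-monitoring posts above all describe the same login flow: a password first, then a short-lived, single-use code sent out-of-band to the user’s phone, which doubles as a notification that someone holding the password is trying to get in. Here is an added example of the server side of that flow; it is not the page’s or any vendor’s code. The SMS gateway is stood in for by a callable, the user record, phone number, 120-second lifetime and three-guess budget are constructed values, and the clock is injectable so expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed lifetime of a delivered code
MAX_OTP_ATTEMPTS = 3    # assumed guess budget per issued code


def hash_password(password: str, salt: bytes) -> bytes:
    """First factor, something you know: stored salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OutOfBandLogin:
    """Password step, then a one-time code delivered to the user's phone
    (something you have).  Each code expires, is single use, and tolerates
    only a few wrong guesses before the challenge is discarded."""

    def __init__(self, users, send_sms, clock=time.time):
        self.users = users            # username -> {"salt", "pw_hash", "phone"} (constructed)
        self.send_sms = send_sms      # callable(phone, text): stand-in for an SMS gateway
        self.clock = clock
        self.server_key = secrets.token_bytes(32)   # keys the stored code digests
        self.pending = {}             # username -> outstanding challenge

    def _code_digest(self, username: str, code: str) -> bytes:
        # Only a keyed digest of the code is kept, so a copy of the pending table
        # does not reveal codes that are still live.
        return hmac.new(self.server_key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def start_login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                hash_password(password, user["salt"]), user["pw_hash"]):
            return "bad_credentials"      # same answer whether or not the user exists
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = {
            "digest": self._code_digest(username, code),
            "issued": self.clock(),
            "attempts": 0,
        }
        # The message is the second factor and the notification in one.
        self.send_sms(user["phone"],
                      f"Your login code is {code}. It expires in {OTP_TTL_SECONDS // 60} "
                      f"minutes. If you did not request this, change your password.")
        return "otp_sent"

    def finish_login(self, username: str, candidate: str) -> str:
        challenge = self.pending.get(username)
        if challenge is None:
            return "no_challenge"         # nothing issued, or the code was already used
        if self.clock() - challenge["issued"] > OTP_TTL_SECONDS:
            del self.pending[username]
            return "expired"
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[username]    # even a correct guess is refused now
            return "locked"
        if hmac.compare_digest(self._code_digest(username, candidate), challenge["digest"]):
            del self.pending[username]    # single use: the code dies with the challenge
            return "authenticated"
        return "wrong_code"


if __name__ == "__main__":
    salt = b"constructed-salt"
    users = {"drsmith": {"salt": salt, "pw_hash": hash_password("correct horse", salt),
                         "phone": "+1-555-0100"}}
    outbox = []
    svc = OutOfBandLogin(users, lambda phone, text: outbox.append(text))
    print(svc.start_login("drsmith", "correct horse"))
    code = outbox[-1].split("code is ")[1][:OTP_DIGITS]
    print(svc.finish_login("drsmith", code), svc.finish_login("drsmith", code))
```

The second `finish_login` call with the same code returns `no_challenge`: the challenge was deleted on success, which is what makes the code single use. Someone who captures a code after it has been entered, or after the lifetime has passed, has nothing to submit, and someone holding only the password gets no further than `otp_sent` while the account owner receives a text they did not ask for.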

According to the American Association of Medical Colleges, there is projected to be a shortage of 124,000 doctors by the year 2025. With this shortage, waiting lists to see doctors will get longer and finding a doctor will be more difficult. The need for remote doctor visits will increase, and strong two-factor authentication will help doctors monitor patient health records securely while caring for their patients more efficiently.

Remote access also lets physicians communicate with other healthcare professionals regardless of their location. Remote patient monitoring allows physicians to review a patient’s electronic health records and speak with them by telephone or computer, and nurses can provide care for the patient based on what the doctor recommends. Physicians need timely and accurate data to make correct decisions and give the right diagnosis. Accessing electronic medical records remotely allows them to receive the critical data they need at any time and from any location. Strong authentication protects this data from being breached and allows only authorized users to access the information.

The future of healthcare will revolve around technology that allows patients to receive care at home with remote health monitoring systems. With the advances in technology that allow physicians to speak with patients remotely, the need for healthcare security to protect electronic health records also grows. Without proper safeguards protecting electronic health records, physicians accessing medical records risk data breaches and attacks. Strong two-factor authentication is a safe and secure way to help doctors monitor electronic health records by allowing only authorized users to view sensitive health information.