Twitter Logins and Passwords Exposed in Security Breach and How They Can Prevent Future Breaches


It was announced recently that Twitter was hacked and that over 55,000 Twitter usernames and passwords were leaked and posted publicly on the internet for anyone to see.  The data appeared on Pastebin, a text-sharing site that attackers often use to publish and brag about stolen data, although Twitter pointed out that many of the profiles were spam bots and duplicates.  If you’re on Twitter, now would be a very good time to log in and change your password.

Twitter spokesman Robert Weeks explained, “We are currently looking into the situation.  In the meantime, we have pushed out password resets to accounts that may have been affected.”  Twitter is investigating the breach to find its source.  The company is downplaying the incident, stating that the dump contains more than 20,000 duplicates, spam accounts that have already been suspended, and credentials that do not belong together (the listed password does not match the listed login).

The social network claims to have over 140 million active users, so 55,000 accounts would be about 0.04% of its user base (closer to 0.02% once the duplicates are discounted).  Still, this is a reality check for Twitter, because the breach could have been much more widespread and could have tarnished the company’s reputation.  The question Twitter must be asking itself is who leaked the credentials and why.  The Pastebin poster remains anonymous, no group has stepped forward to take credit for the attack, and the investigation has not yet concluded.

In 2009, Twitter was compromised twice, and in both cases the attackers gained administrative control over the social network.  In 2010, Twitter settled with the Federal Trade Commission (FTC) over those incidents because customer privacy and information had been put at risk.  The FTC settlement requires Twitter to maintain a comprehensive information security program, to have that program assessed by an independent auditor every two years for 10 years, to refrain from misleading statements about the effectiveness of its security or privacy practices for 20 years, and to designate staff accountable for coordinating its information security and privacy program.  The FTC settlement details can be seen at http://www.ftc.gov/opa/2011/03/twitter.shtm.  The social network also agreed to put in place “reasonable safeguards” to mitigate any information security risks it identifies and to store data securely.

Although Twitter had added almost all of the required security improvements by the time the FTC settlement was announced in 2010, it could have done more to prevent the current attack and future ones.  Even with staff dedicated to, and accountable for, information security, the company still got compromised.  Had the social network adopted two-factor authentication, the leaked credentials would have been far less valuable: a stolen password alone would not have been enough to log in.  Two-factor authentication using a mobile device verifies the user on a second channel at login time.  Google now offers this to its users, and many major banks use it to authenticate customers logging in to their services.  It is an effective and inexpensive way to implement out-of-band authentication using a device that most users own and always carry, a mobile phone.

To implement two-factor authentication, Twitter would only need to let users opt in to using their mobile phone as a security device and agree to receive a one-time password (OTP) by SMS.  After a user enters their login credentials on Twitter, an OTP is sent over an out-of-band network (the mobile carrier); the user types that code into the site, and only then is the login accepted.  The OTP must be short-lived, usable once, and limited to a few guesses, otherwise the second factor adds little.  This is a cost-efficient and effective way to authenticate users because most people have their mobile phone with them at all times, and it requires no additional hardware or tokens to deploy on Twitter’s end.  Two-factor authentication is a genuinely effective layered security measure that Twitter should be using to protect its users, and perhaps this attack will make the company rethink the security measures it has in place.  The FTC has already stepped in once to raise the social network’s security, and that was not enough, but a two-factor authentication solution would make Twitter less susceptible to the fallout of future breaches.

Online Users Are Safer With Out-of-Band Authentication


Online banking continues to grow as more consumers go paperless with their monthly statements, access their accounts online, pay bills, and make online purchases.  With more users going online, financial institutions are looking to protect their customers from threats such as online fraud, hacking and malware.  Beyond making their services safer, FFIEC guidance also directs financial institutions to implement layered security measures, including multi-factor user authentication.  According to recent studies, losses from online banking fraud are now more than double those from bank robberies.  As banks deploy new technologies to protect their users against fraud, more sophisticated attacks are created in response.  With every new control countered by a new threat, how are financial institutions going to protect their customers?  One of the ways is to authenticate users with out-of-band authentication.

Out-of-band authentication is effective because most threats to online banking come from malware that steals user credentials, man-in-the-middle (MITM) attacks, and phishing.  Malware is the greatest threat to online banking users today because it is so widespread, and it keeps getting more advanced as attackers find new ways to infiltrate users’ computers.  A man-in-the-middle attack (or its malware variant, the man-in-the-browser) sits between the user and the bank, reading or altering what the user sends, while a phishing attack lures the user to a look-alike copy of the bank’s login page so that credentials are typed into the fake site instead of the real one.  Financial institutions are the most profitable targets, so many attackers focus on harvesting banking credentials.

Users who do not know that they have malware on their computer are fooled into entering their login credentials because the attack presents what looks like the bank’s own site.  Both the financial institution and the user are fooled, because each believes the authenticated session is free of interference.  Even if the institution issues hardware tokens that generate one-time passwords, a login-time OTP only proves who started the session: an attacker sitting in the middle can relay the code to the real site in real time, obtain an authenticated session, and then freely roam the user’s account, submitting fraudulent transactions such as wire and ACH transfers.

To prevent this kind of online fraud, an additional control is needed: out-of-band authentication of the financial transactions themselves.  For example, when a user pays with a debit card online or moves money between accounts, a message with a one-time password is sent to their cell phone via SMS.  If the user really did make that purchase or transfer, they enter the one-time password in the OTP prompt within the allowed time window to confirm and authorize it.  The message should repeat the amount and destination, so that the code confirms that specific transaction and a user can notice if the details have been altered.  With this verification in place, an unauthorized party attempting a wire transfer, purchase, or other transaction cannot authorize it, because they do not have the user’s mobile device.  Not many security companies offer a product that verifies transactions, but DynaPass, located in Orange County, California, does.  DynaPay by DynaPass.com is a two-factor authentication solution that lets users verify their online transactions and is the additional layer of security that users need to stay protected against hackers and online attacks.
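The login flow described in the Twitter article above and the transaction confirmation described in this section share the same server-side mechanics, so here is one added example that covers both.  This is illustrative code written for this page, not DynaPass, DynaPay or Twitter code; the class and function names are hypothetical, and the SMS gateway is simulated with an in-memory outbox.  The service stores only a keyed hash of each code, enforces expiry, a guess limit and single use, and binds a transaction code to the amount and destination it was issued for, so a code obtained for one transfer cannot authorize an altered one.

```python
# Added example, not DynaPass/DynaPay or Twitter code: a minimal out-of-band
# OTP service for login and for transaction confirmation.  Names are
# hypothetical; the SMS gateway is an in-memory outbox so this runs offline.
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # window the user has to type the code
MAX_ATTEMPTS = 3        # guesses allowed before the code is discarded


class OtpService:
    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret   # keyed hash: a dumped table cannot forge codes
        self._clock = clock
        self._pending = {}             # (user, purpose) -> record of the issued code
        self.outbox = []               # simulated SMS gateway: (phone, text)

    @staticmethod
    def _fingerprint(context: dict) -> str:
        """Canonical digest of what the code authorises (empty dict for a plain login)."""
        canonical = "\n".join(f"{k}={context[k]}" for k in sorted(context))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def _keyed_hash(self, user: str, purpose: str, fingerprint: str, code: str) -> str:
        msg = "|".join((user, purpose, fingerprint, code)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, phone: str, purpose: str, context: Optional[dict] = None) -> None:
        """Generate a fresh code, keep only its keyed hash, and send it out of band."""
        context = context or {}
        fingerprint = self._fingerprint(context)
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[(user, purpose)] = {
            "hash": self._keyed_hash(user, purpose, fingerprint, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The SMS repeats what is being authorised, so a user whose browser was
        # tampered with can see that the amount or destination is not theirs.
        detail = ", ".join(f"{k} {v}" for k, v in sorted(context.items()))
        what = f"confirm {purpose} ({detail})" if detail else purpose
        self.outbox.append((phone, f"Code {code} to {what}. Expires in {OTP_TTL_SECONDS // 60} min."))

    def verify(self, user: str, purpose: str, code: str, context: Optional[dict] = None) -> bool:
        """True at most once per issued code, and only for the context it was issued for."""
        key = (user, purpose)
        record = self._pending.get(key)
        if record is None:
            return False
        if self._clock() > record["expires"]:
            del self._pending[key]
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]
            return False
        candidate = self._keyed_hash(user, purpose, self._fingerprint(context or {}), code)
        if not hmac.compare_digest(record["hash"], candidate):
            return False
        del self._pending[key]   # single use: a replayed code fails
        return True


def code_in_sms(text: str) -> str:
    """Play the user's side: read the code out of the delivered message."""
    return re.search(r"(?<!\d)\d{%d}(?!\d)" % OTP_DIGITS, text).group(0)


class FakeClock:
    """Controllable clock so expiry can be exercised offline."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    clock = FakeClock()
    svc = OtpService(secrets.token_bytes(32), clock)
    phone = "+15550100"   # constructed sample data
    results = {}
    # 1. Login: the code is accepted once, and a replay of the same code fails.
    svc.issue("alice", phone, "login")
    code = code_in_sms(svc.outbox[-1][1])
    results["login_ok"] = svc.verify("alice", "login", code)
    results["login_replay"] = svc.verify("alice", "login", code)
    # 2. Guessing: after MAX_ATTEMPTS wrong codes even the right one is refused.
    svc.issue("alice", phone, "login")
    code = code_in_sms(svc.outbox[-1][1])
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "login", wrong)
    results["after_lockout"] = svc.verify("alice", "login", code)
    # 3. Transaction: a man-in-the-browser that swaps the destination cannot reuse the code.
    intended = {"amount": "2500.00 USD", "to": "ACCT-4471"}
    svc.issue("alice", phone, "wire transfer", intended)
    code = code_in_sms(svc.outbox[-1][1])
    results["tampered_transfer"] = svc.verify("alice", "wire transfer", code, dict(intended, to="ACCT-9902"))
    results["intended_transfer"] = svc.verify("alice", "wire transfer", code, intended)
    # 4. Expiry: a code presented after its window is rejected.
    svc.issue("alice", phone, "login")
    code = code_in_sms(svc.outbox[-1][1])
    clock.now += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", "login", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The transaction case is the one that matters against the session-hijacking attack described above: because the hash covers the amount and destination, the server will not accept the user's code for a transfer whose details were changed in transit, and the SMS text lets the user see the mismatch before typing anything.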

Are Static Passwords Obsolete? The Rise of One Time Passwords


With the introduction of new ways of authenticating a user, such as face recognition, fingerprint scanning, retina scans, and puzzle solving, ordinary static passwords are becoming both less secure and more cumbersome for users to remember.  When the internet was young, a password that was hard to guess was good enough to protect your email; today the same kind of password can be guessed, cracked offline, or simply stolen.

More and more users are banking online, making financial transactions, buying things on their tablets, and putting sensitive information on the web.  Ordinary passwords simply are not secure enough to protect users against malware and hackers.  With all the sites and logins we have, it gets harder and harder to remember every username and password.  Security is not the only question; there is also the cost.  We rarely think about what it costs to reset a password that has been lost, stolen, or forgotten, but someone is always responsible for resetting it and issuing the user a new one.  Industry reports put the average cost of a password reset at $30.

One-time passwords are a strong protection against fraud and malware, especially when delivered through an out-of-band channel.  Banks and financial institutions already secure logins this way: the user enters their login credentials, an authentication server sends a one-time password to the user’s mobile phone, and the user types that code into the site, which grants access only if the code is correct, unexpired and unused.  Because the code travels over the phone network rather than the connection the user is logging in on, an attacker who has only the password is stopped.  This method requires no extra hardware and no software to install on the phone, which makes it more convenient than hardware tokens, and it works because most users have their cell phones with them all the time.

Google also uses one-time passwords, sending a code to users who have enabled the service when they log in from an unrecognized location or device.  Static passwords are not as secure as they once were, even though they are still widely used; one-time passwords are going to be the future of authentication and of protecting users’ sensitive data.

How to Remove Responsibility While Avoiding Data Breaches in Healthcare

[Infographic: HHS data breach report]

If you are in the healthcare industry, you are familiar with privacy and how important it is to keep confidential data secure. Not only are you under the scrutiny of government regulatory compliance, you are also responsible for your patients’ personal data and ultimately their identity. In healthcare, accountability has become an important part of compliance: data breaches affecting more than 500 individuals must be reported and are posted on the HHS.gov website. Now that organizations face hefty fines and public exposure, will we see fewer breaches, or better yet, stronger security put in place?

Using information from the U.S. Department of Health & Human Services website, we have put together some facts about healthcare data breaches. Although these are only the reported incidents, it is alarming to find that the majority of the problem involves unsecured digital data. By taking the burden of safeguarding stored copies off individual physicians, hospitals and other healthcare facilities could have avoided many of the reported breaches.

Loss and theft have played the largest role in healthcare data breaches, with over 265 breaches involving 15,039,697 individuals’ records. That is over 67% of all reported breaches and an almost sickening, pardon the pun, 78% of all exposed records. In fairness, not every lost or stolen item is a computer or other digital form of data. It is still extremely daunting, however, that 92% of computer-related breaches are the result of theft or loss.


Regulations such as the HIPAA Security Rule and the HITECH Act require stronger security for healthcare data. But as long as physicians and other healthcare employees are allowed to carry and transmit confidential patient data on their own devices, the problem will continue. The facts show that accountability and hefty fines cannot protect us against human nature: computers and other portable devices get lost, stolen or left behind, and privacy goes with them. Preventing healthcare staff from downloading and storing confidential data on those devices removes the exposure.

If remote access to patient data could prevent 92% of computer-related breaches, why is it not being implemented? Keeping the data in a single accountable location and using zero-footprint technology lets it be viewed from any device without leaving a copy behind. Two-factor authentication then adds a further layer of protection against fraudulent access to that location.

The future is here now; there is no better time than the present to stop relying on individual physicians to protect stored copies and to place that responsibility with IT security. Secure remote access protected by two-factor authentication with a one-time password improves privacy without hindering healthcare professionals.

Verizon Reports Data Breach Count Rises While Records Breached Falls


With the number of data breaches on the rise, why is the number of records stolen dropping?

Verizon recently released its 2011 Data Breach Investigations Report (DBIR), which combines Verizon’s own caseload with that of the United States Secret Service. Although the number of records breached has dropped from a record high of 361 million in 2008 to 144 million in 2009 and to only about 4 million in 2010, the total number of breaches is rising. This suggests that smaller businesses are being targeted, through different vulnerabilities than in recent years.

Criminals Behind Bars Cause Others to Hide
Some would say that because many criminals were recently put behind bars, including 1,200 suspects arrested in 2010, we are much safer. Others, mainly those working in security, think the drop in records stolen reflects a combination of better security and, above all, a greater desire to stay out of jail. Several large-scale cyber criminals have recently been imprisoned, including Albert Gonzalez and Maksym Yastremskiy, who were behind some of the largest payment card breaches of the preceding years. With these prosecutions known to hackers everywhere, it may be that criminals are lying low.

Rather than targeting higher-risk companies with more security and investigative power, cyber criminals seem to be going after low-hanging fruit. The statistics in Verizon’s report show that organizations with 11 to 100 employees were breached more often in 2010 than any other company size. Approximately 436 breaches took place in this size bracket, compared to 323 breaches in all other size brackets combined. This is most likely because the security in place at these organizations is far less extensive than at larger corporations.


External Threats and Remote Access Security
It is reassuring that employees and competitors are not the main source of data breaches. However, with 98% of breaches originating from organized criminal groups and unaffiliated outsiders, it is plain to see that remote access security is the problem. The top attack types were hacking and malware. Although mobile devices have lately been cast as the source of all evil, in practice it is the server that has been the target. That is not to say mobile devices will not haunt our future security, as they may soon become the target of cyber thieves.

The problem of securing our privacy comes down to authenticating remote users. Anyone reaching the server should be a verified, authorized user, which also denies attackers the foothold they need to deploy further malware. And with skilled hackers packaging their tools for less skilled script kiddies, the need for remote access security will only grow. The attacks we have seen recently may be groundwork for later ones: using information from earlier breaches, an attacker could build easy-to-use tooling that lets many unskilled operators in many locations combine their efforts into a much larger breach of records.

Using two-factor authentication to identify users would thwart many of these attacks. To fully secure remote access, though, the need for out-of-band authentication with a one-time password is growing rapidly. With roughly half of breaches involving malware, an out-of-band solution delivers the second factor over a channel that malware on the compromised computer cannot read, so a stolen password alone does not yield access.

With new reports by Verizon and other companies being released constantly we can view the change and evolution of attacks. More importantly we can see trends which may lead to future attacks and prevent data breaches through preventative security measures.