Twitter Logins and Passwords Exposed in Security Breach and How They Can Prevent Future Breaches


It was announced recently that Twitter was hacked, and over 55,000 Twitter usernames and passwords were leaked and posted publicly on the internet for anyone to see.  The data appeared on Pastebin, a service used by hackers to brag about their achievements, but the social network pointed out that many of these profiles were spam bots and duplicates.  If you’re on Twitter, now would be a very good time to log in and change your password.

Twitter spokesman Robert Weeks explained, “We are currently looking into the situation.  In the meantime, we have pushed out password resets to accounts that may have been affected.”  Twitter is investigating the security breach to find out the source of the attack.  Twitter is downplaying the incident, stating that the leaked list consists of more than 20,000 duplicates, spam accounts that have already been suspended, and login credentials that are not related to each other (the passwords and logins do not match).

The social network claims to have over 140 million active users, so the security breach would have affected about 0.02% of its user base.  Still, this is a reality check for Twitter, because the security breach could have been much more widespread and could have tarnished the company’s reputation.  The question Twitter must be asking itself is who leaked the account credentials and why.  The Pastebin poster remains anonymous and no group has stepped forward to take credit for the attack, but the investigation has yet to conclude.

In 2009, Twitter was compromised twice and hackers had complete control over the social network.  In 2010, Twitter settled with the Federal Trade Commission (FTC) over the hacking because customer privacy and information had been put at risk.  The FTC settlement includes twice-yearly security audits, regular information security audits for 10 years, a 20-year ban on making misleading statements about the effectiveness of its security or privacy practices, and a dedicated security person on staff at Twitter who is accountable for, and coordinates, its information security and privacy program.  The FTC settlement details can be seen at http://www.ftc.gov/opa/2011/03/twitter.shtm.  The social network also agreed to put in place “reasonable safeguards” to mitigate any information security risks it identifies and to store data securely.

Although Twitter had added almost all of the required security improvements by the time the FTC settlement was announced in 2010, it could have done more to prevent the current attack and future attacks.  Even with staff dedicated to improving security and accountable for information security, the company still got compromised.  If the social site had incorporated technology such as two-factor authentication, the security breach might not have occurred.  For instance, two-factor authentication using a mobile device could have protected users and the site from unauthorized access by verifying users through their mobile devices when they log in.  This is technology that Google now embraces and that many major banks use to authenticate users logging in to their services.  It is an effective and cost-effective way to implement an out-of-band authentication method using a device that most users already own and always have on them: a mobile phone.

To implement two-factor authentication, Twitter would just require users to opt in to using their mobile phone as a security device and agree to receive a one-time password (OTP) through SMS on their mobile devices.  Once a user enters their login credentials on Twitter, an OTP is sent through an out-of-band network (their mobile carrier); the user then enters that password on the site, which authenticates them.  It is a cost-efficient and effective way to authenticate users because most people have their mobile phones on them at all times, and it requires no additional hardware or tokens to deploy on Twitter’s end.  Two-factor authentication is a truly effective layered security solution that Twitter should be using to protect its users, and maybe this current attack will make the company rethink the security measures it has in place.  The FTC has already stepped in once to increase the social network’s security and that wasn’t enough, but if Twitter implements a two-factor authentication solution it would be less susceptible to further security breaches.

Online Users Are Safer With Out-of-Band Authentication


Online banking continues to grow as more consumers go paperless with their monthly billing statements, access their accounts online, pay bills, and make online purchases.  With the increase in the number of users going online, financial institutions are looking to protect their customers from potential threats such as online fraud, hacking and malware.  In addition to making it safer for their users, FFIEC guidance also recommends that financial institutions implement layered security measures such as multi-factor user authentication.  According to recent studies, online banking fraud now accounts for more than double the losses from bank robberies.  As banks implement new technologies to protect their users against fraud, more sophisticated attacks are also being created.  With new technologies being countered by new threats, how are financial institutions going to protect their customers?  One of the ways is by authenticating their users with out-of-band authentication.

Out-of-band authentication is a great way of authenticating users because most threats to online banking come from malware used to steal user credentials, man-in-the-middle (MITM) attacks, and phishing attacks.  Malware is the greatest threat to online banking users today because it is so widespread, and it is becoming more advanced as hackers come up with new ways to infiltrate users’ computers.  Man-in-the-middle attacks are the most common type of malware attack; they work by mimicking a user’s online banking portal so that users enter their login credentials into the “fake” login site instead of their actual online portal.  Financial institutions are the most profitable targets for hackers, so many of them focus on harvesting login credentials.

Users who don’t know they have malware on their computer are fooled into entering their login credentials because a man-in-the-middle attack masks the website it uses to look like the financial institution’s.  Both the financial institution and the user are fooled, because each thinks the authenticated session is free of interference.  Even if the institution authenticates users with hardware tokens that generate one-time passwords, that password is only used to authenticate the login, so the attacker sitting in the middle of the session can freely roam the user’s account and make fraudulent transactions such as wire and ACH transfers.

To prevent these types of online fraud attacks, additional security needs to be added, such as out-of-band authentication for financial transactions.  For example, if a user were to use their debit card online or transfer money from one account to another, they would be alerted by a message sent to their cell phone via SMS containing a one-time password.  If they did make the purchase or transfer, they would enter the one-time password in the OTP prompt within the allowed time frame to confirm and authorize it.  With this verification method, an unauthorized user attempting to make a wire transfer, purchase, or other transaction would not be able to authorize it because they would not have access to the user’s mobile device.  Not many security companies offer a product that verifies transactions, but DynaPass, located in Orange County, California, does.  DynaPay by DynaPass.com is a two-factor authentication solution that lets users verify their online transactions and is the additional layer of security that users need to stay protected against hackers and online attacks.
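The transaction verification flow described above is only effective against a man-in-the-middle if the one-time password is tied to the specific transaction the user is confirming, and if the SMS repeats those details so the user can spot a tampered transfer. The following is an added example written for this page, not DynaPass or DynaPay code; the `send_sms` callback, the `now` clock, the account numbers and the 120-second window are all assumptions made so that it runs offline.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example, not DynaPass/DynaPay code: the one-time password is tied
# to the exact transaction it authorizes, and the SMS repeats those details, so
# a code captured through a man-in-the-middle session cannot confirm a
# transaction the attacker has altered.

OTP_TTL_SECONDS = 120          # assumed "allowed time frame"
OTP_DIGITS = 6
CONFIRMED_FIELDS = ("from_account", "to_account", "amount", "currency")


def transaction_digest(txn: dict) -> bytes:
    """Canonical hash of the fields the user is asked to confirm."""
    canonical = "|".join(f"{field}={txn[field]}" for field in CONFIRMED_FIELDS)
    return hashlib.sha256(canonical.encode()).digest()


class TransactionOtpService:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # out-of-band channel, e.g. an SMS gateway (injected)
        self._now = now             # injectable clock so expiry can be tested offline
        self._pending = {}          # txn_id -> pending authorization

    def issue(self, txn_id, phone, txn):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "txn_digest": transaction_digest(txn),
            "expires": self._now() + OTP_TTL_SECONDS,
        }
        # The message states what is being authorized so the user can spot a tampered transfer.
        self._send_sms(phone, f"Code {code} authorizes {txn['amount']} {txn['currency']} "
                              f"from {txn['from_account']} to {txn['to_account']}.")

    def confirm(self, txn_id, txn, submitted_code):
        """Each pending authorization is consumed by its first confirmation attempt."""
        rec = self._pending.pop(txn_id, None)
        if rec is None or self._now() > rec["expires"]:
            return False
        txn_ok = hmac.compare_digest(rec["txn_digest"], transaction_digest(txn))
        code_ok = hmac.compare_digest(rec["code_hash"],
                                      hashlib.sha256(submitted_code.encode()).digest())
        return txn_ok and code_ok


def demo():
    """Runs the genuine, replayed, tampered and wrong-code cases on constructed data."""
    sent = []                                   # stands in for the carrier / user's phone
    svc = TransactionOtpService(send_sms=lambda phone, text: sent.append(text))
    genuine = {"from_account": "1001", "to_account": "2002",
               "amount": "250.00", "currency": "USD"}          # constructed transaction

    def last_code():
        return sent[-1].split()[1]              # the demo reads the code off the captured SMS

    results = {}
    svc.issue("t1", "+15555550100", genuine)
    results["sms_shows_destination"] = "to 2002." in sent[-1]
    results["genuine"] = svc.confirm("t1", genuine, last_code())
    results["replay"] = svc.confirm("t1", genuine, last_code())
    svc.issue("t2", "+15555550100", genuine)
    # attacker relays the real code but swaps the destination account
    results["tampered"] = svc.confirm("t2", dict(genuine, to_account="6666"), last_code())
    svc.issue("t3", "+15555550100", genuine)
    wrong = f"{(int(last_code()) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    results["wrong_code"] = svc.confirm("t3", genuine, wrong)
    return results


if __name__ == "__main__":
    print(demo())
```

Consuming the pending record on the first attempt, whether it succeeds or not, means a mistyped code forces the user to restart the transfer; that is a deliberate trade-off here, since it also denies an attacker any second guess at the code.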

Are Static Passwords Obsolete? The Rise of One Time Passwords


With the introduction of new ways of authenticating a user such as face recognition, fingerprint scanning, retina scans, and puzzle solving, regular static passwords are becoming less secure and more cumbersome for users to remember.  When the internet first started, it was exciting to have a strong, hard-to-guess password for your email, but now these same types of passwords can be easily guessed and hacked.

More and more users are using online banking, making financial transactions, purchasing things online on their tablets, and putting sensitive information on the web.  Ordinary passwords just aren’t secure enough to protect users against malware and hackers.  With all the sites and logins that we have, it gets harder and harder to remember all these usernames and passwords.  It’s not only the security that is in question, but also the costs associated with it.  We rarely think about how much it costs to reset a password if it’s lost, stolen, or forgotten, but someone or some company is always responsible for resetting passwords and sending users a new one.  Industry reports show that the average cost of resetting a password is $30.

One-time passwords are a great way to protect users from fraud and malware, especially when combined with an out-of-band authentication method.  Banking and financial institutions use one-time passwords to secure their user logins through such a method.  How it works is that a user enters their login credentials and their mobile phone is sent a one-time password from an outside server.  Once the user receives the password on their mobile phone, they enter it into the website they are trying to access, and access is granted if the one-time password is correct.  This is one of the best ways to authenticate a user because the password is sent to the user’s mobile phone.  This type of authentication method doesn’t require the user to carry additional hardware or even install additional software on their cell phone, which makes it more convenient than hardware tokens.  It’s also a great way to authenticate a user because most users have their cell phones on them all the time.

Google also uses one-time passwords and sends them to users who have requested this service when they log in from a different IP address than the one they usually use.  Ordinary passwords aren’t as secure as they used to be even though they’re still widely used, and one-time passwords are going to be the future of authentication and of securing users’ sensitive data.

Google’s Responsibility and 2 Step Verification

Google’s Larry Page has stepped up security measures as Google’s new CEO since Eric Schmidt stepped down in 2011.  Google, the most widely used search engine in the world, is popular among users because it delivers value by showing them the most relevant search results when they are looking for something.  By offering such a great user experience, Google has a very direct relationship with its users.  When a user searches for an image or product, Google’s search algorithm “magically” compiles relevant search results.  In a swiftly changing industry, Google has managed to stay innovative.  Users don’t always like the changes, but some grow to love them.  When Google releases a product that isn’t up to par with users’ expectations or doesn’t work, it knows that it’s easy for users to go to the competition, which is a click away.  Users place a lot of trust in Google with their searches and especially with their data in emails, documents, pictures, and accounts.

To retain that trust and ensure that users’ information is safe, Google invests in security and in tools for users such as 2-step verification (also called two-factor authentication) and encryption.  These security efforts help thwart unauthorized access to users’ information and also increase trust between Google and its users.  Google also recently changed its privacy policies, which drew a lot of interest from users, but ultimately the changes were made so that Google can create a more intuitive experience across its products and a better user experience for its users.  Larry Page’s update to Google’s privacy policy was intended to create a more seamless experience across its services and products.  One way to create a more seamless experience is for users to stay logged in while using Google products such as Google Chrome, Google Docs, Gmail, Youtube.com, Google+, and Google Play.

Google’s implementation of security features like two-factor authentication helps improve the user experience by decreasing the likelihood of information and accounts being compromised.  One way a user can be verified with two-factor authentication is by logging into their account with their login credentials while, at the same time, a one-time password is sent to their mobile phone to be entered into the website granting access.  This is a powerful way to authenticate users because not only do they log in with their credentials (a login and password), they are also sent a one-time password on their mobile device, which lets Google know that they are who they say they are.  The great thing about this two-factor authentication method is that most users always have their cell phone on them, so verifying them doesn’t require them to carry any additional hardware or install any software.  Users just need to be able to receive text messages on their mobile devices, and they can receive a one-time password that hackers and intruders won’t be able to access even if their logins are compromised.  With over 100 million active users on Google+ and over 3 billion searches on Google’s search engine per day, security is a concern for users, and implementing 2-step verification is a great way to ensure that users’ information remains safe while Google continues improving the experience for us all across its products and services.
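The login flow described in this post, in the Twitter post above (opt-in SMS one-time password after the username and password) and in the post on one-time passwords (a code sent only when the login comes from an unfamiliar IP address) is the same server-side procedure. The following is an added example written for this page, not Google’s or Twitter’s code; the `send_sms` callback, the `now` clock, the account data, the 5-minute window and the three-attempt limit are assumptions made so that it runs offline.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example, not Google's or Twitter's code: a password login that
# requires an SMS one-time password as a second factor whenever the request
# comes from an address the account has not been used from before.

OTP_TTL_SECONDS = 300          # assumed validity window
OTP_DIGITS = 6
MAX_OTP_ATTEMPTS = 3           # assumed guess limit per challenge


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginService:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # out-of-band channel, e.g. an SMS gateway (injected)
        self._now = now             # injectable clock so expiry can be tested offline
        self._users = {}            # username -> {salt, pw_hash, phone, known_ips}
        self._challenges = {}       # username -> pending OTP challenge

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self._users[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                                 "phone": phone, "known_ips": set()}

    def login(self, username, password, ip):
        """First factor. Returns 'denied', 'ok', or 'otp_required'."""
        user = self._users.get(username)
        if user is None:
            return "denied"
        if not hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
            return "denied"
        if ip in user["known_ips"]:
            return "ok"             # familiar address: the password alone is accepted
        self._start_challenge(username, user["phone"])
        return "otp_required"

    def _start_challenge(self, username, phone):
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[username] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),   # never store the code itself
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your login code is {code}. "
                              f"It expires in {OTP_TTL_SECONDS // 60} minutes.")

    def submit_otp(self, username, ip, submitted):
        """Second factor. The challenge is consumed on success, expiry or too many attempts."""
        rec = self._challenges.get(username)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._challenges[username]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_OTP_ATTEMPTS:
            del self._challenges[username]
            return False
        if not hmac.compare_digest(rec["code_hash"], hashlib.sha256(submitted.encode()).digest()):
            return False
        del self._challenges[username]
        self._users[username]["known_ips"].add(ip)   # remember the address for next time
        return True


def demo():
    """Runs the wrong-password, new-IP, wrong-code, replay and known-IP cases on constructed data."""
    sent = []                                   # stands in for the carrier / user's phone
    svc = LoginService(send_sms=lambda phone, text: sent.append(text))
    svc.register("alice", "correct horse battery staple", "+15555550100")   # constructed account
    ip = "203.0.113.5"                          # documentation-range address
    results = {}
    results["wrong_password"] = svc.login("alice", "guess", ip)
    results["new_ip"] = svc.login("alice", "correct horse battery staple", ip)
    code = sent[-1].split()[4].rstrip(".")      # the demo reads the code off the captured SMS
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    results["wrong_code"] = svc.submit_otp("alice", ip, wrong)
    results["right_code"] = svc.submit_otp("alice", ip, code)
    results["replay"] = svc.submit_otp("alice", ip, code)
    results["known_ip"] = svc.login("alice", "correct horse battery staple", ip)
    return results


if __name__ == "__main__":
    print(demo())
```

The server keeps only a hash of the code and compares it in constant time, caps the number of guesses so that a six-digit code cannot be brute-forced within its window, and the challenge disappears once used, so a code that was phished or intercepted cannot be replayed after the legitimate user has consumed it.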

Consumers Fighting Identity Theft Need To Demand Data Breach Protection


Are you one of the millions affected by identity theft? Even if you are not, 2011 was the year of the data breach with over 36 million affected by breaches. Javelin Strategy and Research says that people whose information was stolen in a data breach are almost 10 times more at risk of identity theft or fraud. If your information has been stolen or compromised, you very well could be the next victim of identity theft or fraud.

Data breach protection can provide a solution for lowering the risk of identity theft. In 2010, 8.6 million households were involved in identity theft incidents, as reported by the U.S. Bureau of Justice. With 36 million people affected by breaches in 2011, the number of identity theft incidents last year must be through the roof, though they are still being counted.

It is plain to see that identity theft is one of the biggest problems we are facing today, because it can destroy credit scores and cause financial ruin for victims. Recently, Schield Family Brands employees became victims of tax fraud, an identity-theft-based attack. Over a hundred employees of the window and door manufacturing company were left without a tax return, were charged fees, and may have had their credit scores affected by the fraudulent activity. By using the victims’ identities, thieves were able to receive false tax returns through the victims’ social security numbers. To make things even worse, the victims did not know about the fraud until they were notified that their returns had already been filed.

Although data breach protection is perceived to be the responsibility of corporations, there are precautions that can be taken on the consumer end to ensure better safety. In a recent report by Javelin, some shocking information was published about online social network behavior. It was found that 68% of public profiles contained birth date information while 63% contained high school information. This type of confidential data could be used in a social engineering attack for identity fraud. It is important to keep personal information like this private in order to prevent these types of attacks.

Forbes recently posted info about 6 mistakes most people are already making online which can lead to becoming a victim of cyber crime:
1. Displaying a full birth date on a Facebook profile
2. Participating in online quizzes
3. Mobile devices without password protection
4. Tweeting plans including destinations and vacations
5. Leaving geotagging on which displays location
6. Using weak email passwords and never changing them

By avoiding these mistakes online, people can do their part in protecting their identities, but it is also the responsibility of organizations to keep users’ information secure. This is why consumers, employees and even the government should push for remote access security that defends against hackers using data breach information to commit fraud. A two-factor authentication solution could add a layer of protection that removes a piece of the identification process from the criminals and places power back in the hands of the individual, literally.

By using an SMS text message to transmit a one-time password, not only is access better protected, but the user also receives notice that authentication and access to their information are being attempted. Even if an attacker were to obtain information from data breaches or use social engineering to try to gain access, this added layer of security could prevent the attack. It is both an effective and an efficient solution that does not take much time to put into place.