By Josh Gatka

How did people in medieval times know the queen was the queen? She was the one who had the crown. Proving an individual’s identity based on an item they have with them has carried over into modern times.

Go to the bank to make a withdrawal or a deposit. The teller may ask for a driver’s license or other photo ID. Traveling internationally? You will verify your identity with a passport.

The latest trend in ID technology uses biometrics to recognize a person based on something that is a completely unique part of him or her. Fingerprint readers or retina scans are common forms of biometric technology. In this case, you are the thing that is being used to prove your identity. If you’ve ever unlocked your smartphone with your fingerprint ID, you’ve used biometrics.

In cybersecurity, the process of proving identity is called authentication. We’ve discussed authenticating by using something you have or something you are. Now let’s talk about the most common form of authentication: something you know.

The internet has been around for decades, and the process of authentication has remained unchanged. Software asks us to prove our identity by providing information only we should know—a username and password.

Identity Crisis

Unfortunately, authentication based on username and password has caused some problems. The human mind values efficiency, causing many to choose ease-of-use over security. As a result, people adopt poor security practices, such as using weak passwords across multiple services.

Rotating passwords and replacing them with strong, unique ones generated by a password manager is an obvious solution. Still, many people use the same password for years, even though hackers may have gained access to that password in a breach that happened ten years ago.

The cause for concern may not be terribly high if hackers only gain access to an individual’s Pinterest account. But if the user has the same password for every service, their finances can fall into an attacker’s crosshairs. The user then faces headaches and phone calls to the bank as the two parties compare notes and start a fraud investigation.

Two Factors Are Better Than One

The cybersecurity industry’s answer to the authentication problem is called multi-factor authentication (MFA). Unfortunately, hackers access stolen databases of login information daily. But what if possession of a username and password wasn’t enough to access an account? What if users strengthened the security of their accounts by requiring a second factor of authentication before a successful login? Enter MFA.

For example, to get into my Google account, a hacker would first have to guess my password. But they still wouldn’t be able to log in.

After entering my information, a screen prompts them to press the gold button on my USB security key. If the security key is plugged into my computer, I simply press the button to log on successfully.

No USB security key? No login.

A USB security key, however, is not the most common authentication item. That distinction goes to a thing that 99 percent of people have in their pockets right now – a cell phone.

The majority of people who leverage MFA use an authentication code sent to their cell phone via SMS text message or generated by an authenticator app (such as Google Authenticator or Duo). After entering the password, the user checks their text messages for the code, or opens the authenticator app and enters the code shown there, which rotates every 30 seconds.
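The rotating six-digit code an authenticator app shows is a time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226): an HMAC-SHA1 over a counter that is simply the number of 30-second windows since the Unix epoch, which is why the code changes every 30 seconds. The example below is added here and is not code from the article or from any authenticator vendor; it generates codes the way an app does and verifies them the way a server should, with a small skew window, a constant-time comparison, and a check that rejects a code whose window has already been used (a replay within its 30-second lifetime). The secret `b"12345678901234567890"` is the RFC test-vector seed, and the `last_counter` bookkeeping is an assumption about how the server stores state.

```python
import base64
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second windows since
    the Unix epoch, so every client and server that agree on the secret and
    the clock produce the same code for the same 30-second window."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (often unpadded,
    sometimes with spaces, as in a QR-code provisioning URI); normalise and
    decode it into the raw HMAC key."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(submitted: str, secret: bytes, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check. Accepts the current window plus `window` steps of
    clock skew on either side, compares in constant time, and refuses any
    counter at or below the last accepted one so that a code captured by an
    attacker cannot be replayed during the rest of its 30-second window.
    Returns the accepted counter (to be stored as the new last_counter) or
    None when the code is rejected."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:  # already used (or older): treat as replay
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Demo key: the RFC 4226/6238 test-vector seed, base32-encoded as an
    # authenticator app would store it.
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    code = totp(key, now)
    print("code for this 30-second window:", code)
    print("server accepts it as counter:", verify_totp(code, key, now))
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next login; without that, a one-time code is only "one-time" in name. Widening `window` tolerates more clock drift at the cost of keeping more codes valid at once.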

Evolving Tactics

So, what is a cybersecurity article about MFA doing in a magazine about mortgage compliance? In the immortal words of Sean Combs, it’s all about the Benjamins.

According to the Ponemon Institute’s Global Cost of Cybercrime report, the financial services sector loses the most money to cybercrime, with an average annualized cost of $18.28 million. This is more than the U.S. Public Sector and Hospitality industries average annualized costs combined! Cybercriminals know the value of the assets the financial sector protects.

According to the report, the number of ransomware attacks doubled from 2016 to 2017, and 67 percent of organizations experienced phishing and social engineering attacks during that time. A common tactic hackers employ is leveraging trust between users. An individual may not open an email attachment from a stranger. But if the hacker successfully impersonates the user’s friend, Bob from accounting, they may increase the odds of success.

SMS and SIM-Swapping

Thwarted by MFA, the bad guys (and gals) recently stepped up their game. SMS (text message) based MFA suffers from a significant flaw: if an attacker calls a target's mobile carrier and successfully impersonates him or her, the carrier may transfer the victim's phone number to a different SIM card. This attack is known as SIM-swapping. After a successful SIM swap, the one-time code gets texted to the attacker's phone instead of to the victim's. SMS-based MFA is circumvented, and the attacker logs in.

A SIM-swapping attack led to a data breach at Reddit. The breach highlights the need for organizations to support other methods of MFA, such as authenticator apps, USB security keys, and biometric readers. Unfortunately, far too many organizations only support one type of MFA, if any.

Authentic8

What can organizations do to protect themselves? The good news is it’s not all doom and gloom. There are plenty of tools at your disposal to protect yourself, your employees and your customers from identity theft.

Adopting best practices is key. You can get a solid start with what I call the authentic8:

1) Use a password manager

2) Ensure that your master password is strong

3) Check haveibeenpwned.com to see if your credentials are already available to attackers

4) Change your password for ALL of the services that are flagged by haveibeenpwned.com

5) Turn on multi-factor authentication everywhere it is supported, especially on your email accounts

6) Don’t use SMS-based MFA when there are other options available, like authenticator apps or a USB security key

7) Seek out training on how to recognize phishing emails – hackers are getting really good at making those emails look genuine

8) Print out the one-time-use backup codes provided when you set up MFA, and store them where you store your birth certificates and other important documents – you’ll need these to log in if you lose your phone or USB key
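Items 3 and 4 above can be automated for passwords without ever sending a password, or even its full hash, to anyone. The Pwned Passwords service behind haveibeenpwned.com exposes a range API: the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix in that range with a breach count, so the full hash stays on the client. The script below is an added example, not the article's or the service's own code; the range response embedded in it is constructed for offline use (the first suffix is the real SHA-1 remainder of the password "password", the other lines and every count are made up), and `fetch_range` is the only part that talks to the network.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the prefix 5BAA6. Each line is
# the 35-character remainder of a SHA-1 hash (after the 5-character prefix
# that was sent) and how many times that password appeared in known breaches.
# Only the first suffix is a real hash remainder (of "password"); the other
# suffixes and all counts are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0D7F4E3B2A1C9F8E7D6C5B4A39281706F5E:2
A1B2C3D4E5F60718293A4B5C6D7E8F901234:17
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str):
    """k-anonymity split: the 5-character prefix leaves the client,
    the 35-character suffix never does."""
    return sha1[:5], sha1[5:]


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_counts: dict) -> int:
    """How many times the password appears in breaches, given the parsed
    range for its prefix; 0 means it is not in the data set."""
    _, suffix = split_hash(sha1_hex(password))
    return range_counts.get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call: download the range for a 5-character hex prefix."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full check: send only the prefix, match the suffix locally."""
    prefix, _ = split_hash(sha1_hex(password))
    return breach_count(password, parse_range_response(fetch_range(prefix)))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    counts = parse_range_response(SAMPLE_RANGE_RESPONSE)
    for candidate in ("password", "a long unique passphrase from a manager"):
        print(f"{candidate!r}: seen {breach_count(candidate, counts)} times")
```

A non-zero count is the signal to rotate that password everywhere it was reused (item 4); a zero result only means the password is not in the public data set, not that it is strong.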

Josh Gatka serves as security evangelist at Hyland. He can be reached at Josh.Gatka@Hyland.com
