Lily Hay Newman wrote a compelling article for Slate.com this week arguing that, like the food we eat and the products we buy, software should come with disclosures about where our personal data is being put at risk. We now hear about data breaches on a near-constant basis, and there is good reason to worry that many people are tuning out the risk because the sheer volume of attacks makes it seem as if there is nothing they can do.
Regulation and shared standards are one obvious approach to a problem so large that it can target entire industries while simultaneously affecting well-known individual organizations. Regulation would presumably standardize how risk is rated and, more importantly, communicate those risks broadly enough that users could share a common understanding of them in context. But Newman notes: "In the absence of reliable disclosures, the burden of personal online security largely falls to users. The simpler and more straightforward the demands on them are, the more likely they are to comply. And one of the most important areas to address is passwords." Passwords are used so widely, while being so widely known to be flawed, that they illustrate the pressing need for change well. Closing her article, Newman argues that two-factor authentication addresses some of the most widespread and exposed risks, while noting that newer technologies such as biometrics are enabling stronger authentication without complex requirements on end users.
We all know that when a new OS release comes out, it is probably a good idea to update iPhones and iPads. If you are a little behind, though, specifically if you have not upgraded to iOS 8.1.1, your iPhone or iPad is vulnerable to the kind of passcode brute-force attack described here: a device that tries 4-digit PINs one after another and defeats the wipe-after-10-failures setting by cutting power before each failed attempt is recorded. If you have an older device that cannot be upgraded, it remains vulnerable.
“It’s always been known that having a 4-digit PIN on your phone is inherently insecure; however, the ‘erase data after 10 invalid attempts’ configuration setting was seen as somewhat of a mitigation in many circles,” said Dominic Chell, director at MDSec. “We believe that the device is able to evade this constraint by aggressively powering off the iPhone after each PIN entry attempt is made, but before the failure has been committed to flash memory – it does this by directly powering the iPhone itself.”
Being aware of this kind of vulnerability is the first step; insisting on a higher level of security for access to our devices is the next one. The attack above works because the failed-attempt count is written only after the guess has been evaluated, and because a 4-digit PIN has just 10,000 possibilities to try; a longer alphanumeric passcode leaves far too many to guess even where the counter can be bypassed. As we do more and more on our devices, it is increasingly necessary to understand the threats that can compromise them and to look for ways to mitigate the risk.
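The ordering problem Chell describes, as an added example that is not part of the original post and is not Apple's iOS code or the attack hardware's: a PIN lockout counter modelled in Python in two variants, one that writes the failure to persistent storage only after evaluating the guess (so an attacker who cuts power right after the check discards it) and one that records the attempt before looking at the guess. The `Flash` store, the `PinLock` verifier, the `brute_force` driver and the PIN "1403" are all constructed for illustration, and the key-derivation cost is deliberately set low so a full 4-digit search finishes in well under a second.

```python
"""Two orderings of a PIN lockout counter against an attacker who cuts power
after every failed guess. Constructed model for illustration only; not iOS code."""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10     # "erase data after 10 invalid attempts"
KDF_ITERATIONS = 200  # deliberately low so the 10,000-PIN search is fast; real code uses far more


class Flash:
    """Stand-in for persistent storage: only what is written here survives a power cut."""

    def __init__(self):
        self.fail_count = 0
        self.wiped = False


class PowerCut(Exception):
    """The attacker removes power before the device finishes its bookkeeping."""


class DeviceWiped(Exception):
    """The failure limit was reached and the device erased its data."""


class PinLock:
    """PIN verifier. commit_before_check=True selects the hardened ordering."""

    def __init__(self, pin, flash, commit_before_check):
        self.salt = os.urandom(16)
        self.digest = self._kdf(pin)
        self.flash = flash
        self.commit_before_check = commit_before_check

    def _kdf(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, KDF_ITERATIONS)

    def _wipe_if_exhausted(self):
        if self.flash.fail_count >= MAX_ATTEMPTS:
            self.flash.wiped = True
            raise DeviceWiped()

    def attempt(self, guess, cut_power_on_failure=False):
        """Returns True on unlock, False on a recorded failure; raises DeviceWiped or PowerCut."""
        if self.flash.wiped:
            raise DeviceWiped()
        self._wipe_if_exhausted()
        if self.commit_before_check:
            # Hardened order: the attempt is charged to flash before the guess is
            # examined, so pulling power after the check cannot un-count it.
            self.flash.fail_count += 1
        ok = hmac.compare_digest(self.digest, self._kdf(guess))
        if ok:
            self.flash.fail_count = 0
            return True
        if cut_power_on_failure:
            # No unlock observed: the attacker cuts power right here.
            raise PowerCut()
        if not self.commit_before_check:
            # Vulnerable order: the failure only reaches flash after the check.
            self.flash.fail_count += 1
        self._wipe_if_exhausted()
        return False


def brute_force(lock, candidates):
    """Attacker loop: try guesses in order, cutting power after each failure.
    Returns (recovered_pin_or_None, number_of_attempts_made)."""
    tried = 0
    for guess in candidates:
        tried += 1
        try:
            if lock.attempt(guess, cut_power_on_failure=True):
                return guess, tried
        except PowerCut:
            continue  # device reboots with whatever flash holds; move to the next guess
        except DeviceWiped:
            return None, tried
    return None, tried


def run_attack(commit_before_check, pin="1403"):
    """Run the power-cut search against a fresh lock; returns (found, tried, flash)."""
    flash = Flash()
    lock = PinLock(pin, flash, commit_before_check)
    found, tried = brute_force(lock, (f"{i:04d}" for i in range(10_000)))
    return found, tried, flash


if __name__ == "__main__":
    for hardened in (False, True):
        found, tried, flash = run_attack(hardened)
        print(f"commit_before_check={hardened}: recovered={found} after {tried} attempts, "
              f"fail_count={flash.fail_count}, wiped={flash.wiped}")
```

Against the vulnerable ordering the search walks through all 1,404 guesses up to "1403" with the flash counter still at zero; against the hardened ordering the eleventh attempt finds ten failures already persisted and the device wipes. A legitimate user sees no difference between the two, since both wipe after ten wrong guesses entered normally and both reset the counter on a correct one.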
User experience is a widely discussed topic in and beyond the security space. Previous posts here have cited the need to provide seamless and even transparent ways to secure mobile apps and transactions, in order to enhance both security and adoption. This article examines that idea and points out that "no experience" is often the best user experience in a wide range of contexts.
The author says quite plainly: "...unless your name is Disney, your customers almost certainly aren’t coming to you for an experience at all. They’re coming to you because they want to solve some problem or meet some need, and they think your company has a product or service that will help them do that – whether it’s feeding the family a meal, or fixing their car, or maybe communicating with a friend." This speaks directly to the idea that a frictionless experience is what end users want: when they open an application or perform an online transaction, they are most likely looking to accomplish something rather than to "experience" something. Security sometimes requires the user to put in some effort, whether to authenticate, to enter a secure environment, or to protect valuable information, but users still gravitate toward the least friction, so the security technologies designed with that in mind are the ones they are most likely to embrace.
One-time passwords are commonly viewed as an easy-to-use strong authentication method, but a recent report by the Javelin Group and Nok Nok Labs suggests that relying heavily on OTP, especially on Android, carries a significant risk of fraud, as attackers find ways to intercept the messages that deliver the codes this method depends on. With a high percentage (41%) of Android users using OTP with their financial accounts last year, it is important for users to understand the risks, and that not all strong authentication methods are created equal.
The report recommends that users "Use the effective authentication capabilities of the mobile device. To protect mobile users and their accounts from vulnerabilities associated with the use of passwords, take advantage of hardware integrated into mobile devices to protect all channels. More secure solutions, such as those based on biometrics, can be delivered directly to consumers without the cost of providing additional hardware."
Do you trust Apple's Touch ID?
The poll linked here asks readers to state whether they "trust" the Touch ID feature available on the latest iPhones and iPads. With the release of iOS 8, the Touch ID APIs were made available to developers, meaning that third-party apps can use Touch ID, not just Apple's own software. Users are still hesitant, however, as recent news of high-profile breaches brings to light how easy it can be to obtain user data and put it to nefarious use. One of the dangers of fingerprints and similar biometric identifiers is that they cannot be changed, so they can be permanently compromised. Still, while many users seem hesitant even as Touch ID is presented as a more secure alternative to a traditional password or PIN, many others are ready to embrace new authentication technologies.
Biometrics are poised to become a widely accepted way to secure devices and applications, and in many cases to replace "traditional" authentication methods such as passwords and tokens. The Washington Post discussed this "biometric revolution" and asked whether we are really ready for the paradigm shift it will bring.
As we collectively adopt this new technology, it is crucial to remember how it differs from what we are accustomed to: it is neither "something we know" (like a password or PIN) nor "something we have" (such as a token, smart card, or QR code). Biometrics are by nature something we "are", which makes them well suited to authenticating a user's identity but challenging to manage and maintain, both for the provider and for the user. As a user, I can't "reset" my fingerprint (not without some serious effort), and once it is compromised, that's it. New technologies will be needed to handle the issues biometric authentication introduces, and perhaps as importantly, new discussions about how it should be used, including a critical discussion of privacy and identity once users start authenticating with something they "are".
The Atlantic says biometrics can be cool again.
The piece cites a Google study of voice search: two of the most common answers to the question "Why do we use voice search?" were "it's cool" and "it's safer", and 89% of teens and 85% of adults also said "it's the future".
With highly visible security breaches happening alongside the release of new technology to enable us to do more and more with our devices, many organizations are embracing the idea that biometrics may well be a real answer to the tough question of how to secure the many things we want to be able to do with our phones, tablets and laptops. If biometrics can be used to successfully lessen the risk associated with using apps we love, and can improve our experience while we use them, that would definitely be...Cool.
It seems that we are always recovering from, or hearing about, the latest security breach or vulnerability. This week it was Home Depot, which announced that they "have completed a major payment security project that provides enhanced encryption of payment card data at point of sale in our U.S. stores, offering significant new protection for customers. The rollout of enhanced encryption to Canadian stores will be completed by early 2015. Canadian stores are already enabled with EMV “Chip and PIN” technology".
One of the most powerful elements of EMV is that it combines authentication methods to strengthen the security of a transaction: the chip is something the cardholder has and the PIN is something they know. Passwords have taken a beating as a standalone authentication method, with many organizations deploying second- or multi-factor authentication and some choosing to forgo passwords altogether. Biometrics are emerging as an answer to the "password problem", offering a credential that represents something the user "is" instead of something they "know" (which can be discovered and reused by a bad actor), but each method has its drawbacks. This article discusses the good and bad of each and argues that a secure transaction may well require multiple methods at once to be optimally secure.
This idea is a compelling one, especially if the combined solution can offer an elegantly simple end-user experience. Biometrics may be an ideal "enhancement" for authentication precisely because of what they are: something the user "is", with nothing to remember, receive, carry, or otherwise maintain. As we continue to discuss how to enhance security, the conversation will likely become one about the best combination of methods, rather than any single method.