Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home IAMblog Strong Authentication
Identity and Authentication Blog

Cloud Authenticaction Processing Generates Cost and Energy Savings

Delfigo recently filed for patent protection on its Cloud Authentication Processing (CAP) and Verification method. The cloud authentication processing method combines enhanced login accuracy and access speed based on multifactor authentication, with significant efficiencies in data processing and storage resulting in substantial resource and cost savings.

“We recognized that there were economic opportunities available here. A more elegant, 'green' approach to multifactor authentication (MFA) significantly reduces processing and storage needs,” said Delfigo’s CEO Ralph A. Rodriguez. “When you are talking about the scale of Facebook, Twitter or Google, who are on their way to authenticating a billion users globally, CPU processing and storage optimization with CAP will reduce energy consumption requirements, enhance scale and result in millions of dollars in annual savings.”

Our team continues to take the lead in developing novel approaches to tackle authentication challenges. With the growth of cloud computing and other high user count systems, companies are faced with processing millions of users over the Internet. Additional data traffic, complex mathematical computation and exponential increases in hardware storage requirements for password, device, network and geo-centric user data will place huge drains on processing resources, related to CPU, memory, bus and circuit board speed in massive cloud data centers. This will in turn increase power and HVAC costs.

Delfigo’s Cloud Authentication Processing and Verification method creates the highest known efficacy of end user login accuracy in relationship to end user login time to access cloud based systems safe and fast. This unique approach is estimated to decrease storage requirements by a 10:1 ratio, and reduce processing requirements as only a single stored entry is utilized to authenticate against prior end user data. This method will save millions of dollars per data center, and an enormous amount of natural resources needed by companies, organizations and countries globally to power and cool equipment.


Is Indifference to Mobile Security The Problem?

Over the past 25 years, the cell phone has evolved from the one dimensional brick phones to the powerful smartphone technology of today. Estimates indicate that smartphone ownership will reach 43% of the US mobile population by 2015 with Gartner stating that sales of smartphones will reach 95 million in 2011. With ever increasing processing power, and hundreds of thousands of applications currently available, the smartphone has rapidly become the primary device for everyday access to social media, banking, commerce, shopping, and personal entertainment.

What is often lost in this love affair with mobility is that the smartphone presents the same level of risk as the PC. The rapid expansion of capabilities and acceptance of these devices as an essential element of our personal and professional life has regrettably coincided with an overall indifference to security. Convenience - in the moment, on the go convenience - trumps any concern for protection of assets. The average user has a wide variety of confidential private data stored on these very personal devices, and estimates show that 40% of business professionals carry sensitive business information as well.

Look no further than the recent articles on Zitmo or DroidDream to see that the risk is real. Zitmo, a variant of the Zeus Trojan, has been adapted to target phones running the Android OS. Users are tricked in to adding a “security component” that they assume comes from their bank, but is really malware. DroidDream, malware that initially exploited a bug in older versions of Android that resulted in 58 apps being pulled from the Android marketplace, recently resurfaced in 4 additional apps in July.

User indifference is often identified as a key part of the problem. The user fails to play the role that security managers expect them to play. They do this for an obvious reason; they do not want to be inconvenienced. Vendors that assume the user should play a key role in security strategy are missing an important element in developing, and implementing strong authentication solutions for the mobile user. The user does not want to be inconvenienced. Security should operate invisibly in the background and not in any way interfere with their user experience.


1. “Smartphone Malware Report” Raising Awareness of the Threats Affecting Mobile Devices

2. Zeus Banking Trojan Hits Android Phones

3. DroidDream Again Appears in Android Market Apps 

4. Smartphone Market Statisitcs

5. Research and Markets – Mobile Phone Biometric Security Report 


New OddJob Trojan Threatens Financial Institutions

Security firm Trusteer has identified a new trojan they have named OddJob which keeps banking sessions open after banking customers believe they have logged off. From Trusteer:

We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”’, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets.  We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed. 

Information Week also reports the security firm F-Secure has found that a variant of the financial malware Zeus Mitmo is again active, this time targeting mobile phone customers of ING Bank in Poland. 

"Computers infected with a ZeuS Mitmo Trojan will inject a 'security notification' into the Web banking process, attempting to lure the user into providing their phone number," said Sean Sulllivan [of S-Secure]. "If a phone number is provided, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A." Clicking on the link then presents Symbian and BlackBerry users with Zeus Mitmo malware tailored to their smartphone.

The goal of Zeus Mitmo is to create fraudulent transactions using the mobile device, while subverting the bank's security procedures. In particular, the malware's mobile component creates a man-in-the-middle attack that steals the one-time password that some banks send via SMS to authorize a financial transaction, which are also known as mobile transaction authentication numbers (mTANs). By hijacking this security verification process, Zeus Mitmo disguises its fraudulent activities from users.


Significant Increase in Botnet Attacks in 2010

Information Week sites a new report that states there was a 654% increase in botnet victims in 2010!

The botnet market is both growing and consolidating. The top 10 botnets of 2010 -- based on total number of PCs compromised -- began the year with 22% market share, but grew to account for 57% of all botnet infections by the end of the year. Meanwhile, in the same timeframe, the number of unique botnet victims grew by 654%.

Much of this is the result of readily available botnet building toolkits. These crimeware toolkits such as MPack, Neosploit, Zeus, Nukesploit P4ck, and Phoenix compete with each other on the black market according to the Symantec Report on Attack Toolkits and Malicious Websites. Prewritten code allows those with limited skills to "to customize, deploy, and automate widespread attacks, such as command-and-control (C&C) server administration tools. As with a majority of malicious code in the threat landscape, attack kits are typically used to enable the theft of sensitive information or to convert compromised computers into a network of zombie bots (botnet) in order to mount additional attacks."



California's SB 1411 - Regulating Online Identities

California's new law SB-1411, calls for criminal penalities for impersonating someone online:

"any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means, as specified, for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a misdemeanor." 

Source: ZDNet: Analysis: California's Online Impersonation Law, Effective January 1


What is Projected for Identity Management in 2011

Dave Kearns at Network World takes a look at what folks are discussing for Identity Management in 2011. Some highlights include:

  • New round of M & A activity as large non-IAM vendors seek identity technologies to add to their core services
  • Cyber criminals target the extended enterprise - trusted partners and vendors that have access to valued data
  • Need for increased focus on threats from inside an organization (48% of data breaches in 2010 according to Secret Service report)
  • Perception of IAM as cloud service will shift from cloud barrier to cloud enabler.

Security vs. Usability: And the Winner Is?

There has been and will continue to be a significant tension between security and user convenience. Everyone wants their systems to be more secure. I have never heard anyone say they want their systems to be less secure. But what tradeoffs will they make to provide that security. When it comes  to decision time the concern over user convenience / usability and security comes to the forefront, and security frequently ends up on the short end of the stick. Why?

The answer is simple. Security is provided to keep people off of a system, specifically those people who are not authorized to access them. But on the other side of the coin the systems were put into service, at significant effort and expense, to help a business grow. Whether we are talking about back end management and support systems or front end customer facing ecommerce systems, they do not serve their purpose if it is too difficult for users to access them. Therefore, in the majority of cases user convenience trumps security, as usability and access to systems and services is of primary importance. As a well known CEO said, “I do not want to trade $1 of fraud for $1 of customer support.”

"Where Do Security Policies Come From?"  by Dinei Florencio and Cormac Herley touches on this issue. The study sought to examine whether the strength of password policies was directly related to the security requirements of a site (size of site, number of users, value of assets protected, frequency of attacks) . They conclude:

"Our analysis suggests that strong-policy sites do not have greater security needs. Rather, it appears that they are better insulated from the consequences of imposing poor usability decisions on their users. For commercial retailers like Amazon, and advertising supported sites like Facebook, every login event is a revenue opportunity. Anything that interferes with usability affects the business directly. At government sites and universities every login event is, at best, neutral, or, at worst, a cost. The consequences of poor usability decisions are less direct. That simple difference in incentives turns out to be a better predictor of password policy than any security requirement. This in turn suggests that some of stronger policies are needlessly complex: they cause considerable inconvenience for negligible security improvement."

Florencio and Herley clearly articulate the need for understanding the tradeoff between security and convenience in their conclusion. However, they also note that it is difficult to determine if you have the security - convenience tradeoff correct, or if decisionmakers are "imposing considerable inconvenience for marginal benefit."


Business Value of Versatile Authentication

Martin Kuppinger clearly articulates the business value of versatile authentication (support for different authentication methods).

The business value is easy to describe: Reusing existing strong authentication technologies for more use cases makes things cheaper. Being able to use expensive very strong authentication where required but relying on other, cheaper, and appropriate technologies in other use cases reduces costs. Logistics for reused strong authentication technology is cheaper. All use cases, including external users like customers and suppliers, can be supported.

Overall, supporting versatile authentication is more and more a standard feature and the “versatility” of platforms for authentication is, from my point of view, an important point when selecting vendors. Hard-coding strong authentication into applications doesn’t really make sense anymore.


Stolen Credentials Featured Prominently in 2010 Data Breach Investigations Report

The Verizon Risk Teams' 2010 Data Breach Investigations Report, compiled along with data from the United States Secret Service, looked at 141 confirmed breach cases worked by Verizon and the USSS in 2009. One area of the report examined what a particular threat agent did to cause or contribute to a breach. Under the threat hacking, the use of stolen credentials was number one in both the Verizon and USSS datasets.

 Threat Action

 % of Breaches

% of Records 






















 "The amount of breaches that exploit authentication in some manner is a problem. In our last report it was default credentials; this year it’s stolen and/or weak credentials. Perhaps this is because attackers know most users are over-privileged. Perhaps it’s because they know we don’t monitor user activity very well. Perhaps it’s just the easiest way in the door."

Source: 2010 Data Breach Investigations Report


Page 4 of 7