Delfigo Security - Strong Authentication

Identity and Authentication Blog

Consumer Control Over Personal Information

Cyberattacks continue to increase against a variety of consumer-facing companies with an online presence. Here at Delfigo we frequently discuss the need to give individuals more control over their personal information. The lack of control, combined with the feeling of vulnerability that results from it, could certainly have a negative impact on the future of cloud computing. In a recent article on cloud-based privacy concerns that are slowing cloud adoption in Europe, the author notes work being done at HP to give the user more control over personal information:

"Another solution being studied is to give individuals the ability in advance to set the degree of privacy control on each part of their personal information in the cloud by digitally tagging bits of the data. Under this model, a person could make an e-mail address available to marketers, while shielding a phone number and street address from unwanted solicitations."


Identity Theft Scheme Steals Children's Social Security Numbers

Thieves are targeting children's Social Security numbers before any credit history is attached to them, according to the Associated Press. Online companies seek out information to identify dormant Social Security numbers. After the numbers have been checked against publicly available resources to make sure that no one is actively using them, they are sold online.

"Social Security numbers follow a logical pattern that includes a person's age and where he or she lived when the number was issued. Because the system is somewhat predictable, sellers can make educated guesses and find unused numbers using trial and error.

A "clean" CPN (credit profile, credit protection or credit privacy number) is a number that has been validated as an active Social Security number and is not on file with the credit bureaus. The most likely sources of such numbers are children and longtime prison inmates, experts said."


Backup and Secure Access for Cloud Computing

David Baum, July 20, 2010

As one of the original seed investors in Carbonite, I often worry about data backup. As we move toward a nearly 100% digital life it becomes extremely important that we back up our digital data, because the digital data has become our lives.

As we move toward cloud computing, backup becomes more nebulous. Certainly the online providers are backing up our data en masse to protect themselves from major data center disasters, but in a multitenant environment, what happens to the individual when they lose their cloud data?

As a huge Gmail fan, I used Outlook to sync with the cloud, so I was less worried about backing up my email in the cloud because it was replicated in my local Outlook database. Also, all of the rest of my personal information was stored locally in Outlook and I backed that information up with Carbonite.

The scenario above all changed last fall when I made the move to Android for my mobile computing needs. I was “forced” into the cloud to take full advantage of everything great that Android had to offer. This meant that I had to move all my scheduling and contact data into the sky, and thus I stopped using Outlook altogether as Gmail became my full-time personal information management (PIM) system. Never again would I have to sync the data between my desktop PIM and my mobile device, as they were always in sync wirelessly. I must admit that for an old client/server user, the move to the cloud was a bit of a leap for me, as the network of contacts that I have built over 25 years in high tech has become my business lifeblood.

However, I quickly noticed how much more productive I was having all my cloud data available on any computer with a web browser, my Android devices, and my iPad. It worked so well that I stopped worrying about backup. The senior people that I know at Google assured me that their cloud was backed up in multiple data centers, and that I would never lose my data.

Everything was fine until last week when I got a call from my brother that someone from Nigeria had hacked his Gmail account and changed his password, which locked him out of his account (see log file below).

My first thought was “lights out and game over”: how can you manage your business if you don’t have access to your Gmail account? My second thought turned to backup and I realized that I had not backed up my information in Gmail in over six months. I quickly logged into Gmail and exported all of my contacts and re-synced my email database with my old friend Outlook (maybe syncing backups of the cloud will be Outlook’s legacy).

To Google’s credit, they were able to restore access to my brother’s Gmail account quickly. However, when he logged back in, all of his contact data had been deleted. I can only imagine the numerous identity thefts that might come from this data being in the wrong hands, but can you imagine losing all of your contact information? Google has too many users to hand-restore individual contact databases for their Gmail users, so I would strongly suggest that all users make an effort to back up through export or sync to an external client-based PIM program like Outlook.

The “hacker 101 rule” after accessing a hacked email account is to immediately change the legitimate user’s password to buy precious time in order to download contacts, send out fraudulent emails, set up simple email rules on the unsuspecting user’s account like “forward all * emails to”, and exploit the Holy Grail problem of most online accounts: they know you not by your name but by your email address. This puts everything you are, who you know and what you have the ability to access online at immediate risk and poses a clear and present danger to your online identity. Why? Simple: if the hacker assumes your email address is your account UserID, he would simply try to access every social media site like LinkedIn, Twitter and Facebook, as well as the major financial sites like Schwab, eTrade, Quicken, BoA, Wells, and Chase to name a few, click the link called “forgot my password” and enter the email address. Within seconds an email would arrive in the hacked inbox allowing the fraudster to gain access to and full control of every account that uses this password reset modality.

The next big question is how someone was able to hack the account. The obvious answer is that some sort of spyware was installed on the client machine that was sniffing keystrokes for usernames and passwords. The Nigerian hacker then used this information to log in and change my brother’s password. Again, Google was able to “notice” this remote login and inform the active session, but the real question is why Gaia (Google’s single sign-on and password system) would allow this to happen. The problem is that Gaia is not utilizing a strong, or any visible, multi-factor authentication system for client log-ins.

For example, if Google were using a solution like Delfigo Security (yes, one of our portfolio companies) that implements multi-factor authentication including a sophisticated keyboard biometric, machine ID, geospatial parameters, etc., they could have flagged this rogue log-in and aborted the password reset by a user who was clearly not the owner of the account.

We have all heard the news about the high-profile break-ins to Gmail accounts that made Google abandon the Chinese market, but what happens when these break-ins occur to ordinary individuals, which is more the norm these days?

Google needs to do more to protect the access plane and provide more timely out-of-band notification, like SMS messages to registered cell phones. In addition, Google should use the confidence factor of the log-in to gate features such as export and the deletion of data. All of these features could easily be built into the business logic of Gmail and could be triggered from the confidence factor of the login that is provided by systems like Delfigo.

Lastly, users of cloud solutions like Gmail should also be careful not to store sensitive information in the various contact note fields. For example, social security numbers, credit card numbers, PINs, account passwords, and physical safe combinations should not be stored in plain text fields that are only protected by a username and password. Users should instead move to more secure solutions like eWallet that encrypt the data that is shared between client computers and mobile devices, so that it never gets into the cloud.

David Baum is a general partner at Stage 1 Ventures, LLC, with 23 years in the information technology industry, including fourteen years in technology finance and nine years in entrepreneurial operating management roles.


Man In The Browser Attacks Beat Two Factor Authentication

Out-of-band strong authentication options that send one-time passwords via phone-based systems are widely used by banks and other financial institutions. However, as the research group Gartner points out [Where Strong Authentication Fails and What You Can Do About It], these methods are susceptible to man-in-the-browser and social engineering attacks when they are not deployed using a layered approach:

“In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said. If a security application places an outbound call, synchronized to a Web session, then this outbound call can be forwarded to fraudsters. If in addition the security application displays a number on the Web screen that must be entered via the telephone keypad, then this number can easily be intercepted by a Man-in-the-Browser Trojan and forwarded to the same fraudsters, thus hijacking the session. We can reverse the loop and request the user to send some transaction info using the phone keypad. But this does not make any difference.”

A layered, risk-based approach takes additional authentication factors into consideration in relation to the activity type. In addition, authentication requirements are typically raised for higher-risk transactions. These additional security elements have demonstrated effectiveness in a variety of scenarios.
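The layered, risk-based approach described above, and the earlier post's suggestion that the confidence factor of a login gate export and deletion, as an added example (not Delfigo's or any vendor's code; the signal weights, thresholds and activity types are assumed for illustration):

```python
from dataclasses import dataclass

# Constructed example: a login confidence score (0..100) assembled from several
# signals, then used per activity type to allow, step up, or refuse the action.
# Weights and thresholds are assumptions, not a real product's risk model.

@dataclass
class LoginSignals:
    password_ok: bool
    known_device: bool           # machine ID matches an enrolled device
    geo_plausible: bool          # location consistent with recent sessions
    keystroke_similarity: float  # 0.0..1.0 from a keyboard biometric model
    otp_verified: bool = False   # out-of-band one-time password completed

def confidence(s: LoginSignals) -> int:
    """Combine signals into a 0..100 confidence that this is the account owner."""
    if not s.password_ok:          # the first factor must still hold
        return 0
    score = 40                     # correct password alone is worth little
    score += 20 if s.known_device else 0
    score += 15 if s.geo_plausible else 0
    sim = max(0.0, min(1.0, s.keystroke_similarity))
    score += int(25 * sim)         # biometric match scales up to 25 points
    if s.otp_verified:             # step-up adds a bounded amount of trust
        score = min(100, score + 30)
    return score

# Minimum confidence per activity type (assumed). Higher-risk actions such as
# password changes, bulk export and deletion demand more than plain reading.
MIN_CONFIDENCE = {
    "read_mail": 50,
    "send_mail": 60,
    "export_contacts": 85,
    "delete_contacts": 85,
    "change_password": 90,
}
STEP_UP_FLOOR = 50  # below this the session is refused outright, no step-up

def decide(action: str, s: LoginSignals) -> str:
    """Return 'allow', 'step_up' (request an out-of-band OTP) or 'deny'."""
    c = confidence(s)
    if c >= MIN_CONFIDENCE[action]:
        return "allow"
    if c >= STEP_UP_FLOOR and not s.otp_verified:
        return "step_up"
    return "deny"
```

A stolen password used from an unknown device with an implausible location and a poor keystroke match scores below the floor and is refused even for reading mail, while the owner on a new laptop while travelling can read and send but is asked for a one-time password before exporting contacts.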


OASIS Identity in the Cloud (IDCloud) Technical Committee

An Identity in the Cloud (IDCloud) Technical Committee has been formed by the non-profit OASIS group. They are charged with identifying "gaps in existing identity management standards and investigate the need for profiles to achieve interoperability within current standards. Committee members will perform risk and threat analyses on collected use cases and produce guidelines for mitigating vulnerabilities."

Hopefully, the establishment of this committee will produce positive outcomes. Standards for policy management, authentication services and security tokens (XACML, SAML, WS-Security, WS-Trust) are essential to the acceptance and success of cloud computing.

Who is OASIS?

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for the Smart Grid, security, Web services, XML conformance, business transactions, electronic publishing, and other applications.


Bruce Schneier on Risk Analysis

Bruce Schneier comments on the value of properly calculating probabilities when performing risk assessment. He cautions against focusing too much of risk assessment on "worst case" thinking.

"My nightmare scenario is that people keep talking about their nightmare scenarios....There's a certain blindness that comes from worst-case thinking. An extension of the precautionary principle, it involves imagining the worst possible outcome and then acting as if it were a certainty. It substitutes imagination for thinking, speculation for risk analysis, and fear for reason."

"Worst-case thinking leads to bad decisions, bad systems design, and bad security."


Cloud Security and Strong Authentication

I wholeheartedly agree with Fran Rosch's comment that the industry must move to stronger authentication technologies. There is no doubt in anyone's mind that a simple User ID and Password (including strong passwords) offer very little to no security when it comes to protecting digital assets.

The complexity and frequency of cyber threats today call for companies to consider a new breed of strong authentication, one that strives to validate the user and not just the device. One-time passwords (OTP) delivered through unique (individually assigned) tokens have been around for a while. Fran argues correctly that infrastructure costs limited the widespread use of such token-based OTP. The infrastructure costs may have been addressed with a cloud-based offering of OTP, but what about the usability of such token-based OTP? People lose or forget physical devices. People damage physical devices. I speak from personal experience, having learned from my own internal customer base.

Why not rely on technology that requires no tokens whatsoever? No plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices. A strong authentication solution that is more than two-factor and delivers true multifactor authentication with zero distribution and end-user management costs is what enterprises should look for when having to scale solutions globally and across a large user base.

Bharat Nair is Vice President of Business Development at Delfigo Security, Boston, MA. He can be reached by e-mail or by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on Twitter (@delfigo).


RSA Survey on Budget, Cost and Strong Authentication

A recent RSA survey, Tight Budgets Harm IT Security, once again reaffirms that the biggest complaint IT security executives have is having less money to handle increasing threats. When Delfigo started out just over a year ago, we knew from years of experience managing IT departments that costs, both fixed and operating, were the top concerns for identity and access management. That was a key element that drove early decisions to develop a solution that utilizes open standards, integrates easily with existing technologies and back-end systems, and, most importantly, is simple to use and does not require end users to change their access routines or behaviors. There are no tokens or software downloads required. One of our key objectives was to eliminate the very things that create the majority of integration and management challenges, and drive up the total cost of ownership of the second-factor or strong authentication solutions in the market today.


What Is "Intelligent Authentication"?

Intelligent authentication is the future of data security. It is the next step in the ongoing effort to authenticate or confirm users accessing and executing transactions with protected information assets, by providing real-time risk assessment and event driven security response during each user session.

Authentication in the networked world is directly tied to your digital identity. For security purposes it has traditionally been the initial interaction between system and user where you prove you are who you say you are.[1] The user is typically required to provide the system with one or more "authentication factors". In simple terms, authentication factors are technical - something you have (ID card or security token), personal - something you know (password, phrase or PIN) or human - something you are (fingerprint, retinal scan or other biometric identifier).

First-factor authentication is normally username / password. However, this has proven to be of limited value for security. Passwords, even when properly enforced, are a security vulnerability, as they can be easily shared, copied or stolen. Second-factor authentication was devised to provide stronger authentication given the inherent weakness of single-factor authentication. In two-factor authentication, the standard login (username / password) is combined with a second factor, usually in the form of a security token. But implementing many second-factor authentication solutions usually requires expensive tokens, smart cards or other devices, and can prove cost-prohibitive both in terms of initial distribution and overall management.

