A firm called Hold Security has announced its discovery that a single hacker group holds over a billion user credentials (usernames and passwords). “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, told the New York Times. “And most of these sites are still vulnerable.”
Many of us have experienced our credentials being hijacked - or have received emails or social media communications from someone we know to whom this has happened. Typically, the ability to access email accounts simply allows the hacker to spam contact lists to phish them or to advertise products - which they make money doing. If your account is hijacked in this way, it is a matter of resetting your account credentials with a new username and password. After doing so, you're only as safe as your credentials and no less vulnerable to the same attack the next time the threat comes around. Access to even seemingly benign credentials can open the door to much more serious risks, like identity theft, which can take years to untangle, and liability for financial transactions that can take place under these circumstances (most banks protect against this kind of fraud on credit cards, but if the hackers reach your cash, it's a different story).
If your credentials are in a database like the one Hold Security identified, it doesn't matter how secure your password is (length, varied characters, etc.). You'll be advised by the well-meaning companies you deal with, who will contact you after discovering the breach, to change your password - a process with which by now we are all familiar.
But what's really needed here is a deeper collective understanding of our digital identities, and better ways to protect them. Two-factor authentication (which has been discussed previously here, here and here on this blog) is a good way to start taking control of your credentials - so that a username and password alone are not enough to compromise you - but often the impact on user experience (waiting a bit longer to access your favorite site, carrying around a piece of hardware that's easy to lose and expensive to replace) hinders adoption by both end user populations and organizations.
If a hacker has your password, you should think about how many more times you want to go through this, because this won't be the last time, unless and until we collectively commit to better security.
TechCrunch's Ingrid Lunden called Android's share of the 300M smartphones shipped in Q2 of this year a "one horse race".
Android, which is gaining market share across the globe, is popular because of its flexibility and compatibility across a wide range of devices. However, Ms. Lunden says: "Google’s win comes at a loss for everyone else, and interestingly for the smartphone market overall. Apple, Windows Phone and BlackBerry all declined, and while there were nearly 300 million (295.2 million, to be exact) smartphone units shipped for sale in the quarter, smartphone growth has nearly halved compared to a year ago."
With the growth of smartphone adoption across the globe, and the changing way we interact with (and rely on) these devices, any dominant platform/OS should be ready to take on the emerging security challenges associated with smartphones and tablets. Android, because it is open and flexible, is uniquely challenged in this area. Says Darlene Storm for ComputerWorld in a recent article: "Although Android owners might not want to hear it, the platform is still the top target for malicious attacks. Android owners have been hearing that for years. In fact, back in 2011, Android was dubbed a cyber menace... Kaspersky found that 98.05% of malware targets Android, which confirms 'both the popularity of this mobile OS and the vulnerability of its architecture.'"
Emerging mobile security technologies should have strong solutions for Android, and be uniquely tuned in to the vulnerabilities it has.
Can we stop just reacting to security challenges? Can organizations shift their focus so that they anticipate them instead?
This week the New York Times posted an article about the role of the CISO and the challenges they face, including a sense of inevitability that when a breach happens the blame will fall on them. Quoted in the article: “We’re like sheep waiting to be slaughtered,” said David Jordan, the chief information security officer for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach. This job is not for the fainthearted.” More and more organizations are adding executives whose focus is security, but the author suggests that, however talented and dedicated these executives are, part of the role is simply to bear the burden of blame when a breach inevitably happens. Security professionals know that it's a "cat and mouse game" and that staying one step ahead, meeting requirements (regulatory or organizational), and being prepared to react is the current recipe for success.
But this article, which also appeared this week, makes a compelling point - one that could transform roles like those described in the NYT article, and ultimately the extent to which organizations succeed with security and with other areas of the business. If being effective at anticipating what will happen is treated as a core goal and guiding principle - and internalized as an organizational value - it may create a culture and environment where CISOs are not simply waiting for the one big breach they don't see coming, but where the focus becomes their ability and vision in seeing what is coming, instead of assigning blame to them when a breach happens. For security specifically, this has some really compelling implications. Not every attack can be anticipated, but trends that pertain to end user behavior, adoption, and interactions can be identified and understood. That's the time for action - not directly after a breach. Effort and time can be devoted to strengthening the technology that secures an anticipatory organization, which will lead to fewer breaches and hopefully decrease the amount of "reacting" the company does as a whole. This can happen when organizations are committed to fostering an environment where talented leaders are encouraged to anticipate instead of to react.
Tuesday Apple and IBM announced a partnership which will bring the power and reach of IBM's enterprise applications to Apple's widely successful mobile platforms. As part of the partnership, IBM will create enterprise apps targeting the healthcare, finance and retail verticals (among others). The CEOs of Apple and IBM described their offerings as fitting together "like puzzle pieces" in an interview with CNBC.
Security is a key goal driving the partnership, enabling the most innovative mobile apps and technologies to reach enterprise customers, who require greater levels of security. "Apple touts the access the partnership gives them to IBM’s big data and analytics capabilities, and talks about how the apps that it produces with IBM will be developed 'from the ground up for iPhone and iPad.' These apps will supplement new cloud services aimed at iOS specifically, including security and analytics solutions, and device management tools for large-scale MDM deployments" says TechCrunch. Analysis of the interview in the New York Times highlights the importance of security for the partnership. "Industry surveys show that corporate technology managers are reluctant to put applications that can pull sensitive corporate data on mobile devices, because of security concerns. IBM has a corps of 6,000 security researchers and developers in 25 security labs worldwide — another asset IBM brings to the partnership."
“It’s clear that IBM and security go hand in hand,” Mr. Cook said.
The Huffington Post ran this article this week describing various methods of biometric authentication which could be used to offset the risk associated with the username/password paradigm. Each of the methods described has become a technological reality, if not a widely available feature, on the devices users rely on to access secure accounts and communications/content.
Far from theoretical or deeply technical, this article speaks to the notion that users are finally beginning to understand the scope of the risk associated with username/password, and are looking for alternatives that may exist. That goes beyond the simple need to comply with corporate requirements, which are the traditional drivers of adoption of strong(er) passwords and/or second factor authentication.
With biometrics, end user education will be a key ingredient of success since by definition the user is required to leverage something about themselves to achieve the level of security biometric authentication can provide. The widening scope of the discussion around biometrics is a strong indicator that this is occurring.
Last week Google I/O showed us Google's vision for our future.
"Google essentially wants to unify the user experience across all connected devices. That means allowing you to respond to text messages via your watch, order pizza from your TV, control your home from your car, and accomplish it all via a common voice-command interface that remembers your appointments and preferences" says James O'Toole for CNN's Innovation Nation.
Android's ever expanding platform is offering the kind of connectivity that means a user's identity will not just be their device, but a group of devices, all integrated and working with each other to deliver a seamlessly integrated experience. "It's a shrewd strategy," O'Toole continues. "As Internet-enabled products become more commonplace, we're not going to want to manage a huge variety of accounts. It's more convenient to have a common digital identity that moves with you across devices. The company that provides that single software identity is poised to reap massive rewards."
The notion of a single identity, free of the nuisance of maintaining multiple accounts, is seductive for users even as vulnerabilities continue to be exposed. To protect this broader concept of identity for users, across all of their devices, innovative identity security solutions will need to become part of the vision. These solutions will need to transcend hardware based delivery methods and take a hard look at what a user "is", and what makes them who they are. Biometrics are an obvious choice, as they are driven by the notion of using "something you are" to identify users. Because of this, we will likely see biometrics increase in usage, as they align with the emerging needs related to identity in this vision of the future.
Authentication continues to evolve toward leveraging information about the user, instead of information possessed by the user. "Face Lock" technology is discussed here, and is particularly compelling because successful authentication requires the end user to recognize a face (not a famous person - someone not everyone would recognize) from a group of faces. This is an interesting take on "facial recognition" that is being done by a human (the user) as opposed to a machine (your computer, using facial recognition software). In this model, the faces could change, and as long as the user could still pick out a face that is familiar to them, the rate of success would still be high.
Bypassing something like this as a fraudster would be a question of pure luck (as long as the selections made by the end user were not obvious enough to be easily socially engineered), and the technology wouldn't require any special hardware. This is compelling because it relies on the human ability to recognize, instead of the ability of the human to be recognized by technology. Innovative methods, like this one, are continuing to broaden the discussion around next-gen authentication.
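To make the "pure luck" point concrete, here is an added Python sketch of the challenge mechanism just described; it is not Face Lock's own code, and it stands in for face images with opaque string ids (the "enrolled" and "stranger" names are constructed). The legitimate user's recognition is modelled as a chooser function, and the fraudster as a chooser that picks at random.

```python
import random
import secrets

# Constructed sample data: ids of faces the user knows, and a pool of unfamiliar decoys.
ENROLLED = ["friend_a", "friend_b", "friend_c"]
DECOY_POOL = [f"stranger_{i:02d}" for i in range(40)]
GRID_SIZE = 9   # faces shown per challenge
ROUNDS = 3      # consecutive challenges per login


def make_challenge(enrolled, decoys, grid_size, rng):
    """Build one grid: exactly one enrolled face among grid_size-1 decoys, shuffled."""
    target = rng.choice(enrolled)
    grid = rng.sample(decoys, grid_size - 1) + [target]
    rng.shuffle(grid)
    return grid, target


def run_login(enrolled, decoys, choose, grid_size=GRID_SIZE, rounds=ROUNDS, rng=None):
    """Run `rounds` challenges; `choose(grid)` returns the picked face id.
    Every round must be correct. The verdict is only reported at the end so a
    wrong pick does not leak which round (and therefore which face) was wrong."""
    rng = rng or secrets.SystemRandom()
    ok = True
    for _ in range(rounds):
        grid, target = make_challenge(enrolled, decoys, grid_size, rng)
        ok = ok and (choose(grid) == target)
    return ok


def guess_success_probability(grid_size, rounds):
    """Chance that someone with no knowledge of the user's faces passes by luck alone."""
    return (1 / grid_size) ** rounds


def simulate_guesser(trials, grid_size=GRID_SIZE, rounds=ROUNDS, seed=1):
    """Empirical pass rate of a random guesser, for comparison with the formula above."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        if run_login(ENROLLED, DECOY_POOL, lambda g: rng.choice(g), grid_size, rounds, rng):
            wins += 1
    return wins / trials
```

Rotating the decoys and the target each round, as the passage notes, keeps the success rate high for the real user while a guesser's odds shrink geometrically with the number of rounds.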
"The best security is always layered security, and this principle holds true when securing the telephony channel" says Gartner's Avivah Litan on Forbes.com. While Ms. Litan's article focuses on the strength of a combination of voice biometrics and device printing to fight fraud in the call center, it also highlights the importance of both a layered strategy and one where the methods are designed for the transaction.
Call center fraud can be especially tough when, as the article cited above states, the perpetrator of the fraud may well have the answers to security questions (through social engineering) and account details, and may fail to raise any red flags in their interaction with the call center representative, who is trained to help customers when they call in with a request. In this case, the presence of a voice biometric allows the perpetrator of fraud to be "flagged" and possibly to be identified if/when they next attempt to commit fraud. This is done passively, an area where the most cutting edge biometric technologies excel - there is no need to inconvenience the customer in order to pull, measure, or flag this potentially extremely valuable information.
In this way, biometric technology races ahead of other authentication methods, which often require the user to "do something" - even if that something is as simple as receiving a text message. By layering security measures that passively collect and measure information, and aligning those methods with specific use cases, organizations can reduce fraud and protect their customers.
Business Insider posted an article today telling the story of a young woman whose smartphone was stolen and how, against the odds, she managed to get it back. This story will resonate with anyone who has lost their phone (as so many of us have) and have hoped, if briefly, to have it returned, or who have felt the overwhelming relief of finding it and realizing that it wasn't lost, just misplaced.
The fear of losing our smartphone is real, and so is the potential risk. Symantec published findings on an experiment they conducted earlier this year, the results of which are highlighted here. The analysis puts into focus some of the real risks involved when these devices are lost or stolen, and do not have additional security features installed to prevent unauthorized access to the information they hold. Some key findings from the article:
"On studying this information, the following conclusions were drawn:
1. 96 percent of lost smartphones were accessed by the finders of the devices
2. 89 percent of devices were accessed for personal related apps and information
3. 83 percent of devices were accessed for corporate related apps and information
4. 70 percent of devices were accessed for both business and personal related apps and information
5. 50 percent of smartphone finders contacted the owner and provided contact information"