An article this week on arstechnica.com highlighted an innovative new approach to password security at Stanford University. The policy is aimed at dynamically imposing requirements for password complexity based on the length the user chooses for their password, so that "short passwords must pass additional checks designed to flag common or weak passcodes (presumably choices such as 'P@ssw0rd1', which can usually be cracked in a matter of seconds). The standards gradually reduce the character complexity requirements when lengths reach 12, 16, or 20 characters. At the other end of the spectrum, passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case."
This is an encouraging development as well as a novel approach - passwords are so common that they won't be going away any time soon, and most password policies leave users extremely vulnerable and/or frustrated. By acknowledging that passwords will remain part of a security strategy while leaving the "one size fits all" set of requirements behind, this kind of policy encourages users to create passwords that are easy to remember yet more secure, and applies its rules based on the choices the user makes. This is the kind of policy other organizations should look at to extend the value and lifespan of password requirements for their users. In closing, the author states "The elegance of Stanford's policy is that it eschews the one-size-fits-all approach most websites and networks take when attempting to ensure their users choose strong passwords. By offering increased flexibility, there's a better likelihood that people connecting to University services will remain secure. In an age when passwords have never been weaker and crackers have never been stronger, that's enlightenment indeed."
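The tiered policy described above, written out as a checker. This is an added example, not Stanford's code: the cut-offs at 12, 16 and 20 characters and the "any character type at 20+" rule come from the post; the number of character classes demanded in each tier, the 8-character minimum and the tiny common-password list are assumptions made here for illustration.

```python
"""Length-tiered password check modelled on the policy the post describes.
Added example, not Stanford's code: the page gives the tier cut-offs (12, 16, 20)
and the 'any character type at 20+' rule; the classes demanded per tier, the
8-character minimum and the tiny common-password list are assumptions."""

# Constructed sample; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "iloveyou", "welcome"}
# Undo common leet substitutions so "P@ssw0rd1" is recognised as "password".
_LEET = str.maketrans("@0$3!", "aosei")
MIN_LENGTH = 8  # assumed; the page does not state a minimum

def char_classes(pw):
    """Set of character classes (lower/upper/digit/symbol) present in pw."""
    kind = lambda c: ("lower" if c.islower() else "upper" if c.isupper()
                      else "digit" if c.isdigit() else "symbol")
    return {kind(c) for c in pw}

def classes_required(length):
    """Assumed tier rules: fewer classes are demanded as length grows."""
    if length >= 20:
        return 1  # page: any character type, even all lower case
    if length >= 16:
        return 2
    if length >= 12:
        return 3
    return 4

def looks_common(pw):
    """Weak-password check: strip trailing digits, lower-case, undo leet."""
    return pw.rstrip("0123456789").lower().translate(_LEET) in COMMON_PASSWORDS

def check_password(pw):
    """Return (accepted, reason) for pw under the tiered policy."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if looks_common(pw):  # page applies this to short passwords; here to all
        return False, "matches a common password pattern"
    need, have = classes_required(len(pw)), len(char_classes(pw))
    if have < need:
        return False, "%d chars: needs %d character classes, has %d" % (len(pw), need, have)
    return True, "ok"

if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Tr0ub4dor&3", "correcthorsebattery",
               "correct horse battery staple"]:
        print(repr(pw), check_password(pw))
```

Note that the 19-character all-lower-case passphrase is rejected while the 28-character one is accepted, which is exactly the trade-off the tiers encode.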
TwoFactorAuth.org provides a useful list of widely used sites that have enabled two-factor authentication (2FA) for their users. In an article on Wired, Josh Davis, the founder of TwoFactorAuth.org, describes the site as "a single place to go when determining alternative services based on the care and engineering they have in place for their customers."
Scrolling through the list could be very concerning for users with accounts at some of the very well known and trusted companies that are pointed out here as still not 2FA enabled. The sites that have already enabled some form of 2FA appear in green - but take a closer look - the 2FA approach they have implemented is described here too, and the majority seem to have done this with SMS, a one-time password sent to the user's mobile device.
When considering the importance of 2FA, it's extremely important that end users understand not only that the companies they know and trust are taking steps to increase security, but what those steps are and what exactly they secure. A one-time password via SMS essentially turns the end user's phone into a hardware token (a possession factor), but it does not validate the identity of the individual making the request and does not protect activity on that device, at a time when the number of transactions users perform on their mobile devices is skyrocketing. 2FA is truly meaningful when it elegantly addresses the need for security while integrating successfully with the user experience, which fuels widespread adoption. Before we breathe our sighs of relief when we see our sites in "green", we need to make sure we understand what is really being protected, and under what circumstances.
On April 7, 2014, it was announced that all versions of OpenSSL in the 1.0.1 series up to and including 1.0.1f had a severe memory handling bug in their implementation of the TLS Heartbeat Extension. This defect could be used to reveal up to 64 kilobytes of the application's memory with every heartbeat (see Wikipedia for additional references).
This bug, which many media sources have pointed out this week potentially affects 50% or more of the internet, should serve as a sobering warning that the traditional mechanisms we have relied on (such as SSL) to protect us when we are online are themselves vulnerable. It is simply not enough to rely on SSL for security as heavily as we collectively have, when what is needed is a comprehensive and varied approach.
The key here is a diverse strategy, one that is designed to combat breaches and vulnerabilities at as many different points as possible. Encryption? Yes (this bug will be addressed, and OpenSSL will be stronger for it). Authentication? Yes. Securing both front and back end transactions, content management and security training for end users? Yes, yes, and yes. Vulnerability carries the most potential damage when protections in place are too few, and becomes more manageable when protection mechanisms are distributed in such a way as to minimize the potential for any one element to compromise the whole.
Google's wallet may start "showing up" for you. This article in Slate gives a high level walkthrough of the feature you may already see on your Gmail account which enables you to send money via Gmail.
As far as mobile payments go, this could not be easier to do. It's also clear why Google has an interest in users sending money using their Google accounts: they'll have access to the data, attract new users who want to use this feature (in this case users accept the money with their wallets, too), and adoption could make a Google account even more essential to users' day-to-day lives. Along with this feature, Google has stepped up email encryption, but it's very important that users understand the kind of security they will need to protect themselves while using this technology. From the article above: "Once you know what Google is really driving at, does Google Wallet seem less appealing? Probably not. It's convenient, well thought-out, and email-able. Just don't go too crazy, OK? It's still real money."
It's still real money. And this should give anyone with an insecure Gmail password, or anyone who has ever had their account hijacked, some pause. It's not just enterprises that need to consider the right balance between user experience and security. Increasingly, users need to do this for themselves as well.
At the end of February, Apple released a security patch that addressed a critical bug associated with SSL sessions, which you can read about here and here. Apple explained that without the patch, “an attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS.” This being a serious threat, there has been much discussion around how this oversight was missed during the development process, where there would have been several opportunities to catch it before a product release.
But relying on SSL, or any network security, won't solve the growing security issues associated with increased access to banking and other critical content that comes with mobility and the changing way we interact with our most sensitive data. Knowing that a request is valid, and that it comes from the owner of the account being accessed, is a growing space in security. Securing the connection is critical, but so is knowing that the actor (in this case, the end user) is who they say they are. Organizations looking to increase security should take advantage of technologies that use contextual data in new ways, building policies and context awareness into the security of their applications.
As BYOD presents organizations with an ever increasing number of security challenges, CIOs are examining strategic benefits associated with moving beyond MDM (mobile device management) and controlling the actual devices, to a MAM (mobile application management) focused strategy that enables their users to continue to use their own devices, while protecting enterprise resources, data and applications.
"Cloud-based services can provide myriad security benefits, as many CIOs are realizing. According to Infonetics Research, cloud-based security is projected to increase at a compound annual growth rate of 10.8 percent from 2012 to 2017. Mobile apps that run through the cloud can be better protected, as cloud infrastructures offer enhanced encryption and safer enterprise mobility capabilities" said this article from MaaS360.
This trend speaks to the need to accommodate users of all kinds of devices, in any environment, as mobile devices become more entrenched in our day-to-day lives. Managing and distributing devices to employees carries challenges of scale, and the potential to alienate users who love their personal devices because of the great experience they offer. Enterprises and organizations that are creating security strategies for the mobile world should maximize their efforts and resources by enhancing the security and usability of their applications, instead of controlling the devices they run on.
"Beginning later next year, you will stop signing those credit card receipts. Instead, you will insert your card into a slot and enter a PIN number, just like people do in much of the rest of the world. The U.S. is the last major market to still use the old-fashioned signature system, and it’s a big reason why almost half the world’s credit card fraud happens in America, despite the country being home to about a quarter of all credit card transactions."
Tom Gara's article in the Wall Street Journal discussed the impending shift from swiping a credit card and signing the receipt, to swiping the card and entering a PIN. This is the way credit card transactions happen across the globe, and we will now begin to see this model adopted in the US as well.
What will this mean for the PIN and the security of using one each time we do a transaction? Most of us have PINs associated with the screen locks on our devices, or use them to access applications. It's not an unfamiliar concept, but there has been much discussion about how easy PINs are to crack - and how often we choose insecure PINs to make our lives easier. With this shift will come a need to implement security on top of PINs that is transparent to the end user and secures these transactions, in order to extend protection to end users against identity theft and continue to combat fraud.
"...it's become so 'consumery' out there that the old security requirements on the desktop PC just haven't grafted over. It might be easier to change the security methods than change the user behaviour. Biometrics here we come" says I.D. Scales for TelecomTV.
The challenges associated with BYOD, coupled with the capabilities of smart devices, are creating an environment that begs for innovative security solutions that secure the right content at the right juncture, without requiring users to change their behavior or imposing on them the outdated processes and workflows they are accustomed to on their PCs. Mobile devices are designed to enhance the user experience - allowing an individual to access and interact with all kinds of applications on demand - and it makes sense to consider how standard features of these devices can be deployed to meet requirements like security. Biometrics fit this use case because they leverage information that is already there - information about the users themselves, which they always have at their disposal.
Successfully leveraging these capabilities will require a commitment to the user experience expected on a mobile device. It shouldn't feel like logging into a PC and going through the "old" requirements for security. It is absolutely worth exploring how features on the mobile device can be used to achieve a "new" kind of security for users.