Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Strong Authentication
Strong Authentication

Get BYOD Right

Are organizations getting BYOD wrong? InfoWorld's "The Squeaky Wheel" featured a compelling post by Brian Katz this morning, where he examines what the fundamental goals and principles of BYOD really are, and how companies and organizations "miss the mark" when it comes to the true benefits of BYOD - empowering the user to use their own device, and enabling productivity.

Katz is right to point out that there are a number of emerging vendors targeting organizations who implement BYOD programs. These vendors enable organizations to deploy, manage and provision company resources on a privately owned device. These activities require security solutions that are designed to meet the needs of users accessing company data and applications - and of the companies providing them - including the increased productivity and ease of access users enjoy on their own devices. When this approach is adopted, simple and easy to use security should be at the top of the list for organizations who make their resources available on devices they do not own and do not control. 


Google I/O and User, App and Device Security

As developers who attended Google I/O last week return to their work inspired by  innovative concepts they saw in action in San Francisco, flexible and innovative security should be on their minds. Google's Android operating system now has over 900,000,000 users, and will continue to grow as developers take advantage of the tools and services Google provides, which were the highlight of the conference this year. According to the 5 year product roadmap Google released this month, "stronger authentication" is a priority. As new features, applications and devices are rolled out and adopted, we will see increasing emphasis on securing these new technologies.

Security and user experience can seem to be at odds, but in reality they go hand in hand. Cumbersome security workflow will have an effect on experience, but the opposite is also true - elegant, innovative security designed for the mobile experience, will enhance it. ZDNet published an article last week emphasizing the importance of speed and user experience for increasing conversion for mobile commerce apps. Security is part of that experience, especially where having it extends users' ability to knit technology into their day to day activities. As users adjust to new ways to pay, transfer money or access data, a sense of security will part of what makes these technologies easy to use. User experience will benefit from enhanced mobile security.

Securing mobile technologies, with user experience in mind, will require innovative security solutions that are intuitive, easy to understand, easy to integrate with and easy to support. 


Cloud Authenticaction Processing Generates Cost and Energy Savings

Delfigo recently filed for patent protection on its Cloud Authentication Processing (CAP) and Verification method. The cloud authentication processing method combines enhanced login accuracy and access speed based on multifactor authentication, with significant efficiencies in data processing and storage resulting in substantial resource and cost savings.

“We recognized that there were economic opportunities available here. A more elegant, 'green' approach to multifactor authentication (MFA) significantly reduces processing and storage needs,” said Delfigo’s CEO Ralph A. Rodriguez. “When you are talking about the scale of Facebook, Twitter or Google, who are on their way to authenticating a billion users globally, CPU processing and storage optimization with CAP will reduce energy consumption requirements, enhance scale and result in millions of dollars in annual savings.”

Our team continues to take the lead in developing novel approaches to tackle authentication challenges. With the growth of cloud computing and other high user count systems, companies are faced with processing millions of users over the Internet. Additional data traffic, complex mathematical computation and exponential increases in hardware storage requirements for password, device, network and geo-centric user data will place huge drains on processing resources, related to CPU, memory, bus and circuit board speed in massive cloud data centers. This will in turn increase power and HVAC costs.

Delfigo’s Cloud Authentication Processing and Verification method creates the highest known efficacy of end user login accuracy in relationship to end user login time to access cloud based systems safe and fast. This unique approach is estimated to decrease storage requirements by a 10:1 ratio, and reduce processing requirements as only a single stored entry is utilized to authenticate against prior end user data. This method will save millions of dollars per data center, and an enormous amount of natural resources needed by companies, organizations and countries globally to power and cool equipment.


Is Indifference to Mobile Security The Problem?

Over the past 25 years, the cell phone has evolved from the one dimensional brick phones to the powerful smartphone technology of today. Estimates indicate that smartphone ownership will reach 43% of the US mobile population by 2015 with Gartner stating that sales of smartphones will reach 95 million in 2011. With ever increasing processing power, and hundreds of thousands of applications currently available, the smartphone has rapidly become the primary device for everyday access to social media, banking, commerce, shopping, and personal entertainment.

What is often lost in this love affair with mobility is that the smartphone presents the same level of risk as the PC. The rapid expansion of capabilities and acceptance of these devices as an essential element of our personal and professional life has regrettably coincided with an overall indifference to security. Convenience - in the moment, on the go convenience - trumps any concern for protection of assets. The average user has a wide variety of confidential private data stored on these very personal devices, and estimates show that 40% of business professionals carry sensitive business information as well.

Look no further than the recent articles on Zitmo or DroidDream to see that the risk is real. Zitmo, a variant of the Zeus Trojan, has been adapted to target phones running the Android OS. Users are tricked in to adding a “security component” that they assume comes from their bank, but is really malware. DroidDream, malware that initially exploited a bug in older versions of Android that resulted in 58 apps being pulled from the Android marketplace, recently resurfaced in 4 additional apps in July.

User indifference is often identified as a key part of the problem. The user fails to play the role that security managers expect them to play. They do this for an obvious reason; they do not want to be inconvenienced. Vendors that assume the user should play a key role in security strategy are missing an important element in developing, and implementing strong authentication solutions for the mobile user. The user does not want to be inconvenienced. Security should operate invisibly in the background and not in any way interfere with their user experience.


1. “Smartphone Malware Report” Raising Awareness of the Threats Affecting Mobile Devices

2. Zeus Banking Trojan Hits Android Phones

3. DroidDream Again Appears in Android Market Apps 

4. Smartphone Market Statisitcs

5. Research and Markets – Mobile Phone Biometric Security Report 


New OddJob Trojan Threatens Financial Institutions

Security firm Trusteer has identified a new trojan they have named OddJob which keeps banking sessions open after banking customers believe they have logged off. From Trusteer:

We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”’, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets.  We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed. 

Information Week also reports the security firm F-Secure has found that a variant of the financial malware Zeus Mitmo is again active, this time targeting mobile phone customers of ING Bank in Poland. 

"Computers infected with a ZeuS Mitmo Trojan will inject a 'security notification' into the Web banking process, attempting to lure the user into providing their phone number," said Sean Sulllivan [of S-Secure]. "If a phone number is provided, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A." Clicking on the link then presents Symbian and BlackBerry users with Zeus Mitmo malware tailored to their smartphone.

The goal of Zeus Mitmo is to create fraudulent transactions using the mobile device, while subverting the bank's security procedures. In particular, the malware's mobile component creates a man-in-the-middle attack that steals the one-time password that some banks send via SMS to authorize a financial transaction, which are also known as mobile transaction authentication numbers (mTANs). By hijacking this security verification process, Zeus Mitmo disguises its fraudulent activities from users.


Page 6 of 12