Delfigo Security - Strong Authentication

Strong Authentication

Stolen Credentials Featured Prominently in 2010 Data Breach Investigations Report

The Verizon RISK Team's 2010 Data Breach Investigations Report, compiled together with case data from the United States Secret Service (USSS), covers 141 confirmed breaches worked by Verizon and the USSS in 2009. One part of the report examines what each threat agent actually did to cause or contribute to a breach. Within the hacking category, the use of stolen credentials ranked first in both the Verizon and the USSS datasets.

[Table: hacking threat actions, with columns Threat Action, % of Breaches and % of Records; the table body did not survive extraction.]
 "The amount of breaches that exploit authentication in some manner is a problem. In our last report it was default credentials; this year it’s stolen and/or weak credentials. Perhaps this is because attackers know most users are over-privileged. Perhaps it’s because they know we don’t monitor user activity very well. Perhaps it’s just the easiest way in the door."

Source: 2010 Data Breach Investigations Report


Consumer Control Over Personal Information

Cyberattacks continue to increase against consumer-facing companies of every kind with an online presence. Here at Delfigo we frequently discuss the need to give individuals more control over their personal information. The lack of control, and the feeling of vulnerability that comes with it, could well slow the adoption of cloud computing. A recent article on the privacy concerns that are slowing cloud adoption in Europe notes work being done at HP to give the user more control over personal information:

"Another solution being studied is to give individuals the ability in advance to set the degree of privacy control on each part of their personal information in the cloud by digitally tagging bits of the data. Under this model, a person could make an e-mail address available to marketers, while shielding a phone number and street address from unwanted solicitations. "


Identity Theft Scheme Steals Children's Social Security Numbers

According to the Associated Press, thieves are targeting children's Social Security numbers before any credit history is attached to them. Online companies seek out information that identifies dormant Social Security numbers, check them against publicly available resources to confirm that no one is actively using them, and then sell them online.

"Social Security numbers follow a logical pattern that includes a person's age and where he or she lived when the number was issued. Because the system is somewhat predictable, sellers can make educated guesses and find unused numbers using trial and error.

A "clean" CPN (credit profile, credit protection or credit privacy number) is a number that has been validated as an active Social Security number and is not on file with the credit bureaus. The most likely source of such numbers are children and longtime prison inmates, experts said."


Backup and Secure Access for Cloud Computing

David Baum, July 20, 2010

As one of the original seed investors in Carbonite, I often worry about data backup. As we move toward a nearly 100% digital life it becomes extremely important that we back up our digital data, because the digital data has become our lives.

As we move toward cloud computing, backup becomes more nebulous. Certainly the online providers are backing up our data en masse to protect themselves from major data center disasters, but in a multitenant environment, what happens to the individual when they lose their cloud data?

As a huge Gmail fan, I used Outlook to sync with the cloud, so I was less worried about backing up my email in the cloud because it was replicated in my local Outlook database. Also, all of the rest of my personal information was stored locally in Outlook and I backed that information up with Carbonite.

The scenario above all changed last fall when I made the move to Android for my mobile computing needs. I was “forced” into the cloud to take full advantage of everything great that Android had to offer. This meant that I had to move all my scheduling and contact data into the sky, and thus I stopped using Outlook altogether as Gmail became my full-time personal information management (PIM) system. Never again would I have to sync the data between my desktop PIM and my mobile device, as they were always in sync wirelessly. I must admit that for an old client/server user the move to the cloud was a bit of a leap for me, as the network of contacts that I have built over 25 years in high tech has become my business lifeblood.

However, I quickly noticed how much more productive I was having all my cloud data available on any computer with a web browser, my Android devices, and my iPad. It worked so well that I stopped worrying about backup. The senior people that I know at Google assured me that their cloud was backed up in multiple data centers, and that I would never lose my data.

Everything was fine until last week when I got a call from my brother that someone from Nigeria had hacked his Gmail account and changed his password, which locked him out of his account (see log file below).

My first thought was “lights out and game over”: how can you manage your business if you don’t have access to your Gmail account? My second thought turned to backup, and I realized that I had not backed up my information in Gmail in over six months. I quickly logged into Gmail and exported all of my contacts and re-synced my email database with my old friend Outlook (maybe syncing backups of the cloud will be Outlook’s legacy).

To Google’s credit, they were able to restore access to my brother’s Gmail account quickly. However, when he logged back in, all of his contact data had been deleted. I can only imagine the numerous identity thefts that might come from this data being in the wrong hands, but can you imagine losing all of your contact information? Google has too many users to hand-restore individual contact databases for their Gmail users, so I would strongly suggest that all users make an effort to back up, through export or sync, to an external client-based PIM program like Outlook.

The “hacker 101 rule” after accessing a hacked email account is to immediately change the legitimate user’s password to buy precious time in order to download contacts, send out fraudulent emails, set up simple email rules on the unsuspecting user's account like “forward all * emails to”, and exploit the Holy Grail problem of most online accounts, which know you not by your name but by your email address. This puts everything you are, who you know and what you have the ability to access online at immediate risk and poses a clear and present danger to your online identity. Why? Simple: if the hacker assumes your email address is your account user ID, he would simply try to access every social media site like LinkedIn, Twitter and Facebook, as well as the major financial sites like Schwab, eTrade, Quicken, BoA, Wells and Chase to name a few, click the link called “forgot my password” and enter the email address. Within seconds an email would arrive in the hacked inbox allowing the fraudster to gain access to and full control of every account that uses this password reset modality.

The next big question is how someone was able to hack the account? The obvious answer is that some sort of spyware was installed on the client machine that was sniffing keystrokes for usernames and passwords. The Nigerian Hacker then used this information to log-in and change my brother’s password. Again, Google was able to “notice” this remote login, and inform the active session, but the real question is why would the Gaia (Google’s single sign on and password system) allow this to happen. The problem is that Gaia is not utilizing strong or any visible multi-factor authentication system for client log-ins.

For example, if Google was using a solution like Delfigo Security (yes, one of our portfolio companies) that implements multi-factor authentication including a sophisticated keyboard biometric, machine ID, geospatial parameters, etc., they could have flagged this rogue log-in and aborted the password reset by a user who was clearly not the owner of the account.

We have all heard the news about the high-profile break-ins to Gmail accounts that made Google abandon the Chinese market, but what happens when these break-ins occur to ordinary individuals, which is more the norm these days?

Google needs to do more to protect the access plane and provide more timely out-of-band notification, like SMS messages to registered cell phones. In addition, Google should use the confidence factor of the log-in to prevent features such as export and the deletion of data. All of these features could easily be built into the business logic of Gmail and could be triggered from the confidence factor of the login that is provided by systems like Delfigo.

Lastly, users of cloud solutions like Gmail should also be careful not to store sensitive information in the various contact note fields. For example, Social Security numbers, credit card numbers, PINs, account passwords, and physical safe combinations should not be stored in plain text fields that are protected only by a username and password. Users should instead move to more secure solutions like eWallet that encrypt the data that is shared between client computers and mobile devices, so that it never gets into the cloud.

David Baum is a general partner at Stage 1 Ventures, LLC, with 23 years in the information technology industry, including fourteen years in technology finance and nine years in entrepreneurial operating management roles.
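The post above argues that a login's confidence factor, derived from signals such as machine ID, geolocation and keyboard cadence, should gate sensitive actions like exporting or deleting contacts and changing the password. The following is an added example of that idea, not Delfigo's or Google's code. It assumes a login event carries a device identifier, an approximate geolocation and the intervals between keystrokes while the password was typed; the weights, the 500 km radius, the per-action thresholds and the two sample logins are all constructed for the illustration.

```python
"""Login confidence scoring that gates sensitive mailbox actions.

Added example, not Delfigo's or Google's code. Every weight, threshold,
coordinate and timing sample below is made up for the illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean


@dataclass
class Profile:
    known_devices: frozenset   # machine IDs seen on past, trusted logins
    home_lat: float
    home_lon: float
    typing_mean_ms: float      # typical interval between keystrokes on past logins
    typing_std_ms: float


@dataclass
class LoginEvent:
    device_id: str
    lat: float
    lon: float
    key_intervals_ms: list     # inter-keystroke intervals captured at this login


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def login_confidence(profile: Profile, ev: LoginEvent) -> float:
    """Weighted sum of three signals: 0.0 (stranger) to 1.0 (looks like the owner)."""
    score = 0.0
    if ev.device_id in profile.known_devices:                                      # machine ID
        score += 0.4
    if haversine_km(profile.home_lat, profile.home_lon, ev.lat, ev.lon) <= 500.0:  # geospatial
        score += 0.3
    # keyboard biometric: how many standard deviations this login's cadence sits from the profile
    z = abs(mean(ev.key_intervals_ms) - profile.typing_mean_ms) / profile.typing_std_ms
    if z <= 1.0:
        score += 0.3
    elif z <= 2.0:
        score += 0.15
    return round(score, 2)


# Minimum confidence each action needs (constructed policy): reading mail is always
# allowed, bulk export/deletion and account takeover actions need progressively more.
REQUIRED = {
    "read_mail": 0.0,
    "export_contacts": 0.6,
    "delete_contacts": 0.6,
    "add_forwarding_rule": 0.8,
    "change_password": 0.8,
}


def authorize(action: str, confidence: float) -> bool:
    return confidence >= REQUIRED[action]


def decide(profile: Profile, ev: LoginEvent, action: str):
    """Return (confidence, allowed) for one action in one session."""
    c = login_confidence(profile, ev)
    return c, authorize(action, c)


# Constructed data: a Boston-based owner on a known laptop, and the same password
# replayed from an unknown machine thousands of kilometres away at a different cadence.
OWNER = Profile(frozenset({"laptop-7f3a"}), 42.36, -71.06, 180.0, 20.0)
OWNER_LOGIN = LoginEvent("laptop-7f3a", 42.36, -71.06, [172, 188, 176, 184, 180])
STOLEN_PW_LOGIN = LoginEvent("unknown-9b21", 6.52, 3.38, [258, 249, 270, 243, 255])

if __name__ == "__main__":
    for name, ev in (("owner", OWNER_LOGIN), ("stolen password", STOLEN_PW_LOGIN)):
        for action in REQUIRED:
            c, ok = decide(OWNER, ev, action)
            print(f"{name:16} confidence={c:.2f} {action:20} {'allow' if ok else 'step-up required'}")
```

With these made-up weights the stolen-password session scores 0.0: it can still read mail, but exporting contacts, adding a forwarding rule or changing the password all demand a step-up (an out-of-band confirmation, for instance) rather than succeeding on the password alone, which is exactly the sequence the post describes the attacker running.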


Man In The Browser Attacks Beat Two Factor Authentication

Out-of-band strong authentication options that send one-time passwords via phone-based systems are widely used by banks and other financial institutions. However, as the research firm Gartner points out [Where Strong Authentication Fails and What You Can Do About It], these methods are susceptible to man-in-the-browser and social engineering attacks when they are not deployed as part of a layered approach:

“In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said. If the security application places an outbound call synchronized to a Web session, then this outbound call can be forwarded to fraudsters. If in addition the security application displays a number on the Web screen that must be entered via the telephone keypad, then this number can easily be intercepted by a man-in-the-browser Trojan and forwarded to the same fraudsters, thus hijacking the session. We can reverse the loop and request the user to send some transaction info using the phone keypad. But this does not make any difference.”

A layered, risk-based approach weighs additional authentication factors against the type of activity being performed, and raises the requirements for higher-risk transactions. The out-of-band channel only defeats a man-in-the-browser if what the user confirms on it (for example the payee and the amount) is the transaction the bank is actually about to execute, and cannot be altered by malware in the browser; a one-time password that is valid for any transaction offers no such protection.
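The contrast above, as an added example that is not Gartner's, Delfigo's or any bank's code: a one-time password that depends only on a counter confirms whatever the browser submitted, while a code the customer's token computes over the payee and amount they themselves keyed in fails to verify once a man-in-the-browser Trojan has rewritten the form. A risk tier chosen from the transaction the bank actually received decides whether a step-up is demanded at all. The shared secret, the payee names, the amounts, the tier boundaries and the Trojan's rewrite are all constructed here; this models a customer-held token or app, not the bank-dialed voice call the quote criticises, which call forwarding can still redirect.

```python
"""Unbound one-time password vs. transaction-bound code under a man-in-the-browser.

Added example, not Gartner's, Delfigo's or any bank's code. The secret, the
payments, the risk tiers and the Trojan's rewrite are constructed for the illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Per-customer secret shared between the bank and the customer's token app
# (constructed value; a real deployment provisions this out of band).
SECRET = bytes.fromhex("5f2a9c44e1b07d3366a8f0c2d9e14b7a5f2a9c44e1b07d3366a8f0c2d9e14b7a")

KNOWN_PAYEES = {"Alice Smith"}   # payees this customer has paid before (constructed)


@dataclass(frozen=True)
class Payment:
    payee: str
    amount_cents: int


def _code(secret: bytes, message: bytes) -> str:
    """Truncate an HMAC-SHA256 to a 6-digit code, HOTP-style."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def unbound_otp(secret: bytes, counter: int) -> str:
    """Depends only on the counter: the same code confirms ANY payment."""
    return _code(secret, counter.to_bytes(8, "big"))


def bound_code(secret: bytes, counter: int, p: Payment) -> str:
    """Depends on the counter AND the payee/amount keyed into the token."""
    detail = f"{p.payee}|{p.amount_cents}".encode()
    return _code(secret, counter.to_bytes(8, "big") + b"|" + detail)


def required_step_up(p: Payment) -> str:
    """Layered policy (constructed): the requirement rises with the transaction's risk."""
    if p.payee in KNOWN_PAYEES and p.amount_cents <= 50_000:
        return "password"                 # routine payment to a known payee
    if p.amount_cents <= 500_000:
        return "bound_code"               # new payee or larger amount: confirm details on the token
    return "bound_code+manual_review"     # very large: bound code plus a human check


def trojan_rewrite(submitted: Payment) -> Payment:
    """Man-in-the-browser: swaps payee and amount after the customer clicks 'pay'."""
    return Payment("Mule Account", 480_000)


def process_payment(intended: Payment, counter: int, bind_to_transaction: bool, infected: bool) -> str:
    """Run one payment through the bank and report the outcome."""
    submitted = trojan_rewrite(intended) if infected else intended   # what the bank receives
    requirement = required_step_up(submitted)                          # tier from the received details
    if requirement == "password":
        return f"executed: {submitted.payee} {submitted.amount_cents / 100:.2f}"

    if bind_to_transaction:
        # Customer keys the payee/amount THEY intend into the token; the bank binds what it received.
        code = bound_code(SECRET, counter, intended)
        expected = bound_code(SECRET, counter, submitted)
    else:
        # Token shows a counter-only code; the (possibly infected) browser relays it unchanged.
        code = unbound_otp(SECRET, counter)
        expected = unbound_otp(SECRET, counter)

    if not hmac.compare_digest(code, expected):
        return "rejected"
    return f"executed: {submitted.payee} {submitted.amount_cents / 100:.2f}"


if __name__ == "__main__":
    intended = Payment("Alice Smith", 25_000)
    for bound in (False, True):
        for infected in (False, True):
            print(f"bound={bound!s:5} infected={infected!s:5} ->",
                  process_payment(intended, counter=7, bind_to_transaction=bound, infected=infected))
```

Two things in the output are worth noticing. First, the unbound code is relayed by the compromised browser and the bank executes the rewritten 4,800.00 payment to the mule account; the bound code fails, because the customer's token signed the 250.00 payment they meant to make. Second, the rewrite itself pushes the transaction into a higher tier: the routine payment to a known payee would have needed only a password, but the bank applies its policy to what it actually received, so the tampered payment triggers the step-up that then catches it.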

