24 November 2014

The Joy of Fraud Fighting

Uri Rivner - BioCatch

77 | posts 318,049 | views 35 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

What's the worst that can happen?

13 June 2012  |  3339 views  |  0

Here are some further thoughts on the LinkedIn compromise, following my previous blog post.

Over the years I did some unscientific research on LinkedIn. Here’s some unofficial statistics I have on LinkedIn accounts: about 25% of LinkedIn users use their real corporate email account as the user name. That’s not a good practice for many reasons, some of them related to security. Are you one of the 25%?

Interestingly enough, those that use their corporate email address as the user name tend to have more senior job titles. Executive types. People who don’t expect to move between jobs, or who are in an outbound position such as director of business development, head of global alliances, etc. And last but not least, these individuals tend to use LinkedIn for a lot of corporate related activity. It appears that people with a Yahoo! or Gmail address as their user name often use LinkedIn for other things like looking for a job.   

Passwords can be stolen locally at the user level using Phishing or Trojans: in such cases the length of the password isn’t going to help anyone. But in many cases passwords are mass-compromised by hacking into the application servers.

What’s the worst that can happen if your LinkedIn account is exposed?

I think you can figure out what it can mean for you personally, but let me point out some less obvious potential for damage to the corporation you work for.

When a legitimate LinkedIn account is compromised by a cybercriminal, there’s a trusted identity in the wrong hands. The hacker can send personal emails to those linked into the compromised account that recipients will probably consider 100% legitimate. This can be used for infecting contacts with malware, for the purpose of gaining access to their personal devices – and worse, their corporate networks. Executives can be a subject of extortion. And lets not forget the password thingy: if you’re an IT person that has access to corporate network resources or FTP sites, a hacker may try to see if your LinkedIn password also works there. In many cases it does.

We should however take into account that passwords are not alone anymore. On their own - without additional lines of defense - static passwords are an outdated protection: the industry realized that long ago. Passwords are effective against a variety of attacks, but if stolen they let the attacker straight through… unless there are additional defenses in place. Which is now getting to be the norm.

Today there are many ways to augment password protection with additional controls. The financial industry no longer uses password authentication as the sole protection, and also moves beyond login-level controls. In-session activity or transaction monitoring is used, where what you do and how you do it is being evaluated.

DARPA (the US Defense Advanced Research Projects Agency) has indicated it’s considering a future world where passwords are not used, and users are continuously authenticated based on their behavioral traits, and emerging eCommerce protection techniques now rely less on passwords people selected and more on analyzing their actions. 

The use of smartphones further accelerates this shift from traditional passwords to more comprehensive, advanced techniques. So don’t be surprised if at some point in the future, perhaps very distant and perhaps less so, passwords will be a thing of the past – just like punch cards and squealing modems.

But while we await this future reality, maybe we’d better change our LinkedIn passwords.

 

TagsSecurityOnline banking

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Uri

Brazil vs. Germany: A Surprising Find

12 July 2014  |  2329 views  |  1  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Sweetheart Scams: When Fraudsters Turn to Romance

30 June 2014  |  1804 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

BitCoin Explained: How to Become a BitCoin Thief - part 1

04 December 2013  |  17644 views  |  1  |  Recommends 1 TagsMobile & onlinePaymentsGroupInformation Security

A Message from Hell

01 October 2013  |  2880 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

The Dark Side of Security

11 September 2013  |  2145 views  |  0  |  Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services
name

Uri Rivner

job title

Head of Cyber Strategy

company name

BioCatch

member since

2008

location

Tel Aviv

Summary profile See full profile »
Internet. The perfect fraud frontier. These are the thoughts of Uri Rivner, head of Cyber Strateg...

Uri's expertise

What Uri reads
Uri writes about

Who is commenting on Uri's posts

Ketharaman Swaminathan
Brett King