20 October 2014

PCarroll

Pat Carroll - ValidSoft

77 | posts 271,755 | views 38 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2478 views  |  1

“If only I would have known” is a phase that Jennifer Lawrence, Kate Upton and possibly as many as 100 celebrities and notable personalities are likely saying after a reported massive breach of Apple’s iCloud service resulted in the unauthorized access to, and release of, personal information and photos. While the FBI, dozens of security vendors and Apple itself are investigating how this massive breach was executed, what should be clear to everyone is that data security policies need to be re-evaluated and updated to reflect the new realities of our mobile world, with one goal: To protect everyone’s privacy.

Whilst there are many conflicting views about the nature of the attack, the latest reports suggest that the “iCloud hack” exploited a vulnerability in Apple iCloud’s “Find My iPhone” service which was susceptible to “brute force” programs that repeatedly guess random passwords for a given username until it gets a match. Other reports suggest that the security questions posed when a user password is forgotten, provided an easier spearphish opportunity for the hackers. Whatever the cause, damage has been done. In the consumer mindset, the view will prevail that if Apple could fail to prevent such a simple security bug, what confidence can there be that iCloud is secure and safe? What does this tell us about enterprise security in general? If Apple, a company who has made strong statements about their commitment to consumer security and data protection, is vulnerable to basic security flaws, then what assurance can we have about the safety of our banking, stock and retirement accounts, or even our personal medical records? Unfortunately, because of the many inter-department silos present in today’s enterprise environments that prevents a systematic and holistic approach to data security, we may never know until it is too late and we read about it in the news.

Data breaches like iCloud, or  Target or the suspected breach at Home Depot, or the countless ones before and certainly the untold many that have yet to come, are repeated reminders that traditional “security”, passwords and PINs aren’t enough, cybercriminals will always find a way to beat the system (both from the outside, or even worse, from the inside). Instead of simply trying to keep the bad guys out (which clearly is not working within current deployments), we need to adopt multiple layers of security and multiple factors of authentication which will help ensure that the user accessing the information is who they purport to be. Strong security must prevail, and the same strength of security must be applied to all aspects of the customer experience: enrolment/registration, usage, and especially transaction and exception processing.

I know many readers will respond to this by saying that multilayer/multifactor authentication will only add complexity to the process, complexity that will draw the ire of end users and customers. For those of us in the transaction security business however, we already know that multilayer, multifactor authentication must be low friction or even frictionless and invisible in some layers. Ipso facto, the real benefit of a multi-layer/factor approach is that it’s virtually impossible for the fraudster to figure out what “invisible” layers are being applied and, if you don’t know what security is being applied, it’s extremely difficult if not impossible to break the model. Even if the fraudster does manage to compromise one layer, it’s not a case of break one layer and the fraudster is in.

Today, we are beginning to see banks, financial institutions and solution providers, like FICO, embracing strong authentication technologies such as: voice biometrics, location correlation, trusted channel Out of Band (OOB) communications and  trusted device (such as a mobile phone), and most importantly transaction verification. The objective is to ensure their customers valuable data and money is protected. It may seem cynical, but in an increasingly mobile and interconnected digital world, we may never truly eliminate identity theft and data breaches, but we can achieve significant progress through the adoption of strong authentication, whereby we can ensure that should your personal data be stolen, it can be rendered unusable because of additional security and transaction verification steps.

If Apple had adopted a more robust multilayered, multifactor authentication technology as the de-facto user experience, for example, using its own iPhone as the trusted device/OOB channel, incorporating its finger print biometric reader and geo-location correlation, hackers would have had significant difficulties in accessing Jennifer Lawrence’s iCloud account. In fact, as soon as an exception occurred, she could have been notified that irregular and unusual account access attempts had been made. With multifactor authentication, not only would we have better “security” and a better user experience, but we also build trust and gain the peace of mind that when our information is accessed, especially when it is accessed from an unknown device or location, we aren’t kept in the dark until it’s too late!

There are those who will try to play down the risk of attacks like this, arguing that these celebrities were specifically targeted because they are constantly in the public eye. While this may or may not be true, they now have something in common with an unfortunately large and growing population…they too have become a cybercrime statistic.

Companies like Apple need to seriously consider multi-factor authentication using multi-modal biometrics. What better way to complement their current iPhone finger print reader than by adding Voice Biometrics? No more PINs or passwords to remember, no more security questions to guess. Voice Biometrics is now of age for mass market deployment and is an extremely strong but very low friction security model that can complement other clever and often invisible security layers. Such a security architecture is intuitive and user friendly, yet can provide assurance to non-repudiation level if called upon. Apple already has the majority of the required technology and infrastructure in place, they just need to take that final step. Perhaps the current breach is the catalyst they need to make such a move.

TagsSecurityPayments

Comments: (1)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 08 September, 2014, 15:58

As the latest case of UBER in India illustrates (http://auto.economictimes.indiatimes.com/news/aftermarket/uber-in-talks-to-integrate-digital-wallet-in-india/41994881), it’s still difficult to implement a technology that strikes the right tradeoff between CX (as a company known for CX wants it) and security (as the regulator mandates it). Maybe such a technology exists but, for the specific case of iCloud Photo Scandal, can't such a hack be prevented by inserting a CAPTCHA in the “Find My iPhone” service so that (1) Fraudsters won't be able to run “brute force” programs to guess Jennifer Lawrence's iCloud account password (2) If she herself forgets her password, she'd be able to retrieve it with only the friction of cracking the CAPTCHA code? Seems like a simple solution.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Pat

Payment Card Data Theft At The POS - Time To Knuckle Down

13 October 2014  |  2593 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInnovation in Financial Services

More Channels, More Payment Options, More Fraud

23 September 2014  |  853 views  |  0  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services

iHack Hastens Call for Multi-factor Authentication

05 September 2014  |  2478 views  |  1  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security

The Next Target-Style Attack This Holiday Season?

11 August 2014  |  1777 views  |  1  |  Recommends 0 TagsMobile & onlinePaymentsGroupInnovation in Financial Services
name

Pat Carroll

job title

Founder/Executive Chairman

company name

ValidSoft

member since

2011

location

London

Summary profile See full profile »
Throughout his career, Pat has been at the forefront of industry thinking, representing organisat...

Pat's expertise

What Pat reads
Pat writes about

Who is commenting on Pat's posts

Melvin Haskins
Ketharaman Swaminathan
Kenneth Carnesi
Andrew Smith