23 May 2018
Pat Carroll
Security by Obscurity is the key!

27 January 2015  |  4241 views  |  0 comments

2014 shocked us all into the reality that no institution or organization, no matter how big or sophisticated, was immune to being “hacked” or “breached”. Towards the end of the year, we were all numbed into submission, and the shock factor from the headlines that continued to dominate was replaced with an uneasy bewilderment.

Already this year, we have witnessed headlines concerning fraud at institutions like PayPal and XOOM, where the CFO became a casualty of its $30m fraud. In the world of virtual currencies: theft on a grand scale with the “loss” of 19,000 bitcoins from the UK-based Bitcoin exchange Bitstamp. Alongside this, the US IRS alerts folk that it paid some $5.2 billion in fraudulent identity theft refunds last year whilst preventing some $24.2 billion in attempted fraud, according to the Government Accountability Office (GAO).

No small wonder, then, that I am concerned 2015 will see a continuation of the reporting of such breaches, but in a much broader and deeper manner. Unfortunately, the majority of security architectures have not kept pace with the evolution of sophisticated fraud. The situation is so severe that in October last year it prompted the Director of the FBI, James Comey, to make the following statement regarding Chinese hackers: “…There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese…”. I believe that the same could be said for sophisticated fraud and its impact on big US businesses.

Has the industry learned anything, and is it finally coming to terms with the extent and scope of the problem? What of the FIDO Alliance, and specifically Google’s “new” physical two-step Security Key (FIDO token)? In this day and age, is a new physical token the right approach to user authentication?

According to Google, the new Security Key is a physical USB device that acts as a second authentication factor “…that only works after verifying the login site is truly a Google website. Rather than typing a code, you just insert the Security Key into your computer’s USB port and tap it when prompted…”. The Security Key implements the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so its primary claim is that it will work with any website login process that supports FIDO U2F. This does not, however, mean that it will work with all websites, whether Google’s or otherwise. It doesn’t.

Leaving aside the “token necklace” argument, which is always a by-product concern of physical tokens, we need to be especially cognizant that today’s cybercrime is very sophisticated and comprehensive. Not only are personal computers, tablets and mobile phones routinely hacked, infected and otherwise compromised to steal a user’s personal data; the most insidious threats come from fraud vectors such as Man-in-the-Browser (MitB) attacks, which can render all forms of user authentication, even a physical Security Key, ineffective.

In fact it is worse than that, since the token can engender a false sense of security for both the consumer and the bank. Trust is established in the relationship, which of course creates a perception that any resulting transaction must be genuine. Wrong. The MitB thrives on such trust to perpetrate its crime: stealing personal information and credentials, and manipulating the details of the transaction in real time with such precision that, whilst the customer believes (s)he is confirming the transaction visible on the screen, the bank or service provider is receiving an entirely different transaction, the one the fraudster wishes to take place. And there are countless variations of such malware available in the wild today, all custom built for a specific purpose.

Such fraud is possible because MitB is a threat that infects a web browser, taking advantage of its security vulnerabilities to modify web pages, modify transaction content or insert additional transactions, all in a completely covert manner invisible to every party to the transaction. MitB acts as a sophisticated “Man in the Middle” and is capable of compromising all forms of user authentication.

When we first encountered MitB in 2007, we were shocked by the scope of the problem. Sadly, 7 years later, the full horror of such fundamental weaknesses in our core internet security architecture became apparent. 2014 will be remembered for headlines concerning Heartbleed, POODLE and many others that created global enterprise panic and a rush to produce patches and other “fixes”. In 2015, we need to understand that all authentication tools, be they passwords, Security Keys or even biometrics, are just tools: necessary parts of a larger, multi-layered authentication and transaction verification system.

The blueprint for success is device trust plus strong user and transaction authentication incorporating voice biometrics. The battle for the “token” is long over: the best “token” remains our smartphone, once the device is “trusted”. This platform provides the optimum environment for implementing a real-time, multi-layer, multi-factor security model. There, the layers are invisible, and user and transaction authentication can be reliably committed through the application of voice biometrics. The resultant security model is very strong, is available today in a totally integrated and indigenous format, is easy to use and is virtually frictionless. Moreover, it enables such a strong security model to be deployed across all channels, to counter all known sophisticated fraud threats, including MitB.
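To make concrete why a MitB defeats user authentication on its own (the scenario described a few paragraphs above) and what the transaction verification layer in this blueprint adds, here is an added simulation; it is not code from the original post or from ValidSoft. The second factor signs only the login challenge, a simulated MitB rewrites the payment after the customer approves it, and an out-of-band read-back of the details the bank actually received catches the substitution. The key, challenge, payee and amounts are constructed values for the demo, and the out-of-band confirmation is modelled as a simple comparison rather than a voice channel.

```python
import hashlib
import hmac

# Constructed demo key standing in for the user's second factor; what matters
# here is what the signature covers, not the primitive used.
DEVICE_KEY = b"demo-device-key"

def sign(data: bytes) -> str:
    return hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()

def browser_side(intended, challenge, tamper):
    """The customer approves `intended` on screen. The token signs the login
    challenge only; a MitB, if present, rewrites the transaction afterwards,
    so the bank receives `tx`, not what the customer saw."""
    login_assertion = sign(challenge)
    tx = dict(intended)
    if tamper:
        tx.update(tamper)          # covert substitution of payee/amount
    return tx, login_assertion

def bank_auth_only(challenge, tx, login_assertion):
    """Layer 1 alone: strong user authentication, no transaction verification.
    A valid login assertion is accepted whatever transaction content arrived."""
    return hmac.compare_digest(login_assertion, sign(challenge))

def bank_with_tx_verification(challenge, tx, login_assertion, confirm):
    """Layers 1 + 2: once the login assertion passes, the bank reads back the
    details it *received* over a separate channel (modelled by `confirm`) and
    executes only if the customer confirms those exact details."""
    if not hmac.compare_digest(login_assertion, sign(challenge)):
        return False
    return confirm(tx)

def run(tamper, verify_transaction):
    """Returns True if the bank executes the payment it received."""
    intended = {"payee": "utility-bill", "amount": "120.00"}  # constructed
    challenge = b"login-challenge-0001"                        # constructed
    tx, assertion = browser_side(intended, challenge, tamper)
    # Out-of-band confirmation: the customer compares what the bank read back
    # against what they meant to pay; the browser malware never sees this path.
    confirm = lambda shown: shown == intended
    if verify_transaction:
        return bank_with_tx_verification(challenge, tx, assertion, confirm)
    return bank_auth_only(challenge, tx, assertion)
```

With a MitB substitution in place, `run(tamper, False)` still executes the fraudulent payment because the login assertion is perfectly valid, while `run(tamper, True)` refuses it because the read-back no longer matches what the customer intended.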

Food for thought indeed!


Tags: Security, Transaction banking

Comments: (0)
