What is the Value of Customer Credentials?securenvoy 02/01/2013, Archive
Last month, organisations received an enormous wake-up call – news of the largest cyber-attack ever on a state government in the US. While the fact that breaches still occur is almost to be expected, it’s the magnitude of what the criminals stand to make from the data stolen that beggars belief. Is there any way to stop criminals profiting from our information?
For anyone that missed it, the South Carolina state computer system hack is notable for the volume of data – 3.6m social security numbers plus 387,000 credit plus debit card credentials – that were stolen. Cybercriminals can use this data to create cloned payment cards, apply for credit, and even open bank accounts in the victim’s name. While on the face of it that might seem limited, when you work out that with a conservative $3.00 rate per set of card information stolen, the cybercriminals stand to make more than a million dollars simply for selling on the credentials they stole is this single haul.
The sad reality is that attacks on third-party credentials - which can be used in identity theft frauds - are fast becoming a global cybercriminal commodity business.
What went wrong? Fundamentally, the computer system was left unprotected. According to reports, the perpetrator first infiltrated the Department of Revenue computers in August, snooped around a couple of times, and then simply downloaded the records. And it’s as simple as that!
Criminals are patient creatures. They’ll conduct reconnaissance missions, from the safety of their lair, using an automated set of hacking tools to probe likely IP addresses on the Internet. Once they’ve identified an inadequately protected gateway, they’ll sneak in, scout around, and they’re off with the goods. A bit like a cat burglar but with less risk of detection and often far greater rewards.
It would be wonderful to say that attacks of this nature are rare but unfortunately that simply isn’t true. In the US 11 state tax agencies have experienced breaches since 2005. And of course it’s not just the tax agencies that have been breached as numerous US government agencies have also been breached. And it’s not just the US as the UK’s NHS has itself lost 1.8 million sets of patient records in the last year alone. What it all means is there is a big question mark hanging over the security of government systems.
What can be done? The fact that government – at both local and national levels – is short of money in these straightened times means the problem can’t be solved whatever the cost. That’s the sad reality. Instead organisations need to introduce effective security precautions.
Databases, and the gateways they hide behind, are typically opened with simple credentials – the combination of a user name and password. We’ve said this before but it’s worth reiterating that automated password cracking software can perform 100 million checks per second – that equates to a four character password being cracked in 0.16 seconds; a six character password in 11.4 minutes; and an eight character password in just 32 days. Industry opinion is that this is vastly inadequate.
The long and short of it is organisations are duty bound to add a decent level of security. Fundamentally this is two things – decent encryption and industry standard two factor authentication (2FA).
The security foundation stone is 2FA as all security systems sit on top. If you can’t verify the identity of the person gaining access, given that they can be anyone on the internet, then everything else is superfluous.
True 2FA is the combination of two, of a possible three, elements:
- Something you know – such as a pin or password
- Something you own – such as a key, token or the chip embedded in a credit card
- Something specific to the person – such as a fingerprint, or retina
It’s worth clarifying at this point that entering certain characters from a memorable phrase does not constitute 2FA - it’s still something you know, albeit a little more complex.
Conversely, while something specific to the person – or biometrics as it’s widely referred – is considerably more foolproof, it requires hardware, which often makes this element a non-starter.
It’s not surprising, therefore, that when introducing 2FA, it is the first two elements that are the most common combination employed. In the real world we regularly use Chip and Pin to make a purchase in the high street, or withdraw cash from an ATM. Quite simply this is 2FA in action in the real world.
That said, it’s important to remember that not all 2FA systems are the same. Clever companies have realised that it’s the end user who is ultimately in control and are introducing systems that allow organisations to offer strong authentication with end user flexibility. Any device that can be connected to the internet can act as an authentication token - an SMS on a mobile, an app on a Smartphone or tablet, or a soft token on a laptop – with the ability to swap between devices at will.
This is what is referred called ‘tokenless’ two-factor authentication (2FA), such as that offered by SecurEnvoy’s SecurAccess solution, and it secures an IT interaction with `something you have’ (the handset) and `something you know’ (the challenge authentication data) across an easy-to-use system (the mobile network.)
Implementing tokenless 2FA is a very easy and low-cost way of securing access to large data repositories in the public sector, both with employees and members of the public, where appropriate. With every practically every pocket now containing a mobile phone, the chances of a user not having their ‘token’ with them at the point of entry is unlikely.
While we might not be able to stop criminals looking for data, especially when it’s such a valuable commodity, organisations have a responsibility not to make it easy for them.