High-profile security breaches are constantly in the news, as the world’s biggest companies face new and emerging threats on a daily basis. Brands like Apple and Starbucks are struggling to protect their customers as they build an online profile of their lives. According to Ofcom, 70% of UK internet users are happy to give away their details*, which is drip-feeding hackers with the power to make seismic security breaches.
Knowledge is power to the hacker – every day they are being equipped for their next attack, as users are trusting organisations with their personal information online.
One of the biggest threats is hackers exploiting how major internet browsers cache login credentials and simply assume it is the same person accessing their pages over and over again. If a business leaves its systems as open as this, a successful attack will lead to dire consequences.
When an individual user logs in to an account on a web browser, such as Internet Explorer or Google Chrome, they will be asked if they want their credentials remembered via a tick box. A pop-up will then appear asking the user to confirm this decision. If the user confirms, the browser will cache the credentials and use them every time the user returns to that account.
Google has gone a step further, allowing users to save their entire Chrome history and their bookmarks to the cloud, providing access from any computer or tablet when they sign in. This flexibility comes at the cost of security, and a range of accounts or systems could be left vulnerable to attack. A hacker could be presented with relatively easy access to bank accounts, private online documents, or a secure corporate network through a VPN.
While this is a risk consumers are willing to take in return for simplicity and convenience, it should never be contemplated by businesses as it would risk their reputation and heavy fines for not protecting their systems.
By allowing browsers to cache credentials, users are left with their personal information being known not only by the system the user is trying to log in to but also by the browser which processes the login request. It is like a butler owning a set of keys to the master’s safe: it is another person a burglar can exploit to open the safe when the user is absent.
The same principle can be applied to a range of security systems and this knowledge is power to hackers, as successful attacks have the potential to fully compromise companies.
What would happen if a security system had zero knowledge of the login credentials? Hackers are capable of the most complicated attacks without any help, so it is now time to stop giving them the code to the safe once they have broken in through the front door.
Two-factor authentication (2FA) ensures these credentials cannot work alone to access important information; however, getting this technology wrong is not worth contemplating.
Deployed and used correctly, two-factor authentication is the layer needed to protect one’s digital identity. However, despite 2FA adding this protection, users can be left with a false sense of security, as some systems they are logging in to request their credentials only the first time of use. The user only needs to fully authenticate once and they can come back to the system day after day with instant access. For example, an online retailer will ask customers to use 2FA to confirm their purchase but then allow them to return the next time to purchase more goods without asking for login credentials.
While private users who find 2FA inconvenient may deem this to be safe, it is essential for the more security conscious to ensure credentials are physically entered every time a user logs in. Certainly for anyone who has been compromised before, this added protection is no trouble at all compared to the consequences of having your identity compromised.
In 2011 RSA Security had to replace 40 million of its SecurID tokens – nearly every one in existence at the time – after hackers attacked contractor Lockheed Martin. Users logged in with a username and password, with a random number on their token as the second factor to authenticate. This number changed every 30 to 60 seconds, controlled by an RSA algorithm. The hackers obtained this algorithm, making the tokens worthless and putting the entire system in jeopardy.
Automatically splitting the seed record is a secure response to such a breach. One part is created locally on the customer’s server, while the second is generated from specific characteristics of the mobile device that make it unique, e.g. information about the SIM card, the CPU or equivalent. When the app generates a passcode, the end device decrypts the first half of the seed record and derives the second half accordingly. Since one of the two seed record parts is never stored on the employee’s mobile device, the security software excludes the possibility that attacking malware can steal this seed record. Since the seed record is derived in part from the phone’s own hardware fingerprint at the time of enrolling, the security system clearly can’t have a copy of the seed.
The latest 2FA technology is built upon this ‘zero knowledge’ foundation. This means neither the user, nor the platform they are trying to access knows all of the information. Nor indeed does the information security company called in to protect that data. Splitting the seed record means no party has a 360 degree view of the credentials.
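The split described in the two paragraphs above, as an added illustration that is not SecurEnvoy’s code: the fingerprint attributes, the salt, the XOR recombination and the use of standard RFC 6238 TOTP are all assumptions, and at-rest encryption of the stored half is left out.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # passcode length

def derive_device_part(fingerprint: dict, salt: bytes) -> bytes:
    """Re-derive one half of the seed from device characteristics at run time.
    The attribute names are constructed for this example; nothing is stored."""
    material = "|".join(f"{k}={fingerprint[k]}" for k in sorted(fingerprint)).encode()
    return hmac.new(salt, material, hashlib.sha256).digest()[:20]

def split_seed(full_seed: bytes, fingerprint: dict, salt: bytes) -> bytes:
    """Enrolment: return the server-created half of a 20-byte seed. XORed with
    the device-derived half it reproduces full_seed; on its own it is just
    random-looking bytes, so neither half is the seed."""
    dev = derive_device_part(fingerprint, salt)
    return bytes(a ^ b for a, b in zip(full_seed, dev))

def totp(seed: bytes, t: int) -> str:
    """Standard RFC 6238 TOTP (HMAC-SHA1, 6 digits) for Unix time t."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def device_passcode(server_part: bytes, fingerprint: dict, salt: bytes, t: int) -> str:
    """On the phone: combine the stored half with the half re-derived from the
    hardware, use the full seed once, and let it go out of scope."""
    dev = derive_device_part(fingerprint, salt)
    seed = bytes(a ^ b for a, b in zip(server_part, dev))
    return totp(seed, t)

if __name__ == "__main__":
    # Constructed enrolment data: a fixed seed, a fake fingerprint and a salt.
    seed = bytes(range(20))
    phone = {"sim": "234150000000001", "cpu": "demo-soc"}
    salt = b"enrolment-salt"
    stored = split_seed(seed, phone, salt)          # the only half kept on the phone
    now = int(time.time())
    print("phone  :", device_passcode(stored, phone, salt, now))
    print("stolen half alone:", totp(stored, now))  # useless without the hardware
```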
As the need for more online security increases, so does the user’s willingness to provide personal and important information. Sharing this knowledge has led to hackers learning more information than ever before, allowing them to capitalise on previously trusted systems. To ensure security, firms need to embrace solutions that remove this knowledge, rendering the hacker powerless.
Steve Watts, co-founder of SecurEnvoy