Welcome!

Web 2.0 Authors: Pat Romanski, Liz McMillan, Saar Bitner, Elizabeth White, Yeshim Deniz

Related Topics: Security, Java, SOA & WOA, .NET, Linux, Web 2.0

Security: Article

Confronting Identity Theft Head-On with Multi-Factor Authentication

Methods of identity theft have outpaced popular security measures, necessitating a new standard in data defense

The online world has become a dangerous place. According to a survey, 90 percent of all companies fell victim to a security breach in the last twelve months. Hacking and advanced persistent threats (APTs) have rendered the two-factor authentication token, now over 20 years old, essentially obsolete. Without question, a real need exists for a truly secure approach to real-time multifactor authentication to combat today's modern threats.

Remote Access Spikes Security Risk
The use of online services has exploded in the last decade as enterprises have adopted remote access as the default way to access systems and conduct business. With the pervasive use of online access to conduct business, the threat of identity theft has increased with stunning speed and complexity. Ponemon Research surveyed more than 500 corporations and found that 90 percent had been successfully hacked in the last twelve months. This finding underscores the need for major enterprises to adopt stringent, effective security methods as a means to protect against breaches. As a result, modern mobile phone-based multifactor authentication is in high demand.

Advances in Hacking
In the same way that the remote access industry has evolved, so have threats and their complexity. In the early days of online services, usernames and passwords were typically the only form of authentication. To defeat them, hackers used "brute force" attacks to guess the username or password, or "dictionary attacks" to assume a user's identity. In a dictionary attack, a computer or a hacker attempts various combinations of potential passwords until access is granted.

Systems eventually evolved to block these attempts by locking the account down after a few faulty attempts, leading hackers to develop new techniques like key loggers. Today, the most widely used attacks are pharming, phishing or a combination of the two. These terms describe methods by which users are led to a counterfeit website that looks just like the original. This tricks the user into entering his or her username and password. Some of the more advanced attacks send stolen information to the hackers in real time via a small instant message program, compromising many popular two-factor authentication tokens. As an example, Zeus malware captures a user's credentials - even advanced time-based token codes - and sends the information to the hacker.

As if that weren't enough, newer and more sophisticated methods of intercepting user interactions with online services have emerged in recent years, including man-in-the-browser, man-in-the-middle and session hijacking. Even the most secure traditional two-factor authentication token devices can no longer secure a user's identity against these new, more insidious threats. Yet many organizations are unaware that traditional tokens can be compromised, posing a significant security risk.

Many Security Technologies Fall Short
Today's ever-changing threat environment creates a never-ending battle wherein organizations must constantly evaluate the right level of investment in security. Often, the best possible protection is not financially feasible for many organizations, and thus a trade-off has to be made. To protect against identity theft schemes within budgetary constraints, organizations have sampled different technologies, including certificates, biometric scanning, identity cards and hard- and software tokens, with the latter being the most dominate technology. Certificates are often viewed as the ideal way to connect two devices with a secure, identifiable connection. The main issue is the deployment and administration of these certificates and the risks that these are copied without the user knowing it. Furthermore, the certificate authority might be compromised as well.

Biometric scanning has also enjoyed some success, often seen as a very secure alternative. However, the assumption that you always have a functioning finger or iris scanner handy has proven impractical, and the resulting scan produces a digital file that can itself be compromised. Another alternative is the identity card, which often proves impractical in a world of Bring Your Own Device ("BYOD"), where users demand access from an ever-changing variety of devices. Therefore, a new approach is needed.

A Mobile Approach to Security
Many organizations have begun using multi-factor authentication based on mobile networks to address today's modern threats while meeting a user's need for easier and more flexible solutions.

Two elements drive the adoption of the new crop of multi-factor authentication: one, the need to deliver hardened security that anticipates novel threats; and two, the need to deploy this level of security easily and at a low cost. The device used in the authentication process also needs to be connected to the network in real time and be unique to the user in question.

If the authentication engine sends a regular token via SMS, however, today's malware threats can steal the code easily. Therefore, organizations must seek strategies that operate efficiently in a message-based environment to successfully defend against modern threats. Key elements can include:

  • One-time password: To get the highest possible level of security, the one-time password (OTP) must both be generated in real time and be specific (locked) to the particular session, as opposed to tokens that use seed files where the passcodes are stored.
  • Minimal complexity: To minimize infrastructure complexity, the solution should plug into different login scenarios, such as Citrix, VMware, Cisco, Microsoft, SSL VPNs, IPsec VPNs and web logins. Other ways to minimize infrastructure overload include providing these logins in an integrated, session-based architecture.
  • Multiple defenses: To support real-time code delivery, the organization needs robust and redundant server-side architecture along with multiple delivery mechanism support, regardless of geographic location.
  • Easy management: The solution should be able to be managed easily within the existing user management infrastructure.
  • Context-specific: To maximize security, the company should leverage contextual information - such as geo-location and behavior patterns - to effectively authenticate the user.

The Security Horizon
The modern convenience of online services has brought with it the modern scourge of identity theft. Methods of identity theft have outpaced popular security measures, necessitating a new standard in data defense: session- and location-specific multi-factor authentication. This kind of real-time solution, delivered to a user's mobile phone, can provide the security organizations must have if they hope to protect their employees, users and data from modern online threats.

More Stories By Claus Rosendal

Claus Rosendal is a founding member of SMS PASSCODE A/S, where he oversees the product strategy and development in the role of Chief Technology Officer. Prior to founding SMS PASSCODE A/S, he was a co-founder of Conecto A/S, a leading consulting company within the area of mobile computing and IT security solutions with special emphasis on Citrix, Blackberry and other advanced handheld devices. Prior to founding Conecto A/S, he headed up his own IT consulting company, where he was responsible for several successful ERP implementations in different companies (C5 / SAP). Claus holds a Master Degree in computer science from University of Copenhagen.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The Internet of Things is a misnomer. That implies that everything is on the Internet, and that simply should not be - especially for things that are blurring the line between medical devices that stimulate like a pacemaker and quantified self-sensors like a pedometer or pulse tracker. The mesh of things that we manage must be segmented into zones of trust for sensing data, transmitting data, receiving command and control administrative changes, and peer-to-peer mesh messaging. In his session at @ThingsExpo, Ryan Bagnulo, Solution Architect / Software Engineer at SOA Software, focused on desi...
"At our booth we are showing how to provide trust in the Internet of Things. Trust is where everything starts to become secure and trustworthy. Now with the scaling of the Internet of Things it becomes an interesting question – I've heard numbers from 200 billion devices next year up to a trillion in the next 10 to 15 years," explained Johannes Lintzen, Vice President of Sales at Utimaco, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
"For over 25 years we have been working with a lot of enterprise customers and we have seen how companies create applications. And now that we have moved to cloud computing, mobile, social and the Internet of Things, we see that the market needs a new way of creating applications," stated Jesse Shiah, CEO, President and Co-Founder of AgilePoint Inc., in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Gridstore™, the leader in hyper-converged infrastructure purpose-built to optimize Microsoft workloads, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Gridstore™ is the leader in hyper-converged infrastructure purpose-built for Microsoft workloads and designed to accelerate applications in virtualized environments. Gridstore’s hyper-converged infrastructure is the industry’s first all flash version of HyperConverged Appliances that include both compute and storag...
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
We certainly live in interesting technological times. And no more interesting than the current competing IoT standards for connectivity. Various standards bodies, approaches, and ecosystems are vying for mindshare and positioning for a competitive edge. It is clear that when the dust settles, we will have new protocols, evolved protocols, that will change the way we interact with devices and infrastructure. We will also have evolved web protocols, like HTTP/2, that will be changing the very core of our infrastructures. At the same time, we have old approaches made new again like micro-services...
Code Halos - aka "digital fingerprints" - are the key organizing principle to understand a) how dumb things become smart and b) how to monetize this dynamic. In his session at @ThingsExpo, Robert Brown, AVP, Center for the Future of Work at Cognizant Technology Solutions, outlined research, analysis and recommendations from his recently published book on this phenomena on the way leading edge organizations like GE and Disney are unlocking the Internet of Things opportunity and what steps your organization should be taking to position itself for the next platform of digital competition.
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
As the Internet of Things unfolds, mobile and wearable devices are blurring the line between physical and digital, integrating ever more closely with our interests, our routines, our daily lives. Contextual computing and smart, sensor-equipped spaces bring the potential to walk through a world that recognizes us and responds accordingly. We become continuous transmitters and receivers of data. In his session at @ThingsExpo, Andrew Bolwell, Director of Innovation for HP's Printing and Personal Systems Group, discussed how key attributes of mobile technology – touch input, sensors, social, and ...
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
Building low-cost wearable devices can enhance the quality of our lives. In his session at Internet of @ThingsExpo, Sai Yamanoor, Embedded Software Engineer at Altschool, provided an example of putting together a small keychain within a $50 budget that educates the user about the air quality in their surroundings. He also provided examples such as building a wearable device that provides transit or recreational information. He then reviewed the resources available to build wearable devices at home including open source hardware, the raw materials required and the options available to power s...
Things are being built upon cloud foundations to transform organizations. This CEO Power Panel at 15th Cloud Expo, moderated by Roger Strukhoff, Cloud Expo and @ThingsExpo conference chair, addressed the big issues involving these technologies and, more important, the results they will achieve. Rodney Rogers, chairman and CEO of Virtustream; Brendan O'Brien, co-founder of Aria Systems, Bart Copeland, president and CEO of ActiveState Software; Jim Cowie, chief scientist at Dyn; Dave Wagstaff, VP and chief architect at BSQUARE Corporation; Seth Proctor, CTO of NuoDB, Inc.; and Andris Gailitis, C...
There's Big Data, then there's really Big Data from the Internet of Things. IoT is evolving to include many data possibilities like new types of event, log and network data. The volumes are enormous, generating tens of billions of logs per day, which raise data challenges. Early IoT deployments are relying heavily on both the cloud and managed service providers to navigate these challenges. In her session at Big Data Expo®, Hannah Smalltree, Director at Treasure Data, discussed how IoT, Big Data and deployments are processing massive data volumes from wearables, utilities and other machines...
"There is a natural synchronization between the business models, the IoT is there to support ,” explained Brendan O'Brien, Co-founder and Chief Architect of Aria Systems, in this SYS-CON.tv interview at the 15th International Cloud Expo®, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Media announced that Splunk, a provider of the leading software platform for real-time Operational Intelligence, has launched an ad campaign on Big Data Journal. Splunk software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. The ads focus on delivering ROI - how improved uptime delivered $6M in annual ROI, improving customer operations by mining large volumes of unstructured data, and how data tracking delivers uptime when it matters most.
In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the technology industry and how do they see opportunities for other women in their area of expertise.
While great strides have been made relative to the video aspects of remote collaboration, audio technology has basically stagnated. Typically all audio is mixed to a single monaural stream and emanates from a single point, such as a speakerphone or a speaker associated with a video monitor. This leads to confusion and lack of understanding among participants especially regarding who is actually speaking. Spatial teleconferencing introduces the concept of acoustic spatial separation between conference participants in three dimensional space. This has been shown to significantly improve comprehe...
The Industrial Internet revolution is now underway, enabled by connected machines and billions of devices that communicate and collaborate. The massive amounts of Big Data requiring real-time analysis is flooding legacy IT systems and giving way to cloud environments that can handle the unpredictable workloads. Yet many barriers remain until we can fully realize the opportunities and benefits from the convergence of machines and devices with Big Data and the cloud, including interoperability, data security and privacy.
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.