Delfigo Security - Strong Authentication

Identity and Authentication Blog

Cloud Authentication Processing Generates Cost and Energy Savings

Delfigo recently filed for patent protection on its Cloud Authentication Processing (CAP) and Verification method. The cloud authentication processing method combines enhanced login accuracy and access speed based on multifactor authentication, with significant efficiencies in data processing and storage resulting in substantial resource and cost savings.

“We recognized that there were economic opportunities available here. A more elegant, 'green' approach to multifactor authentication (MFA) significantly reduces processing and storage needs,” said Delfigo’s CEO Ralph A. Rodriguez. “When you are talking about the scale of Facebook, Twitter or Google, who are on their way to authenticating a billion users globally, CPU processing and storage optimization with CAP will reduce energy consumption requirements, enhance scale and result in millions of dollars in annual savings.”

Our team continues to take the lead in developing novel approaches to tackle authentication challenges. With the growth of cloud computing and other high user count systems, companies are faced with processing millions of users over the Internet. Additional data traffic, complex mathematical computation and exponential increases in hardware storage requirements for password, device, network and geo-centric user data will place huge drains on processing resources, related to CPU, memory, bus and circuit board speed in massive cloud data centers. This will in turn increase power and HVAC costs.

Delfigo’s Cloud Authentication Processing and Verification method is designed to deliver the highest login accuracy for the shortest end user login time, so that access to cloud based systems is both safe and fast. This approach is estimated to decrease storage requirements by a 10:1 ratio, and to reduce processing requirements because only a single stored entry is used to authenticate against prior end user data. The method is expected to save millions of dollars per data center, along with the natural resources that companies, organizations and countries need to power and cool equipment.

 

Is Indifference to Mobile Security The Problem?

Over the past 25 years the cell phone has evolved from the one dimensional brick phone into the powerful smartphone of today. Estimates indicate that smartphone ownership will reach 43% of the US mobile population by 2015, and Gartner states that smartphone sales will reach 95 million in 2011. With ever increasing processing power, and hundreds of thousands of applications currently available, the smartphone has rapidly become the primary device for everyday access to social media, banking, commerce, shopping and personal entertainment.

What is often lost in this love affair with mobility is that the smartphone presents the same level of risk as the PC. The rapid expansion of capabilities and acceptance of these devices as an essential element of our personal and professional life has regrettably coincided with an overall indifference to security. Convenience - in the moment, on the go convenience - trumps any concern for protection of assets. The average user has a wide variety of confidential private data stored on these very personal devices, and estimates show that 40% of business professionals carry sensitive business information as well.

Look no further than the recent articles on Zitmo or DroidDream to see that the risk is real. Zitmo, a variant of the Zeus Trojan, has been adapted to target phones running the Android OS. Users are tricked into installing a “security component” that they assume comes from their bank, but is really malware. DroidDream, malware that exploited a bug in older versions of Android and led to 58 apps being pulled from the Android Market, resurfaced in 4 additional apps in July.

User indifference is often identified as a key part of the problem: the user fails to play the role that security managers expect, for the obvious reason that they do not want to be inconvenienced. Vendors that assume the user should play a key role in the security strategy are missing an important element in developing and implementing strong authentication solutions for the mobile user. Security should operate invisibly in the background and not in any way interfere with the user experience.

_______________________________________________

1. “Smartphone Malware Report”: Raising Awareness of the Threats Affecting Mobile Devices

2. Zeus Banking Trojan Hits Android Phones

3. DroidDream Again Appears in Android Market Apps

4. Smartphone Market Statistics

5. Research and Markets – Mobile Phone Biometric Security Report

 

FFIEC Finally Releases Supplement to Authentication in an Internet Banking Environment

The much anticipated FFIEC Authentication Guidance was released on June 28, 2011 as a supplement to the very dated 2005 Guidance on Authentication in an Internet Banking Environment. The complete text of the Supplement to Authentication in an Internet Banking Environment is available on the FFIEC website.

There is not much difference from the draft mistakenly released on the National Credit Union Administration website in 2010. The guidance is weak in a number of areas, specifically the need for multi-factor authentication in consumer banking, not just commercial banking, and the failure to address the security of mobile banking.

The supplement does emphasize the need for ongoing updates of risk assessments and the need for a layered approach to security. Both are recommendations commonly found among best practices for identity and authentication management.

A number of vendors will scramble to re-position their products as multi-factor, or attempt to adapt single dimension OTP or challenge response offerings to address the emphasis on risk assessment and layered security. However, there are many current offerings available to address the regulatory requirements of 2012. Careful research is essential to identifying an authentication solution that not only fits your needs, but does so without adding additional burden to users, and also provides a flexible platform that can adapt and extend to meet the challenges of tomorrow.

 

--------------------------------------------------------
  1. Supplement to Authentication in an Internet Banking Environment
  2. BankInfo Security – New Authentication Directives Don't Address Emerging Risks

 

Protecting Access to electronic Personal Health Information (ePHI)

The HITECH Act contains incentives (and disincentives) designed to accelerate adoption of electronic health record (EHR) systems and deliver on the original goals of the Health Insurance Portability and Accountability Act (HIPAA). These goals are rightly identified as “critical to patient safety, quality of care and reduction of delivery costs.” However admirable they are, there is little among the many recommendations that addresses the significant consequences that accompany the rollout of EHR systems. Electronic medical records contain a vast wealth of personal information, and this information will only become more vulnerable, and more susceptible to potential misuse, as access extends to an ever wider network of consumers and health care providers. As has historically been the case with all information systems, the desire to provide more open access and greater usability is always at odds with genuine concerns for security and privacy.

The Privacy and Security Tiger Team of the Office of the National Coordinator for Health IT recently released recommendations aimed at addressing this big elephant in the room. They point out that the HIPAA Security Rule requires covered entities to implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed. However, the Security Rule does not specify authentication options, assurance levels or verification requirements. The Tiger Team’s goal was to establish stronger authentication policy as part of governance for the Nationwide Health Information Network (NwHIN). Their recommendations for authentication of a certified EHR include:

  • Baseline user authentication policies should require more than just user name and password for remote access; at least two factors should be required.
  • Organizations and entities are encouraged to adopt a risk based approach and provide multi-factor authentication for sensitive, high risk transactions.
  • A minimum of two factor authentication for e-prescriptions of controlled substances is required, consistent with the current DEA rule.
  • Meaningful Use Stage 2 certification testing criteria for EHRs should include testing of compliance with the DEA authentication rule.

It is refreshing to see direct commentary regarding stringent authentication standards. However, the conflict between open access and security is clearly apparent throughout the document. This is evident in statements such as “providers must manage the risk of inappropriate access; however they should not set the identification requirements in a way that discourages or inhibits patients from participating.” Open access for patients is no longer the future; it is happening now. EHR systems need to balance the requirement for access with the equally important need for security. An approach focused on layered access to information, using a risk based authentication modality that answers three simple questions (are you who you say you are, where will I allow you to go, and what will I allow you to do) is the best means of achieving this goal.

-------------------------------------------------------------------

Resources:

  1. ONC Privacy and Security Tiger Team
    http://healthit.hhs.gov/portal/server.pt/community/healthit.hhs.gov:_privacy_&_security_tiger_team/2833/home/19421

  2. Summary: HIPAA Security Rule
    http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
 

FFIEC Mandates - Are You Prepared For The Coming Changes?

The FFIEC was expected to provide an update to the 2005 Guidance on Authentication in an Internet Banking Environment in early 2011. Yet here it is almost May and nothing has been forthcoming. Bank Information Security recently reported the release is close, but would not speculate on when it would actually occur, as one FFIEC agency is rumored to be holding up the process.

It would be a dramatic understatement for the FFIEC to simply “reiterate and reinforce” given the dramatic change in online banking risks today as compared to 2005. In the 5 years since the FFIEC last released its guidelines on risk strategies and authentication technologies, a query of the Privacy Rights Clearinghouse database shows that 2135 publicly reported data breach incidents have occurred. These breaches compromised 459,217,337 sensitive records (bank account information, credit card numbers or Social Security numbers). The ready availability of more advanced technology that allows those with little or no programming knowledge to launch sophisticated attacks, combined with the recognition that a more aggressive criminal element exists today, would certainly require much more than a reaffirmation.

Banking institutions and industry associations demonstrated their concern about the pending guidelines by scrambling to provide feedback following the public availability of an initial draft, "Interagency Supplement to Authentication in an Internet Banking Environment", mistakenly posted on the National Credit Union Administration website in December 2010. This has led security analysts to speculate on the possibility that important changes are ahead.

Currently, the leaked draft remains the only available indicator of what to expect. The draft contained the following recommendations:
  • More frequent risk assessments focusing on authentication and related controls, at least every 12 months and prior to implementing new electronic financial services.
  • More robust controls as the risk level of transactions increases.
  • Layered security to detect and effectively respond to suspicious or anomalous activity, both at initial login and at initiation of an online transaction.
  • Multi-factor authentication, well beyond simple device identification and easily answered challenge questions.
  • Increased customer education and awareness.

Here is the question: Are you prepared? Many vendors are currently scrambling to re-position their products as multi-factor, or attempting to adapt single dimension offerings to address the emphasis on layered security. In a complex and confusing market, careful research will be essential to identifying an authentication solution that will increase identity assurance without adding additional burden to users, while also providing a flexible platform that can adapt and extend to meet the challenges of tomorrow.
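The draft's "more robust controls as the risk level of transactions increases" and "layered security at login and at transaction initiation" (the same two points the later FFIEC supplement post above emphasizes, and the three questions posed in the ePHI post) describe a decision the server has to make on every request: how much assurance to demand before letting the action proceed. The following is an added example written for this page, not code from Delfigo or from any FFIEC material. The signals, weights, thresholds, assurance level names and the 900 km/h impossible-travel bound are all assumptions for illustration.

```python
"""Risk-based, layered authentication: decide how much assurance to demand.

Scores a login or a payment on a handful of signals and maps the score to the
authentication level the server should require before the action proceeds.
Signal weights, thresholds and the speed used for the impossible-travel check
are assumptions for this example, not values from any regulator's guidance.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Assurance levels the application can demand (assumed naming).
PASSWORD_ONLY = 1        # something the user knows
PASSWORD_PLUS_OTP = 2    # plus a one-time code
OUT_OF_BAND_CONFIRM = 3  # plus confirmation of payee and amount on a second channel

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins is "impossible travel"


@dataclass
class UserProfile:
    """What the server already knows about the customer (constructed for the example)."""
    known_devices: set
    usual_countries: set
    known_payees: set
    typical_transfer: float                               # e.g. the user's median payment
    last_login_at: Optional[float] = None                 # epoch seconds of previous login
    last_login_geo: Optional[Tuple[float, float]] = None  # (lat, lon) of that login


@dataclass
class Event:
    """A login (amount == 0) or a payment request (amount > 0)."""
    device_id: str
    country: str
    geo: Tuple[float, float]
    at: float
    amount: float = 0.0
    payee: Optional[str] = None


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(profile: UserProfile, event: Event) -> bool:
    """True if the user could not physically have moved from the last login location in time."""
    if profile.last_login_at is None or profile.last_login_geo is None:
        return False
    hours = (event.at - profile.last_login_at) / 3600.0
    if hours <= 0:
        return True  # clock went backwards or two logins at once: treat as anomalous
    return haversine_km(profile.last_login_geo, event.geo) / hours > MAX_PLAUSIBLE_KMH


def risk_score(profile: UserProfile, event: Event) -> Tuple[int, List[str]]:
    """Additive score plus the reasons, so every decision can be logged and explained."""
    checks = [
        (event.device_id not in profile.known_devices, 2, "unrecognised device"),
        (event.country not in profile.usual_countries, 2, "country never seen before"),
        (impossible_travel(profile, event), 3, "impossible travel since last login"),
    ]
    if event.amount > 0:  # transaction-level signals only apply to payments
        checks += [
            (event.payee not in profile.known_payees, 2, "new payee"),
            (event.amount > 3 * profile.typical_transfer, 2, "amount far above typical"),
        ]
    return sum(w for hit, w, _ in checks if hit), [r for hit, _, r in checks if hit]


def required_level(profile: UserProfile, event: Event) -> Tuple[int, List[str]]:
    """Map risk to the assurance level to demand before the action proceeds."""
    score, reasons = risk_score(profile, event)
    if event.amount > 0:
        # Money movement never rides on the login alone: at least an OTP, and once risk
        # is elevated a confirmation of the actual payee and amount on a second channel.
        return (OUT_OF_BAND_CONFIRM if score >= 2 else PASSWORD_PLUS_OTP), reasons
    return (PASSWORD_PLUS_OTP if score >= 2 else PASSWORD_ONLY), reasons


def demo():
    """Constructed scenario: a Boston-based customer and four events after a login at t0."""
    t0 = 1_300_000_000.0
    boston, bucharest = (42.36, -71.06), (44.43, 26.10)
    alice = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"},
                        known_payees={"electric-co"}, typical_transfer=200.0,
                        last_login_at=t0, last_login_geo=boston)
    events = {
        "routine login": Event("laptop-1", "US", boston, t0 + 3600),
        "login from new device abroad": Event("tablet-9", "RO", bucharest, t0 + 3600),
        "routine bill payment": Event("laptop-1", "US", boston, t0 + 7200, 150.0, "electric-co"),
        "large payment to new payee": Event("laptop-1", "US", boston, t0 + 7200, 5000.0, "acct-77"),
    }
    return {name: required_level(alice, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (level, reasons) in demo().items():
        print(f"{name:30s} -> level {level} {reasons}")
```

The point of returning the reasons alongside the level is that a layered control has to be auditable: an examiner, or the fraud team reconstructing an account takeover, needs to see why a step-up was or was not demanded. Note also that the out-of-band confirmation is only as strong as the second channel; an SMS code sent to a phone that is itself compromised, as in the Zeus Mitmo case described elsewhere on this page, no longer counts as a separate channel.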
______________________________________
Resources:
  1. Symantec Report on Attack Kits and Malicious Websites : Executive Summary
  2. Verizon 2011 Data Breach Report
  3. Privacy Rights List of Data Breaches 2005 to Present
  4. Top Nine Security Threats of 2011
  5. 2010 "Interagency Supplement to Authentication in an Internet Banking Environment" (two summaries were linked from the original post)
  6. 2005 Guidance on Authentication in an Internet Banking Environment
 

New OddJob Trojan Threatens Financial Institutions

Security firm Trusteer has identified a new trojan they have named OddJob which keeps banking sessions open after banking customers believe they have logged off. From Trusteer:

We have found a new type of financial malware with the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name we have given this Trojan, keeps sessions open after customers think they have “logged off”, enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users' digital - and online monetary - assets. We have been monitoring OddJob for a few months, but have not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed.

Information Week also reports the security firm F-Secure has found that a variant of the financial malware Zeus Mitmo is again active, this time targeting mobile phone customers of ING Bank in Poland. 

"Computers infected with a ZeuS Mitmo Trojan will inject a 'security notification' into the Web banking process, attempting to lure the user into providing their phone number," said Sean Sullivan [of F-Secure]. "If a phone number is provided, the user will receive an SMS link pointing to the mobile component, ZeusMitmo.A." Clicking on the link then presents Symbian and BlackBerry users with Zeus Mitmo malware tailored to their smartphone.

The goal of Zeus Mitmo is to create fraudulent transactions using the mobile device, while subverting the bank's security procedures. In particular, the malware's mobile component creates a man-in-the-middle attack that steals the one-time password that some banks send via SMS to authorize a financial transaction, which are also known as mobile transaction authentication numbers (mTANs). By hijacking this security verification process, Zeus Mitmo disguises its fraudulent activities from users.
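The OddJob description above turns on one server-side property: a captured session ID is worth exactly as long as the server keeps honouring it. If logout only clears the browser cookie, or the logout request never reaches the server, the token the malware copied stays valid. The following is an added example written for this page, not code from Trusteer, F-Secure or Delfigo; the store, the idle and absolute timeout values, and the class and method names are assumptions for illustration.

```python
"""Server-side session lifecycle: revoke on logout, cap lifetime regardless.

A session ID copied by malware is only useful while the server still honours
it. This store (a) marks the session dead the moment the user logs out, so a
copied token stops working, and (b) enforces idle and absolute lifetimes, so a
session whose logout never reaches the server still dies on schedule.
Timeout values and the class/method names are assumptions for this example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 10 * 60      # seconds of inactivity before a session expires (assumed)
ABSOLUTE_TIMEOUT = 60 * 60  # hard cap on session age, active or not (assumed)


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh, unguessable session ID (256 bits from the OS CSPRNG)."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, created_at=now, last_seen=now)
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user for a live session, else None (unknown, revoked or expired)."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return None
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]   # expired: forget it so it can never be revived
            return None
        s.last_seen = now             # sliding idle window; created_at never moves
        return s.user

    def logout(self, sid: str) -> None:
        """Revoke on the server. Deleting the browser cookie alone leaves the token valid."""
        s = self._sessions.get(sid)
        if s is not None:
            s.revoked = True


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a token copied at login, then three ways the session can end."""
    store, t0 = SessionStore(), 1_300_000_000.0
    results: Dict[str, Optional[str]] = {}

    # 1. Normal use, then a real logout: the copied token dies with the session.
    sid = store.login("alice", now=t0)
    stolen_copy = sid
    results["before logout"] = store.validate(stolen_copy, now=t0 + 60)
    store.logout(sid)
    results["after logout"] = store.validate(stolen_copy, now=t0 + 120)

    # 2. The logout never reaches the server and nobody touches the session:
    #    the idle timeout ends it.
    sid = store.login("alice", now=t0)
    results["idle, within limit"] = store.validate(sid, now=t0 + IDLE_TIMEOUT - 1)
    results["idle, past limit"] = store.validate(sid, now=t0 + 2 * IDLE_TIMEOUT)

    # 3. The logout is suppressed and the attacker keeps the session busy:
    #    the absolute cap still ends it even though it was never idle.
    sid = store.login("alice", now=t0)
    for minute in range(5, ABSOLUTE_TIMEOUT // 60, 5):
        store.validate(sid, now=t0 + minute * 60)   # a request every five minutes
    results["busy, at cap"] = store.validate(sid, now=t0 + ABSOLUTE_TIMEOUT)
    results["busy, past cap"] = store.validate(sid, now=t0 + ABSOLUTE_TIMEOUT + 1)
    return results


if __name__ == "__main__":
    for label, user in demo().items():
        print(f"{label:20s} -> {'live as ' + user if user else 'rejected'}")
```

Revoking on the server and capping the absolute lifetime bounds how long a copied token is useful after the customer walks away. It does nothing about fraud committed while the legitimate session is genuinely live, which is exactly what the "real time" hijack in the Trusteer quote exploits; that window is closed only by re-authenticating the transaction itself, not the session.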

 

Significant Increase in Botnet Attacks in 2010

Information Week cites a new report that states there was a 654% increase in botnet victims in 2010!

The botnet market is both growing and consolidating. The top 10 botnets of 2010 -- based on total number of PCs compromised -- began the year with 22% market share, but grew to account for 57% of all botnet infections by the end of the year. Meanwhile, in the same timeframe, the number of unique botnet victims grew by 654%.

Much of this is the result of readily available botnet building toolkits. These crimeware toolkits, such as MPack, Neosploit, Zeus, Nukesploit P4ck and Phoenix, compete with each other on the black market according to the Symantec Report on Attack Toolkits and Malicious Websites. Prewritten code allows those with limited skills "to customize, deploy, and automate widespread attacks, such as command-and-control (C&C) server administration tools. As with a majority of malicious code in the threat landscape, attack kits are typically used to enable the theft of sensitive information or to convert compromised computers into a network of zombie bots (botnet) in order to mount additional attacks."

 

 

FFIEC To Offer New Guidance on Strong Authentication

Bank Info Security reports that the Federal Financial Institutions Examination Council (FFIEC) is expected to provide new guidance on online banking and strong authentication:

The Federal Financial Institutions Examination Council is expected to issue new security guidance revisiting online banking and strong authentication, according to industry experts who have been involved in recent meetings with the FFIEC.

Gartner Analyst Avivah Litan is quoted: "I got the feeling that the guidance this time will be much more specific, suggesting banks might even be held more accountable in future cases of account takeover." Holding banks financially responsible for accounts would bring about significant change. Some solutions currently in place are more "check the box" solutions, designed primarily to address compliance, but not necessarily to improve security.

 

California's SB 1411 - Regulating Online Identities

California's new law, SB-1411, calls for criminal penalties for impersonating someone online:

"any person who knowingly and without consent credibly impersonates another actual person through or on an Internet Web site or by other electronic means, as specified, for purposes of harming, intimidating, threatening, or defrauding another person is guilty of a misdemeanor." 

Source: ZDNet: Analysis: California's Online Impersonation Law, Effective January 1

 