Tuesday, 07 July 2009 01:26
Charles Bouthot
Payment Card Industry (PCI) Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Is PCI a law? No. It is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). Enforcement of compliance is done by the organizations processing transactions (e.g. Visa, MasterCard, American Express).

PCI DSS Requirements (Wikipedia):
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Tuesday, 19 May 2009 01:38
Charles Bouthot
According to Technology Review, Microsoft and Carnegie Mellon University will present new research at the IEEE Symposium on Security and Privacy to show once again that secret questions used for password backup authentication are easy to guess and provide less than adequate security. The new research found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participants' secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.
We have regularly argued here that passwords alone are very vulnerable and not sufficient security. We have also believed that this was equally true for demonstrably simple questions, and this study clearly supports our beliefs. Despite all the effort and expense that goes into deploying and managing these complex and expensive identity management solutions, the fact remains that if someone really wants to gain access to your account they very likely will. And in most cases it may not be that difficult. There is clearly a need for a lower-cost, less complex solution that provides the strong authentication required to prevent identity theft and reduce fraud. The well-publicized incident involving the breach of Republican VP Candidate Sarah Palin's Yahoo account highlighted this problem late last year. With a little effort any enterprising individual can gather the personal knowledge (e.g. mother's maiden name, high school name, pet name, street name) necessary to make some fairly targeted guesses, and eventually gain control of an account.
Thursday, 14 May 2009 02:47
Bharat Nair
Over the weekend, MarketWatch reported that hackers broke into the State of Virginia's Prescription Monitoring Program (PMP) database and are demanding a $10 million ransom. The nature of this crime is mind-boggling but not a surprise considering the increasing trend in identity theft. It should serve as an eye-opener to ensure adequate authentication and authorization policies are put in place, especially when databases with large volumes of individual data are managed for statewide use. The Virginia database is intended for statewide doctors and pharmacies to track and reduce the abuse and illegal sale of painkillers. It is not clear from the article how the hackers accessed the patient records, but it is obvious that a database of this nature should have a strong authentication solution. However, there are many inherent challenges with the distribution and management of hardware-based second-factor authentication solutions, chief among them integration and cost. It may be that it is just not plausible for the State to implement a second-factor solution, such as "distributed" token-based second-factor authentication, for use by the thousands of potential end users needing access. Forrester Research's recent report on the State of Enterprise IT confirms that cost and complexity are the top barriers to Identity and Access Management. Delfigo Security has made it a point to address these challenges. Our business model focuses on lowering total cost of ownership, and our technology architecture concentrates on eliminating the hassles of integration, distribution and management. I agree with Gov. Kaine: "it is difficult to foil every criminal that may want to do something against you". There is a need for manageable, cost-effective solutions to prevent these types of brazen criminal acts from becoming regular occurrences.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached by phone at 1.617.248.6501.
Thursday, 07 May 2009 02:51
Charles Bouthot
The Federal Trade Commission has again delayed the enforcement of the "Red Flags" Rule to give businesses more time to prepare programs to comply with the law. The FTC is making available new materials to help businesses better understand the rule's requirements, and templates designed to assist in creating identity theft prevention programs that are appropriate to the size of a particular business.

What are the "Red Flags" Rules? The rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003. They require "each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft."

What are the basic elements of an Identity Theft Prevention Program? According to the FTC's Red Flags Rule How-To Guide for Business, there are four basic elements of an Identity Theft Prevention Program:

First, your Program must include reasonable policies and procedures to identify the "red flags" of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a "red flag" for your business.

Second, your Program must be designed to detect the red flags you've identified. For example, if you've identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.

Third, your Program must spell out appropriate actions you'll take when you detect red flags.

Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.
Wednesday, 06 May 2009 19:04
Charles Bouthot
Delfigo has been selected as a finalist for the TiE50 Awards, recognizing the hottest emerging startups. The winning companies will be announced on May 11, 2009. Delfigo was selected from nearly 1,200 nominated companies, and is a finalist in the Internet Infrastructure Category. The selection process for TiE50 winners will be based on a combination of a public poll and private judges' vote. Voting is open to the public beginning Tuesday, April 28, 2009 and closes on Thursday, May 7, 2009. Visit www.tie50.net/polling to cast your vote for Delfigo.
Monday, 04 May 2009 19:08
Charles Bouthot
Cloud Computing, where computing resources are delivered as a service over the Internet, continues to gain momentum. Microsoft recently announced its big push in SaaS with Microsoft Online Services. In the buzz-driven discussion of life in the cloud, however, there is limited discussion of Identity Management. Martin Kuppinger recently addressed this, noting that as security, privacy and minimal disclosure of personal information become more important, few SaaS providers are ready to support the Identity Management and GRC requirements of their customers. He states there are no standards for auditing and alerting, or for handling authorization management issues in the cloud. "To become successful as a provider in the cloud, the 'externalization' of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can't afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today."
Tuesday, 28 April 2009 19:10
Bharat Nair
Matt Conroy does a great job of providing a clear description of multi-factor security in his latest post, Multi Factor Security Review. Matt clearly describes the key elements of multi-factor authentication: something you know (login credentials), something you have (token or smart card) and something you are (any form of biometric data). He is also spot on in pointing out the key challenge that prevents the majority of companies from implementing biometric solutions: total cost of ownership. Systems that utilize fingerprints, retinal scans, and facial recognition are well beyond the typical security budget, and can be very challenging to deploy. Where Matt's article falls short is in not mentioning keystroke dynamics as a biometric that is gaining acceptance in the market. The primary advantage of keystroke dynamics as a biometric option is that it directly addresses the two main challenges of cost and deployment logistics. At Delfigo we have developed a zero-footprint security platform that uses keystroke dynamics to deliver a multi-factor authentication solution at very low cost. In addition, its novel architecture is web-services based, making it easier to deploy; it integrates with existing security and network infrastructure, and does not require the installation of any hardware devices. Bottom line, there is no reason why companies should defer or delay considering implementing a true multi-factor security solution today.

Bharat Nair is Vice President of Business Development at Delfigo Security, www.delfigosecurity.com, Boston, MA. He can be reached by phone at 1.617.248.6501.
Monday, 13 April 2009 19:15
Charles Bouthot
Gartner's four predictions for Identity and Access Management:
- Hosted IAM and IAM as a service will account for twenty per cent of IAM revenue by 2011.
- Twenty per cent of smart-card authentication projects will be abandoned and thirty per cent scaled back in favour of lower-cost, lower-assurance authentication methods.
(Key comment: "Gartner recommends that organizations with a free choice of authentication methods for local access should take a scenario-based approach to selecting new authentication methods, based on risk, end-user needs and total cost of ownership (TCO).")
- Thirty per cent of large corporate networks will become 'identity aware' by controlling access to some resources via user-based policies by 2011.
- Approximately fifteen per cent of global organizations storing or processing sensitive customer data will use out-of-band (OOB) authentication for high-risk transactions by 2010.
(Key quote: "Organizations that need to safeguard customer accounts should implement a three-pronged security strategy that includes risk-appropriate user authentication, fraud detection, and transaction verification for high-risk transactions." - Ant Allan, VP, Research at Gartner)