Delfigo Security - Strong Authentication

Identity and Authentication Blog

Security vs. Usability: And the Winner Is?

There has been, and will continue to be, a significant tension between security and user convenience. Everyone wants their systems to be more secure; I have never heard anyone say they want their systems to be less secure. But what tradeoffs will they make to provide that security? When it comes to decision time, the tension between user convenience/usability and security comes to the forefront, and security frequently ends up on the short end of the stick. Why?

The answer is simple. Security is provided to keep people off of a system, specifically those who are not authorized to access it. But on the other side of the coin, the systems were put into service, at significant effort and expense, to help a business grow. Whether we are talking about back-end management and support systems or front-end customer-facing ecommerce systems, they do not serve their purpose if it is too difficult for users to access them. Therefore, in the majority of cases user convenience trumps security, because usability and access to systems and services are of primary importance. As a well-known CEO said, “I do not want to trade $1 of fraud for $1 of customer support.”

"Where Do Security Policies Come From?" by Dinei Florencio and Cormac Herley touches on this issue. The study sought to examine whether the strength of a site's password policy was directly related to its security requirements (size of site, number of users, value of assets protected, frequency of attacks). They conclude:

"Our analysis suggests that strong-policy sites do not have greater security needs. Rather, it appears that they are better insulated from the consequences of imposing poor usability decisions on their users. For commercial retailers like Amazon, and advertising supported sites like Facebook, every login event is a revenue opportunity. Anything that interferes with usability affects the business directly. At government sites and universities every login event is, at best, neutral, or, at worst, a cost. The consequences of poor usability decisions are less direct. That simple difference in incentives turns out to be a better predictor of password policy than any security requirement. This in turn suggests that some of stronger policies are needlessly complex: they cause considerable inconvenience for negligible security improvement."

Florencio and Herley clearly articulate the need to understand the tradeoff between security and convenience in their conclusion. However, they also note that it is difficult to determine whether you have the security-convenience tradeoff right, or whether decision makers are "imposing considerable inconvenience for marginal benefit."


Business Value of Versatile Authentication

Martin Kuppinger clearly articulates the business value of versatile authentication (support for multiple authentication methods):

The business value is easy to describe: Reusing existing strong authentication technologies for more use cases makes things cheaper. Being able to use expensive very strong authentication where required but relying on other, cheaper, and appropriate technologies in other use cases reduces costs. Logistics for reused strong authentication technology is cheaper. All use cases, including external users like customers and suppliers, can be supported.

Overall, supporting versatile authentication is more and more a standard feature and the “versatility” of platforms for authentication is, from my point of view, an important point when selecting vendors. Hard-coding strong authentication into applications doesn’t really make sense anymore.


Using Keyboard Biometrics to Detect Automated System or BOT

The recent Wall Street Journal article, Accounts Raided in Global Bank Hack, discusses the latest example of the Zeus Trojan being used to steal credentials and access user accounts. Nearly $3 million was stolen in the scheme, in which accounts were illegally accessed at J.P. Morgan Chase & Co., Ally Financial Inc. and PNC Financial Services Group Inc. Funds from the accounts at those financial institutions were then transferred to "mule" accounts at Bank of America Corp. and TD Bank Financial Group before being sent to Eastern Europe.

“Hackers used malicious computer software known as Zeus Trojan, disguised in seemingly benign email. When the email recipient clicks on a link or attachment in the email, the virus monitors the victim's computer activity to grab user names and passwords.”

This is exactly the type of cyber attack that Delfigo’s authentication platform, working in conjunction with a bank's existing security ecosystem, is designed to address. First, keystroke biometric technology would have detected an automated system or BOT. The reason is mathematical: the keystroke timings of an automated system or BOT are too pure and regular. For example:

[Image: keystroke biometric EKG comparison]

The top half of the picture to the right shows the keystroke timing vector for a human being. It looks something like an EKG (all over the place) and is therefore unique. The bottom half of the picture shows the keystroke timing vector of an automated system or BOT: the signature looks very square and perfect. This is particularly true for the “dwell” times, since there is no variance.

A series of “triggers” would detect the BOT in real time and deny access. But what if the stolen credentials had been typed in manually? Once again, keystroke biometrics would have identified a mismatch between the human hacker's keystroke ID and that of the legitimate user on record.
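To make the dwell-time argument concrete, here is an added example (not Delfigo's product code or algorithm) that derives dwell and flight-time vectors from press/release timestamps, flags a sample whose timing variance is implausibly flat as automated input, and scores a manually typed sample against a profile enrolled from earlier genuine logins. The timestamps, the variance threshold and the z-score distance used for matching are all constructed assumptions for illustration.

```python
"""Keystroke-timing checks: flat-variance (BOT) detection and user matching.

Added example; not Delfigo's code or algorithm.  A login is a list of
(key, press_ms, release_ms) events.  Dwell = time a key is held; flight =
gap between releasing one key and pressing the next.  Scripted input gives
near-constant timings, a human's vary.  All sample data is constructed.
"""
from statistics import mean, pstdev


def timing_vectors(events):
    """Return (dwell, flight) lists in milliseconds for one login sample."""
    dwell = [release - press for _key, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def coefficient_of_variation(values):
    """Standard deviation relative to the mean; near 0 means a square, flat signature."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def looks_automated(events, cv_threshold=0.05):
    """True when dwell or flight variance is implausibly low (assumed threshold)."""
    dwell, flight = timing_vectors(events)
    return (coefficient_of_variation(dwell) < cv_threshold
            or coefficient_of_variation(flight) < cv_threshold)


def enroll(samples):
    """Per-position (mean, stdev) profile from several genuine logins of the same string."""
    profile = {"dwell": [], "flight": []}
    vectors = [timing_vectors(s) for s in samples]
    for idx, name in ((0, "dwell"), (1, "flight")):
        for column in zip(*(v[idx] for v in vectors)):
            # floor the stdev at 1 ms so a perfectly consistent position cannot divide by zero
            profile[name].append((mean(column), max(pstdev(column), 1.0)))
    return profile


def match_score(profile, events):
    """Mean absolute z-distance of a sample from the profile (0 = identical to the means)."""
    dwell, flight = timing_vectors(events)
    distances = []
    for vector, name in ((dwell, "dwell"), (flight, "flight")):
        for value, (mu, sigma) in zip(vector, profile[name]):
            distances.append(abs(value - mu) / sigma)
    return mean(distances)


def classify(profile, events, cv_threshold=0.05, max_distance=2.0):
    """Trigger order: automated input is denied; a human mismatch is challenged."""
    if looks_automated(events, cv_threshold):
        return "deny: automated input"
    if match_score(profile, events) > max_distance:
        return "challenge: keystroke mismatch"
    return "allow"


# Constructed samples for the four-character string "pass": (key, press_ms, release_ms)
ENROLLMENT = [
    [("p", 0, 95), ("a", 160, 250), ("s", 330, 410), ("s", 520, 630)],
    [("p", 0, 100), ("a", 170, 265), ("s", 340, 415), ("s", 525, 640)],
    [("p", 0, 90), ("a", 150, 245), ("s", 335, 420), ("s", 515, 620)],
]
PROFILE = enroll(ENROLLMENT)
GENUINE_ATTEMPT = [("p", 0, 97), ("a", 165, 258), ("s", 338, 416), ("s", 522, 632)]
BOT_ATTEMPT = [("p", 0, 50), ("a", 100, 150), ("s", 200, 250), ("s", 300, 350)]
IMPOSTOR_ATTEMPT = [("p", 0, 140), ("a", 260, 370), ("s", 500, 610), ("s", 790, 940)]

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE_ATTEMPT), ("bot", BOT_ATTEMPT),
                           ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{label:9s} -> {classify(PROFILE, attempt)}")
```

The two checks are deliberately ordered: the flat-variance test needs no enrolled profile, so it can run on the very first attempt, while the per-position z-distance only becomes meaningful once a few genuine samples have been collected. A real deployment would calibrate both thresholds from population data rather than the constants assumed here.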

Consider also that the legitimacy of the hacker's login attempt, whether manual or automated, would have been challenged on other factors as well. The ID and password would have been flagged as delivered from an IP address that did not match the user profile, and elements of the device ID would have conflicted with the attributes on record. In almost any scenario involving a high-risk activity, such as a change to an account profile or a transfer of assets, the system would have challenged the transaction and either denied access on the spot or escalated to a secondary authentication layer.

Despite the well-known fact that “first factor” authentication, in the form of a standard login (username and password), provides little in the way of security, many institutions continue to rely on it as their primary option. This is for the most part a legacy of older two-factor authentication solutions that required cumbersome hardware, inconvenienced users and escalated support costs. A keystroke biometric solution provides a lightweight alternative that requires no change in user behavior and substantially eliminates maintenance and support costs, because there is no hardware or software to distribute or maintain.


Stolen Credentials Featured Prominently in 2010 Data Breach Investigations Report

The Verizon RISK Team's 2010 Data Breach Investigations Report, compiled together with data from the United States Secret Service, looked at 141 confirmed breach cases worked by Verizon and the USSS in 2009. One area of the report examined what a particular threat agent did to cause or contribute to a breach. Under the hacking threat category, the use of stolen credentials was number one in both the Verizon and USSS datasets.

[Table: Threat Action / % of Breaches / % of Records; row data not preserved]
"The amount of breaches that exploit authentication in some manner is a problem. In our last report it was default credentials; this year it’s stolen and/or weak credentials. Perhaps this is because attackers know most users are over-privileged. Perhaps it’s because they know we don’t monitor user activity very well. Perhaps it’s just the easiest way in the door."

Source: 2010 Data Breach Investigations Report


Consumer Control Over Personal Information

Cyberattacks continue to increase against a variety of consumer-facing companies with an online presence. Here at Delfigo we frequently discuss the need to give individuals more control over their personal information. The lack of control, combined with the feeling of vulnerability that results from it, could certainly have a negative impact on the future of cloud computing. In a recent article on the privacy concerns that are slowing cloud adoption in Europe, the author notes work being done at HP to give users more control over their personal information:

"Another solution being studied is to give individuals the ability in advance to set the degree of privacy control on each part of their personal information in the cloud by digitally tagging bits of the data. Under this model, a person could make an e-mail address available to marketers, while shielding a phone number and street address from unwanted solicitations."


Identity Theft Scheme Steals Children's Social Security Numbers

Thieves are targeting children's Social Security numbers before any credit history is attached to them, according to the Associated Press. Online companies seek out information to identify dormant Social Security numbers. After the numbers have been checked against publicly available resources to make sure that no one is actively using them, they are sold online.

"Social Security numbers follow a logical pattern that includes a person's age and where he or she lived when the number was issued. Because the system is somewhat predictable, sellers can make educated guesses and find unused numbers using trial and error.

A "clean" CPN (credit profile, credit protection or credit privacy number) is a number that has been validated as an active Social Security number and is not on file with the credit bureaus. The most likely sources of such numbers are children and longtime prison inmates, experts said."


Backup and Secure Access for Cloud Computing

David Baum, July 20, 2010

As one of the original seed investors in Carbonite, I often worry about data backup. As we move toward a nearly 100% digital life it becomes extremely important that we back up our digital data, because the digital data has become our lives.

As we move toward cloud computing, backup becomes more nebulous. Certainly the online providers are backing up our data en masse to protect themselves from major data center disasters, but in a multitenant environment, what happens to the individual when they lose their cloud data?

As a huge Gmail fan, I used Outlook to sync with the cloud, so I was less worried about backing up my email in the cloud because it was replicated in my local Outlook database. Also, all of the rest of my personal information was stored locally in Outlook and I backed that information up with Carbonite.

The scenario above all changed last fall when I made the move to Android for my mobile computing needs. I was “forced” into the cloud to take full advantage of everything great that Android had to offer. This meant that I had to move all my scheduling and contact data into the sky, and thus I stopped using Outlook altogether as Gmail became my full-time personal information management (PIM) system. Never again would I have to sync the data between my desktop PIM and my mobile device, as they were always in sync wirelessly. I must admit that for an old client/server user, the move to the cloud was a bit of a leap for me, as the network of contacts that I have built over 25 years in high tech has become my business lifeblood.

However, I quickly noticed how much more productive I was having all my cloud data available on any computer with a web browser, my Android devices, and my iPad. It worked so well that I stopped worrying about backup. The senior people that I know at Google assured me that their cloud was backed up in multiple data centers, and that I would never lose my data.

Everything was fine until last week when I got a call from my brother that someone from Nigeria had hacked his Gmail account and changed his password, which locked him out of his account (see log file below).

My first thought was “lights out and game over”: how can you manage your business if you don’t have access to your Gmail account? My second thought turned to backup, and I realized that I had not backed up my information in Gmail in over six months. I quickly logged into Gmail and exported all of my contacts and re-synced my email database with my old friend Outlook (maybe syncing backups of the cloud will be Outlook’s legacy).

To Google’s credit, they were able to restore access to my brother’s Gmail account quickly. However, when he logged back in, all of his contact data was deleted. I can only imagine the numerous identity thefts that might come from this data being in the wrong hands, but can you imagine losing all of your contact information? Google has too many users to hand-restore individual contact databases for their Gmail users, so I would strongly suggest that all users make an effort to back up through export or sync to an external client-based PIM program like Outlook.

The “hacker 101 rule” after accessing a hacked email account is to immediately change the legitimate user’s password to buy precious time in order to download contacts, send out fraudulent emails, set up simple email rules on the unsuspecting user's account like “forward all * emails to”, and the Holy Grail problem of most online accounts that know you not by your name but by your email address. This puts everything you are, who you know and what you have the ability to access online at immediate risk and poses a clear and present danger to your online identity. Why? Simple: if the hacker assumes your email address is your account UserID, he would simply try to access every social media site like LinkedIn, Twitter and Facebook, as well as the major financial sites like Schwab, eTrade, Quicken, BoA, Wells and Chase, to name a few, and he would simply click the link called “forgot my password” and enter the email address. Within seconds an email would arrive in the hacked inbox allowing the fraudster to gain access and full control of every account that uses this password reset modality.

The next big question is how someone was able to hack the account. The obvious answer is that some sort of spyware was installed on the client machine that was sniffing keystrokes for usernames and passwords. The Nigerian hacker then used this information to log in and change my brother’s password. Again, Google was able to “notice” this remote login and inform the active session, but the real question is why Gaia (Google’s single sign-on and password system) would allow this to happen. The problem is that Gaia is not utilizing a strong, or any visible, multi-factor authentication system for client log-ins.

For example, if Google was using a solution like Delfigo Security (yes, one of our portfolio companies) that implements multi-factor authentication including a sophisticated keyboard biometric, machine ID, geospatial parameters, etc., they could have flagged this rogue log-in and aborted the password reset by a user that was clearly not the owner of the account.

We have all heard the news about the high-profile break-ins to Gmail accounts that made Google abandon the Chinese market, but what happens when these break-ins occur to ordinary individuals, which is more the norm these days?

Google needs to do more to protect the access plane and provide more timely out-of-band notification, like SMS messages to registered cell phones. In addition, Google should use the confidence factor of the log-in to prevent features such as export and the deletion of data. All of these features could easily be built into the business logic of Gmail and could be triggered from the confidence factor of the login that is provided by systems like Delfigo.

Lastly, users of cloud solutions like Gmail should also be careful not to store sensitive information in the various contact note fields. For example, social security numbers, credit card numbers, PIN numbers, account passwords and physical safe combinations should not be stored in plain text fields that are only protected by a username and password. Users should instead move to more secure solutions like eWallet that encrypt the data shared between client computers and mobile devices, so that it never gets into the cloud.

David Baum is a general partner at Stage 1 Ventures, LLC, with 23 years in the information technology industry, including fourteen years in technology finance and nine years in entrepreneurial operating management roles.


Man In The Browser Attacks Beat Two Factor Authentication

Out-of-band strong authentication options that send one-time passwords via phone-based systems are widely used by banks and other financial institutions. However, as the research group Gartner points out [Where Strong Authentication Fails and What You Can Do About It], these methods are susceptible to man-in-the-browser and social engineering attacks when they are not deployed as part of a layered approach:

“In instances where a bank might use a phone-based, "out-of-band" authentication system, criminals are increasingly using call forwarding so that it is the fraudster rather than the legitimate user that is being called by the financial institution, Gartner said. If the security application places an outbound call synchronized to a Web session, then this outbound call can be forwarded to fraudsters. If in addition the security application displays a number on the Web screen that must be entered via the telephone keypad, then this number can easily be intercepted by a Man-in-the-Browser Trojan and forwarded to the same fraudsters, thus hijacking the session. We can reverse the loop and request the user to send some transaction info using the phone keypad. But this does not make any difference.”

A layered, risk-based approach takes additional authentication factors into consideration in relation to activity type, and requirements are typically raised for higher-risk transactions. These additional security elements have demonstrated effectiveness in a variety of scenarios.
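The layered idea recurs across this page: the Zeus post describes challenging a login on IP and device-ID mismatches and then denying on the spot or escalating for high-risk activities, David Baum's post asks that a login's confidence factor gate features like export and deletion, and the paragraph above raises requirements for higher-risk transactions. The following added example (not Delfigo's, Gartner's or Google's code) sketches that policy as a small decision engine; the factor weights, the per-activity confidence tiers and the scenario values are constructed assumptions.

```python
"""Risk-based step-up decision for a layered authentication flow.

Added example; not Delfigo's, Gartner's or any bank's logic.  A login's
confidence is a weighted blend of keystroke-biometric agreement, IP history
and device-ID agreement.  Each activity carries a minimum confidence; higher
risk (profile change, transfer, data export or deletion) demands more.  An
attempt below the floor is denied outright, one below the activity's bar is
escalated to a second factor, otherwise it is allowed.  Weights, tiers and
the scenario values are assumed.
"""
from dataclasses import dataclass

# Assumed minimum confidence per activity (illustrative tiers, not product values).
ACTIVITY_REQUIREMENT = {
    "read": 0.40,
    "login": 0.50,
    "profile_change": 0.80,
    "export_contacts": 0.80,
    "transfer": 0.85,
    "delete_data": 0.90,
}
DENY_FLOOR = 0.30   # below this, deny on the spot rather than offer a second factor


@dataclass(frozen=True)
class LoginContext:
    keystroke_confidence: float   # 0..1 from the keystroke matcher, 1 = matches the record
    ip_matches_profile: bool      # source IP consistent with the user's history
    device_mismatches: int        # device-ID attributes that conflict with the record
    device_attributes: int        # device-ID attributes compared


def login_confidence(ctx):
    """Weighted blend clamped to [0, 1]: keystroke 0.5, IP 0.25, device 0.25."""
    score = 0.5 * ctx.keystroke_confidence
    score += 0.25 if ctx.ip_matches_profile else 0.0
    if ctx.device_attributes:
        agreement = 1 - ctx.device_mismatches / ctx.device_attributes
        score += 0.25 * max(0.0, agreement)
    return max(0.0, min(1.0, score))


def decide(ctx, activity):
    """Return 'allow', 'step_up' or 'deny' for the activity under this login context."""
    required = ACTIVITY_REQUIREMENT[activity]
    confidence = login_confidence(ctx)
    if confidence < DENY_FLOOR:
        return "deny"
    if confidence >= required:
        return "allow"
    return "step_up"


def session_policy(ctx):
    """Map every known activity to a decision, e.g. to disable export/delete in the UI."""
    return {activity: decide(ctx, activity) for activity in ACTIVITY_REQUIREMENT}


# Constructed scenarios
LEGITIMATE_AT_HOME = LoginContext(0.95, True, 0, 5)
LEGITIMATE_TRAVELLING = LoginContext(0.90, False, 0, 5)    # same device, new network
STOLEN_CREDS_NEW_DEVICE = LoginContext(0.20, False, 4, 5)  # typed by someone else, elsewhere
TYPED_BY_BOT = LoginContext(0.0, False, 5, 5)              # flat keystroke signature, unknown device

if __name__ == "__main__":
    for name, ctx in (("home", LEGITIMATE_AT_HOME), ("travelling", LEGITIMATE_TRAVELLING),
                      ("stolen", STOLEN_CREDS_NEW_DEVICE), ("bot", TYPED_BY_BOT)):
        print(f"{name:10s} confidence={login_confidence(ctx):.2f} {session_policy(ctx)}")
```

The travelling scenario is the one that shows why the per-activity tiers matter: a genuine user on a known device from a new network still reads mail and logs in without friction, but a transfer, profile change or contact export from that session is stepped up to a second factor rather than either waved through or blocked outright.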


OASIS Identity in the Cloud (IDCloud) Technical Committee

An Identity in the Cloud (IDCloud) Technical Committee has been formed by the non-profit OASIS group. It is charged with identifying "gaps in existing identity management standards and investigate the need for profiles to achieve interoperability within current standards. Committee members will perform risk and threat analyses on collected use cases and produce guidelines for mitigating vulnerabilities."

Hopefully, the establishment of this committee will produce positive outcomes. Standards for policy management, authentication services and security tokens (XACML, SAML, WS-Security, WS-Trust) are essential to the acceptance and success of cloud computing.

Who is OASIS?

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society. OASIS promotes industry consensus and produces worldwide standards for the Smart Grid, security, Web services, XML conformance, business transactions, electronic publishing, and other applications.

