Delfigo Security - Strong Authentication

  • Increase font size
  • Default font size
  • Decrease font size
Home Identity Theft
Identity Theft

Using Keyboard Biometrics to Detect Automated System or BOT

Monday, 04 October 2010 00:00 Ralph Rodriguez

The recent Wall Street Journal article, Accounts Raided in Global Bank Hack, discusses the latest example of the Zeus Trojan being used to steal credentials and access user accounts. Nearly $3 million was stolen in the scheme in which accounts were illegally accessed at J.P. Morgan Chase & Co., Ally Financial Inc. and PNC Financial Services Group Inc. Funds from the accounts of those financial institutions were then  transferred to "mule" accounts at the Bank of America Corp. and TD Bank Financial Group before being sent to Eastern Europe. 

“Hackers used malicious computer software known as Zeus Trojan, disguised in seemingly benign email. When the email recipient clicks on a link or attachment in the email, the virus monitors the victim's computer activity to grab user names and passwords.”

This is exactly the type of cyber attack that Delfigo’s authentication platform, working in conjunction with a banks existing security ecosystem, is designed to address. First off, keystroke biometric technology would have detected an automated system or BOT. The reason, mathematically the keystroke timings of an automated system or BOT are too pure and clear. For example:

kestroke biometric ekg comparison

The top half of the picture to the right demonstrates the keystroke timing vector for a human being. It looks sort of like an EKG (all over the place), therefore, unique.  However, the bottom part of the picture demonstrates the keystroke timing vector of an automated system or BOT. The signature would look very square and perfect. This is particularly true for the “dwell” times since there will be no variance.

A series of “triggers” would detect the BOT in real time and deny access.  However, what if the stolen credentials had been manually typed in? Once again, keystroke biometrics would have identified a mismatch between the human hacker's keystroke ID and that of the legitimate user on record.

In addition, also consider that the legitimacy of the hacker's login attempt,  whether manual or automated, would have been challenged based on other factors as well. The ID and password would have been flagged as being delivered from a IP address that did not match the user profile; and elements of the device ID would have conflicted with existing attributes on record. In almost any scenario that involved a high risk activity such as a change to an account profile or a transfer of assets, the system would have challenged the transaction and either denied access on the spot, or escalated to a secondary authentication layer.

Despite the well known fact that “first factor” authentication, in the form of a standard login (username and password), provides little in the way of security, many institutions continue to rely upon it as a primary option. This is for the most part a result of older two factor authentication solutions that required cumbersome hardware that inconvenienced users and escalated support costs. A keystroke biometric solution provides a lightweight alternative that requires no change in user behavior, and substantially eliminates maintenance and support costs because there is no hardware or software to distribute or maintain.

 

FTC Pushes Back Identity Theft Red Flag Rules Again

Wednesday, 02 June 2010 01:34 Charles Bouthot

The Federal Trade Commission announced that it is once again pushing back enforcement of the “Red Flags” Rule. This time through December 31, 2010 so that Congress can consider legislation that would clarify and fix affect the scope of entities covered by the Rule.

Federal Trade Commission statement:

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Red Flags Rule is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). It requires “creditors” and “financial institutions” to address the risk of identity theft.

 

Identity For Sale Online

Wednesday, 20 January 2010 00:00 Charles Bouthot

Symantec points out the most frequently advertised items for sale on underground economy servers.

Source: Symantec Intelligence Quarterly: APJ October - December, 2009

 

New Generation Trojans Counter Token Based Temporary Passwords

Monday, 31 August 2009 01:15 Charles Bouthot

A recent New York Times article once again draws attention to potentical vulnerabilities of token based temporary passwords. Saul Hansell describes in the article how hackers use new trojans to capture passwords in real time, thereby by-passing the security of offered by a token based device that utilizes a complex algorithm to generate a new temporary password every minute.

Source: How Hackers Snatch Real-Time Security ID Numbers

 

Data Security Breach Puts Twitter In The News Again

Friday, 17 July 2009 00:38 Bharat Nair
Twitter is in the news again - this time their internal documents stored on Google Apps that were hacked.

Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.  

Twitter management was swift to jump into action with internal policy changes. With the popularity of Twitter on the uptick, security practices, policies, and procedures must be front of mind for the management team.

Companies such as Twitter, Google, and Facebook are immensely popular, with membership in the tens millions. Strong passwords are simply no longer adequate to secure data and identity. I am sure these companies are concerned and challenged with how to best contain this increasing menace. However, it would be cost prohibitive for these companies, whose business model is based on free use adoption, to start sending out tokens or force each member to install digital certificates in their browsers for second factor authentication. In addition, even if they were willing to set up token-based second factor authentication for members willing to pay a premium to protect online accounts, they would be confronted with significant integration, distribution and ongoing management challenges that would constantly impose a burden upon organizational resources.

Another primary concern is user convenience. Clearly these social media sites would not be enjoying the same level of popularity if members were subject to cumbersome processes to secure online access. Therefore, balancing the need for strong authentication with user convenience is of utmost importance for these companies as well. But this seemingly insurmountable challenge is not without a solution. Delfigo Security's business model and product architecture is predicated on addressing these very challenges - it provides implicit multifactor authentication without inconveniencing end users. There is no need for end users to change their current use patterns to have the assurance their account and profile information is secure on these sites. And our DSGateway platform is easily deployed, configured, and managed. It is a true zero footprint solution and requires no client downloads or tokens.

I agree with analyst Dan Blum of the Burton Group when he said, "I wouldn't store sensitive documents in a cloud-based service unless I had a lot of confidence in the specific service," Blum says. "I'd hold them to the same standards that you hold for your own internal applications. If you expect your internal applications to be accessed only through two-factor authentication then the cloud should be at least as secure as that."

Any regular user of these social media sites should be concerned as well. Delfigo would like to make Twitter and other social media companies an offer. We will provide our strong authentication solution free of per user (member) fees for up to one year . If you want to assure that your information is safe you should hope they take us up on this offer."

Bharat Nair is Vice President of Business Development at Delfigo Security, This e-mail address is being protected from spambots. You need JavaScript enabled to view it , Boston, MA. He can be reached at http://www.delfigosecurity.com or by phone at 1.617.248.6501. You can now follow Delfigo Security news and articles on twitter (@delfigo).

 
More Articles...
  • «
  •  Start 
  •  Prev 
  •  1 
  •  2 
  •  Next 
  •  End 
  • »
Page 1 of 2