Delfigo Security - Strong Authentication

A healthcare focused study by Bitglass reveals that theft of user devices and resulting theft of personal information poses significant risks to companies and end users.

We often think of the theft of credit card data as being the most common threat to identity and user data but the Bitglass report points out that healthcare related data accessed via stolen devices has the potential to cause many more problems for organizations and their users when it falls into the wrong hands. An article in SC Magazine discussing the results of the Bitglass report points out:

"Citing an 2013 EMC report (PDF), Bitglass noted that the value of stolen health records on the black market far outweighs that of credit card information, and that criminals can “continue using or selling the [PHI] even after the victim knows it's been compromised,” as opposed to credit card information, for instance, that can be quickly devalued by canceling a card.

A health record is sold on average for $50 on the black market, while a stolen Social Security number usually fetches a $1, the report said."

In addition to the value of these records to thieves who can reuse and resell them, the Bitglass report states that 68% of data breaches occurred when devices were lost of stolen, as opposed to the 23% which were accessed in data breaches due to hacking.

This problem centers around a specific need in security to assure that only the true user of the device and the applications on it can access the device. This report specifically speaks to the risk introduced by the device falling into the wrong hands, as opposed to the often cited risks associated with viruses and malware.

JP Morgan Chase, and several other large US banks, experienced large scale coordinated attacks during the month of August. Several news outlets have reported that the attacks may be politically motivated instead of being part of an effort to commit fraud, even though it's possible that theft of account credentials, personal data and information were part of the attacks. First to report was Bloomberg, who suggested that the attacks were retaliation for sponsored sanctions against Russia. Exactly what the motives were is still under discussion. If the motives for the attack were simply to show US banks that they are vulnerable, or if there were more insidious motives tied to espionage, these attacks have not correlated with an increase in fraud (as of yet). "Companies of our size unfortunately experience cyber attacks nearly every day,” said Patricia Wexler, a JPMorgan spokeswoman. “We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”

It is interesting that the response from JP Morgan Chase mentions fraud monitoring. This response speaks to traditional security strategies where the security "layers" are often correlated with detecting fraud. The assumption that the actions of a hacker will identify him/her through their actions is a good one - if there is an account breach at a bank, one of the first indications that the breach has occurred may be the immediate transfer of funds or changes to the ownership information on the account. But if that doesn't happen, and someone has simply gained access to the account, how does that impact the strength of the security components in place to protect the account?

It is critical that organizations have security methods in place that can silently and identify account activity that does not belong to the owner of the account. What the organization does with this information is up to them. But instead along with tracking fraud, we need to understand who the user is, so that we can differentiate between a user, and a hacker with their credentials.

We know that magnetic strip cards, the standard for credit cards in the US, is going to change. EMV, or "Chip-and-PIN" cards are coming, and will become the new norm. The changeover is touted as a way to improve security and reduce fraud, and has been widely adopted and accepted outside the US. In October of 2015, Visa will impose a "liability shift", making the party involved in the transaction (the retailer or vendor), responsible for fraud when it happens when the customer does not use EMV.

Ross Anderson of Cambridge University spoke about how this will effect fraud, and vulnerabilities that will survive the shift in Las Vegas this week at Black Hat 2014. Anderson warned: “Banks believed that replacing magnetic strips with an alternative such as chip and PIN that they would be able to cut fraud...Fraud went up, however, then down, and now it’s up again. The overall effect is as if they’ve taken a bulldozer to the landscape; the river of crime is still flowing, just from slightly different channels.” ThreatPost provided further analysis, highlighting the fact that new security flaws are introduced when the security of a transaction relies on a PIN.

Security for PINs themselves will need to increase, as will the other security factors that are used with them.

Google's wallet may start "showing up" for you. This article in Slate gives a high level walkthrough of the feature you may already see on your Gmail account which enables you to send money via Gmail.

As far as mobile payments go, this could not be easier to do. It's also clear why Google has an interest in users sending money using their Google accounts, as they'll have access to the data, attract new users who want to use this feature (in this case users accept the money with their wallets, too) and adoption could make a Google account even more essential for users day-to-day. Along with this feature, Google has stepped up email encryption, but it's very important that users understand the kind of security they will need to protect themselves while using this technology. From the article above: "Once you know what Google is really driving at, does Google Wallet seem less appealing? Probably not. It's convenient, well thought-out, and email-able. Just don't go too crazy, OK? It's still real money."

It's still real money. And this should give anyone with an insecure gmail password, or anyone who has ever experienced their account being highjacked, some pause. It's not just enterprises that need to consider the right balance between user experience and security. Increasingly, users need to do this for themselves as well.