
Gone phishing: protecting yourself and your business

In today's digital age, where the bulk of personal and business communication is conducted via electronic means, protecting your identity and ensuring the highest standards of security are crucial.

We have already witnessed many examples of crimes that almost always boil down to an authentication and identity problem. Someone might capture someone else's Internet banking username and password and log in as them to steal their funds. Or perhaps someone captures your field agent's credentials, logs into your company system and steals precious business data.

We have seen phishing emails and SMSes, where customers of banks and other institutions are sent carefully crafted fraudulent messages by criminals that fool the customer into parting with their private details. Again, this is achieved by the use of a fraudulent identity: someone masquerades convincingly as somebody else, and the result is an effective security breach.

Identity management, and with it, authentication, have become crucial issues to address and embrace in the digital age. With someone's identity under your control, the opportunities to defraud are almost endless and, with technology spreading into all spheres of our lives, security breaches have increasingly frightening potential consequences.

All about authentication

Authentication is the process of validating your identity; it is used by all digital systems to let a user prove who they are and establish their identity to that system. A typical example of authentication is a username and password, used to log in to Internet banking, for example. The aim is to prove that you are the person logging in, which then grants you the access and rights assigned to your identity, such as performing a money transfer. Other examples of authentication include biometrics, where a fingerprint or an iris is used to prove identity.

To date a number of different solutions have been touted as the answer for providing strong authentication. Strong authentication typically refers to any means of securely verifying someone's identity with a sufficiently high level of certainty that the result can be trusted.

As the vast majority of systems currently employ the common username and password for authentication, many solutions so far focus on strengthening this, and for good reason. It is highly impractical and prohibitively expensive, for instance, to try to distribute biometric hardware devices to all Internet banking customers, particularly when customers are likely to be on the move and not always near the desk where the hardware is located.

Commonplace “static” usernames and passwords are very weak for a number of reasons. Due to human nature, people often choose passwords which are easy to guess or crack, such as the word “password” or their own name. Alternatively, if very complex passwords are enforced, people are often forced to write them down somewhere obvious as they struggle to remember lots of different, difficult passwords. Static passwords are also inherently flawed in that if the password is ever captured, whether by an observer or by keystroke logging software, the attacker is immediately able to take over that person's identity completely.

So, while it is clear that stronger authentication is becoming a more and more important requirement, unfortunately it is by no means simple. Customers are mobile and online from multiple points. They need to be able to securely and conveniently authenticate themselves with the minimum of hassle, and the solution needs to be inexpensive and easy to use and distribute from a logistical point of view.

OTPs - the future of security?

The most widely recognised solution to date for the password problem is the one-time password, or OTP. This is a concept which has been around for some time: rather than having a fixed, static password to go with your username, you have a new, random password generated every time you need to log in. The instant you use the password it expires, meaning that even if it is captured by keystroke logging software it is still useless to the attacker.

Thus far a number of solutions have looked at how best to deliver one-time passwords to the user. Some institutions have issued printed booklets containing tables of one-time passwords, which has obvious flaws.

Many large corporations have invested in hardware token solutions, which require each user to carry a physical device on their keyring that displays an OTP on a small screen when the user needs it. These solutions can be very expensive, cumbersome and a headache to implement and distribute, which is why widespread adoption for consumer use has not occurred.

Others have elected to SMS OTPs to customers on demand which, while far more convenient, is still costly, sometimes slow, and carries many security risks. SMS messages are sent as plaintext in the clear, and their origin cannot be verified. Also, it is impossible to verify that the recipient of the SMS is actually the intended recipient: anyone in possession of the mobile phone or a copy of the SIM card could receive it. It is also possible to build, relatively inexpensively, a device which is able to capture and decode SMSes over the air.

The proposed solution

I've recently been involved in a South African project to develop new technology to tackle the obvious problems that exist with current solutions and thereby overcome possible security breaches. The technology uses a small software program which securely generates OTPs on your mobile phone, whenever you need them. Interestingly, it also doesn't make use of any Internet or SMS connectivity and can therefore be deployed on virtually any mobile phone currently retailing.
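As an added illustration, not the project's own code or algorithm (the article does not describe how its OTPs are generated), the Python below shows one standard way a phone can produce single-use OTPs with no Internet or SMS connectivity at all: an HMAC-based counter OTP in the style of RFC 4226, using that RFC's published test-vector secret as a constructed demo key, together with the server-side check that consumes each code so a captured one cannot be replayed, the property described under "OTPs" above. The `OtpPhone`, `OtpServer` and `demo` names are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo key (the RFC 4226 test-vector secret). In a real deployment each
# phone holds its own random secret provisioned once at enrolment (assumption).
DEMO_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (HMAC-SHA1 with dynamic truncation, RFC 4226 style).
    Only the shared secret and a counter are needed, so no network is required."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class OtpPhone:
    """Phone side: generates the next code offline and advances its counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class OtpServer:
    """Server side: remembers the last accepted counter so each code works once."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.look_ahead, self.last_counter = secret, look_ahead, -1

    def verify(self, code: str) -> bool:
        # Check a small window of future counters so a code the user generated
        # but never submitted does not permanently desynchronise phone and server.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # consumed: this and all earlier codes are dead
                return True
        return False

def demo() -> dict:
    """Walk-through: first code accepted, replay rejected, a skipped code tolerated."""
    phone, server = OtpPhone(DEMO_SECRET), OtpServer(DEMO_SECRET)
    first = phone.next_code()
    result = {"first_ok": server.verify(first)}
    result["replay_rejected"] = not server.verify(first)  # captured code is now useless
    phone.next_code()                                     # generated but never typed in
    result["after_skip_ok"] = server.verify(phone.next_code())
    return result
```

A real deployment would also rate-limit guesses and bind the secret to a device, which this sketch leaves out.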

Considering the widespread penetration of mobile phones in the country, there's hope that the technology could revolutionise the security sector with all users able to access their information securely and conveniently.

The threat of identity fraud is a serious one and businesses, from SMEs to corporates, need to analyse and scrutinise their security systems. Authentication, previously a murky playground, has become of key importance to businesses when protecting their data from hackers or unwanted intruders. Remember that it only took a matter of hours for the notorious Absa hacker to siphon R500 000 from various bank accounts… don't let your company be next.

About Justin Stanford

Justin Stanford is the CEO of Eset Southern Africa (www.eset.co.za) and a prominent technology entrepreneur. He has consulted for leading auditing firms including Ernst & Young and BDO Spender Steward, as well as the South African Police's Computer Crime Unit (CCU), and is well-known for his topical columns for a host of leading IT publications. His most recent project, Fireflight MAS (www.fireflight.co.za), is a home grown mobile authentication solution which seeks to offer affordable, secure authentication for local and international businesses. Contact him on Tel +27 (0)860 373 872 or email .