NuData Security is proud to be supporting the Petition Against Passwords in their quest to make businesses and consumers aware of their inherent weaknesses.
We specialize in real-time web threat detection, primarily for Fortune 50 companies. One of the largest, most devastating threats to their financials and reputation is “account takeover”, where a malicious user gains access to a previously legitimate user’s account, increasingly through stolen passwords.
Passwords are an Enabler to Fraud
Imagine what could happen if someone got access to your personal email.
Could they reset the passwords for your online shopping, social networks, cell-phone and home internet accounts? Likely, and that email account is probably protected by a simple password of 6-10 characters.
Now imagine the scenario where a hacker gains access to the webmail account of a law-firm employee.
They’d likely have access to a lot of confidential emails, holiday calendars and vital resources such as company policies and procedures. Hackers are increasingly intelligent, using a mixture of technical know-how and social engineering to achieve their aims. They could quite passively use this information in order to perform a slick attack.
Knowing when a user was on holiday, a hacker could email IT support asking them to set up a username and password for a new team member (themselves), or ask an admin assistant to email over some documents. This is not dissimilar to how Ubuntu lost 1.82 million user details. Read the full post mortem here.
I’ve seen many enterprises hypothesise about the vast array of risks and draft lengthy policy documents in order to ‘mitigate’ these. In our opinion, this is shutting the stable door after the horse has bolted. There is a better way.
1. Replace passwords
Replace passwords with a convenient alternative. The alternative should be dynamic, changing, and not rely on the user to remember something; memorised secrets are prone to reuse.
Two-factor authentication is popular; most people in enterprise have used the infamous ‘RSA’ token at some point, to varying levels of satisfaction. I personally once owned 4 identical-looking tokens for my daily tasks – there are alternatives.
These range from one-time access codes by text message and app-generated codes to more visual methods such as Clef.
2. Notice changes in user behaviour
Just as credit card companies actively monitor for abnormally large purchases, system administrators should implement similar systems to mitigate internal and external threats against their firms.
Behaviour analytics can be cloud-integrated, meaning low implementation and maintenance costs. If a user has begun to act out of line with their usual pattern, perhaps checking webmail from Asia instead of their usual desktop mail client in North America, they should perhaps be required to log in again. This is what we call “adaptive countermeasures”.
Adaptive countermeasures can be risk-based authentication methods. They are ideal for preserving a smooth user experience with maximum security.
In the scenario where a user’s password (or any other authentication credential) has been stolen, their change in behaviour will trigger re-authentication using an alternative method.
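As an added illustration of the adaptive countermeasure described above (example code, not NuData's own system), the following Python builds a per-user baseline from past logins and requires re-authentication with an alternative factor when a new login deviates from it, such as webmail from Asia for a user who normally reads desktop mail in North America. The region and client labels, the three deviation signals and the step-up threshold are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    user: str
    region: str    # coarse geolocation of the client address, e.g. "north-america"
    client: str    # "desktop-mail" or "webmail"
    hour_utc: int  # hour of day the login occurred

STEP_UP_THRESHOLD = 2  # assumed policy: this many deviations forces re-authentication

def build_baseline(history):
    """Profile each user's usual region, client and active hours from past logins."""
    profiles = {}
    for ev in history:
        p = profiles.setdefault(ev.user, {"region": Counter(), "client": Counter(), "hours": set()})
        p["region"][ev.region] += 1
        p["client"][ev.client] += 1
        p["hours"].add(ev.hour_utc)
    return profiles

def risk_score(profile, ev):
    """Count independent deviations from the baseline; each adds one point."""
    if profile is None:  # unknown user: no baseline to trust, so fail safe
        return STEP_UP_THRESHOLD, ["no baseline for user"]
    score, reasons = 0, []
    if ev.region != profile["region"].most_common(1)[0][0]:
        score += 1
        reasons.append(f"unusual region {ev.region}")
    if ev.client != profile["client"].most_common(1)[0][0]:
        score += 1
        reasons.append(f"unusual client {ev.client}")
    if ev.hour_utc not in profile["hours"]:
        score += 1
        reasons.append(f"unusual hour {ev.hour_utc}")
    return score, reasons

def decide(profile, ev):
    """Adaptive countermeasure: allow, or require an alternative factor past the threshold."""
    score, reasons = risk_score(profile, ev)
    action = "step-up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons

# Constructed history: alice normally reads desktop mail from North America in office hours.
HISTORY = [LoginEvent("alice", "north-america", "desktop-mail", h) for h in (13, 14, 15, 16, 17, 21)]
BASELINE = build_baseline(HISTORY)
```

A single deviation (for example webmail from the usual region during office hours) stays below the threshold, so the smooth experience is preserved; several at once trigger the step-up.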