Multifactor Authentication trumps Knowledge-Based Authentication (KBA)

What is knowledge-based authentication? The KBA design asks the user to correctly answer at least one question, a “secret” only the user would know.

There are two types of KBA: 1) answering a question that the user has pre-selected (static scheme), and 2) answering a question that is derived from data gathered from public records (dynamic scheme).

The idea is that if a question is correctly answered, the person’s ID has been verified.

KBA Flaws

Fraudsters can answer “secret” questions—even those that the user must think hard to answer. But how?

Spear-phishing: fraudsters gain access to the public data aggregators by tricking their employees into giving up their accounts, which hands over the “keys” to the data. Knowledge-based authentication is definitely flawed. Additionally, with so much of our personal information floating around on social sites, it is becoming much easier to research anyone well enough to pass these questions.

KBA is especially unreliable when it applies to people new to the U.S. or who are young, as they don’t have much public data built up.

Though KBA is flawed, it’s also the heavily preferred method for ID because it’s so technically easy. This is why Obamacare will be using it for the new healthcare insurance exchanges.

Attempts at Regulation

U.S. banking regulators made one attempt at regulation, but complying with it would have been costly, and it didn’t go over well. In another instance, ChoicePoint was fined by the FTC in 2006 for a 2004 breach; it was ordered to conduct intense security audits for possibly 20 years.

Solutions

Authentication should be multifactorial. A multidimensional security system might include:

  • Consideration of customer history and behavior
  • Dual customer authorization via varying access devices
  • Out-of-band verification of transactions
  • Debit blocks, positive pay and other methods that appropriately curtail an account’s transactional use
  • More refined controls over account activities, such as number of daily transactions, payment recipients, transaction value thresholds and allowable payment windows
  • Blockage of connection attempts to banking servers from suspicious IP addresses
  • Policies for addressing potentially compromised customer devices
  • Improved control over any changes done by customers to their account
  • Better customer education to increase awareness of security risks, including how customers can mitigate risks

A layered security program should include, at a minimum, the following:

  • Detection of suspicious activity followed by a response. Suspicious activity may be related to logins and verification of customers wanting access to the bank’s electronic system, and also to initiation of electronic transactions that pertain to fund transfer to other parties.
  • Institutions should do away with using simple device ID as the primary control.
  • They should also do away with using basic “secret” questions as a primary control.
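The account-level controls listed above (daily transaction count, registered payment recipients, value thresholds, allowable payment windows and out-of-band confirmation) can be expressed as a single policy check. The following is an added example, not code from the original post or from any bank’s system; the policy values, account names and transactions are constructed, and out-of-band confirmation is represented as a flag that a separate channel would set.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple


# Hypothetical per-account policy mirroring the controls listed above.
@dataclass
class AccountPolicy:
    max_daily_transactions: int          # number of daily transactions allowed
    allowed_recipients: frozenset        # pre-registered payment recipients
    oob_threshold: float                 # above this value, require out-of-band confirmation
    payment_window: Tuple[time, time]    # allowable payment window (start, end)


@dataclass
class Transaction:
    account: str
    recipient: str
    amount: float
    when: datetime
    oob_confirmed: bool = False          # set only after a separate-channel confirmation


def evaluate(tx: Transaction, policy: AccountPolicy,
             history: List[Transaction]) -> Tuple[str, List[str]]:
    """Return ("allow", []) or ("hold", [reasons]) for a proposed transaction.
    `history` holds the account's already-accepted transactions."""
    reasons = []
    same_day = [h for h in history
                if h.account == tx.account and h.when.date() == tx.when.date()]
    if len(same_day) + 1 > policy.max_daily_transactions:
        reasons.append("daily transaction limit exceeded")
    if tx.recipient not in policy.allowed_recipients:
        reasons.append("recipient not pre-registered")
    if tx.amount > policy.oob_threshold and not tx.oob_confirmed:
        reasons.append("amount over threshold without out-of-band confirmation")
    start, end = policy.payment_window
    if not (start <= tx.when.time() <= end):
        reasons.append("outside allowable payment window")
    return ("allow" if not reasons else "hold", reasons)


# Constructed sample policy and history (not real account data).
POLICY = AccountPolicy(
    max_daily_transactions=3,
    allowed_recipients=frozenset({"payroll-vendor", "utility-co"}),
    oob_threshold=5000.0,
    payment_window=(time(8, 0), time(18, 0)),
)
HISTORY = [
    Transaction("acct-1", "utility-co", 120.0, datetime(2014, 1, 14, 9, 0)),
    Transaction("acct-1", "payroll-vendor", 4200.0, datetime(2014, 1, 14, 10, 30)),
]


def demo():
    """Evaluate one routine and one suspicious transaction against the policy."""
    routine = Transaction("acct-1", "utility-co", 80.0,
                          datetime(2014, 1, 14, 11, 0))
    suspicious = Transaction("acct-1", "new-payee", 9000.0,
                             datetime(2014, 1, 14, 23, 15))
    return evaluate(routine, POLICY, HISTORY), evaluate(suspicious, POLICY, HISTORY)


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

A “hold” decision is where the detection-and-response step comes in: the transaction is parked until the customer confirms it out of band, rather than being silently rejected or silently allowed.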

An Alternative to KBA

There is now a software-only biometric that can authenticate the user’s identity in a way that’s so unique that no imposter can beat it.

This patented software is referred to as the “Missing Link,” created by Biometric Signature ID (BSI). It’s the strongest form of ID confirmation on the market today, and it doesn’t even require any additional hardware.

How does this biometric work?

It measures how a person moves their mouse, finger or stylus when they log in using a password created with BioSig-ID™.

Biometrics measured include elements like the height, length, speed, direction and angle of each stroke. Together these define the user’s unique pattern, which a fraudster cannot replicate. Positive IDs can be done when someone logs in on any device.

In order to access the device, or whatever else (bank account, medical information, online college exam, etc.), the user must first be authenticated against their original profile. In seconds and with only 3-4 characters, BioSig-ID™ software will establish whether the person who registered for the account is the same person who is attempting access. This SaaS-based software is now used in over 60 countries and was recently awarded a grant by the White House to use its solution to validate user identity before they can access a digital asset online.

Robert Siciliano is a personal security and identity theft expert and BioSig-ID advisory board member. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock’em dead in this identity theft prevention video. Disclosures.

7 Safety tips on the Mobile Internet

It’s time to know all the ways you can make sure you’re safe when in mobile space to prevent identity theft.

  1. It’s 10 pm; do you know where the malware is? Malware is stealthy and hides in places you least expect, like search engines, tech-related sites, entertainment sites and web ads. Malware can even be waiting for you when you download what seems to be an innocent app for your favorite game. In fact, gaming and gambling sites are common targets, as are search engines—and these threats aren’t going to disappear any time soon. Install antivirus, especially on Android phones.
  2. Beware of peeping toms. That is, someone peering over your shoulder to catch you typing in a password. Mobile devices don’t mask passwords with those big dots like a laptop or desktop will. That snooping thief is hoping to get a glimpse of your password. Consider sitting against a wall when using your mobile in public. Cover your device with your other hand when entering PINs.
  3. Click with discretion. The mobile webscape is replete with juicy-looking items to click: promotions, ads, weblinks…and it’s pretty much impossible to tell the legit ones from the fraudulent ones. Even the URL can’t indicate this. Scam offers can look legit and trick you into clicks. Don’t let the menagerie of all that stuff to click on overwhelm you. Don’t visit anyplace you’re not sure of.
  4. Don’t get reeled in by phishing e-mails. What should you do if you get an e-mail from eBay or something like that, requesting you click a link to update your credit card information because suspension of your account is imminent? Don’t open. Delete.
  5. Credit card companies, the IRS, banks, etc., will never contact you via e-mail and request your private information. Other scams take the form of announcements you’ve won money, your password has been compromised, or some other emotional message. Make a habit of never even opening these.
  6. Stay with app stores. The mobile webscape is cluttered with enticing offers of free downloads. A minority are fraudulent and it’s impossible to tell which are which. Never download from mobile-only sites or those crammed with ads. Download only from app stores you trust.
  7. No “jailbreaking” or “rooting”. These terms refer to installing software that will break down the walled gardens of your iPhone or Android. Once you do this you open the device up to malware.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Data Insecurity causes Customer Headaches

Imagine not being able to use cash for even the smallest purchases because your bank—still shaking from news of the recent retail data breach that affected at least 110 million accounts—has decided to block all customer transactions. This actually happened.

In many recent interviews I have been asked the question numerous times: “Is it time to go back to cash?” The answer is NO, but consumers should definitely have cash on hand. Not having cash will severely limit consumers in the event of a massive power outage, and we are seeing that massive data breaches have big-time negative effects too.

Large banks, in response to that 110-million-account breach, may be putting limits on card usage, and can have cards replaced relatively quickly. But smaller financial institutions do not have the means to replace cards quickly. They also lack budgets to cover potential breach incidents.

As a result, a customer may learn that their card is blocked from transactions that don’t involve a PIN. Many consumers got stung by this during the holidays. One customer reported he had to contact his bank first to confirm any online purchases. His card then gets unblocked for an hour, but then blocked again. Supposedly this ban has since been lifted.

In a litigious society, don’t bet against the possibility of consumers suing retailers for these kinds of consequences; it’s already begun happening. One woman filed a class-action lawsuit on Dec. 23, 2013, citing a giant retailer’s alleged failure to secure its data, leading to the massive breach.

Tips for Businesses

  • Always update. Your software should always be up to date. Thieves can easily overcome old software and invade your sensitive data.
  • Control access. Who has access to your servers? Do you know? Make sure that only trusted users/administrators have access.
  • App testing. If custom application code is running on your servers, it should be tested for the top 10 web application security issues.
  • Be alert. Keep a tight rein on your server, and your cloud provider’s bill. A traffic surge that you don’t expect can signal a spam attack.

Don’t pass the buck. Business owners, and consumers as well, have been playing key roles in cyber crimes—though not with malicious intentions, but rather, being uninformed as well as not wanting to step up to the plate.

Stepping up to the plate is the only option retailers have in order to survive. The time to show your customers you are serious about preventing credit card fraud and the lengths you’ll go to protect their identities is right now.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Amber Alert GPS: Say Hello to Smart Affordable Child Locators

Amber Alert GPS, “The Intelligent Way to Keep Families Connected and Safe”, today unveiled an infographic that explains how Smart Locators make it easier for families to stay connected and protected. In the course of raising a family, over 90% of parents will at some point lose track of a child. Kids are curious beings, so it’s not surprising that every 40 seconds a child goes missing in the US and close to 50% of autistic kids wander each year. These panic-stricken moments are usually the result of a child misunderstanding directions, being lost, running or wandering away.

With today’s busy schedules and dual-working parents, it’s not only locating the whereabouts of family members that’s important, but also staying connected. Smart Locators, unlike tracking devices, have two key additional functions. In addition to providing the known location of a person, they have 2-way mobile voice capability, and can be pre-programmed to send specific types of alerts to parents and caregivers.

“These are important distinctions”, said Alan Baratz, CEO of Amber Alert GPS. “Tracking a set of car keys or a misplaced phone is very different from knowing the location of a person. The ability to receive an alert when, for example, your child is entering or leaving a designated area, or is within 500 feet of a registered sex offender’s home can provide invaluable information to a parent. For little kids who are still too young for a cell phone, a smart locator allows them, with the push of a button, to get a hold of you or send an SOS alert if they feel threatened. From a kid’s perspective, it’s like a modern day walkie-talkie, but so much more powerful”.

“Preventing the wandering away or loss of our kids is priceless,” said Robert Siciliano, a national expert on personal security. “A lot can happen in five minutes when dealing with a child. Making sure the device provides GPS reporting on a five minute interval without draining the battery, is crucial. Using an innovative tool like the Amber Alert GPS Smart Locator, enables families to easily locate loved ones and keep track of their kids anytime, from anywhere”.

The Amber Alert GPS Smart Locator is a trusted device used by thousands of families and caregivers nationwide, in a variety of ways. It not only provides peace of mind for kids going to and from school, but is also used by families during sleepovers, after-school sports practice, playing on the beach and traveling internationally. Furthermore, family members prone to wandering due to autism, Alzheimer’s and other disabilities use the Amber Alert GPS Smart Locator as an additional set of eyes and ears.

The same level of innovation that goes into the Amber Alert GPS Smart Locator is also used in the accompanying smartphone mobile apps. Available on iPhone® and Android, they allow you to keep track of your kids anytime, from anywhere. Families can download the free mobile app and purchase the Amber Alert GPS smart locator here or at AT&T stores nationwide. In addition, Amber Alert GPS is making it more affordable than ever for families nationwide to purchase a smart locator. For a limited time, families who purchase an Amber Alert GPS smart locator from AT&T will receive a $100 bill credit from AT&T when they activate a new line of service – at less than $30 for the smart locator, it’s a great way for families to stay connected and safe.

Using your Mobile to protect you from criminals

The Good:

Your mobile phone number is almost as good as your fingerprint: very unique to you, and as a second-factor authentication device via text message, it acts as an access control for certain web sites.

SMS two-factor authentication, as it’s known, is the sending of unique one-time pass codes that turns your mobile phone into a recipient of a one-time password or “OTP”. Generally there’s no software to install; it’s just a matter of registering your device with the website. OTPs are sent to smartphones after you enter your username and then a password, or after you click a button on the site requesting the SMS OTP.

A fraudster trying to infiltrate your account would need not only your password and user name, but would also need to physically have your phone. This is a great layer of security. SMS two-factor authentication can be used with sites like Facebook, Twitter, your bank, Gmail, PayPal and others.

Web sites link your mobile number with your account for your protection. So next time an online company wants to send you a “code” via your smartphone, don’t get annoyed; feel secure instead, because that’s how the company knows you are you. In fact, companies will likely brand you as a highly suspicious user if you refuse to include your mobile device’s number as part of your registration.
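The SMS OTP step described above is, on the server side, a small state machine: generate a random code, send it over the separate channel, and accept it only once, only before it expires, and only for a limited number of guesses. The following is an added example in Python, not code from the original post or from any of the named sites; the five-minute lifetime, three-attempt limit, six-digit length, user names and phone number are all assumptions, and the SMS transport is an injected callable so that nothing is actually sent.

```python
import hashlib
import hmac
import secrets
import time
from typing import Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed policy: guesses allowed per issued code


class OtpService:
    """Server side of the SMS one-time-password step (hypothetical implementation)."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # transport callable(phone, message), injected for testing
        self.clock = clock         # injectable so expiry can be tested without waiting
        self.pending = {}          # username -> [salt, digest, expires_at, attempts]

    def issue(self, username: str, phone: str) -> None:
        # Codes come from the OS CSPRNG via `secrets`, never from random.random().
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        # Only a salted hash is stored, so a dump of this table reveals no live codes.
        self.pending[username] = [salt, digest, self.clock() + OTP_TTL_SECONDS, 0]
        self.send_sms(phone, f"Your one-time code is {code}. It expires in 5 minutes.")

    def verify(self, username: str, submitted: str) -> Tuple[bool, str]:
        entry = self.pending.get(username)
        if entry is None:
            return False, "no code pending"
        salt, digest, expires_at, attempts = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return False, "code expired"
        if attempts >= MAX_ATTEMPTS:
            del self.pending[username]
            return False, "too many attempts"
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(candidate, digest):
            del self.pending[username]   # single use: a replayed code is refused
            return True, "ok"
        entry[3] += 1
        return False, "wrong code"


def demo():
    """Walk one user through issue, a wrong guess, the right code, and a replay."""
    outbox = []   # stands in for the carrier; the "phone" just collects messages
    svc = OtpService(send_sms=lambda phone, msg: outbox.append(msg))
    svc.issue("alice", "+1-555-0100")                 # constructed phone number
    code = outbox[-1].split()[4].rstrip(".")          # what the user reads off the phone
    wrong_code = "000000" if code != "000000" else "111111"
    wrong = svc.verify("alice", wrong_code)
    right = svc.verify("alice", code)
    replay = svc.verify("alice", code)
    return wrong, right, replay


if __name__ == "__main__":
    print(demo())
```

The attempt limit is what keeps a six-digit code from being brute-forced, and the expiry plus single-use rule is what makes a code that a fraudster manages to glimpse worthless a few minutes later.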

The Bad:

Keep your guard up, because fraudsters won’t stop trying to carry out their plans, and they know that the smartphone poses unique vulnerabilities to the user. For instance, people are more likely to click on a malicious e-mail link because the phone’s small screen makes it harder to detect suspicious web site addresses. Criminals are forever trying to get passwords, hack into accounts and wreak havoc. As technology continues to evolve in favor of the honest user, so does the technology of crime.

Your role is to always try to stay one step ahead of the criminals. There are ways you can protect yourself and never let crooks get ahead of you:

  • Never use the same password for more than one account or web site, even though it’s more convenient to have one password for multiple sites. Every app and web site should have a unique password.
  • Every access point you encounter should be safeguarded with a WiFi VPN service such as Hotspot Shield VPN that encrypts your wireless internet and surfing activities. This way, when you peruse cyberspace at hotels, airports and coffee houses, all of your activities are protected from hijackers.
  • Ignore password request e-mails or security alerts, especially on your smartphone, as they are almost always fraudulent.
  • Do you know if your phone (or iPad) is uploading your private data to cyberspace? Find out by installing an app security scanner.
  • Never use third-party apps on your device (or “jailbreak” it). Never let your kids use your phone, either.
  • Your device should be kept up to date with the latest operating system. System updates usually include security enhancements.
  • When installing Android apps, read their security notices. Understand how your sensitive data will be exposed with these apps—before you hit “Okay.”

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Data Breaches hurt Businesses’ Brand

That very newsworthy data breach that’s still in the news struck 110 million customers, not the more commonly reported 40 million; that’s one-third of the U.S. population.

There was also another, less publicized, breach of huge proportions that hit a major retailer in mid-December of 2013. And some reports say another 6 or more retailers may be affected in a similar breach.

The major-news retailer that got kicked in the butt by cyber criminals has run full page newspaper ads apologizing for not effectively protecting customers’ data, and hoping to win back consumers’ trust and loyalty. Kind of sounds like the Tylenol poisoning scare in the 1980s when the drug maker went on a massive ad campaign to win back consumers’ trust.

But with each new revelation of more data being compromised and growing concern of additional fraud, has come more media and customer scrutiny resulting in compounded brand damage.

Trust and Security

Feeling secure and trusting the brand is a major force behind consumer loyalty. Prior to that massive December breach, the retailer was right up there with its huge competitors as far as meeting reasonable consumer expectations.

That data breach has severely tainted the retailer’s customers’ trust. The 2014 Customer Loyalty Engagement Index assesses the retailer’s brand engagement level to be about 6 percent.

Sales have plummeted since the breach hit the news. Recovery is expected to be slow and arduous, and social media is fueling the sensationalism. It can take years to build up trust, but just a few hours of news “going viral” to crush it.

All is not lost.

The adage “What doesn’t kill us makes us stronger” plays a vital role when companies embrace their failures, learn from them and do right by their customers. The next few months will have a serious impact on the future of the breached companies and every retailer who accepts credit cards for payment.

Now is the time to beat the drum of customer security and bring awareness to how your company protects customer data.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

What is an Alarm Duress Code?

Ever consider the idea that a home intruder may force you to turn off your home alarm? Ever think that there’s a way you could secretly signal this to the authorities when you turn off the alarm while your captor is watching?

There is: the alarm duress code. This code is entered on the keypad, sending a silent signal to the monitoring station of the system provider. This does not disable the system. But to your captor, you’re simply obeying his command to disable the system. He may not even know there’s such a thing as an alarm duress code, and thus won’t have a clue what you’re really doing.

Most ADT systems’ default duress code is 2580. Call your provider if you don’t have ADT to see if it has a duress code. If you don’t yet have a security system installed, inquire about this with the technician as well as the company.

Duress codes are effective, and they also provide peace of mind for any homeowner.

The problem with default duress codes is that if a burglar/home invader knows it, he’ll know you are signaling distress. So find out if your system has a default duress code. The user’s manual usually won’t tell you; the technician’s manual usually has this information. If there’s a default code, immediately change it. Of course, if there’s none, take measures to get one.

Other Kinds of Duress Codes

A duress code need not be electronic. It can be by voice if you’re on the phone. Your captor actually may permit you to make a call (such as to get a PIN). Of course, you’ll already have your secret word or phrase confirmed with those you trust.

The code must not be obvious to the captor, but so well-confirmed that there’s no doubt you’re in trouble. For example, everyone knows you hate sushi: “I’m about to order sushi and I forgot my cash.”

Any duress code should be simple enough to always remember, but not “discoverable.” Make sure everyone has it memorized; it should never be written down anywhere.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Consumers worried about Identity Theft over Privacy

A recent poll of 1,000 Internet users reveals that they’re very concerned about security threats to their personal and financial information. Users also believe that the feds should step up more to protect them.

  • 80% are concerned that hackers will get into information they share.
  • 16% are on edge that businesses will use data they share online to send out unsolicited ads to them.
  • 75% are nervous their personal data will be hocked by hackers.
  • 54% worry their browsing history will be monitored for targeted advertising.
  • 57% have signed up for a two-step sign-in process.
  • 83% have required a password to unlock their devices at some point.

This small survey is indicative of the awareness that users have over security and their belief that the federal government needs to take more action.

Nevertheless, the respondents showed a proactive approach to protection, e.g., 73% don’t allow services to retain their credit card information; 65% set their browsers to disable cookies; 68% adjust privacy settings for online accounts; and 76% use a different password for different services.

But consumers give up privacy for “free”.

“The poll also shows that respondents have a lower level of concern about targeted online advertising, as evidenced by the fact that most would rather have a free Internet with targeted advertising than a paid service but with no advertising. Twice as many say they prefer free online services supported by targeted ads (61%) over online services that they pay for but come with no targeted ads (33%).”

This is good news for companies providing free identity theft protection to their customers. On one hand customers want security; on the other hand they want “free”. So when offering up free identity theft protection, a consumer is getting their cake and eating it too!

CCIA

The Computer & Communications Industry Association is nonprofit and represents a large cross section of communications, computer and Internet industry businesses. CCIA promotes innovation and the preservation of fair competition throughout industry. Over 600,000 people are employed by CCIA, and yearly revenue exceeds $200 billion.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

FTC: Tech Support Scams are baaaaack!

They’re back, and they’re scarier than fangy blood sucking ghosts: tech support scammers. They want to suck you dry of your last penny.

A tech support scam may go as follows: You receive a call from someone informing you that your computer is infected with a really bad virus and needs prompt attention. The crook tells you he needs remote access to your computer, then proceeds to “fix” a problem that never existed, and you get charged a fee for it. Worse, while they are logged into your device, they install spyware so they can see everything you do on the PC all day long.

There’s a new type of this scam out now, where you get a call and they tell you you’ll get a refund if you’ve previously paid for tech support services. This scam has several variations, but here is the way it unfolds:

  • They ask if you were happy with the service. If you say no, they’ll then claim they can get your money back.
  • Another claim is that the company is going belly up, and as a result, they’re giving out refunds to individuals who already paid.
  • When enough of these phone calls are made, a certain percentage of the recipients will respond exactly the way the fraudsters want them to: The victims will give out their credit card number or bank account information after being told that this is necessary to process the refund.
  • The scammer may tell you to create a Western Union account in order to receive the refund. Gee, they may even offer to assist you in filling out the forms (how nice of them!) if you hand over remote access to your computer. But they won’t be putting money in your account; they’ll be taking money from it.

Solutions

  • Get a complaint filed at ftc.gov/complaint.
  • If you used a credit card, contact your credit card company and request that they reverse the charge.
  • Hang up on anyone who offers a refund if you provide your credit card or bank information or Western Union account number.
  • Better yet, why bother even answering a call in the first place if you don’t recognize the caller’s number? And if the caller’s number appears to be from “your” bank or credit card company or from Microsoft or anyone you already know and trust, still don’t answer; if it’s legitimate, they’ll leave a message. Even then, don’t call back the number they give you. If they leave a message, contact the institution via the number that’s on your statements to find out if the caller was legitimate.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Analyze Security to reduce Threats

A deep analysis into security (security analytics programs) unveils some riveting areas that need to be addressed if business users are serious about reducing threats of data breaches.

Reveal data leaks. Convinced your business is “data leak proof”? See what stones security analytics turns over. Don’t be surprised if the leaks that are discovered have been ongoing, as this is a common finding. You can’t fix a problem that you don’t know exists.

An evolution of questions. Analytics programs can create questions that the business owner never thought to wonder about. Analytics can reveal trends and make them visible under the business owner’s nose.

Once these questions and trends are out of the closet, decision makers in the organization can have a guideline and even come up with additional questions for how to reduce the risk of threats.

Connections between data sources. Along the same lines as the previous point, security analytics programs can bring forth associations between sources of data that the IT security team may not have unearthed by itself.

Think of data from different sources being poured into a big funnel, and then what comes out the other end are obvious patterns and associations between all that data, even though it was “poured” from differing sources. When “mixed” together, the data reveals connections among it.

Uncovering these associations is important so that businesses can have a better understanding of disparate segments of their network, various departmental information, etc.

Discovery of operational IT issues. Take the previous points a step further and you get a revelation of patterns and connections in the IT operations realm—associations that can help mitigate problems with workflow and efficiency.

In other words, an issue with IT operations could be something that’s causing a drain on productivity, or, something that’s not creating a problem per se, but can be improved to spark productivity.

Uncover policy violations. Analytics can turn up policy violations you had no idea were occurring. Not all violations are malicious, but once they’re uncovered, they cannot be covered up; the next step is to do something about it.
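The “connections between data sources” and “policy violations” points above come down to joining records that normally sit in separate systems. The following is an added example, not code from the original post or from any analytics product: it parses two constructed log sources (a VPN concentrator and a badge reader; the users, addresses and timestamps are made up), correlates them per user, and reports a remote login that overlaps with the same user being badged into the building, plus a login outside a hypothetical policy window.

```python
import re
from datetime import datetime, time

# Constructed sample logs (not real data). Format: "<iso-timestamp> <source> key=value ..."
VPN_LOG = """\
2014-01-14T02:15:00 vpn user=bob src=203.0.113.9 action=login
2014-01-14T09:10:00 vpn user=alice src=198.51.100.7 action=login
2014-01-14T11:40:00 vpn user=carol src=198.51.100.22 action=login
"""
BADGE_LOG = """\
2014-01-14T08:45:00 badge user=carol door=lobby action=in
2014-01-14T09:02:00 badge user=alice door=lobby action=in
2014-01-14T10:30:00 badge user=carol door=lobby action=out
"""

# Hypothetical policy: remote logins are expected only within these hours.
POLICY_HOURS = (time(7, 0), time(20, 0))

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse(text):
    """Turn log lines into dicts with a parsed timestamp and a `source` tag."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines instead of aborting the run
        ts, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events


def last_badge_state(badge_events, user, before):
    """'in', 'out' or None: the user's latest badge action strictly before `before`."""
    prior = [e for e in badge_events if e["user"] == user and e["ts"] < before]
    if not prior:
        return None
    return max(prior, key=lambda e: e["ts"])["action"]


def analyze(vpn_events, badge_events):
    """Return (user, rule) findings by joining VPN logins against badge state."""
    findings = []
    start, end = POLICY_HOURS
    for e in vpn_events:
        if e.get("action") != "login":
            continue
        if not (start <= e["ts"].time() <= end):
            findings.append((e["user"], "login_outside_policy_hours"))
        # A remote login while the same user is badged in is physically implausible:
        # a shared credential, a forgotten badge-out, or a session left open elsewhere.
        if last_badge_state(badge_events, e["user"], e["ts"]) == "in":
            findings.append((e["user"], "vpn_login_while_badged_in"))
    return findings


if __name__ == "__main__":
    for user, rule in analyze(parse(VPN_LOG), parse(BADGE_LOG)):
        print(f"{user}: {rule}")
```

Neither log is suspicious on its own; the findings only exist once the two sources are read together, which is the point the section makes about associations that a single team looking at a single system would not see.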

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.