While PhoneFactor has been widely deployed as a means to protect banking customers from online fraud, banks are also adopting PhoneFactor to secure another critical access point – remote employee logins. Like other industries, banks are impacted by the shift toward remote access driven by an increasingly mobile workforce and growing adoption of cloud computing. And because of the large amount of personal and financial data banks collect, they are a primary target in the battle against today’s sophisticated and well-organized cybercriminals.
Banks must meet rigorous compliance standards as well as fulfill the high security expectations of their customers. Multi-factor authentication has become the gold standard for protecting not only customer transactions, but also remote employee access. Many of the same reasons that PhoneFactor is ideal for online banking (ease of use, strong security, and affordability) also apply to employee implementations.
PhoneFactor recently announced the addition of several new banking institutions to its rapidly growing client list. Heartland Financial USA, OceanFirst Bank, Northway Bank, and the Credit Union Association of New York have all selected PhoneFactor to enable multi-factor authentication for remote access. Securing employee logins with PhoneFactor’s easy, out-of-band phone and SMS text authentication methods allows these banks to provide airtight security and still keep costs down.
It was one year ago this week that I began in earnest a coding project to prove or disprove my suspicion of an exploitable weakness in TLS renegotiation. I fully expected to fail in this endeavor as this protocol was generally regarded as having stood the test of time. Even after I had a working demo in hand I scarcely believed it, halfway expecting to be interpreting some result wrongly or to be pointing out a non-issue which had always been obvious to everyone else.
Nevertheless, Steve and I decided to begin the process of disclosing this bug to respected members of the security community, vendors, and other code owners with the expectation of widening the circle over time. Although our sentiments typically favor aggressive disclosure timelines, it was clear that the complex dependencies and the multi-vendor nature of this bug made that approach unrealistic. We reasoned that the most well-engineered solution would have the best chance of emerging from a coordinated process. So for the next few months, we offered our help in working out tentative agreement on a proposed solution and giving some vendors a little head start in their implementation efforts.
A few months later, the vulnerability was independently rediscovered and publicly described. In retrospect, this was a classic case of “sometimes you get what you need” though it was hard for everyone to accept at the time. Now that the cat was out of the bag, the protocol standardization efforts could be conducted with the usual open, public processes of the IETF. After a great deal of discussion, the proposed solution was eventually accepted with just a few missing details filled in (RFC 5746).
At this point, we were a bit surprised at the absence of a great rush to patch vulnerable software with support for the protocol extension which fixed renegotiation (perhaps we were still a bit idealistic). We’d expected open source TLS implementations to take an early lead. But in fact, most distributors had patched their software to simply disable renegotiation outright and now seemed to be in no hurry to re-enable it securely (this logic is flawed for subtle reasons). Sometimes open-source TLS libraries implemented support for the fix which stalled in the pipelines of their downstream distributors. It was the commercial browser vendor Opera that first implemented secure renegotiation in a major product, and many other vendors have followed along since.
Microsoft’s case was particularly challenging. They have invested heavily into web-based technologies and consequently have one of the largest varieties of products speaking TLS. Their commitment to platform support going back years and multiple OS versions meant that, in some cases, older designs had to be given significant architectural upgrades. Through a combination of conservative design and accident, Microsoft clients and servers tended to not be willing to perform TLS renegotiation without reason. Thus in many cases, a Microsoft client talking to a Microsoft server would not be susceptible to the bug (although they still needed to be patched for the greater TLS ecosystem). To their credit, Microsoft never used this argument to advocate delay.
Last Tuesday, just nine months since the public disclosure of the TLS renegotiation vulnerability, Microsoft pushed down a patch via their Windows Update channel which added support for the protocol extension to all their operating systems and applications, beating several smaller vendors in the process.
At a time when vendors are often criticized for slow responses to seemingly small but severe defects, the industry has proven it can work together to fix a very challenging bug in an interoperable protocol in record time. I think now is as good a time as any to claim victory.
- Marsh Ray
Governments face a tremendous challenge in addressing cyber security threats. The scope of the problem is enormous, and extends beyond even the broadest definition of cyber warfare to include:
While cyber warfare has moved to the forefront of the discussion recently, all three are absolutely vital to US national and personal security.
As government agencies scramble to lock down the growing volume of data they are entrusted with while also supporting information sharing among their own staff and across agencies, they are increasingly looking to technologies like PhoneFactor to get the job done. PhoneFactor announced this week the addition of the US Department of State, the District of Columbia government, and the Federal Railroad Administration to its client roster. These organizations join a growing list of federal, state, and local government agencies adopting PhoneFactor to meet their rigorous security requirements while also supporting their need for scalability and affordability. (PhoneFactor Announcement)
- Sarah
Incidents of online banking fraud have risen to unprecedented levels, while retail and commercial banking customers are growing increasingly dependent on their trusted service providers to insulate them from the malicious threats that continue to increase in number and severity.
A recent study released by the Ponemon Institute and Guardian Analytics (2010 Business Banking Trust Study) demonstrates the scope of the problem:
PhoneFactor recently published a new whitepaper, Combating Online Fraud with Out-of-Band Authentication, which examines how these threats affect online banking, customer perceptions about risk and financial responsibility, and the role of out-of-band authentication in protecting against them.
The whitepaper can be downloaded at http://www.phonefactor.com/two-factor-resources/whitepapers/download-online-banking-fraud.
-Sarah
PhoneFactor has extended its reach into the banking industry in two ways: by partnering with Fiserv, the leading global provider of financial services technology solutions, which provides online banking and bill payment services to thousands of financial institutions, and by launching the Universal Banking Gateway. Both allow PhoneFactor to integrate easily with online banking applications to provide much-needed out-of-band user authentication.
PhoneFactor recently announced a partnership with Fiserv to provide authentication through the Corillian® Online banking solution. The new phone-based authentication option will be integrated into Intelligent Authentication™ from Fiserv, a strong multi-factor user authentication tool that is available to financial institutions that use Corillian Online.
The Universal Banking Gateway enables rapid implementation with any online banking platform. The Gateway adds a critical authentication layer to secure online banking logins and transactions without requiring direct integration with the online banking application.
PhoneFactor works by confirming online banking logins, ACH, wire transfers and bill pay processes through an out-of-band phone call or text message. Because the authentication is confirmed through the telephone network, it protects against escalating threats from man-in-the-middle attacks and online banking trojans.
Read the full announcements here:
PhoneFactor and Fiserv Partner for Phone-Based Multi-Factor Authentication
PhoneFactor Launches Universal Banking Gateway
-Sarah
Before you hit play and watch this news story, just know that the Bad Guy didn’t even have to try as hard as he did. This crime is easier to commit than this news segment shows, and there are places a whole lot more vulnerable than an ATM vestibule in the middle of the day.
It’s an important case because we rely more and more heavily on ATM/Debit and Credit Cards as we move toward a cashless society. And they’re all vulnerable to the type of attack detailed here. New card skimmers are showing up that get the mag stripe data. Some are coupled with small cameras that watch you enter your PIN. The info is sent to a Bad Guy via a wireless network, and the Bad Guy makes a new mag stripe card, drives across town, withdraws money out of another ATM or makes a purchase at a retail store (no PIN is required if the transaction is run as a credit card purchase), and disappears into the sunset. You’ll never see your money again.
Roll ‘em:
Basically, the Bad Guy just needs a few seconds to attach a skimmer to the ATM and attach a camera to a convenient location in view of the keypad. Everything can be pre-programmed, so this whole operation can be done in the blink of an eye. The system works by wirelessly transmitting all of the information to the crook, at a safe distance from the ATM.
The point is it’s easy to read magnetic stripes, it’s easy to re-encode magnetic stripes, and it’s easy to buy a bunch of blank credit-card-sized magnetic stripe cards and encode those stripes with stolen numbers. Since merchants don’t verify that you have a genuine (or even genuine-looking) card anymore, a Bad Guy can copy your card and use it at any gas station, any ATM, or any self-service kiosk, and probably not get caught.
Numerous incidents of ATM skimming have been reported recently, including:
So, what can be done about this?
There are a few things consumers can do to dramatically improve security in their life, like monitoring their transactions, using known ATM machines and keeping an eye out for changes, etc. But just like passwords are no longer considered a sufficient means of protecting access to online accounts due to things like phishing, relying on a magnetic stripe on a credit card is just not enough to protect your financial transactions. Adding a second method to verify that the account owner is, in fact, the person conducting the transaction would offer material benefit.
PhoneFactor’s Transaction Verification is an easy, effective means of protecting consumers. PhoneFactor simply calls the cardholder to verify the transaction before dispensing the cash or completing the transaction. It works for online transactions as well as in-person transactions at ATMs and retail locations.
- Steve
PhoneFactor has expanded its two-factor authentication platform to include support for out-of-band authentication via SMS text messaging. Here’s how it works:
Step 1
Enter your username and password just like you do today.
Step 2
Instantly, PhoneFactor sends you a text message with a one-time passcode. To authenticate, simply text the passcode back to PhoneFactor.
That’s it! Because the one-time passcode is both sent and confirmed through SMS, the process is completely out-of-band.
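The two steps above, modelled from the server’s side as an added example (this is illustrative code, not PhoneFactor’s implementation). It assumes a passcode generated from the OS random source, a short validity window, a cap on wrong replies, and a stub SMS gateway that records messages instead of sending them; the phone numbers, window length and attempt limit are constructed values, not figures from the post.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # assumed window; the post gives no figure
MAX_ATTEMPTS = 3         # assumed cap on wrong replies per passcode

# Constructed in-memory stores standing in for a database and an SMS gateway.
PENDING = {}   # username -> {"code", "phone", "expires", "attempts"}
OUTBOX = []    # (phone, text) messages the stub gateway "sent"


def send_sms(phone, text):
    """Stub SMS gateway: records the message instead of transmitting it."""
    OUTBOX.append((phone, text))


def issue_passcode(username, phone, now=None):
    """Step 2, server side: text a fresh one-time passcode to the phone on file.

    The code comes from the OS CSPRNG and is bound to the registered number,
    never to a number supplied by the browser session being authenticated."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    PENDING[username] = {"code": code, "phone": phone,
                         "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    send_sms(phone, f"Your login passcode is {code}")
    return code


def verify_reply(from_phone, text, now=None):
    """Handle an inbound SMS; return the username whose login it completes.

    The reply must originate from the registered phone, so a passcode that a
    user is tricked into typing into a phishing page does the attacker no good."""
    now = time.time() if now is None else now
    reply = text.strip().encode()
    for user, rec in list(PENDING.items()):
        if rec["phone"] != from_phone:
            continue
        rec["attempts"] += 1
        expired = now > rec["expires"]
        match = hmac.compare_digest(rec["code"].encode(), reply)  # constant-time
        # Single use: the record is consumed on success, expiry or lockout.
        if match or expired or rec["attempts"] >= MAX_ATTEMPTS:
            del PENDING[user]
        return user if match and not expired else None
    return None   # unknown sender: nothing pending for that phone
```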
Now users can choose the two-factor method they prefer, phone call or SMS text message, all with the same level of out-of-band security and convenience. This enables the ultimate flexibility for your users and a single platform for your IT team to manage.
Learn more about SMS authentication. Or try it yourself in our Online Demo.
- Sarah
PhoneFactor will be showcasing two new products at the 2010 RSA Conference! Stop by PhoneFactor Booth #1757 to learn more about these exciting additions to our out-of-band authentication platform.
And don’t miss PhoneFactor CTO Steve Dispensa’s panel discussion on responsible disclosure.
Responsible Disclosure: It’s Their Fault!
Wednesday, March 3rd, 10:40 AM, Orange Room 305
Steve Dispensa, CTO and Co-Founder of PhoneFactor, will be participating in a panel discussion on responsible disclosure at RSA 2010. Steve will be joined by representatives from Adobe, PayPal, Continental Airlines, and The Metasploit Project and moderator Martin McKeay for a discussion on the role researchers, vendors, and customers play in the responsible disclosure debate.
Don’t miss – Responsible Disclosure: It’s Their Fault!
Wednesday, March 3rd, 10:40 AM, Orange Room 305
Catch a sneak peek of the discussion with Martin McKeay and Steve Dispensa.
And be sure to stop by the PhoneFactor booth, Booth #1757.
- Sarah
PhoneFactor CTO Steve Dispensa and Sr. Software Engineer Marsh Ray are headed to DC this week where they will be presenting the keynote address at the ShmooCon conference. The keynote Closing the TLS Authentication Gap will detail the technical aspects of the SSL/TLS authentication vulnerability they made public last fall and the story behind the disclosure process. More information about the keynote is available at: http://www.shmoocon.org/presentations-all.html#tls.
- Sarah