PORTLAND, Ore. — The stock market took an immediate nose dive earlier this week after the Associated Press erroneously tweeted that President Obama had been injured during a bombing at the White House. It turns out that hackers targeted AP reporters with phishing emails whose links redirected to a spoofing website that looked like Twitter but really just stole their passwords, resulting in the phony tweet.
According to the Government Accounting Office, over the last five years such cyber attacks grew by 650 percent and cost our economy almost $400 billion annually -- figures cited by U.S. Congresswoman Marsha Blackburn regarding her legislation proposed earlier this month, titled "Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology" -- SECURE IT 2013. Blackburn's bill gives authority and legal protections to government agencies and Internet providers when they share information that would otherwise violate privacy or antitrust laws. The bill also provides for education -- such as instructing users not to click on links in emails -- as well as punishment for cyber-criminals ranging from 3 to 20 years in prison.
However, according to authentication vendors, SECURE IT is like closing the stable door after the horse is already out. The problem of password theft would be moot if people adopted authentication technologies that are already available but underutilized. Legislation may provide policy changes that help educate users, track down bad guys and punish them when convicted, but adopting already available authentication technologies will prevent cyber thievery from occurring in the first place.
"Unfortunately, we are getting political policy proposals instead of substantive ones," said Tony Busseri, CEO of cyber-security provider Route1 Inc. (Glen Allen, Vir.). "If we depend on people to follow proper procedures, then breaches are inevitable. Instead we need to adopt available technologies that provide a substantive answer to breaches, instead of defining new policies to deal with their aftermath."
Each year major data breaches are triggered by the same mistake that AP reporters were enticed into making -- clicking on an email link that redirected them to a spoofing website masquerading as the real thing. The known solution to such password thievery is two-factor authentication. Route1, for instance, provides a hardware key that plugs into a USB port like a thumb-drive, but instead harbors a secure smart-card that acts as the second factor -- accepting passwords only if the hardware key is plugged in. And for government employees, the system works with a reader for their existing identity smart-cards.
Route1's MobiKEY is the second factor in its two-factor authentication scheme, which only authorizes access to secure data if the username/password match with the MobiKEY and PIN supplied by the user.
For civilians, Citrix, Facebook, Google, Microsoft, Oracle, Yahoo and others already offer two-factor authentication that makes a user's smartphone the second factor. When a user logs in with their password, a one-time personal identification number (PIN) is instantly sent to the user's smartphone, and the password is only accepted if the user can also supply that unique PIN, thus making stolen passwords useless.
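As an added illustration, not code from the article or from any vendor it names, the following Python models the two-factor scheme described above for both the hardware-key and the smartphone case: a password check (factor 1) followed by a single-use code delivered to the registered second factor, with expiry and one-use enforcement. The user name, password, phone number and timestamps are constructed for the demo, and `phished_password_scenario` shows why a password harvested by a spoofing site is useless on its own.

```python
import hashlib
import hmac
import secrets
import time

def _hash_password(password, salt):
    # Salted PBKDF2 so a stolen user table does not expose plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoFactorLogin:
    """Password (factor 1) plus a single-use code sent to the user's phone (factor 2)."""
    def __init__(self, code_ttl=300):
        self.users = {}     # username -> salt, password hash, phone number
        self.pending = {}   # username -> (code, expiry timestamp)
        self.code_ttl = code_ttl
    def register(self, user, password, phone):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": _hash_password(password, salt), "phone": phone}
    def start_login(self, user, password, send, now=None):
        """Check the password; on success send a code to the registered phone, never to the caller."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self.pending[user] = (code, now + self.code_ttl)
        send(rec["phone"], code)
        return True
    def finish_login(self, user, code, now=None):
        """Consume the pending code; it must match and be unexpired, and a second use fails."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        expected, expiry = entry
        now = time.time() if now is None else now
        return now <= expiry and hmac.compare_digest(expected.encode(), str(code).encode())

def phished_password_scenario():
    """Constructed scenario: the password leaked to a spoofing site, the phone did not."""
    auth = TwoFactorLogin()
    auth.register("reporter", "correct horse", phone="+1-555-0100")
    inboxes = {}
    deliver = lambda phone, code: inboxes.setdefault(phone, []).append(code)
    thief_password_ok = auth.start_login("reporter", "correct horse", deliver, now=1000)
    real_code = inboxes["+1-555-0100"][-1]                     # reached the victim, not the thief
    guess = "999999" if real_code != "999999" else "000000"    # deterministic wrong guess
    thief_login_ok = auth.finish_login("reporter", guess, now=1001)
    auth.start_login("reporter", "correct horse", deliver, now=1000)
    victim_login_ok = auth.finish_login("reporter", inboxes["+1-555-0100"][-1], now=1100)
    return thief_password_ok, thief_login_ok, victim_login_ok
```

The returned triple is (password accepted for the thief, thief logged in, victim logged in); only the last two differ, which is the whole point of the second factor.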
Cyber security is a real worry nowadays; with every passing day more and more people and organizations are affected by cyber criminals. Laws for cyber crimes are very strict for them; it's time to bring some public awareness program to protect people from identity stealing and other financial crimes. Whatever government and agencies do will not work because the public are not aware of how they can protect themselves.
Call rerouting and CSR legitimacy may be a concern. With the current PSTN, I would not be worried too much. However, re-routing and spoofing of VoIP calls may be a challenge to security experts. I can't imagine what hackers can do if they hack into an SDN network.
Credit & debit card fraud detection departments at banks can take this paranoia too far at times. I recently had a card voided and a new one reissued after the bank said a store where I had recently used the card had a network security breach and my card number may or may not have been taken, although there were no suspicious transactions.
I appreciate that the bank doesn't want the liability of reimbursement if there were some fraudulent use, but preemptively cancelling cards that may or may not have been compromised seems a bit ridiculous. It's costly for the bank and a huge pain for the consumer who has multiple automatic payments attached to that card number. To add insult to injury, it can take up to 10 business days for the new card to arrive, and this kind of thing seems to happen several times a year.
One of the big challenges is that often, legitimate businesses look exactly like scam businesses. The scammers copy legitimate businesses. The security experts tell users what not to do, then the legitimate businesses do exactly what the security experts tell us not to do.
Case in point: credit cards. On the one hand, their fraud detection is pretty amazing. I've had a credit card company send a voice call, text message and email all within minutes of some scam-worthy activity. That's great. What's not so great is that they immediately pepper you with personal questions of the sort that a scammer would be asking.
In that case, the second level of security is to not answer any of their incoming correspondence and make an outbound call to the number on the back of the credit card.
A phantom third level of security is the laws and policies that limit a card owner's liability in the event of theft, but that's pretty much plugging the wrong side of the dike.
Bleeding-edge security is in a continuous arms race with social engineers and hackers. If the social engineering is convincing enough, even digital security code cards can be defeated. Finally, we're going to need to develop better means for authentication of the "customer support representatives" (CSR) as well. Even routine calls for telephone or Internet service require the customer to reveal private information to confirm ownership of the account. How do we know the CSR is really legitimate ... or has the phone line been rerouted?
I'm in favor of multi-factor identification but would prefer something that did NOT require me to give Facebook, Google or Yahoo my mobile number. I only give that number to a small select group that I can trust not to spread it to the world.
I agree, the biggest problem with online security is that few use or even know about better ways to do business.
There are many ways to set up secure communications between users and it is only a little effort to make it more difficult for the criminals to use the links.
Unfortunately, most people will not bother until they have been victims, but by then it is too late.
Just my opinion.