PORTLAND, Ore. ó The stock market took an immediate nose dive earlier this week after the Associated Press erroneously tweeted that President Obama had been injured during a bombing at the White House. Turns out that hackers assaulted AP reporters with phishing emails, redirecting clicks to a spoofing website that looked like Twitter, but really just stole their passwords, resulting in the phony tweet.
According to the Government Accounting Office, over the last five-years, such cyber attacks grew by 650 percent and cost our economy almost $400 billion annually -- that cited by U.S. Congresswoman Marsha Blackburn regarding her legislation proposed earlier this month which called for "Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology" -- SECURE IT 2013. Blackburn's bill gives authority and legal protections to government agencies and Internet providers when they share information that would otherwise violate privacy or antitrust laws. The bill also provides for education -- such as instructing users not to click on links in emails -- as well as punishment for cyber-criminals ranging from 3 to 20 years in prison.
However, according to authentication vendors, SECURE IT is like closing the stable door after the horse is already out. The problem of password theft would be moot if people adopted authentication technologies that are already available but underutilized. Legislation may provide policy changes that help educate users, track down bad guys and punish them when convicted, but adopting already available authentication technologies will prevent cyber thievery from occurring in the first place.
"Unfortunately, we are getting political policy proposals instead of substantive ones," said Tony Busseri, CEO of cyber-security provider, Route1 Inc. (Glen Allen, Vir.). "If we depend on people to follow proper procedures, then breaches are inevitable. Instead we need to adopt available technologies that provide a substantive answer to breaches, instead of defining new policies to deal with their aftermath."
Each year major data breaches are triggered by the same mistake that AP reporters were enticed into making -- clicking on an email link that redirected them to a spoofing website masquerading as the real thing. The known solution to such password thievery is two-factor authentication. Route1, for instance, provides a hardware key that plugs into a USB port like a thumb-drive, but instead harbors a secure smart-card that acts as the second factor -- accepting passwords only if the hardware key is plugged in. And for government employees, the system works with a reader for their existing identity smart-cards.
|Route1's MobiKEY is the second factor in its two-factor authentication scheme, which only authorizes access to secure data if the username/password match with the MobiKEY and PIN supplied by the user.
For civilians, Citrix, Facebook, Google, Microsoft, Oracle, Yahoo and others already offer two-factor authentication that makes a user's smart-phone the second factor. When a user logs-in with their password, a personal identification number (PIN) is instantly sent to the user's smartphone, and their password is only accepted if the user can also supply that unique PIN, thus making stolen passwords useless.