Identity Theft Revisited
Just yesterday, I touched upon the topic of Identity Theft and Cybercrimes, and just today, I came across a news feature which addresses it again. Hmm, ID Theft seems to be making a resurgence in the press lately . . . Anyways, this solution addresses online banking and mobile commerce (yet another buzzword for it seems to be “M-Commerce”, though you don’t hear too much of that lately). The solution is designed to protect against a certain type of Cybercrime known as a “Brute Force Attack”.
Under this scheme, an attacker keeps guessing your password until he or she finally gets into your financial account, working through what is in theory an endless set of combinations and permutations. That is how the attack got its name. So, here are the details of this new solution: “When a user first registers with a website, mobile application or other online service using Confident Technologies' image-based authentication, they choose a few secret categories of things to remember -- such as dogs, flowers and cars. Each time authentication is needed, the website presents the user with a grid of random pictures -- called the Confident ImageShield. The user must correctly identify the pictures that fit their secret categories to form a one-time password and authenticate . . . If the website or online service has enabled the Confident KillSwitch feature, the user can establish one or more "no pass" categories in addition to their secret authentication categories during registration. If a hacker or a bot attempts to access the account by guessing login credentials or using a brute-force attack, and selects an image that fits one of the user's "no pass" categories, Confident KillSwitch can automatically alert the business or account owner that unauthorized access is being attempted. The technology can immediately lock all access to the online account, or can present increasingly difficult ImageShield challenges while gathering important information including the IP address, geographic location and behavioral biometrics of the would-be attacker, and whether it's an attempt to compromise a single account or part of a broader attack on the organization or even across multiple organizations.” (SOURCE: http://www.findbiometrics.com/industry-news/i/9200/).
My Take
The basic premise of this solution, to the best of my understanding, is for the financial entity to be able to block out, or in other words lock out, a user’s online account after about three or four failed login attempts. There is really nothing new about this theory; heck, even back in the days of Windows NT Version 4.0, this was a common security control. But even so, businesses and organizations across Corporate America are still extremely negligent about this basic Security feature.
For example, “ . . . research conducted at Cambridge University revealed that more than 84 percent of top websites including Amazon, eBay and WordPress, do not limit the number of failed login attempts — leaving the sites wide open to brute-force attacks and the guessing or harvesting of usernames and passwords.” (SOURCE: http://www.findbiometrics.com/industry-news/i/9200/). So, as you can see from the above quote, this Security solution tries to take this old theory one step further, by also offering what is known as “image based authentication”. Let me illustrate with my own online banking account. Whenever I first log in, I am asked to present my username. Once my username has been identified, I am prompted to enter my password.
But before I can do that, a certain picture is presented to me, which is a graphic of something very familiar. For example, it can be an animal, a car, an airplane, a plant, etc. I have to actually confirm that this is the image I selected for my login process when I first signed up for online banking. And, if I am unable to associate the correct description with that picture after three attempts, my account is automatically locked out, and I have to call customer service to have it unlocked. So, in this regard, the Security solution described above is really not much different from my own online banking account. Where the big difference seems to be is that this Security solution takes a very proactive approach in determining the profile of the attack, and where it is actually originating from.
For example, “The data collected by Confident KillSwitch can also be fed into the company's risk engine, fraud-detection platforms, or other adaptive security systems to further enhance the decisions made by those systems and help the organization proactively defend against the attacks.” (SOURCE: http://www.findbiometrics.com/industry-news/i/9200/). Also, this Security solution is offered as SaaS, thus making it very affordable to SME owners who wish to implement this type of enterprise grade protection. But ultimately, in the end, Brute Force Attacks and Dictionary Attacks (where a hacker takes the words from certain pages of a dictionary and uses them as password guesses) will always be there as long as passwords are used as the primary means of verifying the identity of an end user.
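To make the two controls discussed above concrete, here is an added illustration (my own example code, not Confident Technologies’ product or API): a per-account lockout after a small number of failed attempts, the old Windows NT-era control, combined with a KillSwitch-style rule that treats any selection of a “no pass” decoy category as an attack signal, locking the account at once and recording the source for the risk engine. The threshold, the image catalog, the account, and the source addresses are all constructed for this example.

```python
"""Failed-login lockout plus a "no pass" decoy-category alert (added example).

Assumptions (not from the article): MAX_FAILURES is set to 3 to mirror the
"three or four" attempts the post describes; the image catalog, account and
IP addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

MAX_FAILURES = 3  # assumed lockout threshold


@dataclass
class Account:
    username: str
    secret_categories: FrozenSet[str]   # categories the user chose at registration
    no_pass_categories: FrozenSet[str]  # decoy categories a legitimate user never picks
    failures: int = 0                   # consecutive failed attempts
    locked: bool = False
    alerts: List[str] = field(default_factory=list)  # events for the risk engine


def categories_of(clicked: List[str], catalog: Dict[str, str]) -> FrozenSet[str]:
    """Map the image ids clicked on the grid back to the categories they depict."""
    return frozenset(catalog[image_id] for image_id in clicked)


def attempt_login(acct: Account, clicked: List[str],
                  catalog: Dict[str, str], src_ip: str) -> str:
    """Evaluate one ImageShield-style answer and return the outcome.

    Outcomes: "locked" (account already locked or now locked by the failure
    counter), "killswitch" (a decoy category was selected), "ok", or "fail".
    """
    if acct.locked:
        return "locked"

    chosen = categories_of(clicked, catalog)

    # A decoy category can never be part of a correct answer, so a single
    # hit is treated as evidence of guessing: lock immediately and alert.
    tripped = chosen & acct.no_pass_categories
    if tripped:
        acct.locked = True
        acct.alerts.append(
            f"{acct.username}: no-pass category {sorted(tripped)} selected from {src_ip}")
        return "killswitch"

    # Correct answer: every secret category selected, nothing else.
    if chosen == acct.secret_categories:
        acct.failures = 0
        return "ok"

    # Wrong answer: count it and lock once the threshold is reached.
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
        acct.alerts.append(
            f"{acct.username}: {acct.failures} consecutive failures, last from {src_ip}")
        return "locked"
    return "fail"


def demo() -> List[str]:
    """Run a constructed sequence of attempts and return the outcomes."""
    # Constructed grid: image id -> category shown on this grid.
    catalog = {"img1": "dog", "img2": "boat", "img3": "flower", "img4": "car",
               "img5": "tree", "img6": "cat", "img7": "plane", "img8": "fish",
               "img9": "house"}
    alice = Account("alice", frozenset({"dog", "flower", "car"}), frozenset({"fish"}))
    outcomes = [
        attempt_login(alice, ["img2", "img5", "img7"], catalog, "203.0.113.5"),  # fail
        attempt_login(alice, ["img1", "img3", "img4"], catalog, "198.51.100.7"),  # ok
        attempt_login(alice, ["img1", "img3", "img8"], catalog, "203.0.113.5"),  # killswitch
        attempt_login(alice, ["img1", "img3", "img4"], catalog, "198.51.100.7"),  # locked
    ]
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of the example is the asymmetry between the two rules: an honest user who mis-clicks gets a few chances before the counter locks the account, but a decoy-category hit needs no counter at all, because the legitimate owner has no reason ever to pick that image. Both paths record the source address in `alerts`, which is the data the article describes feeding into a risk engine.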
In this regard, the only other solution is Biometrics, as everybody has some sort of unique biological or behavioral marker, which really cannot be guessed in the end. But this is not the perfect solution either, as you are relying upon just one means of Security. So, it means we are back to using passwords again, thus exacerbating the cat and mouse game even further.