3 September 2015

How GOV.UK Verify Has Stopped Short Of Delivering the Perfect Citizen Experience

Make it easy for people to self-serve online and that is what the vast majority of people will elect to do. Public sector organisations have invested millions in putting key services online and have also spent a significant amount of money making us aware of them. For these organisations it means that they can reduce costs associated with delivering ‘manned’ service and for the citizen it means they can get access to the information and resources they need 24/7.

If you have used any of these services you will know that it is something of a mixed bag when it comes to the user experience. Renewing car tax for example is a relatively straight-forward process that saves a visit to the Post Office, but dealing with certain elements of the HMRC website offers an altogether different experience. Then, if you have to pick up the phone and choose the wrong time of day to do so you can expect an excruciatingly long wait. A quick search on Twitter and you will see what people have to say.

One of the problems people have when dealing with public sector organisations is the fact that we do not need to engage with them very often, but when we do it is inevitably for something important. As a result of this infrequent usage I for one without fail will fall at the first hurdle - passing through the Gateway.

The Government Gateway account is something you must sign-up for to access HMRC online services and it is essentially a username and password. However, it isn’t a username of my choosing and it consists of 12 randomly generated numbers. So, when I need to file my tax return it isn’t getting my accounts in order that creates the stress, but trying to remember where I jotted down the username and password when my account was first activated (which was some years ago). It is frustrating and can be more than a little concerning, especially if filing a return at the eleventh hour to avoid a penalty!

As a citizen I have no choice. Yet, as a customer shopping online I know the power of the pound in my pocket and if I am not getting the service experience I expect then I can vote with my feet. These commercial organisations know this and there is a groundswell of activity at the moment to improve how customers can login and authenticate themselves. But just because government organisations do not have to change it doesn’t mean that they should not evolve their identity verification and authentication processes.

Step forward the much debated and anticipated replacement to the Government Gateway. The GOV.UK Verify initiative is being closely observed by governments around the world, as a new way to improve the verification of a citizen’s identity (replacing archaic face-to-face and postal methods used currently).  In many respects GOV.UK Verify is a great idea. It gives the user a choice of which specialist third-party organisation they can use to initially validate their identity (it should take around 15 minutes) and after this one-time-only process the user then simply logs in. But for me it is here at the authentication stage that this fantastic innovative project falls down, as it reverts to the standard username and password, which is my bugbear with the current Gateway.

I had hoped that such a trailblazing and forward-looking project would have looked beyond passwords, especially given the raft of compelling one and two factor authentication alternatives that are being adopted in private sector (and indeed some public sector) organisations right now.

I of course appreciate and value the prospect that GOV.UK Verify will hopefully improve the protection of my data from the increasingly resourceful professional cybercriminals or opportunists. And, I also look favourably on the new front-end interface (it could not have been much worse!). However, from a user experience perspective (and I am talking as a citizen/customer rather than an authentication expert) it does not satisfy my expectation for a fast and secure authentication experience.

I cannot help but feel that they have stopped just one step too short, and if they had taken this single step they could have made an exciting project a truly ground-breaking initiative that would set the standard for not only other public sector organisations but private sector businesses to follow.  My hope is that as the service is rolled-out and bugs are ironed out there will be a planned phasing out of the password in favour of something that will enhance and does not inhibit the customer experience.

Author: Fred Astfeldt

25 August 2015

Case study: The City of St. Petersburg

Known as “The Sunshine City”, St. Petersburg, Florida in the US averages 361 days of sunshine each year. It covers 61.7 sq. miles and has a population of approximately a quarter of a million people making it the 5th largest city in Florida. St. Petersburg has emerged as a top destination for the arts with the Dali Museum, the Dale Chihuly world renowned glass collection, and six art districts. It is the job of the city’s 2,500+ employees to provide the essential services and support that keeps the city running smoothly.

The challenge

The city has a growing number of employees that need to access resources on the city network, whilst working away from the office. To help them, the city implemented a remote access solution from VMware and mobile device management from AirWatch. However, with many of the software applications not available in mobile versions, it was causing a problem for those logging on via tablets and smartphones.

The solution was to use VMware View, which would give employees remote access to the desktop applications they needed from their mobile devices. However, this increased the security risk, as Brian Campbell, Information Technology Security Officer at the City of St. Petersburg explains: “The only security requirement offered by VMware View to gain access to the users' desktop was their security credentials of user ID and password. Whilst we have stringent policies for user ID creation and robust password management, we recognised that it simply was not enough.”

Mr. Campbell uses the example of a mobile device being inadvertently infected with a key-logger, which could capture the login credentials and potentially be used to infiltrate the system and cause disruption.

The city decided that an additional layer of security was needed and a two-factor authentication (2FA) solution would be the most prudent way forward. The city’s Information Security team investigated, demonstrated and discounted a number of the market leading solutions. Mr. Campbell explains: “The solutions we looked at were not straightforward, elegant, nor in a small enough form factor to make us feel comfortable in choosing any of them. That is until we found PINgrid from Winfrasoft.”

Initially the simplicity of PINgrid made the team wary, but also intrigued enough to embark upon rigorous and thorough testing to scrutinise every aspect of the solution. The result was zero failures. “We had to know if a solution so simple could meet our high expectations,” adds Mr Campbell. “During the testing phase we were in frequent contact with the Winfrasoft team and their responses to our questions were always immediate and positive. Not only were we impressed with the solution, we were also impressed with their customer service.”

Having found its 2FA solution, the city invested in user licenses for PINgrid for the members of staff who are authorised to have remote access, and today it is fully integrated with the VMware solution.

The benefits

To use PINgrid all an employee with remote access rights needs to do is download the app (available from all major app stores) on to their mobile device. Meanwhile, the Information Security team creates their account which in turn triggers an email to be sent to the employee, which includes their initial PINgrid pattern. The entire process takes a matter of minutes.

Now, all the user needs to do to login is to access VMware View but before they enter their username and password they are prompted for a One Time Code. This code is obtained by simply opening the PINgrid app and entering the corresponding digits that appear in their pattern.

“For staff choosing to install the app on their personal devices we ensured that they understood that the PINgrid app is essentially a standalone number generator requiring no Internet access, no “phone home” requirement, and giving them reassurance that it is completely independent and that they could use it with confidence,” notes Campbell.

“We have found that the beauty of PINgrid is in its simplicity,” remarks Mr. Campbell. “It has been easy to deploy and the roll-out required virtually no user training; even though we offered it to everyone, only around 5% of the users requested assistance.” Campbell concludes: “PINgrid is absolutely the solution we were looking for but didn’t expect to find. It works perfectly, is consistent and we have no complaints or problems at all. We are very pleased indeed.”

17 July 2015

VIDEO: Winfrasoft CEO, Steven Hope Explains Why the Time Has Not Yet Come for Biometrics

Last week our CEO, Steven Hope, joined leading privacy, identity and security experts from across Europe to present at Building Trust on a Hyperconnected World, an event hosted by EEMA and OASIS at the EMEA headquarters of CA Technologies, Ditton Manor.

In the session entitled ‘Biometrics: the time has come?’, Steven was joined by Professor JJ Nietfield from the University Medical Centre in Utrecht, the Chair of the OASIS IBOPS Technical Committee, Abbie Barbir and Executive Director of EEMA, David Goodman. During his presentation and the panel debate which followed, Steven shared his perspective on the hype surrounding the use of biometrics. He explained that whilst the technology does have the potential to have a place in the identification and authentication process, there is a reason why it has not yet taken off in the way many experts had expected.

Steven argued that the proliferation of biometrics on the latest smart devices is focused on delivering a convenient user experience, and is not about delivering tight security, despite the worrying efforts of some large organisations (especially those in the banking sector) trying to find ways to exploit the likes of TouchID for authentication purposes. He also observed how the word ‘biometrics’ has wrongly become synonymous with security, and explained how smart devices operating consumer-grade biometric sensors, could not and should not be expected to deliver the accuracy and reliability of high-end biometrics equipment used in the commercial world.

You can watch Steven's full presentation here...

14 July 2015

Passwords won’t be gone in the blink of an eye

I truly believe we are about to turn the corner in finally replacing password-based authentication, but I am concerned that many organisations (some vendors and some end-user businesses) are getting a little distracted with the current flavours of the month.

Last month I posted a blog explaining why emojis are not the future of authentication. This week I find myself having similar conversations about selfies, following MasterCard’s announcement that it is experimenting with a mobile app, through which the customer poses for a selfie, blinks and hey presto they are authenticated!

Many of us use emojis and take selfies every day (as well as using social networks, which is another method being considered), so on face value it would seem to make sense to try and find ways of adopting them as authentication tools. However, passwords have been with us for a long time, so don’t think that they are going to go in the blink of an eye!

From an end-user perspective passwords cause us headaches, because they are overused and as we all do so much online, we need to remember so many of them. Most of us solve this problem by using the same password (or variations of it), causing organisations major headaches as we compromise their security protocols. The thing is, we all want to be secure and protected but we are also impatient and don’t want to be inconvenienced, so we look for short cuts.

Now, imagine this brave new world where passwords have been replaced by the headline hitting gimmicks. As it is the start of July you want to login to your online banking to check you have been paid. To do so you are asked to provide a fingerprint (biometric). Great news, you have money in your account and it is time to renew your car insurance, and they want you to prove you are who you say you are with a selfie. Next you decide to do your weekly shop but before you can arrange delivery you need to use your secret combination of emojis. Three different methods to authenticate. Suddenly passwords don’t seem so bad!

For all their failings passwords are ubiquitous in our society. There is an encouraging ground swell of support to displace them, but if they are to be usurped it needs to be with something that has the potential to become just as prolific and lasting, and crucially doesn’t cause the people who use them pain.

Author: Fred Astfeldt, Winfrasoft

2 July 2015

Winfrasoft to Help Organisations Move from Passwords and Hard Token Authentication at the Security IT Summit 2015

Winfrasoft today announced that at the Security IT Summit 2015 it will be demonstrating how organisations can move away from password-based security with the award-winning PINgrid, PINpass and PINphrase. The one-day event takes place on 7th July at the Hilton London, Wembley.

At the Security IT Summit, Winfrasoft (an OATH and FIDO Alliance Member) will provide security professionals working in B2B and B2C organisations with a fresh alternative to their current authentication and transaction verification methods. Delegates will learn how they can remove the reliance on password-based authentication and pressure on the helpdesk for resets, eliminate procurement costs and administration surrounding card readers and keyring tokens, and innovate without the need to implement expensive biometrics.

- PINgrid is an award-winning and patented multi-factor authentication and transaction signing solution that is being used in the public and private sector today to transform any mobile device into a soft-token, via a simple offline app, replacing passwords with a memorable pattern that automatically generates an OTP.

- PINpass turns any mobile device into a token by sending a six to eight digit OTP to it via SMS or email. By combining it with a PIN, or an existing Active Directory password, PINpass creates a strong 2FA solution.

- PINphrase uses Random Character Authentication.

PINgrid, PINphrase and PINpass all support implementation in 1.5 and 2FA environments.

Head of Sales at Winfrasoft, Fred Astfeldt comments: “Recently we have seen a reaction from retail banks as they start to offer customers a choice in how they authenticate themselves online, giving the option to continue with card-reader or keyring token, or to login using their memorable information. In PINphrase, Winfrasoft is the only authentication specialist with an off-the-shelf product that enables any organisation to implement this form of authentication without the need to develop it in-house.”

Astfeldt adds: “Our solutions have been rigorously tested in public and private sector organisations and have been proven to deliver strong, robust and reliable authentication. However, they have also been demonstrated to have a major impact on improving the end-user experience.”

In addition to PINgrid, PINphrase and PINpass, Winfrasoft will also be demonstrating its Enterprise Desktop Logon and Remote Desktop Agent for organisations using Microsoft’s Remote Desktop Services, Citrix and VMware. These solutions enhance secure access to the corporate network, applications and data by augmenting the username and password login with either 1.5 or 2FA.

For more information about the Security IT Summit visit: www.securityitsummit.events

Follow the event on Twitter @SecIT_Summit

18 June 2015

Why Password Vaults, and Emojis are not the Future of Authentication

The news this week that Last Pass has suffered a security breach is a reminder of why I am not a fan of the password vaults currently on the market.

Password vaults serve one purpose only and that is to make it easier for people to store their login credentials centrally. They are not about making those credentials more secure. Yes, you will see marketing materials talking about encryption and the like, but at the end of the day all you are doing is consolidating your passwords and ‘securing’ them with just one master code.

People buy in to password vaults for convenience; in fact Last Pass has the tagline ‘The last password you’ll ever need’. It is essentially the same as storing all your credit, debit and store cards, along with your driving licence and cash in a wallet. It seems like a great idea until it gets stolen.

For me, the root cause of the problem isn’t the password vault itself, but the password. Most of us tend to see the login screen as an obstacle that stands in the way of us doing what it is that we want to do. Anything that makes it quicker and easier to get through the process is welcomed with open arms. To illustrate my point, how many of you click the ‘remember this password’ when given the opportunity? I know I have.

If we are being honest most of us are willing to make some form of trade-off between security and convenience, but we should not be expected to do so. Passwords continue to haunt our lives because organisations decide to enforce their use, and in most instances it is because they do so as they don’t know what else to do. As security professionals it is our role to give these organisation choice, show them that there is a better way and crucially, put forward a compelling business case that will drive lasting change.

At the same time Last Pass has been hitting the headlines this week, so too has Tripwire for its attempt to solve the problem using emojis. As a marketing gimmick it has certainly succeeded in grabbing attention, and they seem to be heading in the right direction by trying to make login credentials easier to remember and leveraging the capabilities of mobile devices. But could such a solution viably replace every website, mobile app or corporate network that currently uses a password? Emojis might appeal to millennials logging on to a social forum, but would a silver surfer feel comfortable using them for their online banking? It may well be more secure than a password but I can’t imagine entering: smiley face, sad face, birthday cake and love heart to authorise a transaction from my corporate bank account!

Meanwhile, at the other end of the scale biometrics are promising to change the world, but unless you are a large bank with money to burn it is pretty much out of reach, and even then you have the issue of standardising on a biometric.

This is the big challenge we as an industry face if we are going to replace something as ubiquitous as a password. We need to find something that has the potential to be just as ubiquitous in the future, otherwise we will be stuck in the same old rut. 

We think we might have just the thing! www.pingrid.com 

Author: Fred Astfeldt, Winfrasoft

11 June 2015

Reducing Customer Friction with Better Authentication

Retail banks around the world are trying to get to grips with a difficult challenge: how to make their identification and authentication processes secure enough to protect them and satisfy the regulators, but at the same time balance that with the desire of customers to have a frictionless experience. This was one of the key issues that was debated at a one day conference held at the Department of Business Innovation and Skills in London last week.

Attended by experts in e-identity and authentication, those working in some of the largest banks in Europe, as well as representatives from the European Commission and the European Banking Association (EBA), the event was held a few weeks after 24 out of 28 authorities from EU member states signed up to the new EBA guidelines for online payment security. Coming into force from 1st August 2015, these guidelines require banks to have stronger authentication whereby a customer must provide non-reusable security details. So, unsurprisingly, online payments were a red hot topic of conversation.

The problem with online payments today is that when consumers buy something online they reach for their debit or credit card. However, these cards were introduced when there was no Internet and were designed to be presented at the point-of-sale. As a result banks are having to deal with huge amounts of fraud from online card payments, costing huge sums of money and draining resources.

Since their introduction cards have evolved, with chip-and-PIN and more recently contactless payment technology for low value transactions, but the latter makes these cards more, rather than less, susceptible to crime. So it is interesting to see the rapid uptake of this innovation, which suggests customers are willing to trade a level of security for convenience, in much the same way as they opt for easy to remember passwords for their online accounts.

The problem for banks is that whilst customers may be happy with a trade-off, the banks and their regulators are not. However, they know that to gain and retain customers they need to find ways of delivering a more frictionless online experience. Hence, whether you are a business or a retail customer you may have seen the need for your card reader or key-ring number generator (otherwise known as a hard-token) diminish in favour of more convenient methods of online authentication. Of course, this is also great news for banks as the cost to administer these devices is very high indeed.

However, during the conference it was clear that banks are eager to find ways to strengthen their identification and authentication processes in a friction free manner, and worryingly many explained how they are investigating the use cases of biometrics in all its forms.

In my opinion, there are a number of significant stumbling blocks when it comes to biometrics. Not only the level of investment and management that is required, and the sophistication of biometric readers on the current crop of ‘smart devices’, but also the challenge and cost of on-boarding all new and existing customers. This is far from the frictionless experience that customers are wanting, and banks are replacing one costly technology with another! Also, these readers currently feature on the higher end devices, alienating the majority of customers. And, as one speaker was quick to point out – what happens if a customer using biometrics is a victim of fraud? Criminals will undoubtedly find a way to cheat the system. So, how does a victim then go about proving they are who they say they are?

One of the most insightful observations of the day was that banks can choose to add as many ‘layers’ of security as they wish, but if they are going to satisfy the customer they need to make the customer feel like they are using just one, any more and they feel like barriers. So, whether they are logging on or transacting via a website, on a desktop PC, a browser on a smartphone or tablet, or via an app, the process needs to be convenient, reliable and of course trusted.

This is why the username, password and memorable information approach has been well adopted: it is device agnostic. So, if you want to have stronger security (and whilst this approach is strong it could be stronger) you need to find a solution that can also work in this environment, and currently biometric readers are neither robust nor ubiquitous enough to satisfy these requirements.

However, there was unanimous consensus that using smart/mobile devices was undoubtedly the way forward. Using these devices presents a way to improve the authentication process for banks, without adversely impacting or burdening the customer. Yet, rather than biometrics, these devices can be used to replace card-readers or key-ring tokens, by augmenting the username and password login with a one-time code generated through an offline app residing on the device.

From the bank’s perspective this approach is relatively inexpensive when compared to hard-tokens and biometrics. It can be rolled out rapidly at a regional, national or international level and it eases the possible friction for the customer.

Another great benefit of this approach is that as well as being used for logging on to online bank accounts, it can also be used for swift online transaction verification, meaning online card payments can be afforded a far greater level of protection, which is great news for the banks who can save millions in reduced fraud incidents and the customers who are less likely to be innocent victims.

Author: Steven Hope, CEO, Winfrasoft

1 June 2015

Is Your Action Camera Watching You?

Here at Winfrasoft we think action cameras are great pieces of kit, whether you want to capture for posterity the three-legged race at the school sports day, or are abseiling down a cliff. However, this morning we were as surprised as anyone to learn that the camera and the images, video and audio recorded and stored on them can be vulnerable to attack.

Today, the BBC has reported that the latest Hero4 device from the market leading action camera vendor GoPro could be compromised by, yes you guessed it, weak password security!

In the video report, Ken Munro from Pen Test Partners explains how these cameras use WiFi to sync with the GoPro app on the user’s mobile device. Those of you who have an action camera will know that from the app you can have complete control over the camera’s features and functions. And it works fantastically well.

The problem is the GoPro app requires a password and, as Mr Munro rightly points out, people typically choose simple passwords. As a result, the ‘intruder’ can take full control of your camera without you knowing! In fact, they were able to crack the password in just a few seconds, using a dictionary attack. As a result the intruder can choose when the camera is switched on or off, can record (both video and audio) and they can even switch off the usual lights and sounds, so you would never know that the camera sat on the table is capturing everything.

Of course, most criminals are not going to be interested in your adrenaline fuelled holiday adventures, but the thought of someone possibly listening and watching without you knowing feels somewhat sinister and intrusive. The advice by Pen Test Partners is to make the password as strong as you can, but anyone who reads this blog regularly will know that there really isn’t such a thing. So, if you want to be 100% safe then make sure you have the WiFi setting on your camera switched off.

You can read the full story and watch the video at: http://www.bbc.co.uk/news/technology-32934083

Author: Steven Hope, Winfrasoft

27 May 2015

How to Secure Every Remote Desktop with 2FA

You may find it hard to believe but I am just about old enough to remember a time when you switched off your office PC at the end of the day and that was it. If you wanted to finish off that all important presentation you could take a laptop home, but there would be no network access. So, you hurriedly copied and pasted everything on to the desktop on a Friday afternoon. Sound familiar?

Today, thanks to great technology such as Microsoft’s Remote Desktop Services and of course many others, we can all get (and indeed expect) access to our desktop resources whether in a coffee shop, airport lounge, train or a customer site.  Logging on in this way is now second nature.  It means we are free from the shackles of the office-bound desktop and arguably a lot more productive.

But, for many organisations this freedom comes at a price and that is compromised security. Does the benefit outweigh the risk? I am not so sure, as you are only as strong as your weakest link. Being able to offer remote desktop access from a technical perspective is relatively simple and low cost (again thanks to the likes of Microsoft), but securing it adequately and effectively has traditionally been expensive and prohibitive.  I am of course talking about two-factor authentication (2FA).

As 2FA isn’t built-in to Microsoft Remote Desktop Services the only option for organisations conscious of securely protecting their desktop PCs and the network upon which they reside, from data breaches and cyber threats has been to invest in a separate solution. But, traditionally 2FA has been the preserve of key-ring token providers, which require a large (the numbers can be quite frightening) up-front investment and demand a lot of administrative resource. There is often a lot of resistance from those who will be using the token and unless you have a huge remote workforce, the numbers simply don’t stack up to make it a viable proposition.

Add into the mix regulatory compliance policies for some sectors that demand 2FA is used. You have one camp that is forced to make the painful investment, and the other that simply cannot justify or afford it and must enforce a blanket ban on remote access. Of course, there will be a few ill-advised cases that choose to risk it.

For those not needing to adhere to regulation, the majority settle for the default username and password combination that Microsoft Remote Desktop Services offers.  However, with advances in technology, most notably the ability to place soft-tokens on to mobile devices, the costs have plummeted and it is easier than ever to manage.

From today, organisations using Microsoft Remote Desktop can strengthen their security with 2FA by augmenting the username and password screen with the need to enter a unique one-time passcode.

Using the new Winfrasoft Remote Desktop Agent, all the user needs to do is download the PINgrid app on to their phone. From this point when logging in they simply open the app and enter the digits that appear in their PINgrid pattern.  It is also great news for the IT team as there is no need for any code changes, making it very quick and easy-to-deploy, whether you are an SME, or a large multi-national enterprise.

The Remote Desktop Agent makes strong 2FA affordable for all. So, those who need to comply with regulation but could not afford to do so, now can. Organisations of all shapes and sizes that want to secure their desktop access with 2FA have the option to do so. And, those that have had their hands tied and are using expensive hard-tokens now have a viable alternative to consider when their next license renewal is due.

For more information about Winfrasoft Remote Desktop Agent contact a member of our team on Tel: +44 (0)118 336 8330, or Email: sales@winfrasoft.com

Author: Steven Hope, CEO, Winfrasoft

PRESS RELEASE: Winfrasoft Launches Remote Desktop Agent to Deliver Two-Factor Authentication For Microsoft’s Remote Desktop Services

Winfrasoft today announced the launch of its Remote Desktop Agent (RDA) that takes advantage of its award-winning PINgrid solution to deliver secure two-factor authentication (2FA) for organisations using Microsoft’s Remote Desktop Services. Quick and easy-to-deploy without the need for code changes, RDA enables IT security teams to comply with 2FA policy requirements, without slowing down the user log-in experience.

When a user attempts to log-in to their desktop remotely they are presented with the familiar username and password challenge, alongside which they are asked to enter their one-time PINgrid passcode. The user simply enters the digits included within their individual PINgrid pattern, which is displayed on their smartphone or tablet, via the PINgrid app. For organisations that want to strengthen their authentication but do not require full 2FA, RDA can be deployed directly on to the login screen as a non-obtrusive 1.5FA solution.

CEO of Winfrasoft, Steven Hope comments: “Many organisations rely on Microsoft’s Remote Desktop Services to provide employees with anywhere access to their desktop via an Internet connection. The big problem for IT security teams is that it doesn’t have two-factor authentication built-in. Our RDA solution uses PINgrid, which is trusted by public and private sector organisations around the world to deliver strong authentication.”

Remote Desktop Agent is available now.

5 May 2015

Creating a Pattern for Authentication

We all use patterns to create passwords and have our own ‘unique’ formulas that we hope will keep us secure and able to remember them. So, I was not surprised to read a story on TechWeekEurope in which Praetorian had reported that half of users’ passwords follow just 13 structures.

What did shock me though is that there were as many as 13. How many of you use the tried and tested pattern for creating a password that begins with a capital letter at the start of a memorable word, followed by a memorable number and ending in an exclamation mark? My guess is that it is the majority of you!

It may seem to make sense that fewer structures inevitably make it easier for hackers to decipher passwords, and that organisations should therefore enforce ‘strong’ password policies to avoid the obvious and make it harder. However, the fact of the matter is that even if there were double, quadruple or even ten times the number of structures in use, all it would do to a determined cybercriminal is slow them down a little, forcing them to use a wider variety of tools and tactics from their arsenal. It certainly would not stop or deter them.

My answer to the problem is simple. If people like using patterns to create passwords and those passwords are not secure, then remove the password from the equation altogether and use the pattern. This is the foundation upon which PINgrid is based.

Of course, the obvious question to ask is what is to stop the professional cybercriminal or opportunist from simply guessing, or identifying, patterns? After all, surely that is easier than passwords! So, here is the clever part. Unlike passwords, the user never discloses the pattern that they have chosen.

Using PINgrid, when the user logs in they simply type in the numbers displayed in the cells of their memorable pattern (a 6x6 grid uses the digits 0-5). And, because these numbers change constantly, it creates a huge range of possibilities. So, in a standard 6x6 configuration, PINgrid provides 2.1 billion unique pattern possibilities; scale that up to 8x8 (using the digits 0-7) and the number grows to an incredible 68.7 billion.
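To make the mechanism concrete, here is a small simulation of a grid-pattern one-time passcode scheme of the kind described above. It is an added educational example and not Winfrasoft's PINgrid code. The one assumption it makes beyond the post is that a pattern is 6 cells long, because that length reproduces the figures quoted: 36^6 is about 2.1 billion and 64^6 about 68.7 billion. The pattern used in the demo is a constructed secret.

```python
"""Grid-pattern one-time passcode simulation.

Added example, not Winfrasoft's PINgrid implementation. The pattern length of
6 cells is an assumption chosen because it reproduces the page's keyspace
figures (36**6 ~ 2.1 billion for 6x6, 64**6 ~ 68.7 billion for 8x8).
"""
import secrets

PATTERN_LEN = 6  # assumed, see module docstring


def make_grid(size):
    """Return a fresh size x size grid; each cell holds a digit in 0..size-1.
    A new grid is issued for every login, which is what makes the typed
    digits one-time: the same pattern yields different digits next time."""
    return [[secrets.randbelow(size) for _ in range(size)] for _ in range(size)]


def pattern_keyspace(size, pattern_len=PATTERN_LEN):
    """Number of distinct patterns: an ordered choice of pattern_len cells
    out of size*size positions (repeats allowed, which is the counting that
    makes the page's arithmetic come out)."""
    return (size * size) ** pattern_len


def validate_pattern(size, pattern):
    """The memorised secret is a list of (row, col) cells. Enrolment should
    reject patterns of the wrong length or with cells outside the grid."""
    if len(pattern) != PATTERN_LEN:
        return False
    return all(0 <= r < size and 0 <= c < size for r, c in pattern)


def read_passcode(grid, pattern):
    """What the user types: the digits currently shown in their pattern's
    cells, read in pattern order. The pattern itself is never typed."""
    return "".join(str(grid[r][c]) for r, c in pattern)


def verify(grid, pattern, typed):
    """Server side: recompute the expected digits for the grid it issued and
    compare in constant time. Non-digit or wrong-length input fails early."""
    expected = read_passcode(grid, pattern)
    if not (typed.isascii() and typed.isdigit()) or len(typed) != len(expected):
        return False
    return secrets.compare_digest(expected, typed)


def demo(size=6):
    """One login plus a replay of the same digits against the next grid.
    Returns the outcomes so they can be checked rather than printed."""
    pattern = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]  # constructed secret
    grid_a = make_grid(size)
    code_a = read_passcode(grid_a, pattern)
    grid_b = make_grid(size)  # the next login shows a fresh grid
    return {
        "keyspace": pattern_keyspace(size),
        "login_ok": verify(grid_a, pattern, code_a),
        "replay_ok": verify(grid_b, pattern, code_a),  # almost always False
    }


if __name__ == "__main__":
    print(demo())
```

The keyspace figure is the number of patterns a guesser would have to consider blind; what the server actually checks on a given login is a 6-digit code, so the usual controls on online guessing (attempt limits, lockout) still apply on top of the scheme.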

Author: Alissa Lang, Winfrasoft

28 April 2015

Making Passwords Easy to Digest

I am all for making security easy to digest, but actually eating passwords is taking things a step too far in my book. We have all seen the movies where someone eats a piece of paper containing the evidence, but does anyone seriously think this could be the future of authentication? It seems there are people that do!

Security professionals are familiar with the ‘traditional’ authentication factors such as...
  • Something you have – A key-ring token for example
  • Something you know – The username and password combination
  • Something you are – The biometric in all its forms
However, last week some new factors were proposed…
  • Something you have eaten
  • Something you have implanted
  • Something you have injected
These concepts have been mooted in the past as a flight of fantasy, but now PayPal’s Global Head of Developer Evangelism, Jonathan Leblanc, has suggested to the Wall Street Journal that ‘natural body identification’ in the form of edible, injectable and implanted devices could well be the shape of things to come, with current biometric techniques a stepping stone. For those of you old enough to get the reference, it is all starting to sound a little ‘Logan’s Run’ to me!

Whilst I appreciate that our industry needs visionaries to help break the stranglehold passwords have on our lives, it is also important that we don’t get carried away. Passwords have been used for hundreds of years in one form or another and whilst people are tired of them, I believe this type of talk is not at all helpful in moving the conversation forward.

Yes, this type of story does grab the headlines, but the truth is why would anyone want to use these proposed forms of identification? Especially when there are methods available today that are proven to be practical, affordable and far less invasive. Also, whilst an ingested tablet may be able to identify you, that isn’t the same as authenticating you, and in most scenarios we find ourselves in today it isn’t just about proving that we are who we say we are, but also that we have the permissions to do what we want to do.

So, I hope that in years to come it will be those who suggest such crazy ideas who are eating their words, and not those consuming passwords!

Author: Alissa Lang, Winfrasoft

22 April 2015

Sharing Passwords on National Television

A few days ago I wrote about a recent survey which found employees would be willing to sell their passwords. However, it now seems to be about giving them away for free, by broadcasting them to the nation, in what turned out to be perhaps one of the most ironic television interviews of the year.

You may recall that the French broadcaster TV5Monde was the subject of a major hack, thought to be orchestrated by Islamic State supporters, which caused the station to stop broadcasting for over three hours. But, in what turned out to be an embarrassing interview with a reporter to discuss the incident, a representative from the station could be seen standing in front of a wall plastered with notes revealing the passwords to accounts such as the station’s Instagram, Twitter and YouTube channels.

Of course, accidentally broadcasting passwords is very different from an employee selling them, but the fact that they were placed on the wall in the first place highlights the theme that employees do not see the significance of sharing and disclosing passwords, even when an organisation is in the midst of recovering from a severe cyber-attack. Secondly, the only reason the passwords would have been posted on the wall in the first place was clearly convenience and ease of use, as it means no-one needs to remember them.

The problem with passwords (well, one of them) is the fact that for most people they are perceived to be a barrier in the way of getting to where they want to go, and not an intrinsic and important security measure. So, it is inevitable that employees will look to find ways to make the barrier smaller, whether it is posting them on the wall, displaying them on a post-it stuck to the monitor, or making them as easy to remember as possible.

So, to counteract this behaviour you need to educate employees as to the importance of security, whether it is accessing the corporate network or the Twitter account. After all in the eyes of the media a data breach is a data breach. Realistically, a hacker is unlikely to do much damage by gaining access to a social network account, but the fallout and reputational impact can be immense and hard to recover from.

Furthermore, you need to look at the password as a tool and ask: if people find them difficult to remember, how can we make it easier? Or could we do without them altogether? Yes, this contradicts many calls to make passwords stronger and more complex, but that has been said for many years now and it isn’t working.

The time has come for a new approach that makes it easy for employees to play their part in keeping the organisation secure by removing the burden of remembering a password. For more information check out PINgrid.

Author: Alissa Lang, Winfrasoft

17 April 2015

Would your employees sell their company passwords?

We have too many passwords, it is tough to remember all of them, they are not as secure as we would hope (regardless of how ‘strong’ they are) and it costs IT helpdesks a small fortune to handle the constant stream of reset requests. These are all familiar pain-points of the password, but if a new survey is to be believed it would seem that organisations need to watch their back, as one in seven employees are willing to sell their passwords for as little as $150.

This was the finding of a global survey conducted by the identity management company SailPoint earlier this year. This says two things to me. The first is that organisations need to better educate their employees as to the ramifications of a security breach, as I am sure many people are naïve about what a determined criminal can accomplish with one single password. Secondly, if people could be tempted to disclose their password for such a relatively small sum of money, we as security professionals need to take a close look at how we can remove the temptation.

It is often said that the human factor is the weakest link in the security chain. So clearly, the most obvious way to stop corporate passwords being sold is to remove the need for people to have them in the first place. After all, if you don’t have it you can’t sell it! You may say “Easier said than done”, but in truth it is simple.

The ubiquity of passwords has for too long made IT departments and security professionals wary of replacing them. This is coupled with the fact that the available alternatives, such as biometrics, have been accompanied by hefty price tags, challenging roll-outs and resource-intensive management. However, new solutions such as PINgrid are taking the elements of password-based security that work well and replacing those that don’t.

So, if you are an employee you still log in using a passcode, but it is a one-time code generated from a pattern that you have memorised within a simple grid (either displayed on-screen, or via an app on a mobile device). Of course an employee could sell their pattern, but it would be worthless as the digits within it are never repeated in the same sequence. Therefore, they would also have to sell their device along with it, and I don’t know anyone who would be willing to be parted from their phone (whether their own device or a corporate-owned one) for a few minutes, let alone sell it (apps intact) to a total stranger!

Author: Alissa Lang, Winfrasoft

18 March 2015

Why I Want To Bank on My Brain and not Biometrics

In an article published today by Infosecurity Magazine, Alissa Lang from Winfrasoft explains how many banks are moving away from passwords by introducing or trialling biometrics. However, Alissa puts forward a strong argument that they do not have a place in authenticating customers, stating "I want to use my brain when I bank, and not a biometric."

You can read the full story at: http://www.infosecurity-magazine.com/opinions/why-i-want-to-bank-on-my-brain-and/

3 March 2015

The Importance of SME Security in the Supply Chain

In Europe two out of every three employees are employed by SME organisations. However, when the topic of security and cybercrime is being discussed you would be forgiven for thinking that these businesses are in the minority, as the media (and to a large extent the vendors) focus on larger and wealthier enterprises.

It would be fair to say that for the majority of SMEs security issues do not feature heavily in their day-to-day thinking. After all, they are focused on running their revenue generating operations and why would they worry about issues that seemingly only ever happen to the ‘big boys’? And even if they do appreciate the risks, few have the time to keep abreast of the latest threat landscape and ways to safeguard against them.

The problem is however that cybersecurity is very much an issue for SMEs and the impact can be devastating. For one of those large organisations that hit the headlines it can inflict harm on their brand reputation if not managed correctly and it can cost many millions of pounds to resolve, as well as impacting the bottom line, but by and large they have the resources and infrastructure to bounce back. For a vulnerable SME a basic ransomware attack could spell the end of their business.

Of course, some of these attacks on high profile organisations are targeted, and the owner of an SME may counter with the question ‘Why would a cybercriminal be interested in me?’ To answer that question, take a moment to think like a criminal. They specialise in finding weak links. Some will be opportunistic and see an open door, or window, with a wallet left on the table unguarded. Meanwhile, others will be far more calculated in their approach. Your business may not be the ultimate target, but you may present the ‘open window’ through which they can get access to the organisation that is tempting them with a big score! You are just collateral damage. What is more, that organisation you are supplying certainly won’t thank you.

Going after the weak link in the supply chain isn’t new (you may recall the now famous Lockheed Martin incident back in 2011). For this reason supply chain security has moved up the ICT agenda for large enterprises. So, for those SMEs who can demonstrate that they will not be the weak link, it could well be the point of difference between winning a major contract and losing out to a competitor.

Most SMEs do have a basic level of protection, but for many the only time it is mentioned is when the annual renewal of the anti-virus software comes around.

In today’s world of multiple always on, always connected devices it is the password that provides the first line of defence. Get hold of a password and all too often the cybercriminal has the keys to the candy store – confidential information, contracts and contacts, passwords and access to systems, and in some instances that can include third parties!

The challenge for an SME and especially those on the larger side of the spectrum is being able to manage passwords adequately. When someone creates a password they do so because they think they will remember it, not because they think it will be secure. Enforce more complex or so called ‘strong’ passwords and the cost of constant reset requests will go up. Worse still so does the likelihood that they will be written down on a Post-It note and stuck on the side of a monitor (insider attacks can and do happen). Ask them to change their passwords frequently and it will inevitably be a variation on the same theme so DavidSmith1! becomes DavidSmith2!
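Both of the points made on this page about password habits, the small number of structures most passwords follow (the ‘Capital word, number, exclamation mark’ recipe) and the DavidSmith1! to DavidSmith2! rotation above, can be checked mechanically. The following is an added example, not code from the page or from Winfrasoft: it classifies passwords by structure so an auditor can see how concentrated a set is, and it rejects a rotated password that is only a trivial edit of the previous one. The sample password list is constructed for the demonstration.

```python
"""Password structure audit and trivial-variation check.

Added example, not code from the page or from Winfrasoft. SAMPLE below is a
constructed list; in practice the audit would run over a cracked or
policy-test set, and the variation check at password-change time.
"""
from collections import Counter


def char_class(ch):
    """U = upper case, l = lower case, d = digit, s = anything else."""
    if ch.isupper():
        return "U"
    if ch.islower():
        return "l"
    if ch.isdigit():
        return "d"
    return "s"


def mask(password):
    """Per-character class string, e.g. 'Password1!' -> 'Ulllllllds'."""
    return "".join(char_class(c) for c in password)


def structure(password):
    """Mask with runs collapsed, so word length no longer matters: the
    'capital word + number + !' recipe is structure 'Ulds' whatever the word."""
    out = []
    for cls in mask(password):
        if not out or out[-1] != cls:
            out.append(cls)
    return "".join(out)


def audit(passwords):
    """Count structures and report the share held by the most common one.
    Returns (counter, top_structure, share); a high share means a policy
    that looks varied is really funnelling users into one shape."""
    if not passwords:
        return Counter(), None, 0.0
    counts = Counter(structure(p) for p in passwords)
    top, n = counts.most_common(1)[0]
    return counts, top, n / len(passwords)


def edit_distance(a, b):
    """Levenshtein distance by the usual dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variation(old, new, max_edits=2):
    """True when the new password is within max_edits of the old one ignoring
    case, which is exactly the DavidSmith1! -> DavidSmith2! rotation. A
    change-password handler would refuse the new value in that case."""
    return edit_distance(old.lower(), new.lower()) <= max_edits


# Constructed sample set for the audit; not real credentials.
SAMPLE = [
    "Password1!", "Summer2015!", "Liverpool9!", "Tr0ub4dor&3",
    "correcthorsebatterystaple", "Welcome123!", "DavidSmith1!",
]


if __name__ == "__main__":
    counts, top, share = audit(SAMPLE)
    print(f"most common structure {top!r} covers {share:.0%} of the sample")
    print("rotation DavidSmith1! -> DavidSmith2! trivial?",
          is_trivial_variation("DavidSmith1!", "DavidSmith2!"))
```

The structure audit is the defensive counterpart of what the Praetorian research measured: if one structure dominates a company's own password set, complexity rules are being satisfied by a formula rather than by entropy. The variation check is a change-time control; the threshold of two edits is a policy choice, and a stricter deployment would also compare against a short history of previous hashes.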

Large security-conscious organisations (and I stress that not all of them are) invest in additional layers of security, such as key-ring tokens and even biometrics, but they introduce complexity, are expensive, are resource-intensive to manage and are out of reach for most SMEs. What is more, many of them will revert to password-based authentication if they fail! However, thankfully there is a new breed of innovative and affordable software-based solutions on the market that can give small and large organisations alike the same calibre of first-line defence, replacing passwords without massive change and closing what has until now been an easy door to walk through for the determined cybercriminal.

If you would like to learn more about how to safeguard your supply chain visit: www.pingrid.com

Author: Steven Hope, CEO of Winfrasoft

18 February 2015

Would you use Touch ID for your mobile banking?

You will likely have seen the news that RBS and Nat West are planning to use Apple's Touch ID. On the face of it, it would seem to make perfect sense to make use of this latest innovation in smartphone technology; however, in my opinion Touch ID for banking is not a good idea.

Firstly, when this technology was launched it was hacked within days and with relative ease, and that was not a big surprise. After all, it simply isn’t commercially viable to place high-quality biometrics technology on a mass-market consumer device costing a few hundred pounds.

I myself am an iPhone user and stopped using Touch ID when I challenged a friend over dinner to get access to my device. It wasn’t until I got home later in the evening that I realised he had succeeded in changing some of my settings.

We do need to move away from passwords, and what they are replaced with must strike a balance between delivering security and usability if it is going to become ubiquitous. For me, whilst this latest news from RBS and Nat West is a great headline grabber, it is ultimately the latest gimmick on the biometrics bandwagon.

21 January 2015

Would you give your password to a stranger with a camera?

We have been saying for years that one of the biggest problems with password security (if you can call it that) is that every time you use it, you give away your secret, meaning it is no longer a secret and no longer secure!

This week the Mirror has published online a video taken from the Jimmy Kimmel show in the US that, whilst very amusing, hits home with a very strong message - passwords are simply not secure. 

Author: Alissa Lang, Winfrasoft