Archive for the ‘Identity’ Category

Have You Ever Been Mis-Sold Security

Information security does not need to be complicated in order to be robust, nor does simplicity equate to an inferior defence. So, have you been mis-sold security?

A lot of the hyperbole stemming from many info security vendors suggests that, in order to be secure, you’ll need to re-mortgage your company premises to upgrade to the biggest, shiniest IT security infrastructure. The simple fact of the matter is that securing business-critical information, be it customer details, financial records or strategic data, boils down to one thing – access.

Aside from the technological argument, an equally important consideration when strengthening IT security is cost. Because IT security has no measurable ROI, with cost justifications made instead on the ability to avoid losing money or damaging reputation, prudence is desirable when making a security investment. I for one would argue that almost all security threats could be averted with only three things: antivirus software, a firewall and some form of two-factor authentication, the latter being the most critical because if you can retain control over access you are, by default, secure.

This is why the continued use of static passwords as the last bastion of information security, and the final word in determining user privileges and administrator access, represents a significant weakness in business defences. More companies are adopting or improving ICT processes, specifically by providing remote access services to help them realise operational and competitive efficiencies for their business or to meet flexible working practice regulations. This is particularly important for SMEs, which account for over 99% of all UK companies and are the real growth area for remote access services. These changes mean that companies are opening more doors to their data, and so the threat posed by malicious individuals and organised criminal gangs grows exponentially. They have access to the tools and intellect needed to launch brute-force attacks, create and disseminate keyloggers, as well as myriad other password cracking or harvesting methods, to which static passwords represent merely a speed bump, not a roadblock.

For this reason, the cliché that “a chain is only as strong as its weakest link” is synonymous with budget-sapping IT security projects. Relying on an archaic access control mechanism not only goes against any best practice considerations, but is also downright foolhardy. As is often the case, the financial sector realised this fact early on, particularly on the retail banking side of things, and is now adopting strong two-factor authentication (2FA). This is visible in the form of both the ubiquitous Chip & PIN and the one-time-password generators issued to online banking customers.

With 2FA, the one-time passwords, generated every single time a user needs to log in, quash any attempts made by a hacker or unauthorised user to gain access to networks, applications and vital business information: they cannot be gleaned via a keylogger and can never be guessed, because each one is random and used only once.

The reason that any security measures, no matter how elaborate and innovative, are prone to failure is that they still rely on those easy-to-crack, often predictable, strings of characters. To illustrate this point it is worth taking a trip back in time to the 1950s, when there were just five computers in operation. Aside from being protected by all manner of physical defences, should a potential saboteur get through, they would be faced with the prospect of having to guess a password. Back then this was an effective and innovative line of defence.

However, as time advances so too does the actual and perceived threat. With the advent of firearms, the sword and spear became obsolete as an army’s only tool for defence. To keep ahead of the online arms race we too need to discard untenable security measures to avoid having to learn from our mistakes.


Ten ways to enhance your anti-Fraud tactics

As fraudsters continually educate themselves on ways to circumvent many traditional anti-fraud systems and establish more elaborate crime rings, banks and merchants alike need to be aware of what else they can be doing to find the right balance of security and ease-of-use in their customer transactions. Ori Eisen, Founder and Chief Innovation Officer at The 41st Parameter, shows ten ways in which organisations can boost their anti-fraud techniques.

There are many possible lines of action that companies can take to detect more fraudulent transactions. Using a combination of multiple tactics is the most effective, because it creates a complex net that fraudsters would have to negotiate. Here are ten of the key approaches to fighting fraud throughout your organisation:

1. Check for billing and shipping address
Check whether the billing and shipping addresses are different. In many cases the crook will have the goods sent to an address other than the billing address. Additionally, if a crook uses a “drop-shipment” address, you can spot that many orders are diverted to this address and place it on a negative list.

2. Increase device ID data
Instead of focusing on single data elements, such as the IP address, it is essential to construct a more comprehensive profile to establish the true identity of the device being used to complete a transaction. Visibility of the time that a transaction is made, compared to the time zone and the language settings of the device itself, can highlight inconsistencies. For example, if a device is supposed to be in France, but has Russian language settings and runs a transaction in the Pacific Time Zone, there is cause to investigate that case further.

3. Maintain standard checking systems
Address Verification Systems (AVS), Card Verification Values (CVV2) and Verify are all important security mechanisms. They cut out a lot of low-level fraud, especially from one-off or unprepared fraudsters. These systems put up an important barrier that legitimate consumers do not find difficult to overcome.

4. Know that IPs can be spoofed
Monitoring IP addresses is not an entirely fraud-proof approach. More sophisticated fraudsters are able to appear to be anywhere in the world by ‘spoofing’ the IP address of another computer. Where the IP address of the genuine card holder is available to them, they are able to make a transaction appear entirely legitimate if the IP address is a key parameter in assessing cases.

5. Check for lazy keystrokes
Flags for suspicious activity should be raised where names, email addresses, passwords etc. are entered using keys grouped together on the keyboard. For example, if someone uses combinations of the letters “asdf”, it may be because they are saving time to rush through vast amounts of data entry. These small give-aways can be another tell-tale sign of a suspicious customer profile.

6. Be wary of anonymous email addresses
While many legitimate customers will use popular email clients such as Hotmail, Yahoo and Gmail, these are also an easy way for fraudsters to set up many new addresses. As email platforms, they are open to anyone, which means that you cannot trust a transaction simply because it has an easily created email address that matches the card holder’s name.

7. Check for ‘email tumbling’
A quick and easy way to pick out organised fraud is to spot sequential email addresses, a sign of ‘email tumbling’. If you have transactions from joebloggs001@, joebloggs002@, joebloggs003@ etc., these are signs that a fraudster is automatically generating email addresses.

8. Continue to conduct manual investigations
While automatic analysis tools will pick out links between some transactions based on data that may not be obvious to a fraud investigator, there is an important place for human review. While it should not constitute more than around five per cent of all fraud analysis, it is important for establishing themes that a computer would not be aware of. For example, would a computer pick out the names David Beckham, Wayne Rooney and Steven Gerrard as all being linked if they were disparate in almost every other way? This is where a human eye can pick out cases that require further investigation.

9. Capitalise on discovering bad transactions
If you uncover a fraudulent transaction, it can be the key to discovering a raft of similar cases. Use every parameter of information relating to the original case that you can find, and search for any others that share the same details, even if only in one parameter. The similarity may be small (it could be the email, postal address, phone number or time zone), but as these correlations build, you will be able to pinpoint more cases that could be bad.

10. Use free mapping tools
Free-to-use mapping services, such as Google Maps, can be used to add more weight to an investigation. If someone has given a “residential” address, then you can check that it is residential and not commercial. If someone has different shipping and billing addresses, you can ascertain whether the addresses are close together. If they are miles apart, there is reason to be suspicious.

Many of these approaches will raise red flags on suspicious cases. However, focusing on only one or two will mean that there are still many transactions that can slip through the net. The parameters that you choose to set as a business will depend on a wide range of factors, from the characteristics of your customer base to the capability of your fraud team, but within these ten steps are approaches that will cut some fraud from your business.
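To show how several of the tips above (1, 2, 5 and 7) combine into one batch check, here is an added example that is not from the article or from The 41st Parameter; the order records, the field names and the “expected locale per billing country” table are constructed assumptions for the demo.

```python
import re
from collections import Counter

ORDERS = [  # constructed sample orders for this demo, not data from the article
    {"id": 1, "email": "joebloggs001@example.com", "name": "Joe Bloggs", "country": "FR",
     "lang": "ru", "tz": "America/Los_Angeles", "ship": "1 Drop St", "bill": "9 Rue A"},
    {"id": 2, "email": "joebloggs002@example.com", "name": "asdfg", "country": "FR",
     "lang": "fr", "tz": "Europe/Paris", "ship": "1 Drop St", "bill": "2 Rue B"},
    {"id": 3, "email": "jane.doe@example.com", "name": "Jane Doe", "country": "GB",
     "lang": "en", "tz": "Europe/London", "ship": "5 Home Rd", "bill": "5 Home Rd"},
]
# Assumed usual device language / time-zone region per billing country (tip 2).
EXPECTED_LOCALE = {"FR": ("fr", "Europe/"), "GB": ("en", "Europe/"), "US": ("en", "America/")}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def is_keyboard_walk(value, min_run=4):
    """Tip 5: true when the value holds min_run adjacent keys from one row, e.g. 'asdf'."""
    v = re.sub(r"[^a-z]", "", value.lower())
    return any(v[i:i + min_run] in row for row in KEYBOARD_ROWS for i in range(len(v) - min_run + 1))

def tumbling_emails(emails):
    """Tip 7: addresses sharing a local-part stem plus a number (joebloggs001@, joebloggs002@ ...)."""
    groups = {}
    for e in emails:
        m = re.match(r"^([a-z.]+?)\d+@(.+)$", e.lower())
        if m:
            groups.setdefault(m.groups(), []).append(e)
    return {e for g in groups.values() if len(g) >= 2 for e in g}

def locale_mismatch(order):
    """Tip 2: device language or time zone does not fit the billing country."""
    lang, region = EXPECTED_LOCALE.get(order["country"], (None, None))
    return lang is not None and (order["lang"] != lang or not order["tz"].startswith(region))

def flag_orders(orders):
    """Combine tips 1, 2, 5 and 7 over a whole batch; returns {order id: [flags]}."""
    tumbled = tumbling_emails(o["email"] for o in orders)
    ship_use = Counter(o["ship"] for o in orders)
    result = {}
    for o in orders:
        flags = []
        if o["ship"] != o["bill"]:  # tip 1: a non-billing address shared by orders looks like a drop point
            flags.append("shared_drop_address" if ship_use[o["ship"]] > 1 else "ship_differs")
        if locale_mismatch(o):
            flags.append("locale_mismatch")
        if is_keyboard_walk(o["name"]):
            flags.append("keyboard_walk")
        if o["email"] in tumbled:
            flags.append("email_tumbling")
        result[o["id"]] = flags
    return result
```

Flags are only signals for review, as the article says; the batch-level checks (shared drop address, tumbled email stems) are what single-transaction rules miss.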


MOD admits massive personal data loss

Hot on the heels of our recent coverage of M&S losing thousands of employees’ personal data files, the Ministry of Defence was forced to admit yesterday that three laptop computers containing personal details of hundreds of thousands of military recruits are missing. None of the data on the laptops was encrypted; it included passport data, National Insurance and driving licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces. Richard Farnworth, General Manager, Enterprise Solutions, NEC UK comments:

“This latest announcement should certainly act as a wake-up call to the Government and all holders of personal data. The security technology and processes currently in place clearly don’t protect against human error or malice, so the public sector needs to start following enterprise’s example for its security provisioning.

“To negate such security losses, leaks and breaches in the future, the Government should explore virtualised computing solutions that allow laptops to purely act as ‘dummy terminals’ where all the data is stored centrally. Therefore, if a laptop is lost or stolen, important data is not able to get into the wrong hands.

“Another viable security solution for non-virtualised laptops and PCs is full disk encryption, which allows data to be encrypted at the hardware level, allowing always-on data encryption. However, the need for security in the IT infrastructure is becoming more and more pervasive, encompassing the entire network and the appliances that are attached to it. Therefore, data encryption at appliance level (e.g. PCs) is important, but there is an increasing number of appliances (e.g. mobile telephones, PDAs, BlackBerrys, virtualised solutions) accessing the network that must also be secured. Encryption, authentication and access control are especially key for these technologies, as is the encryption of the data as it travels across the network and the data protection within server, storage and SAN environments.

“Authentication and verification is continuing to become much more sophisticated and NEC is at the forefront of such developments using a range of multi-modal approaches, such as presence-based access control (e.g. NFC, RFID, and chip & pin) alongside biometric security (fingerprint, facial and eye recognition), which will become increasingly important in the years ahead.

“Ultimately, human error, disclosure or malice continue to be the biggest threats to data security, so if the Government is to avoid the negative headlines we have recently seen, they should be looking to deploy the personalised, multi-modal solutions that we would expect from Government levels of security.”
