Latch: How to protect digital identities (I of IV)

In my last talks I have made a habit of asking the audience a trick question that I know for a fact they will not be able to answer (or I am mistaken). It is as simple as: "How many of you know exactly how many digital identities you have on Internet services?" Try to answer this question yourself: see if you can remember every identity you have created, leaving behind more or less personal data, since you opened your first Internet connection.

It may also be that, if the number is high, you have opted for repeating a password (especially on those services that seem insignificant), or that you have a password-generation method like the one Dan Kaminsky had when all his Internet accounts were taken over.

The second question I ask the attendees of one of my hat-wearing rants is: "How many of you have protected more than 10% of your digital identities with a second authentication factor?" By my rough statistics from technology environments, about 1% of the audience raises a hand at this question.

The conclusion is simple: we continue to depend on passwords

In the end, if we take a slightly deeper look at the problem, we find that few or no users are able to remember all the digital identities they have created, that for most of those identities the only protection is a password, and that there is a high probability that some of those passwords are not robust enough, or that the method used to generate them can be inferred once the first reused password is known.

Accounts get hacked no matter what

In the end, we are used to seeing news on the Internet that all the accounts of some website have been hacked and the identities have ended up who knows where. Cases like the Sony PlayStation Network, the Adobe scandal, LinkedIn, or the password files with Yahoo! identities published on Dropbox are everywhere on the Internet.

Passwords do not only fall when a site suffers a serious intrusion. It can also happen simply because the user has had the misfortune of logging in from a computer infected by a botnet that has stolen their identity, whether their own computer or a poorly managed one in an Internet café.

This can also happen on smartphones, where malware is already advanced enough to capture every password entered, or where a malicious app may simply want to take your credentials (something for which single sign-on password environments were created). In fact, as we saw in the series of articles devoted to finding the haunts of identity thieves, a little searching through search-engine indexes is enough to locate dumps of identities stolen by all types of malware.

It may also happen that the website does not have a good policy against brute-force login attempts that iterate over usernames instead of the password: that is, keep the password fixed and keep changing the username until one of them gets you in. Or it may be that the password that seemed so complicated and hard to guess is not, as shown by the online service from Microsoft that predicts the next character of the password as you type it.

If we move on to cases where the attacks are targeted, it is even worse. Periodically there are incidents of celebrities' or journalists' Twitter accounts being hacked (many through phishing schemes aimed at mobile terminals), and I receive daily requests to steal identities, like the one from the Tuenti offender who got himself a malignant lesson. These requests travel the dark paths of the Internet until they end up with a scammer, or with someone who really does the job and makes somebody suffer.

If these targeted attacks are carried out against the e-mail account that acts as the keystone, things can be infinitely worse. A clear example of this was the hack suffered by Mat Honan, a Wired reporter, where an attacker managed to fool an Apple Genius over the telephone by giving the last digits of his credit card, information that was public at Amazon. The Genius reset the password of the Apple ID account, and after all the data had been stolen from his devices, his iPhone, iPad and MacBook were wiped. He had been hacked, and hard, as he himself put it.

Risk factors for having your identity stolen

The potential impact of poor management of digital identities depends directly on how many risk factors you have introduced into your digital life. I am not talking about downloading software from untrustworthy sources onto your computer, or having a rogue AV instead of a real antivirus on your smartphone, but about things people often do that affect the totality of their Internet identity (which is simply the sum of all their identities).

Uncontrolled creation of identities on the Internet is one of the risk factors to consider. Today you can avoid creating uncontrolled accounts by using things like OpenID and OAuth to authenticate on many systems. Of course, you have to control which parts of your account the apps or services are granted access to, but it largely avoids uncontrolled identities.

Reusing passwords and, what is worse, reusing a complete identity by registering with the same username and password on different Internet services, is perhaps one of the greatest sins to avoid.

Using a password manager (protected with a master key, as it should be) is a good idea: it lets you stop using simple, memorized or guessable passwords and switch to complex ones, and on top of that you know exactly every identity you have created throughout your life. These apps are also available for mobile devices and can always go with you.

I do not want to forget the famous password recovery questions, or the hints for remembering which password was entered in a given system. If you have not taken adequate precautions, these may be the easiest points at which to lose an online identity … anywhere you have created an account.

Even if you use a good password manager, you are never safe from someone getting hold of a website's database, or finding a bug in its authentication system, and finally taking over a digital identity that belongs to you. So you should always avoid using your keystone (the account to which you have linked all your digital identities "to recover the password via e-mail") on more sites than strictly necessary; remember the case of Mat Honan.

And the last option: not having a second factor that adds something you have on top of the password, which so far may not have been needed to access your digital identity, but … are second-factor systems convenient or useful for users?

Second-factor alternatives for protecting digital identities

If we look at the solutions for implementing a second factor, there are many alternatives, but almost all are based on the concept of the OTP (One-Time Password). These single-use passwords must be supplied in addition to the usual password of the service being protected, through an alternative channel. That channel may be SMS messages to a mobile phone, a smartphone app, a connection from another device, or a hardware token that displays the value to be entered at each moment.

SMS-based solutions have the problem that the company bears a cost for sending the messages, and they are not always easy to deploy in every country. Without going any further, Apple ID 2FA has been deployed via SMS for several months in many countries, but in Spain and more than half of the world it is not yet available, so identities in those countries have no second factor.

Something similar to what happens with Apple happens with Microsoft. It deployed its SMS OTP system in the United States and other countries long ago, but it has not yet been able to deploy it in many parts of the world, leaving the measure without the effectiveness we Internet users need.

In the world of online banking, where SMS OTPs are used to validate transactions, many cybercrime schemes are based on getting a Trojan installed on the mobile terminal. Do not forget that, in the end, if the attacker manages to steal information from the user's account, they may well learn the telephone number associated with it, and online fraud schemes have the infrastructure to send the appropriate Trojan in each case. The now famous and ancient Zeus MitMo (Man in the Mobile) is an example of this.

As a twist on SMS OTPs, some companies, as Swivel Secure proposes with PINsafe, not only send the OTP by SMS but send it obfuscated, so that the user knows a sequence such as (1342) that gives the order in which to pick the digits from the SMS to compose the correct OTP. If a MitMo intercepts the SMS with the OTP, it cannot obtain the correct value without knowing the sequence the user keeps in their head (as long as they do not forget it).

An alternative to SMS messages is to use synchronized tokens, like the famous RSA tokens. The idea is that the hardware token has a number-generation algorithm that is also available on the server, so no Internet connection is needed. That is, completely offline, the token displays the value the user must enter to pass the second-factor challenge that the server presents.

This works reasonably well, but there are several factors to consider. First, the equipment is expensive and requires maintenance. Second, many of them get lost or stolen or, worse, are simply left at home. Keep in mind that this is one more gadget you need to carry, and the checklist of things to take every time you leave the house keeps getting more complicated. And I cannot finish without mentioning that RSA itself suffered an intrusion into its business to steal, as was speculated, the algorithms for generating the numbers on the tokens, which they explained very "briefly".

To solve this cost problem, some companies propose replacing the hardware tokens with a smartphone app that performs the same function. The security risk in these cases is that someone may reverse-engineer the app and get hold of the OTP generation algorithm, which is why others prefer an Internet-service-based scheme that sends the values to both the app and the server over the Internet.

An example of this is Google Authenticator, where a user can integrate this service with an app associated with their account and, before signing in to the Gmail app, for example, look up in Google Authenticator the value to enter.

As a final variation on all these systems that aim to complement the security of a password with a second factor, I cannot forget the famous coordinate cards, where the user has a list of values that will be requested at some point as an extra check, confirmation or challenge for a particular operation. Unfortunately, we have seen many cases where users type the entire coordinate card into the Trojan, without batting an eyelid, and even send a photocopy of it by fax.

Solutions aimed at the user

Thinking about why almost nobody uses these services voluntarily, and why it is almost always an imposition by the company or organization that manages the identity, we should say that most of these systems are only for geeks or are somewhat uncomfortable. Nobody thought about Penny when designing the second-factor security functionality. This has to be much easier for everyone to use.

Reality has taught us that it does not matter whether a measure is super secure if almost no user, or very few, uses it. A second-factor measure that increases the security of a user account by 30%, on a service with 1000 users, and is adopted by 90% of them, will be much more effective than a measure that increases security by 60% but is adopted by only 10%. The eternal security-versus-usability rant, applied to opt-in second-factor solutions.

Figure 1: A user worried about their digital identities at naptime

We have to think about users and look for something that is easy for them to handle, because in the end what people want is to enjoy their free time and take a siesta. "How many of you are dying for the weekend to arrive so you can nap on the couch with the TV remote in your lap?" Users do not want to know about security; they want to feel relaxed and safe so they can rest at ease. More tomorrow.

Malignant Greetings!

********************************************************************************
- Latch: How to protect digital identities (I of IV)
- Latch: How to protect digital identities (II of IV)
- Latch: How to protect digital identities (III of IV)
