FOR IMMEDIATE RELEASE

Ohanae Response to White House NSTIC
with Privacy & Identity Protection Solution

Ensures users that their logins cannot be guessed, phished, or stolen with absolute simplicity, making online transactions safer, faster, and more private

Los Gatos, CA (Sep 12, 2011) - Ohanae today announced its support for the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative to create an “identity ecosystem” to improve the privacy, security and convenience of online transactions.

Knowing and trusting the identities involved in a transaction – whether it is business-to-consumer, business-to-business or government-to-citizen – is critical to securing online commerce and business enablement. Ohanae is proud to support the NSTIC initiative by providing the Ohanae Privacy and Identity solution, which helps to authenticate an individual and verify that a person really is who they claim to be. In addition to its support for NSTIC, Ohanae plans to support a number of identity-related standards bodies with the goal of building reliable, shareable, trusted identities, including the OpenID Foundation and Open Identity Exchange.

NSTIC: 'We're trying to get rid of passwords'
The Obama administration has released the National Strategy for Trusted Identities in Cyberspace, a plan to protect online consumers and support innovation. Under the proposal, a consumer would, in essence, volunteer to register with a private sector identity provider, which would securely hold personal information, much of it of a demographic nature. The identity provider would then issue a credential that could be used during an online transaction. The plan would greatly reduce the need for consumers to use and remember multiple passwords or fill out separate privacy forms for multiple online accounts.

Too Many People Reuse Logins
The username-password approach to security on the Web is woefully insecure and in need of updating. A contributing factor is the unmanageable number of passwords people must remember to access their online accounts. Many people do not even try; they just re-use the same ones for all of their accounts, making it that much easier for identity thieves. There can be little disputing that notion after Sony was embarrassed by breaches this year. An analysis of nearly 40,000 passwords stolen from Sony Pictures by the hyperactive LulzSec crew shows that people persist in re-using passwords, a dangerous practice in light of frequent Web site break-ins. If you use different passwords for each site or account, then if one is stolen, the damage is constrained to that one location. But if you apply the same password to many sites, one compromised account can have a domino effect each time a database is hacked.

Threat Landscape
Fraudsters are using increasingly sophisticated and malicious techniques to thwart existing authentication controls, gain control of customer accounts, and transfer funds to money mules who move those funds beyond the reach of financial institutions and law enforcement. Besides consumers, many of these schemes target small to medium-sized business customers, since their account balances are generally higher than consumer accounts and their transaction activity is generally greater, making it easier to hide the fraudulent transfers.

An effective tool is keylogging malware. A keylogger is a software program that records the keystrokes entered on the endpoint (desktop, laptop, tablet, smartphone) on which it is installed and transmits a record of those keystrokes over the Internet to the person controlling the malware. A keylogger can be surreptitiously installed on an endpoint simply by visiting an infected website, or by clicking on an infected website banner advertisement, an email attachment, or a fake app downloaded from a smartphone app store. Keylogger files are generally small and adept at hiding themselves on the user's endpoint; they often go undetected by most antivirus programs. Fraudsters use keyloggers to steal customers' logon IDs, passwords, and challenge question answers. This information, alone or in conjunction with stolen browser cookies loaded on the fraudster's endpoint, may enable the fraudster to log into the customer's account.

Password management tools are potent security threats. Criminals who hack into a computer can use its password manager to log in anywhere the user is registered. Websites that aggregate usernames and passwords are even more dangerous.

Other types of more sophisticated malware allow fraudsters to perpetrate man-in-the-middle (MIM) or man-in-the-browser (MIB) attacks on their victims. In a MIM/MIB attack, the fraudster inserts himself between the customer and the website and hijacks the online session. In one scenario, the fraudster is able to intercept the authentication credentials submitted by the customer and log into the customer's account. In another scenario, the fraudster does not intercept the credentials, but modifies the transaction content or inserts additional transactions not authorized by the customer which, in most cases, are funds transfers to accounts controlled by the fraudster. The fraudsters conceal their actions by directing the customer to a fraudulent website that is a mirror image of the financial institution's website or sending the customer a message claiming that the institution's website is unavailable and to try again later. Fraudsters may have the capacity to delete any trace of their attack from the log files.

MIM/MIB attacks may be used to circumvent some strong authentication methods and other controls, including one-time password (OTP) tokens. OTP tokens have been used for several years and have been considered to be one of the stronger authentication technologies in use. Since the one-time password is generally only good for 30-60 seconds after it is generated, the fraudster must intercept and use it in real time in order to compromise the customer's account.

In March 2011, RSA revealed intruders broke into its computers, exposing secret codes for its two-factor authentication SecurID token. RSA has been working closely with its customers to assure the safety of the product. But the truth is, if attacked once, and hacked once, it can certainly be done again.

A tidal wave of Automated Clearing House (ACH) and wire fraud incidents confirms that we are in a new era for malicious code. Run by organized crime, it's focused on one objective: Stealing personally identifiable information to generate money through fraudulent ACH and Wire payments.

Until the NSTIC Identity Ecosystem and proper standards are globally adopted by industry, consumers will continue to have fewer, not more, options for securing their accounts. That means the majority of Americans will keep using the same set of credentials over and over again, increasing their risk and exposure to possible leaks. One username and password for everything is very bad security hygiene, especially as it broadcasts the same credentials across many different applications.

Fight Back Using Layered Protection
Consumers are unwilling to sacrifice convenience for security, despite widespread online fraud. Web site owners seeking to improve authentication are grappling with how to accomplish this without turning away customers. Consequently, new solutions must be found that balance security and ease of use. The challenge is figuring out how to close the gap without compromising the customer’s perception of ease of use.

Password authentication remains ubiquitous on the Web, despite over thirty years of research demonstrating its weaknesses. Countless improvements have been proposed to strengthen password security or replace it altogether, but none has seen significant adoption. It seems clear that we have collectively failed to appreciate the market incentives that favor password-based authentication, and years of habit may hinder the deployment of stronger authentication methods.

The Layered Protection theory suggests that efforts to replace passwords with more secure protocols or federated identity systems may fail because they do not recreate the entrenched ritual of password authentication. Layered Protection, characterized by the use of different controls at the endpoint of an authentication process, allows a weakness in one control to be compensated for by the strength of another. Layered Protection can substantially strengthen the overall security of Internet-based services and be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.

“If a criminal can commandeer your browser or your endpoint, entering a password or PIN into your browser unlocks your accounts and allows criminals to steal from them. What makes defense difficult is that the compromise is likely to be at the user's endpoint. If we are able to mitigate threats by reinventing the password, making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence,” said Greg Hauw, founder and CEO.

Ohanae pioneered the concept of layered protection at the endpoint, offering assured user identities while focusing on simplicity and value. Ohanae delivers password-based strong user authentication with built-in data privacy protection and identity theft prevention for Web applications, ‘Software + Services’, and OpenID federated single sign-on.

Ohanae assures users that their logins cannot be guessed, phished, or stolen. With absolute simplicity, it makes online transactions safer, faster, and more private.

One passphrase to remember, yielding:

- Unique strong passwords for each account

- No need to remember passwords

- Passwords shielded from malicious software attacks

- A secure endpoint computing environment

Ohanae research concludes that for many purposes the ideal privacy and identity protection model is a hybrid: heavy-duty identity theft prevention software on the endpoint, married effectively to ongoing cloud-based services such as auto updates, Web reputation checks, device identification and high assurance OpenID.

Ohanae’s software deploys on desktop, laptop, tablet, smartphone, or USB mass storage device. Users need only type ** at the password input field to log in to any website or popular application, and type *+ at the new password field to generate strong passwords unique to each account.

Ohanae protects sessions seven ways: by generating strong passwords on the fly; by intercepting and neutralizing both phishing and keylogging attacks; by encrypting the working session; and by deploying its dynamic endpoint sanitization system to rigorously monitor all live user interactions and continually protect the operating environment. The system then scrubs all session footprints after the session ends. All files saved in the secure drive on the user device are encrypted with AES-256.

Universal Cloud ID is Here
Ohanae’s implementation of Universal Cloud ID (Ohanae® ID) is a credential for use during an online transaction. Ohanae® ID reduces the need for consumers to use and remember multiple passwords. Once an Ohanae® ID account is activated, users may sign in to and register with any site.

Ohanae® ID is also your OpenID with high assurance: a strong password authentication system designed to replace existing password authentication mechanisms. It can be combined with hardware-based strong authentication such as Intel Identity Protection Technology (IPT) to construct a multifactor authentication system. What distinguishes Ohanae® ID from other OpenID implementations is its level of security assurance.

The Ohanae Approach to Privacy & Identity Protection
The Ohanae approach to privacy and identity protection entails a layered security strategy for the endpoints with corresponding cloud-based services, addressing increasingly sophisticated attacks. Layered security consists of multiple protection solutions working together with your existing antivirus software to achieve complete endpoint protection.

- Cloud-based device identification.

- One passphrase to remember.

- Passphrase is brute-force proof.

- Kernel-layer anti-keylogging protection for the passphrase.

- Passwords are not stored on the user device.

- Type *+ at the new password field to create a unique strong password for each account. (Users must first perform this step on every website to be protected by Ohanae before using ** to log in.)

- Cloud-based Web reputation check.

- Type ** at the password input field to log in to any Web application or popular application.

- Local whitelist Web reputation check.

- Built-in application-layer anti-keylogging protection.

- Securworkplace™ -- leaves no traces on the endpoint.

- Securdrive™ -- protects sensitive data without relying on device-level encryption.

- High assurance OpenID federated login service.

- Multi-device synchronization with anywhere access using USB flash drives.

- Operating systems supported: Windows 7, Vista, Windows XP.

- Browser supported: Internet Explorer.

- Further OS support: Windows 8, Mac OS X (Lion), iOS 5, and Android.

Makes ‘Windows + IE’ Safer in Cyberspace
Ohanae privacy and identity protection is available now for Windows PCs and USB mass storage devices. Users may download the Ohanae client from Ohanae.com.

Ohanae offers free and premium subscriptions. The free and premium versions offer identical levels of layered protection. The free version offers Internet users up to five logins of their choice on one authorized device. The premium subscription, priced at $9.99 per year, allows the user to activate as many as 8 authorized devices, log in with no limits, and run sessions with Securworkplace™ (leaves no traces), Securdrive™ (encrypted drive) and high assurance OpenID services.

About Ohanae
Ohanae makes online transactions safer, faster, and more private by assuring users that their logins cannot be guessed, phished, or stolen, with absolute simplicity.

Headquartered in Los Gatos, CA, Ohanae is a privately held company founded in Oct 2006. Ohanae was named a Red Herring top 100 global company in Jan 2009 and was a finalist for most innovative company at RSA Conference 2009.

Ohanae is a registered trademark.

Contacts

Greg Hauw
Founder & CEO
Ohanae, Inc.
(650) 488 4980
greg@ohanae.com