Welcome!

Java Authors: Miguel Valdes Faura, Pat Romanski, Liz McMillan, Trevor Parsons, Elizabeth White

Related Topics: Security, Java, SOA & WOA, .NET, Linux, Web 2.0

Security: Article

Confronting Identity Theft Head-On with Multi-Factor Authentication

Methods of identity theft have outpaced popular security measures, necessitating a new standard in data defense

The online world has become a dangerous place. According to a survey, 90 percent of all companies fell victim to a security breach in the last twelve months. Hacking and advanced persistent threats (APTs) have rendered the two-factor authentication token, now over 20 years old, essentially obsolete. Without question, a real need exists for a truly secure approach to real-time multifactor authentication to combat today's modern threats.

Remote Access Spikes Security Risk
The use of online services has exploded in the last decade as enterprises have adopted remote access as the default way to access systems and conduct business. With the pervasive use of online access to conduct business, the threat of identity theft has increased with stunning speed and complexity. Ponemon Research surveyed more than 500 corporations and found that 90 percent had been successfully hacked in the last twelve months. This finding underscores the need for major enterprises to adopt stringent, effective security methods as a means to protect against breaches. As a result, modern mobile phone-based multifactor authentication is in high demand.

Advances in Hacking
In the same way that the remote access industry has evolved, so have threats and their complexity. In the early days of online services, usernames and passwords were typically the only form of authentication. To defeat them, hackers used "brute force" attacks to guess the username or password, or "dictionary attacks" to assume a user's identity. In a dictionary attack, a computer or a hacker attempts various combinations of potential passwords until access is granted.

Systems eventually evolved to block these attempts by locking the account down after a few faulty attempts, leading hackers to develop new techniques like key loggers. Today, the most widely used attacks are pharming, phishing or a combination of the two. These terms describe methods by which users are led to a counterfeit website that looks just like the original. This tricks the user into entering his or her username and password. Some of the more advanced attacks send stolen information to the hackers in real time via a small instant message program, compromising many popular two-factor authentication tokens. As an example, Zeus malware captures a user's credentials - even advanced time-based token codes - and sends the information to the hacker.

As if that weren't enough, newer and more sophisticated methods of intercepting user interactions with online services have emerged in recent years, including man-in-the-browser, man-in-the-middle and session hijacking. Even the most secure traditional two-factor authentication token devices can no longer secure a user's identity against these new, more insidious threats. Yet many organizations are unaware that traditional tokens can be compromised, posing a significant security risk.

Many Security Technologies Fall Short
Today's ever-changing threat environment creates a never-ending battle wherein organizations must constantly evaluate the right level of investment in security. Often, the best possible protection is not financially feasible for many organizations, and thus a trade-off has to be made. To protect against identity theft schemes within budgetary constraints, organizations have sampled different technologies, including certificates, biometric scanning, identity cards and hard- and software tokens, with the latter being the most dominate technology. Certificates are often viewed as the ideal way to connect two devices with a secure, identifiable connection. The main issue is the deployment and administration of these certificates and the risks that these are copied without the user knowing it. Furthermore, the certificate authority might be compromised as well.

Biometric scanning has also enjoyed some success, often seen as a very secure alternative. However, the assumption that you always have a functioning finger or iris scanner handy has proven impractical, and the resulting scan produces a digital file that can itself be compromised. Another alternative is the identity card, which often proves impractical in a world of Bring Your Own Device ("BYOD"), where users demand access from an ever-changing variety of devices. Therefore, a new approach is needed.

A Mobile Approach to Security
Many organizations have begun using multi-factor authentication based on mobile networks to address today's modern threats while meeting a user's need for easier and more flexible solutions.

Two elements drive the adoption of the new crop of multi-factor authentication: one, the need to deliver hardened security that anticipates novel threats; and two, the need to deploy this level of security easily and at a low cost. The device used in the authentication process also needs to be connected to the network in real time and be unique to the user in question.

If the authentication engine sends a regular token via SMS, however, today's malware threats can steal the code easily. Therefore, organizations must seek strategies that operate efficiently in a message-based environment to successfully defend against modern threats. Key elements can include:

  • One-time password: To get the highest possible level of security, the one-time password (OTP) must both be generated in real time and be specific (locked) to the particular session, as opposed to tokens that use seed files where the passcodes are stored.
  • Minimal complexity: To minimize infrastructure complexity, the solution should plug into different login scenarios, such as Citrix, VMware, Cisco, Microsoft, SSL VPNs, IPsec VPNs and web logins. Other ways to minimize infrastructure overload include providing these logins in an integrated, session-based architecture.
  • Multiple defenses: To support real-time code delivery, the organization needs robust and redundant server-side architecture along with multiple delivery mechanism support, regardless of geographic location.
  • Easy management: The solution should be able to be managed easily within the existing user management infrastructure.
  • Context-specific: To maximize security, the company should leverage contextual information - such as geo-location and behavior patterns - to effectively authenticate the user.

The Security Horizon
The modern convenience of online services has brought with it the modern scourge of identity theft. Methods of identity theft have outpaced popular security measures, necessitating a new standard in data defense: session- and location-specific multi-factor authentication. This kind of real-time solution, delivered to a user's mobile phone, can provide the security organizations must have if they hope to protect their employees, users and data from modern online threats.

More Stories By Claus Rosendal

Claus Rosendal is a founding member of SMS PASSCODE A/S, where he oversees the product strategy and development in the role of Chief Technology Officer. Prior to founding SMS PASSCODE A/S, he was a co-founder of Conecto A/S, a leading consulting company within the area of mobile computing and IT security solutions with special emphasis on Citrix, Blackberry and other advanced handheld devices. Prior to founding Conecto A/S, he headed up his own IT consulting company, where he was responsible for several successful ERP implementations in different companies (C5 / SAP). Claus holds a Master Degree in computer science from University of Copenhagen.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
The Internet of Things (IoT) is rapidly in the process of breaking from its heretofore relatively obscure enterprise applications (such as plant floor control and supply chain management) and going mainstream into the consumer space. More and more creative folks are interconnecting everyday products such as household items, mobile devices, appliances and cars, and unleashing new and imaginative scenarios. We are seeing a lot of excitement around applications in home automation, personal fitness, and in-car entertainment and this excitement will bleed into other areas. On the commercial side, m...
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
An entirely new security model is needed for the Internet of Things, or is it? Can we save some old and tested controls for this new and different environment? In his session at @ThingsExpo, New York's at the Javits Center, Davi Ottenheimer, EMC Senior Director of Trust, reviewed hands-on lessons with IoT devices and reveal a new risk balance you might not expect. Davi Ottenheimer, EMC Senior Director of Trust, has more than nineteen years' experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is co-author of t...
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
SYS-CON Media announced that Splunk, a provider of the leading software platform for real-time Operational Intelligence, has launched an ad campaign on Big Data Journal. Splunk software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. The ads focus on delivering ROI - how improved uptime delivered $6M in annual ROI, improving customer operations by mining large volumes of unstructured data, and how data tracking delivers uptime when it matters most.
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential.
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
How do APIs and IoT relate? The answer is not as simple as merely adding an API on top of a dumb device, but rather about understanding the architectural patterns for implementing an IoT fabric. There are typically two or three trends: Exposing the device to a management framework Exposing that management framework to a business centric logic Exposing that business layer and data to end users. This last trend is the IoT stack, which involves a new shift in the separation of what stuff happens, where data lives and where the interface lies. For instance, it's a mix of architectural styles ...
The Internet of Things will greatly expand the opportunities for data collection and new business models driven off of that data. In her session at @ThingsExpo, Esmeralda Swartz, CMO of MetraTech, discussed how for this to be effective you not only need to have infrastructure and operational models capable of utilizing this new phenomenon, but increasingly service providers will need to convince a skeptical public to participate. Get ready to show them the money!
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
The 3rd International Internet of @ThingsExpo, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that its Call for Papers is now open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than 20 years ago.
"There is a natural synchronization between the business models, the IoT is there to support ,” explained Brendan O'Brien, Co-founder and Chief Architect of Aria Systems, in this SYS-CON.tv interview at the 15th International Cloud Expo®, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The Internet of Things will put IT to its ultimate test by creating infinite new opportunities to digitize products and services, generate and analyze new data to improve customer satisfaction, and discover new ways to gain a competitive advantage across nearly every industry. In order to help corporate business units to capitalize on the rapidly evolving IoT opportunities, IT must stand up to a new set of challenges. In his session at @ThingsExpo, Jeff Kaplan, Managing Director of THINKstrategies, will examine why IT must finally fulfill its role in support of its SBUs or face a new round of...
The BPM world is going through some evolution or changes where traditional business process management solutions really have nowhere to go in terms of development of the road map. In this demo at 15th Cloud Expo, Kyle Hansen, Director of Professional Services at AgilePoint, shows AgilePoint’s unique approach to dealing with this market circumstance by developing a rapid application composition or development framework.

ARMONK, N.Y., Nov. 20, 2014 /PRNewswire/ --  IBM (NYSE: IBM) today announced that it is bringing a greater level of control, security and flexibility to cloud-based application development and delivery with a single-tenant version of Bluemix, IBM's platform-as-a-service. The new platform enables developers to build ap...

“The age of the Internet of Things is upon us,” stated Thomas Svensson, senior vice-president and general manager EMEA, ThingWorx, “and working with forward-thinking companies, such as Elisa, enables us to deploy our leading technology so that customers can profit from complete, end-to-end solutions.” ThingWorx, a PTC® (Nasdaq: PTC) business and Internet of Things (IoT) platform provider, announced on Monday that Elisa, Finnish provider of mobile and fixed broadband subscriptions, will deploy ThingWorx® platform technology to enable a new Elisa IoT service in Finland and Estonia.
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...