
Are Passwords Finally Becoming Passé?

It looks like 2017 is continuing right where 2016 left off—with news of a massive data leak and thousands of passwords being exposed on the internet and cached by search engines.

This refers to the gaping security flaw recently discovered in the widely used Cloudflare service. It goes without saying that you should immediately change all your passwords, given how deeply embedded into the internet Cloudflare is. You also should seriously consider using a multifactor step-up capability to access your more sensitive websites and services.

Related article: Cloudflare bug spills passwords in plaintext

Your identity has become a “currency,” and criminals are able to sell it like other data. Unfortunately, many organizations are dragging their feet in adopting more advanced and secure methods for allowing customers to connect with their services. For the near term at least, passwords are here and will be here for the next few years.

See also: The 7 Keys to Strong Passwords  

In terms of security and availability, passwords are the lowest common denominator. They are cheap to deploy, users understand how to interact with them, and the risks associated with the username and password paradigm—while not fully understood—are accepted. But there are three key factors converging that will replace usernames and passwords in the future.

Many more savvy about security

First, policy- and decision-makers are becoming more sophisticated in their understanding of the risks and security profile that simple reliance on passwords presents. Recent announcements from Yahoo CEO Marissa Mayer and General Counsel Ronald Bell should be a bellwether in this regard. Following YAYB (Yet Another Yahoo Breach), Bell resigned without severance pay, and Mayer lost her annual cash bonus and equity award—which some reports estimate to be worth upward of $14 million.

Governmental regulations—such as the revised Payment Services Directive (PSD2) in Europe—impose more stringent authentication requirements on financial institutions, while the National Institute of Standards and Technology in the U.S. no longer recommends delivering one-time passwords (OTPs) via SMS in its Digital Authentication Guideline. Password reliance and its associated pain is a global problem.

Advances in biometrics, other alternatives

Second, viable alternatives to the password are gaining widespread acceptance. Since the release of the fingerprint scanner on the Apple iPhone 5S, biometrics have exploded as an alternative to PINs and passwords.

Related article: China embraces FIDO Alliance standards

The FIDO Alliance has grown as an industrywide organization popularizing a set of specifications that increase privacy, increase security and increase usability while at the same time allowing the multitude of players from the authentication marketplace to ensure interoperability. Adoption of such alternatives is moving along at a solid clip with millions of users worldwide already using this technology.

Consumers demand more

Finally, users are fed up. They have learned of breach after breach after breach. The added features that complicate a password are not actually making it more secure, but they do make passwords significantly more difficult to input on the small touchscreens that are becoming our primary computing devices.

As these three forces continue to converge, passwords will be replaced in greater and greater numbers.

As a society, we need to overcome password pain and look to the future. Using a fingerprint or other biometric authentication measure helps users look beyond the failed username and password infrastructure. In time, the public will understand how flawed traditional password usage is. It’s both inconvenient and insecure.

See also: How to Make Smart Devices More Secure  

In 2017, we will see more companies erring on the side of security, removing passwords and implementing modern authentication strategies that eliminate the opportunity for large-scale password leaks and theft.

This post originally appeared on ThirdCertainty. It was written by Phil Dunkelberger. 

‘Phone Spoofing’ – Yes, It Can Happen to You

Not so long ago, a senior executive at Insurance Thought Leadership received a phone call on his smartphone in which the caller claimed to be returning a call. The ITL executive politely let the caller know that he hadn’t called. Then came another “returned” call… and another. Each caller said he had received a call from the ITL executive’s mobile number and that the caller hadn’t left a message. All told, the ITL executive received about a call a day for about a week.

Naturally, he called his mobile provider to find out what was going on. The provider said it sounded like “phone spoofing.”

How It Works

Spoofing is effectively falsifying a piece of identifying information, such as the return address on an email. “Phone spoofing” relates to the number that shows up on caller ID: someone appears to be calling from that number but doesn’t own it and is really calling from somewhere else. Spoofing is used to trick people into picking up calls they otherwise wouldn’t (and to get around the National Do Not Call Registry). For a shady caller from outside the area – and often the country – a local number is less likely to raise suspicion.

The real target of the scam is the person on the receiving end of the spoofed call. In the past year, attorneys general in Arkansas, Ohio, Pennsylvania and Rhode Island (among others) have all issued warnings related to phone spoofing scams.

If the recipients do answer the calls, they’re treated to a lovely conversation with ethically challenged telemarketers, debt collectors or scammers. And, as with most sketchy callers, they don’t leave a message if the target doesn’t answer. If the recipients are curious about who called, all they have to go on is the spoofed (false) number that appeared in their caller ID. The result: numerous angry “return” calls to the wrong person. In effect, the real owner of the spoofed number is collateral damage.

Spoofing technology is unfortunately cheap and widely available. As a result, anyone with a smartphone can be a victim — though the scam works just as well on landlines.

What to Do to Protect Yourself

The Truth in Caller ID Act of 2009 prohibits anyone in the U.S. from “knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm or wrongfully obtain anything of value….” The act also includes penalties of as much as $10,000 per violation, and related FCC rules note that telemarketers are supposed to display an accurate phone number that can be called during regular business hours.

That all sounds good, but… there are a couple of problems with this scenario as it plays out in the real world. The nature of phone spoofing can make it tricky to figure out who actually made the call in the first place. Moreover, many of the perpetrators are based outside the U.S., effectively placing them beyond the reach of the law. While there has been an attempt to enact an updated version that expands the law’s reach to include calls made to recipients in the U.S. from outside the U.S., it’s naturally moving at the speed of Congress. And, of course, enforcement of that law against telemarketers, etc. based overseas will present an additional hurdle.

Another issue to consider: The FCC tends to view the recipient of the call as the primary victim of a phone spoofing scam. Consequently, “the intent to defraud, cause harm, or wrongfully obtain anything of value” noted in the Truth in Caller ID Act focuses on actions taken against the recipient of the call (as opposed to the real owner of the number in question).

In a somewhat related matter, in late 2013 the Federal Trade Commission (FTC) decided not to amend its Telemarketing Sales Rule to address caller ID spoofing because it didn’t believe that the proposed changes would have any effect on the problem.

As you may have guessed by now, stopping this isn’t easy. It’s fairly difficult – if not impossible – to completely eliminate the risk of having your number used in a caller ID spoofing scam. One step you can take to decrease the likelihood is to reduce the number of places in which your phone number can be found online. In effect, don’t give out your number unless you have to. This includes web contests and other online forms. And if it is required for an online purchase, don’t save that information for next time. That way it – and your credit card details – won’t be there to steal if an intruder subsequently breaks into the retailer’s network.

What to Do if It Does Happen to You?

For starters, you can file a complaint with the FCC.

But, although it’s unlikely that the information on your smartphone itself has been compromised (unless there is an additional, unrelated intrusion), your realistic options are unfortunately somewhat limited once your number is used as part of a spoofing scam.

1) You can block incoming calls, leave a message explaining what happened and, in effect, hope it stops before too long; or

2) You can change your number. Of course, that also means notifying friends, family and professional contacts (and perhaps changing your business cards, too).

If you don’t feel safe, you can also take the extra step of changing your passwords (which is never a bad idea).

And if you would like more information, you can check out the FCC’s Caller ID and Spoofing page.

The silver lining here is that phone spoofing doesn’t equate to your phone – or the data on it – being accessed by someone else. Of course, that doesn’t make it any less annoying or disconcerting if it happens to you.

Happy Ending

In the case of the spoofing against the ITL executive, the system worked as well as possible. The authorities, working with the carrier, tracked the spoofing back to a scam artist in Germany, and an arrest was made.

Data Breaches: Who Has Legal Liability?

Untold millions of people provide personal and private information on the Internet every day to pay their bills, to purchase a product, to post a picture and so on, even though data breaches have become practically a daily occurrence. The problem has focused attention on the lack of security by the companies that use the data, but consumers also need to take some responsibility.

The hacking of Target at the end of 2013 is the best-known of recent data breaches, but hackers know no bounds. Virtually every individual who uses the Internet—no matter who he is or what she does professionally—is at risk for a data breach.

For instance: In May 2014, three desktop computers were stolen from the California office of Bay Area Pain Medical Associates. About 2,780 patients were notified that their personal information was in a spreadsheet that could have been accessed by the thieves.

In March 2014, about 1,700 people in the employee wellness program for Virginia-based Dominion Resources had their personal records accessed by a hacker who gained entry to the systems of a subcontractor, Onsite Health Diagnostics. The personal information of their spouses and domestic partners was also hacked, if they had scheduled a health-screening appointment online.

In Encinitas, a California Public Employees’ Retirement System (CalPERS) payment document containing 615 current and former employees’ personal information—including Social Security numbers—was inadvertently made public on the city’s website from May 18, 2014, to July 3, 2014, and was accessed by 16 unauthorized individuals before the data breach was discovered.

In July 2014, Orangeburg-Calhoun Technical College in South Carolina had to notify 20,000 current and former students and faculty that their personal information—including Social Security numbers—was on a laptop that was stolen on July 7, 2014, from a staffer’s office.

In Texas, from Dec. 28, 2013, until June 20, 2014, the Houstonian Hotel Club & Spa’s payment processing systems were compromised when they were infected with malware. More than 10,000 customers had their payment card data exposed.

In April 2014, Park Hill School District in Missouri learned that before leaving the district an employee downloaded 10,210 current and former staffers’ and students’ personnel and student files that contained their personal information. The former employee made the files accessible to untold numbers on the Internet.

The Department of Managed Health Care (DMHC) discovered on May 16, 2014, that Blue Shield of California inadvertently made public the names, business addresses, business telephone numbers, medical groups, practice areas and Social Security numbers of about 18,000 doctors.

The list could go on and on, but you get the message. Data breaches can occur on any computer system, anywhere and any time.

So, who is ultimately responsible for data breaches? The company holding the data, because of its system’s vulnerability? Or the user/consumer, because we are responsible, through our passwords and PINs, for the security of all data we post? (If you read the privacy policies of the sites you use, the user is responsible.)

The answer is not an easy one.

If your information was hacked through an entity’s online systems, your answer most likely would be the entity, and you might participate in a class action. At least two dozen federal class actions have been filed against Target, alleging it did not adequately protect customer privacy. A class action has been filed against P.F. Chang’s China Bistro for a security breach that involved, according to the complaint, 7 million customers’ credit and debit card payment data stolen from its restaurants’ systems between March and May 2014. (It has been reported that the breach came to light only when a batch of card data was alleged to be up for sale at Rescator, an underground store best-known for selling customer data stolen in the Target breach.)

But is it that simple, that the sole responsibility lies with the entity that was hacked?

What about us, the consumers? Do we need to be part of the answer by accepting that we willingly create those passwords and PIN numbers and that we provide our personal and private information so we can shop on eBay (which just notified 145 million of us that a cyber attack may have compromised customers’ login information and other personal and private information) or pay bills online?

Should it be our responsibility to understand that online systems, or the strips on the back of our credit and debit cards, that store the data we provide are moving targets (no pun intended) for theft?

Saying “yes” would be the first step in the right direction. Everyone, users and organizations alike, is vulnerable, so the responsibility to protect our information lies with us all.

The second step is for each of us to do whatever we can to manage our vulnerability, such as:

  • Making sure our anti-virus software is current, to prevent scammers from installing viruses on our computers that allow hackers to steal our personal and financial information. When the popular online ticket marketplace Stub Hub suffered a data breach, the hackers did not break directly into Stub Hub’s system; instead, they stole account information directly from the customer by downloading viruses onto each customer’s personal computer, or by collecting the information from data breaches of other websites.
  • Monitoring our bank and credit card accounts every day. If you see charges or withdrawals you did not authorize, contact the bank or credit card company immediately. (The liability is still yours until you report that your information has been compromised.)
  • Making sure your homeowner’s or renter’s insurance policy covers losses because of fraud, because, even if a class action is settled, there may be strings attached to how you can collect your share. For example: Vendini, another company that offers ticketing services to theaters and event venues, settled a class action in 2014 about compromised data. The settlement requires Vendini to pay as much as $3,000 a customer for identity theft losses. But here is the catch—you have to prove that the information used to make you a victim of identity theft actually came from Vendini’s systems.

Here is the bottom line:

The landscape on cybersecurity is shifting rapidly as data breaches are spiking. Congress, regulators and state attorneys general are taking a hard look at how companies, universities and governmental agencies are protecting consumer information from unauthorized access. Hearings have been held and new laws pushed. As a result, organizations are facing critical questions about what their responsibilities are to ensure consumers’ private and personal information is secure and in compliance with old as well as new laws.

But it is also imperative that you, the consumer, understand that you cannot depend on organizations to protect the information you provide to them. Rather, you need to take matters into your own hands and pose critical questions to yourself about how you use your own information online. You need to decide what information you are willing to turn over to be able to pay bills, make purchases or register for social media online.

It is, after all, your information and your life. Think about it.

The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete and is not intended to create or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.