Verifyoo's Blog. Verifyoo specializes in next-generation identity verification, with a mission to help the world move beyond passwords. In this blog we review the latest trends and news in the field of online identity verification. Have any questions or comments you would like to share with us? Drop us a line at: info@verifyoo.com
What's the connection between gummy-bears and biometrics? (published 2020-04-27)<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Biometric verification and identification have been around for a while:
fingerprints made their forensic debut in 1892, when an Argentinian police
inspector used a bloody print to convict a mother of murdering her two sons.
Biometrics have since been used via fixed, shared scanners to identify
individuals at workplaces, airports and government services.</span><br />
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The first mobile device to feature a fingerprint scanner was the
Motorola Atrix, that launched in 2011. Motorola featured an optical sensor that
worked so poorly that Motorola decided to discontinue it with later models.</span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDXCYHmaBpGBpo6wqCG1RPeANwPHKf7hlmHcr9YrG_l-OO92Z68ES5DEuuT5u0me7NFpzH378ZQkIEdEdRP-Sc24EGGaWLal4l4WHxjHnZ0YicH6E6VzRiACAI03ny-mzuejF8c5zqwQQ/s1600/motorola_atrix_4g.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="320" data-original-width="440" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDXCYHmaBpGBpo6wqCG1RPeANwPHKf7hlmHcr9YrG_l-OO92Z68ES5DEuuT5u0me7NFpzH378ZQkIEdEdRP-Sc24EGGaWLal4l4WHxjHnZ0YicH6E6VzRiACAI03ny-mzuejF8c5zqwQQ/s320/motorola_atrix_4g.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Motorola Atrix</b></span></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">It wasn’t until Apple first launched the iPhone 5s, that fingerprints
started to receive massive adoption from smartphone users. The iPhone 5s
featured a capacitive scanner that was cleverly located under the home and
essentially kicked off the mobile biometrics revolution that eventually
commoditized fingerprints and facial recognition to even the most basic and
entry-level models.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Additional biometric modals were soon added such as facial recognition,
iris scanning, voice and more. While they do provide a smooth and password-less
verification experience, there’s a caveat. All biometrics suffer from one
fundamental flaw – unlike passwords that can be replaced, once your biometric
features have been compromised and spoofed, there is no way to replace them,
unless filling off your fingertips or getting facial reconstruction are viable
options. This is also the reason why biometric information such as fingerprints
are considered extremely private information and there is a lot of controversy
on storing nation-wide, centralized biometric depositories as they tend to draw
a lot of attention from malicious actors. Just consider the hack to India’s
biometric repository containing personal information of over a billion
citizens. Compromised individuals would never feel secure again using their
fingerprints or iris scans as a method of verification, as this data could
already be on sale for a dime-a-dozen in the dark web, paving the way to
identity theft of the compromised individuals.</span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u>
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The Good<o:p></o:p></span></u></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Mobile biometrics have definitely set a new bar for user experience and
convenience compared to conventional methods such as passwords and OTPs. Great
efforts are made to prevent even the slightest of friction – the FaceID is a
great example of this. While TouchID provides an almost seamless experience, as
the user merely has to use the HOME button to unlock the device, as they have
always done. But Apple continued to invest resources to make this experience
even more seamless, when they introduced the FaceID that only requires a quick
glance and BOOM! The device is unlocked and ready for use. Similar efforts are
being made by all device manufacturers and Apple are not alone in this race.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The frictionless factor is not the only one in play here – users are
also not required to memorize passwords when using biometrics, which removes a
lot of “mental friction” and frustration of having to manage multiple
passwords. Although this is not entirely true since mobile biometrics are
stored on device, and any time a user wishes to “bind” a new device to their
account, they are required to enter their password once more – we’ll touch on
that a bit later in the article.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Lastly, there is the security factor – passing around biometrics is a
lot more difficult than giving away a password. Although in some cases this may
not be entirely true as we will soon describe. In addition, with mobile
biometrics there is also the PIN Code fallback, that appears after being
rejected by the biometric system. This essentially means that the security
level of mobile biometrics are equal to that of a standard, 4-digit PIN Code.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u>
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The Bad<o:p></o:p></span></u></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">So, what do we have so far? No need to memorize passwords, frictionless
experience and improved security. It seems that the industry has finally
figured it out, right? WRONG!<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Let’s start with the main limitation of mobile biometrics – since the
biometric data used is extremely sensitive, it is problematic to store it in
the cloud or in central location, therefore these technologies are purely
client-based. What this means is that the user needs to re-enroll on every
single device they use, as oppose to a one-time enrollment (which is the case
with Verifyoo). When re-enrolling on each device, for instance for banking
applications, the password is once again required and along comes with it all
the problems of password recovery and management.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Biometrics are also susceptible to spoofing (AKA presentation attacks)
since they use visible features such as face, fingerprints or voice. One of the
most disturbing examples was demonstrated by Jan Krisller, a biometrics
specialist from Germany. Jan managed to recreate the iris features required to
successfully verify no other than Angela Merkel, the chancellor of Germany. Jan
didn’t have to work too hard, as the data was publicly available online for
anyone to download and exploit. Link to the article: <a href="https://www.scmagazineuk.com/starbugs-eyes-german-hacker-spoofs-iris-recognition/article/1479198">https://www.scmagazineuk.com/starbugs-eyes-german-hacker-spoofs-iris-recognition/article/1479198</a><o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5e7v7vhVYLiYHUEziSxUDe8Wmr2UCQA82kCyFobPdUaaMeBgvPhE68htbm5gkXUFvFq-8el6wAeaanyimjC3uj_Va1Ar3PeC4zdsHd4NTe-eplUk3IbBYL5gJD74LbcPPJd1pMLr6f6Y/s1600/angela.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="702" data-original-width="1267" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5e7v7vhVYLiYHUEziSxUDe8Wmr2UCQA82kCyFobPdUaaMeBgvPhE68htbm5gkXUFvFq-8el6wAeaanyimjC3uj_Va1Ar3PeC4zdsHd4NTe-eplUk3IbBYL5gJD74LbcPPJd1pMLr6f6Y/s400/angela.jpg" width="400" /></a></div>
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="mso-no-proof: yes;"><!--[if gte vml 1]><v:shapetype id="_x0000_t75"
coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe"
filled="f" stroked="f">
<v:stroke joinstyle="miter"/>
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0"/>
<v:f eqn="sum @0 1 0"/>
<v:f eqn="sum 0 0 @1"/>
<v:f eqn="prod @2 1 2"/>
<v:f eqn="prod @3 21600 pixelWidth"/>
<v:f eqn="prod @3 21600 pixelHeight"/>
<v:f eqn="sum @0 0 1"/>
<v:f eqn="prod @6 1 2"/>
<v:f eqn="prod @7 21600 pixelWidth"/>
<v:f eqn="sum @8 21600 0"/>
<v:f eqn="prod @7 21600 pixelHeight"/>
<v:f eqn="sum @10 21600 0"/>
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="תמונה_x0020_2" o:spid="_x0000_i1026" type="#_x0000_t75"
style='width:415pt;height:229.75pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/Roy/AppData/Local/Temp/msohtmlclip1/01/clip_image001.jpg"
o:title=""/>
</v:shape><![endif]--><!--[if !vml]--><!--[endif]--></span><o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Surprisingly, fingerprints are no different and Jan also managed to
recreate the chancellor’s fingerprint features and bypass the biometric
verification. Researchers from Japan even concluded that fingerprint features
can be easily extracted from peace-sign selfies, see the article here: </span><a href="https://www.theregister.co.uk/2017/01/12/fingerprint_photographs/" style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;">https://www.theregister.co.uk/2017/01/12/fingerprint_photographs/</a></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXtNbE5mBIYL4PQb9EOejlVCmm4Mb_oVB1nqdi0bgq6gcyq9AEQtFxKAx-KIuAySA9nZw0d2gt5JX6SpJzuSbt3ZPkZIowxLG9ncAPnw-QleLbt5Dhjx-5yR1H1AeZ4LgDHGq9AKwg88g/s1600/%25D7%259C%25D7%259C%25D7%2590+%25D7%25A9%25D7%259D.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="798" data-original-width="1600" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXtNbE5mBIYL4PQb9EOejlVCmm4Mb_oVB1nqdi0bgq6gcyq9AEQtFxKAx-KIuAySA9nZw0d2gt5JX6SpJzuSbt3ZPkZIowxLG9ncAPnw-QleLbt5Dhjx-5yR1H1AeZ4LgDHGq9AKwg88g/s400/%25D7%259C%25D7%259C%25D7%2590+%25D7%25A9%25D7%259D.png" width="400" /></a></div>
<div style="text-align: center;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Unsuspecting victim of fingerprint identity theft</span></div>
<div style="text-align: center;">
<br /></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Voice can also by synthesized using pre-recorded data of the victim,
which can be used to bypass dynamic voice recognition even when it requires the
user to repeat random sets of words.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Settings aside spoofing issues, biometrics also do not require the user’s
consent during the verification process. The perfect example can be seen in
this <a href="https://www.dailydot.com/debug/touch-id-child-iphone-unlock/">article</a>,
where a 7-year old bypassed his father’s iPhone fingerprint lock while he was
sleeping, to make purchases in the iTunes Store. In this case the damage was
several hundreds of dollars, but it could have ended much worse. Facial
recognition can also be used to track and spy on individuals without their
consent.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Nowadays with the COVID-19 epidemic biometrics are facing additional
challenges, such as facial recognition limitations – as people have been
accustomed to wearing masks. Or the mass market of public fingerprint scanners,
that took a huge blow as people refrain from physically touching surfaces in public
– see <a href="https://www.biometricupdate.com/202004/biometrics-analyst-says-outbreak-marks-death-of-most-of-touch-based-fingerprint-reader-market">article</a>.<o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u>
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The Ugly<o:p></o:p></span></u></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Aadhaar is India’s national biometric system as well as the largest biometric
ID system in the world. Unfortunately, it keeps getting hacked - <a href="https://www.vice.com/en_us/article/43q4jp/aadhaar-hack-insecure-biometric-id-system">https://www.vice.com/en_us/article/43q4jp/aadhaar-hack-insecure-biometric-id-system</a><o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Did you know that aside from being super delicious (my own humble
opinion), gummy bears can also be used to hack fingerprints? See it live in
this YouTube video: </span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://youtu.be/BwTR7z57wVk">https://youtu.be/BwTR7z57wVk</a><o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="mso-spacerun: yes;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://www.blogger.com/u/1/blogger.g?blogID=8264053481226659860" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMnX6qbpUO6Pz8xLIDaPjtipaVdBBvJ1O4BYzhvXJ2_kw_hd48LEUJwiLKQLATHLsafFLNNZwF79vtWjmZPS6csOCADmLG3kgDVSI1NaiJh-a3TbhyDKvMsUqwFHMeGUDhWcBJF-X7lYg/s1600/gummy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="592" data-original-width="394" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMnX6qbpUO6Pz8xLIDaPjtipaVdBBvJ1O4BYzhvXJ2_kw_hd48LEUJwiLKQLATHLsafFLNNZwF79vtWjmZPS6csOCADmLG3kgDVSI1NaiJh-a3TbhyDKvMsUqwFHMeGUDhWcBJF-X7lYg/s400/gummy.jpg" width="265" /></a></div>
<div style="text-align: center;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">An iphone 6 being hacked using a gummy bear</span></div>
</div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<div style="text-align: center;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; text-align: left;"><br /></span>
<br />
<div style="text-align: justify;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; text-align: left;">But that’s not all, there’s a variety of methods to spoof fingerprints,
in this </span><a href="https://www.itworld.com/article/2823742/120606-10-ways-to-beat-fingerprint-biometrics.html" style="font-family: "helvetica neue", arial, helvetica, sans-serif; text-align: left;">article</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; text-align: left;">
you can get a closer look on 7 different ways to beat fingerprints.</span></div>
</div>
</div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Facial recognition is no different - according to a study that was done
on 110 different devices, in 4 out of 10 facial recognition can be circumvented
using just a 2D photo or video. An example can be seen in this video of a
Samsung S10 being unlocked using a video: <a href="https://youtu.be/BGgQ9woZQOg?t=157">https://youtu.be/BGgQ9woZQOg?t=157</a><o:p></o:p></span></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u>
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">How can Verifyoo help you?<o:p></o:p></span></u></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Verifyoo carved on its flag “Privacy, Security and Usability.” The data
used by Verifyoo’s verification systems does not include any PII (Personal
Identifiable Information) and conforms to the privacy requirements and
regulations (e.g., GDPR, California Privacy Act).<o:p></o:p></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">This allows Verifyoo to store the data centrally or on the cloud and
provide full flexibility to our clients, as they can utilize the centralized
identity to verify users from practically any mobile device or platform.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="background-color: white; color: #444444; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">For more information visit: </span><a href="https://www.verifyoo.com/Verifyoo/" style="color: #4d469c; font-family: "helvetica neue", arial, helvetica, sans-serif;">https://www.verifyoo.com</a></div>
<div class="MsoNormal" dir="LTR" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="background-color: white; color: #444444;">To schedule a demo: </span><a href="https://www.verifyoo.com/Verifyoo/#contact-section">https://www.verifyoo.com/Verifyoo/#contact-section</a></span></div>
<br />
"Hi, This is Google." (published 2020-02-27)<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">One-Time
Passwords are the go-to solution for second factor authentication, and while
they come in different variations, they all essentially do the same thing –
prove “what you have”. The different variations include SMS based OTPs,
hardware-based tokens and soft tokens that utilize an existing piece of
hardware, such as a smartphone.</span><br />
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Two-factor
authentication is typically required and enforced by regulatory bodies, when
dealing with financial transactions or with extremely sensitive data. PSD2 for
instance, is a regulation meant to promote competition in the European banking
industry by requiring financial service providers to open their APIs to
“regulated 3<sup>rd</sup> parties”. These regulated 3<sup>rd</sup> parties are
required to enforce two-factor authentication when providing access to their
end users, when accessing their financial information.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Each
of the different variations of the OTP has its own pros and cons, but they
all share one commonality – they require you, the consumer, to carry something. From a security point of view, should the item fall into the wrong
hands, this paves the way to account takeover by a malicious party.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The
image below shows a quite original crook, using chopsticks to pickpocket
unsuspecting victims.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="mso-no-proof: yes;"><!--[if gte vml 1]><v:shapetype id="_x0000_t75"
coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe"
filled="f" stroked="f">
<v:stroke joinstyle="miter"/>
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0"/>
<v:f eqn="sum @0 1 0"/>
<v:f eqn="sum 0 0 @1"/>
<v:f eqn="prod @2 1 2"/>
<v:f eqn="prod @3 21600 pixelWidth"/>
<v:f eqn="prod @3 21600 pixelHeight"/>
<v:f eqn="sum @0 0 1"/>
<v:f eqn="prod @6 1 2"/>
<v:f eqn="prod @7 21600 pixelWidth"/>
<v:f eqn="sum @8 21600 0"/>
<v:f eqn="prod @7 21600 pixelHeight"/>
<v:f eqn="sum @10 21600 0"/>
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="תמונה_x0020_3" o:spid="_x0000_i1027" type="#_x0000_t75"
style='width:342pt;height:220.5pt;visibility:visible;mso-wrap-style:square'>
<v:imagedata src="file:///C:/Users/Roy/AppData/Local/Temp/msohtmlclip1/01/clip_image001.jpg"
o:title=""/>
</v:shape><![endif]--><!--[if !vml]--><!--[endif]--></span><o:p></o:p></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8z39NhrR_qitBjqmQhjqscQMQ2uYzF39bM1YD6N3hE7ZiE13Wo4rv7Khol6St2n4UkHGySbzUrNIuubnOOwasUV_UeKVzuB4eFdIcUGSbY0DQPCgY_QDHORmteNB_gbeVeM8kg1M1BUI/s1600/124563907_title1n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="270" data-original-width="410" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8z39NhrR_qitBjqmQhjqscQMQ2uYzF39bM1YD6N3hE7ZiE13Wo4rv7Khol6St2n4UkHGySbzUrNIuubnOOwasUV_UeKVzuB4eFdIcUGSbY0DQPCgY_QDHORmteNB_gbeVeM8kg1M1BUI/s400/124563907_title1n.jpg" width="400" /></span></a></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The
Good</span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Let’s
start with the user experience – OTPs remove the need to memorize passwords,
although they are typically coupled with another “memory-based” factor such as username
and password. OTPs also provide relatively good protection vs. replay attacks,
since the one-time code or token can only be used within a limited time span,
unlike passwords which are static and in the best case, are replaced every 2-3
months.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Perhaps
the biggest advantage of SMS based OTPs is that they work on any device, and
believe or not, some populations still use just “phones” as oppose to
smartphones.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b><br /></b></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Fun
Fact:</b> Some Jewish Orthodox populations actually require a “Kosher” stamp on
phones that they use. For some Jewish communities, “smartphones” in general are
not considered Kosher, therefore they are required to non-smartphones, which
can only use SMS to deliver the OTP.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The
Bad<o:p></o:p></span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The
downside is that the user needs to carry something physical – a device with the
relevant SIM card, a token, or a registered device with a soft token. <o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">A
true story – someone once shared with me that they were abroad and had to
access their bank account to do an urgent transaction. Surprise-surprise, they
forgot their password and had to go through the tedious “recovery” process.
However, since they were abroad, they could not receive SMSs (some banks
restrict sending SMSs if the person is in a foreign country, for security reasons)
and could not recover their password. In order to change their registered
number to the temporary local number, they needed their password. Quite the conundrum.
Eventually they had to call the helpdesk and waste precious time.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Aside
from the usability limitations, SMS OTPs suffer from an inherent security weakness:
the SS7 signalling network that carriers use to route calls and text messages was
never designed to authenticate the parties on it, so a message can be intercepted or
redirected before it reaches the subscriber. For this reason NIST's Digital Identity
Guidelines (SP 800-63B) classify SMS as a "restricted" out-of-band authenticator. Hard
tokens fare better from the security perspective, but who wants to carry a token with
them at all times?<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Social
engineering is another phenomenon that has been the root cause of widespread
fraud in the financial industry. It usually goes something like this: attackers
stand up a phony website that harvests usernames, passwords and other
personal details from unsuspecting individuals. The malicious actor then uses
the credentials in an attempt to gain access to the targeted accounts. Once
prompted with the 2-factor authentication request, they place a carefully timed
call to the targeted user, impersonate one of the bank's employees, claim they
need to check something in the system and ask for the OTP that was just sent.
People are compliant by nature, and most users would gladly hand over their OTP
on a silver platter. Nothing ties the code to the person who initiated the login,
so a code the victim reads out is just as valid for the attacker's session,
allowing the hacker to circumvent the 2FA and gain access to the account.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikwOcq7bDuWtyv4gBlYsa0ljJX_2qO1ZukPpWk6R_Jz2UUsV4s5P-C22HTDAXGuDsTolTvmmOGfsoIGoqbDM9_LZLuUeBM8Dpn3cCPoKx0IgTLtbs9CCu0r8lRo5B8SvuiFWJ8dNirHys/s1600/hacking-email-accounts-becomes-scarily-easy-with-this-social-engineering-trick-2.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="257" data-original-width="520" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikwOcq7bDuWtyv4gBlYsa0ljJX_2qO1ZukPpWk6R_Jz2UUsV4s5P-C22HTDAXGuDsTolTvmmOGfsoIGoqbDM9_LZLuUeBM8Dpn3cCPoKx0IgTLtbs9CCu0r8lRo5B8SvuiFWJ8dNirHys/s320/hacking-email-accounts-becomes-scarily-easy-with-this-social-engineering-trick-2.png" width="320" /></span></a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">This
attack has several variations. In one, the victim receives an SMS claiming that
someone attempted to access the account from an unknown location and that, in order
to properly secure the account, they should reply with the code they are about to
receive. Right after sending that message, the attacker enters the phished
credentials, triggers the 2FA prompt and passes it with the OTP the victim forwards.<o:p></o:p></span></div>
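The attack just described, modelled as a short Python simulation. This is an added example and not code from the original post or from Verifyoo; the servers, the "SMS" strings, the user name, the password hunter2 and the amounts are all made up. It shows two servers: one issuing a bare random code (the classic SMS OTP), where a code the victim reads out lets the attacker in and the session may then do anything, and one whose code is an HMAC over the specific action and whose text message states that action, so a code phished under the pretext of "just verifying your login" cannot authorise a transfer. Binding codes to actions does not stop a victim from reading a code out, but it limits what a phished code can do and puts the real context in front of the user.

```python
# Added example: toy model of the OTP-relay attack and of action-bound codes.
# Everything is simulated in-process; names, password and amounts are made up.
import hashlib
import hmac
import re
import secrets

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side secret for the bound scheme
PASSWORD = "hunter2"                    # constructed: the password the attacker already phished


def extract_code(sms):
    """Pull the 6-digit code out of a text message (None if there is none)."""
    m = re.search(r"\b(\d{6})\b", sms)
    return m.group(1) if m else None


class BareOtpServer:
    """Classic SMS OTP: a random 6-digit code tied to the user only.
    Whoever types it next is logged in, and the session may then do anything."""

    def __init__(self):
        self.pending = {}       # user -> code awaiting confirmation
        self.sessions = set()   # users currently logged in

    def login(self, user, password):
        """Step 1: password check, then text a code. Returns the SMS text."""
        if password != PASSWORD:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return f"Your verification code is {code}"

    def confirm(self, user, code):
        """Step 2: compare the code in constant time and open a session."""
        if code is not None and hmac.compare_digest(self.pending.pop(user, ""), code):
            self.sessions.add(user)
            return True
        return False

    def transfer(self, user, amount, dest):
        return user in self.sessions    # nothing further is checked once logged in


class BoundOtpServer:
    """Each code is HMAC(server_key, user|action|nonce) truncated to 6 digits, and
    the SMS states which action it authorises ("what you see is what you sign").
    A code issued for one action verifies for that action only, and only once."""

    def __init__(self):
        self.pending = {}       # user -> (action, nonce)

    def _code(self, user, action, nonce):
        mac = hmac.new(SERVER_KEY, f"{user}|{action}|{nonce}".encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

    def request(self, user, action):
        nonce = secrets.token_hex(8)
        self.pending[user] = (action, nonce)
        return f"Code {self._code(user, action, nonce)} authorises: {action}. Staff will never ask for it."

    def confirm(self, user, action, code):
        issued_action, nonce = self.pending.pop(user, (None, None))
        if nonce is None or issued_action != action or code is None:
            return False            # nothing outstanding, or issued for a different action
        return hmac.compare_digest(self._code(user, issued_action, nonce), code)

    def login(self, user, password):
        return self.request(user, "login") if password == PASSWORD else None

    def transfer(self, user, amount, dest):
        # Even a logged-in session needs a fresh code bound to this particular transfer.
        return self.request(user, f"transfer {amount} to {dest}")


def victim_reads_code(sms, pretext="login"):
    """The caller's pretext is "we just need to verify your login". The victim reads
    the code out unless the message itself says it is for something else."""
    m = re.search(r"authorises: (\w+)", sms)
    if m and m.group(1) != pretext:
        return None
    return extract_code(sms)


def relay_attack_bare(user="alice"):
    """The attack from the post against bare codes. Returns (logged_in, money_moved)."""
    server = BareOtpServer()
    sms = server.login(user, PASSWORD)              # the bank texts the victim, not the attacker
    logged_in = server.confirm(user, victim_reads_code(sms))
    return logged_in, server.transfer(user, 4900, "attacker-acct")


def relay_attack_bound(user="alice"):
    """Same attack against action-bound codes. Returns (logged_in, money_moved, login_code_reused)."""
    server = BoundOtpServer()
    login_code = victim_reads_code(server.login(user, PASSWORD))
    logged_in = server.confirm(user, "login", login_code)
    action = "transfer 4900 to attacker-acct"
    code = victim_reads_code(server.transfer(user, 4900, "attacker-acct"))  # SMS says "transfer": declined
    moved = code is not None and server.confirm(user, action, code)
    reused = server.confirm(user, action, login_code)   # attacker tries the phished login code: rejected
    return logged_in, moved, reused


if __name__ == "__main__":
    print("bare OTP  (logged_in, money_moved):", relay_attack_bare())
    print("bound OTP (logged_in, money_moved, login code reused):", relay_attack_bound())
```

The bare scheme returns (True, True): the relayed code opens a session and the transfer goes through unchallenged. The bound scheme returns (True, False, False): the relayed login code still opens a session, but moving money needs a second code whose SMS names the transfer, and the login code verifies for nothing else.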
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Another
real-life example I came across - one of my acquaintances was robbed. The thief
snuck in, in the middle of the night and grabbed the victim's bag with all the personal
belongings including smartphone, credit cards and ID documents. Using the
credit card PIN recovery feature via SMS, the crooks managed to
withdraw thousands of dollars from the victim's bank account. Now you may be thinking, “I
lock my phone, so I’m good”. Well, the devil is in the details – in this
particular case the SMSs were actually visible, even when the phone was locked.
This is to allow for quick viewing of incoming messages, but a terrible idea
from a security perspective.</span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">So,
what can you do? First of all, change your smartphone's settings so that SMS
previews are not shown while the device is locked. Secondly, make sure you follow best
practices regarding "phishy" websites and social engineering via phone calls, and train
your staff accordingly. If you are the one sending the codes, never ask a customer to
read one back over the phone, and say so in every message you send.<o:p></o:p></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The
Ugly<o:p></o:p></span></u></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Exploiting SS7 vulnerabilities is frighteningly simple; this short YouTube video demonstrates how easily it can be done: <a href="https://youtu.be/fDJ-88e_06A">https://youtu.be/fDJ-88e_06A</a>.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHCJK_EJHEgO_yFeZTuFTTMCGHt-OkdL7qkH5wxu5rnCjc9uWVymbkz5TxKY5gXudmkGXnOoXaydcKqDU__8DBEmV5vDXzVAE53XuBEBC17wCzEGR9Gb5HySQVrews2l6cs28CnHxxtdA/s1600/ss7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="657" data-original-width="1207" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHCJK_EJHEgO_yFeZTuFTTMCGHt-OkdL7qkH5wxu5rnCjc9uWVymbkz5TxKY5gXudmkGXnOoXaydcKqDU__8DBEmV5vDXzVAE53XuBEBC17wCzEGR9Gb5HySQVrews2l6cs28CnHxxtdA/s400/ss7.png" width="400" /></span></a></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In
2011, RSA's network was breached and information related to its SecurID tokens was
stolen; the concern was that the stolen data could allow an attacker to reproduce the
one-time codes of deployed tokens. Read about it here: </span><a href="https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/" style="font-family: "helvetica neue", arial, helvetica, sans-serif;">https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/</a></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Several
months back, a Chinese hacking group launched an attack targeting government
entities and managed service providers, combining web server vulnerability
exploitation with lateral movement techniques. The more interesting part of the
attack was the way they managed to generate valid RSA software tokens, which
turned the "something you have" factor into something the attackers had as well.<br />
Read more about this attack here: <a href="https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/">https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/</a><o:p></o:p></span></div>
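A worked illustration of why a stolen or copied token seed is as good as the token itself. This is an added example, not code from the post, from RSA or from the article linked above; it uses the open TOTP standard (RFC 6238, built on the HMAC-SHA1 and dynamic truncation of RFC 4226) in place of RSA's proprietary SecurID algorithm, on the assumption that the principle carries over: the displayed code is a deterministic function of a secret seed and the clock, so anyone holding a copy of the seed produces identical codes and the server cannot tell the two apart. The seed below is the published RFC test seed, not a real provisioning secret.

```python
# Added example: why a copied token seed is a cloned token. Uses the open
# RFC 4226/6238 algorithms, not RSA's proprietary SecurID one; the seed is
# the RFC test seed, not a real provisioning secret.
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' of the MAC down to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10**digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(seed, unix_time // step, digits)


def verify(seed: bytes, code: str, unix_time: int, skew: int = 1, step: int = 30) -> bool:
    """Server-side check that tolerates +/- `skew` time steps of clock drift."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * step, step=step), code)
               for d in range(-skew, skew + 1))


RFC_TEST_SEED = b"12345678901234567890"   # the published RFC 4226/6238 test-vector seed


def cloned_token_matches(seed: bytes, unix_time: int) -> bool:
    """Constructed scenario: the attacker holds a byte-for-byte copy of the seed
    provisioned to the victim's soft token. Both produce the same code at the
    same moment, and the server has no way to tell which one typed it."""
    legitimate_token = totp(seed, unix_time)
    attacker_clone = totp(bytes(seed), unix_time)
    return legitimate_token == attacker_clone and verify(seed, attacker_clone, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("code right now:", totp(RFC_TEST_SEED, now),
          "| clone accepted by server:", cloned_token_matches(RFC_TEST_SEED, now))
```

The consequence for soft tokens is that the seed file, and whatever ties it to one particular device, is the whole secret: protecting the seed at rest (hardware-backed key storage, no export) matters more than anything about the code-display logic.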
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">How
can Verifyoo help you?<o:p></o:p></span></u></div>
<div class="MsoNormal" style="direction: ltr; text-align: left; unicode-bidi: embed;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">First
and foremost, Verifyoo DrawID incorporates two factors in a single solution:
the possession factor (the device) and the inherence factor (user behavior).
Therefore, replacing SMS OTPs or tokens with DrawID can immediately ramp up the
security posture and fraud resilience. Secondly, Verifyoo uses the push
notification infrastructure to initiate the 2FA process, which is much more
secure than delivery over SS7. Lastly, using existing infrastructure
without SMSs means that organizations can cut the costs associated with
sending out masses of SMSs, which are sometimes delayed or never delivered
when cellular reception is poor.<o:p></o:p></span></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">For more information visit: <a href="https://www.verifyoo.com/Verifyoo/">https://www.verifyoo.com</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To schedule a demo: <a href="https://www.verifyoo.com/Verifyoo/#contact-section">https://www.verifyoo.com/Verifyoo/#contact-section</a></span>Verifyoohttp://www.blogger.com/profile/08720745025580027428noreply@blogger.com0tag:blogger.com,1999:blog-8264053481226659860.post-12929042248597978492020-02-17T05:17:00.003-08:002020-04-27T05:33:27.166-07:00Introduction to Pa$$w0rds<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh27hDFZHAVqDe1NgybwZPuQy2cvv90jpp3BaOQwJAfPc9oU30g1zr7y_1wJIhB2JMFolwm1k4AVYxwEUEHUgunW-6ztmgU2c2b2rg4NFpFqKj2vQrYavclqAlV-SThreFNjLaNy9-GISM/s1600/watson.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="716" data-original-width="1320" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh27hDFZHAVqDe1NgybwZPuQy2cvv90jpp3BaOQwJAfPc9oU30g1zr7y_1wJIhB2JMFolwm1k4AVYxwEUEHUgunW-6ztmgU2c2b2rg4NFpFqKj2vQrYavclqAlV-SThreFNjLaNy9-GISM/s320/watson.png" width="320" /></span></a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">When people hear the word "password", the first thing that comes to their mind is the pesky, hard to memorize code they are required to enter when accessing their online accounts. The truth is that passwords have been around for centuries, long before the first computers were introduced in the 1930s and 1940s (remember </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">"I think there is a world market for maybe five computers"? Well, think again! But I digress).</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Passwords were used in the Roman military by sentries as a method of access control to restricted areas, and challenge-response phrases were used by the American 101st Airborne Division in World War II: the challenge "flash" called for the response "thunder".</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In 1961 Fernando Corbató, an MIT professor, first implemented passwords in a computer system, the Compatible Time-Sharing System (CTSS), an operating system used by researchers. In the 1970s Robert Morris implemented password hashing in the UNIX operating system, storing a one-way transform of each password (with a per-user salt) instead of the password itself.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In the mid-1990s when the internet started taking off, passwords became an integral part of our day-to-day, online life. Despite global efforts that include the largest tech giants (e.g., FIDO Alliance), passwords are still the most common method of online access control.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<b><u><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The good</span></u></b></span><br />
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Although extremely outdated, passwords have one significant advantage: they can be used from almost any device, assuming a physical or virtual keyboard is present. Technologies such as one-time passwords, tokens or fingerprints provide a much better user experience, but they still require the enrolled device or token to be present for the verification to take place.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Another important upside of passwords is preserving user privacy: since passwords are not considered Personally Identifiable Information (PII), they can be stored in the cloud or on-prem, assuming proper security measures such as salting and hashing are taken.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Assuming we are glass-half-full people, password sharing can be considered a good thing in some cases, for example if you need to grant your spouse access to your email or bank account. In general, though, it is better to grant such access beforehand using proper authorization mechanisms that give multiple users access to a single account or resource.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<u><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The bad</span></b></u></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Where should we begin? Generally speaking, passwords are a lose-lose situation both for the enterprise as well as for the end users. This includes but is not limited to poor security, poor user experience and a high operating and maintenance cost.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Security wise, passwords suffer from a multitude of attack vectors that in most cases, can be mitigated by sticking to security best practices and proper employee training.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Data leakage:</b> There are many different reasons why attackers end up with restricted data, from unpatched vulnerabilities in the OS to misconfigured cloud instances. Eventually someone will get to our data, so we need to make sure we follow security best practices. With passwords this usually means hashing, since passwords should never be stored as plain text. But hashing alone is not enough: a table of precomputed hashes (a "rainbow table", or simply a lookup table built from common passwords) reverses every unsalted hash in the dump with a single lookup. Therefore, hashing should always be combined with "salting": a random value, unique per user and stored next to the hash, is appended to the password before hashing, so the same password yields a different hash for every user and a precomputed table is worthless. Salting alone does not make a weak password safe, though; an attacker can still try a wordlist against each hash individually, so the hash function should also be deliberately slow (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) to make that per-user guessing expensive at scale.</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjiR9DM6rRpKglr2vdjqErlg_r1iVX2fKV4pv-nIOQZ5Zpx3fZAQgP9xXc2PQhTwZBxtqx6E-5UcqQRylEJNNsqhuWoEfmyliW1_ftoxkuNtLQC53Do0YjjR7I-SYh61LZUklAHlsRax4/s1600/salting.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="520" data-original-width="1600" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjiR9DM6rRpKglr2vdjqErlg_r1iVX2fKV4pv-nIOQZ5Zpx3fZAQgP9xXc2PQhTwZBxtqx6E-5UcqQRylEJNNsqhuWoEfmyliW1_ftoxkuNtLQC53Do0YjjR7I-SYh61LZUklAHlsRax4/s400/salting.png" width="400" /></span></a></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Phishing websites:</b> An extremely common attack vector, typically carried out by sending a link that redirects the user to a "fake" website which, in most cases, looks identical to the naked eye. The unsuspecting user inputs their credentials and poof… their username and password are suddenly for sale on the dark web, a dime a dozen. There are many elaborate and highly sophisticated tools to handle these attacks, from automatic take-downs of such websites to computer-vision tools that distinguish a real website from a fake one. But in many cases nothing beats good old employee training and guidance, which remain an integral part of the anti-phishing arsenal. Now you might say, "But hey, I've got 2FA, I'm safe!". Well, guess again, especially if you're using SMS OTPs. More on that in the next chapters.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGfLQ4L1cbTkmmiOAGhORqo0YEHevAhtX_IbiNm2wKLpdSKJtqeE7ZMSI-K2Nl8bhiZt_EaAfcWf5BnFOr3C5I9695jJwqGJJAu_Jc2Nx3EdAiIPouGfDxSAVLLL570cEHmoKNjdQzGL8/s1600/a0d8360ffc770bc002e7deb211efddea.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="360" data-original-width="540" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGfLQ4L1cbTkmmiOAGhORqo0YEHevAhtX_IbiNm2wKLpdSKJtqeE7ZMSI-K2Nl8bhiZt_EaAfcWf5BnFOr3C5I9695jJwqGJJAu_Jc2Nx3EdAiIPouGfDxSAVLLL570cEHmoKNjdQzGL8/s400/a0d8360ffc770bc002e7deb211efddea.jpg" width="400" /></span></a></div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Weak and re-used passwords:</b> Some websites go to such great lengths with password complexity requirements that it can take several minutes just to come up with a password, let alone memorize it without writing it down. At the end of the day we are human, and we were not built to memorize random strings, which is why most users pick easy-to-remember passwords and re-use them across accounts. Now, I feel pretty comfortable with Google safeguarding my password using proper salting etc. (should I?), but what about that questionable eCommerce website I signed up to using the same password? It just so happens that they did not properly configure their cloud security settings and forgot to salt their passwords. You get the picture. Year after year, lists of the most common leaked passwords are topped by strings such as "123456", "qwerty", "password" and "111111". This opens users up to dictionary attacks, in which the attacker hashes each entry of a list of commonly used passwords and compares the result against the stolen hashes.</span></span><br />
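The two attacks discussed above, a precomputed lookup table against unsalted hashes (the "Data leakage" paragraph) and a dictionary attack that still works per user against salted ones (this paragraph), as an added Python example that is not code from the original post. The user names, passwords and wordlist are constructed; the storage schemes compared are unsalted SHA-1 (the LinkedIn case below), salted SHA-1 and salted PBKDF2-HMAC-SHA256 from Python's hashlib.

```python
# Added example: lookup-table vs dictionary attacks against unsalted, salted and
# slow-hashed password stores. Users, passwords and wordlist are constructed.
import hashlib
import hmac
import os

# Constructed leaked-password wordlist, ordered roughly by popularity.
WORDLIST = ["123456", "qwerty", "password", "111111", "letmein", "hunter2", "Tr0ub4dor&3"]
# Constructed user database: two weak passwords and one strong passphrase.
USERS = {"alice": "qwerty", "bob": "hunter2", "carol": "correct horse battery staple"}


# --- three ways of storing the same passwords --------------------------------
def store_unsalted(pw):
    return {"hash": hashlib.sha1(pw.encode()).hexdigest()}

def store_salted(pw):
    salt = os.urandom(16)                       # unique per user, stored next to the hash
    return {"salt": salt, "hash": hashlib.sha1(salt + pw.encode()).hexdigest()}

def store_pbkdf2(pw, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt, "iter": iterations, "hash": digest.hex()}


# --- the attacks -------------------------------------------------------------
def lookup_table_attack(records):
    """Hash the wordlist ONCE into a hash->password table, then crack every record
    with a dictionary lookup. This is the precomputed (rainbow) table idea; it only
    works when nothing varies per user, i.e. against unsalted hashes."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in WORDLIST}
    return {user: table.get(rec["hash"]) for user, rec in records.items()}

def dictionary_attack(records, scheme):
    """Guess per record: the salt forces the wordlist to be re-hashed for every user,
    so total cost = users x words x cost of one hash. Returns (cracked, hashes computed)."""
    cracked, work = {}, 0
    for user, rec in records.items():
        cracked[user] = None
        for word in WORDLIST:
            work += 1
            if scheme == "salted":
                h = hashlib.sha1(rec["salt"] + word.encode()).hexdigest()
            else:  # "pbkdf2": each guess costs `iter` HMAC rounds instead of one SHA-1
                h = hashlib.pbkdf2_hmac("sha256", word.encode(), rec["salt"], rec["iter"]).hex()
            if hmac.compare_digest(h, rec["hash"]):
                cracked[user] = word
                break
    return cracked, work


def run_demo():
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    slow = {u: store_pbkdf2(p) for u, p in USERS.items()}
    return {
        "table_vs_unsalted": lookup_table_attack(unsalted),     # weak passwords fall instantly
        "table_vs_salted": lookup_table_attack(salted),         # precomputation is useless
        "dict_vs_salted": dictionary_attack(salted, "salted"),  # weak ones still fall, per user
        "dict_vs_pbkdf2": dictionary_attack(slow, "pbkdf2"),    # same guesses, ~100k x the cost each
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:18s} {result}")
```

The table attack recovers alice's and bob's passwords from the unsalted store and nothing from the salted one, while the dictionary attack recovers both from either salted store after the same 15 guesses; what changes between salted SHA-1 and PBKDF2 is the price of each guess, which is why salting and a slow hash are needed together, and why carol's passphrase is the only record that survives all three.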
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">So, what can you do? Don't re-use passwords (a password manager makes that painless), require your users to choose strong passwords and don't forget to turn on 2FA!</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Setting aside security, passwords also fall short on user experience and can lead to lost business and transaction abandonment by frustrated users who have to manage numerous accounts. Eventually these users will have to go through the tedious "account recovery" process, which is also extremely insecure. As the cherry on top, add the high operating cost of managing and resetting passwords: Forrester research estimates that the average cost of a single password reset done by the help desk is about $70, while Gartner estimates that 20% to 50% of all help desk calls are for password resets.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><u><b><br /></b></u>
<u><b>The ugly</b></u></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQqid13OF7lKX78wn-1PloM1OYoBPxdpAnKU4i-ZPxsN6l29IyM8UwqJCicFqIyLI6cqDdlX4jcnwHIw3D3TxjdvFGbAwSVsnwpT6o8kVZg89OdI66a-KQQacDVDaF3y3bDdbx996CJUo/s1600/270px-Phishing_attempt1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1522" data-original-width="748" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQqid13OF7lKX78wn-1PloM1OYoBPxdpAnKU4i-ZPxsN6l29IyM8UwqJCicFqIyLI6cqDdlX4jcnwHIw3D3TxjdvFGbAwSVsnwpT6o8kVZg89OdI66a-KQQacDVDaF3y3bDdbx996CJUo/s320/270px-Phishing_attempt1.png" width="157" /></a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">A recent phishing campaign targeting Apple users redirected them to a phony website mimicking Apple's account management platform, in an attempt to harvest credentials. Another recent campaign is targeting the UK, in an attempt at mass credential harvesting.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In 2012, roughly 6.5 million LinkedIn password hashes leaked online and, you guessed it, they were unsalted SHA-1, which is exactly the precomputed-table scenario described above.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Another notable data leak involved 7 million compromised Minecraft accounts, whose passwords were also stored unsalted. Before you start thinking, "What's the worst that can happen with hijacked Minecraft accounts?", consider that some of those passwords may have been re-used on other accounts.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To sum it up, according to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<u><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">How can Verifyoo help you?</span></b></u></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Verifyoo's DrawID solution has its cake and eats it too: it keeps the main benefit of passwords without their weaknesses, enabling users to safely verify themselves from any device without memorizing anything. Aside from providing organizations and consumers a much more secure method of verification, Verifyoo also reduces the friction caused by forgotten passwords. Password friction not only leads to massive transaction abandonment by frustrated users, but also incurs the high operating cost of resetting those passwords through help-desk calls, knowledge-based questions and other means that have proven to be inefficient and insecure.</span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Read the next article in the series here: <a href="https://verifyoo.blogspot.com/2020/02/one-time-passwords.html">https://verifyoo.blogspot.com/2020/02/one-time-passwords.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">For more information visit: <a href="https://www.verifyoo.com/">https://www.verifyoo.com</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To schedule a demo: </span><a href="https://www.verifyoo.com/Verifyoo/#contact-section" style="font-family: "helvetica neue", arial, helvetica, sans-serif;">https://www.verifyoo.com/Verifyoo/#contact-section</a></div>
Verifyoohttp://www.blogger.com/profile/08720745025580027428noreply@blogger.com9tag:blogger.com,1999:blog-8264053481226659860.post-16987718443723090172020-02-16T04:22:00.002-08:002020-04-27T05:33:37.385-07:00Passwords, biometrics and everything in between - Introduction<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Online user verification has come a long way since 1961, when Fernando Corbató first introduced the password we have come to know and "love". Corbató used the password to give researchers access to the Compatible Time-Sharing System (CTSS) at MIT - see illustration below.</span><br />
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzVzlCTP3Bx2WhMRw9E21mbaOJiA9ic88g_Zype8ZbyyuMzCHFnXGuxiDZq-m-xhXJKUY9BRdD3MrAOD2kLQhNbqz8CQl9jmYtp-z9vfvsgKjlzQiew0OZ9RvlxU6GUyrt8A8F67fb_3Q/s1600/Ken_Thompson_%2528sitting%2529_and_Dennis_Ritchie_at_PDP-11_%25282876612463%2529+%25281%2529.jpg" imageanchor="1" style="display: inline !important; margin-left: 1em; margin-right: 1em;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><img border="0" data-original-height="1282" data-original-width="1600" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzVzlCTP3Bx2WhMRw9E21mbaOJiA9ic88g_Zype8ZbyyuMzCHFnXGuxiDZq-m-xhXJKUY9BRdD3MrAOD2kLQhNbqz8CQl9jmYtp-z9vfvsgKjlzQiew0OZ9RvlxU6GUyrt8A8F67fb_3Q/s400/Ken_Thompson_%2528sitting%2529_and_Dennis_Ritchie_at_PDP-11_%25282876612463%2529+%25281%2529.jpg" width="400" /></span></a></div>
<div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In 2013 Apple released the iPhone 5s, which was not the first smartphone to feature a fingerprint sensor but was the first widely acclaimed one, and it brought biometrics to the masses. The other device manufacturers soon followed, and nowadays fingerprint sensors are abundant in low-end and high-end devices alike.</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">In this blog series we will try to make sense of all of the different verification methods, to review their pros and cons and to also suggest how and where Verifyoo can fit in to overcome these gaps and limitations.</span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Ready? Let's get started!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Check out the first article - <a href="https://verifyoo.blogspot.com/2020/02/when-people-hear-word-password-first.html">https://verifyoo.blogspot.com/2020/02/when-people-hear-word-password-first.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">For more information visit: <a href="https://www.verifyoo.com/Verifyoo/">https://www.verifyoo.com</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">To schedule a demo: <a href="https://www.verifyoo.com/Verifyoo/#contact-section">https://www.verifyoo.com/Verifyoo/#contact-section</a></span></div>
</div>
</div>
</div>
Verifyoohttp://www.blogger.com/profile/08720745025580027428noreply@blogger.com1