I heard about a million dollar website idea (that you SHOULD NOT DO because you will go to prison). The idea is to create a website called www.freetendollars.com (I checked and the name is still available). The website asks users to create an account with an email and password and in turn they will receive ten dollars in the mail. That’s it.
So how do you make a million dollars? Simple, you take that email and password and use it to break into the victim’s bank account and steal their money. If you do not have enough information you wait until they try to relog in to www.freetendollars.com, perhaps to find out where their ten dollars is, and whatever password they try tell them it is wrong. Then just wait as they try every iteration of password they can remember. When that is done prompt them for security questions that they never answered but probably forgot about. Before you know it you will have their bank account password, home security alarm code, first dog’s name, and street they grew up on. The beauty is that you never even sent them ten dollars!
How often will this work? Roughly 60% of the time based on studies showing the number of people who reuse passwords on multiple sites. It is not just current passwords that are an issue but even old passwords can come back to haunt us. Just ask Mark Zuckerberg whose LinkedIn password from 2012 recently allowed hackers to access his current Twitter and Pintrest accounts. The truth is that even when we change our passwords we usually only change one number or character. A study by UNC found that “for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses.”
To combat password risk, industry has made an effort to consolidate the number of places where your password is kept. Single Sign On technologies, based on protocols like SAML and OAuth, have spread rapidly including the ubiquitous “Connect with Facebook” button. While this does reduce the number of attack vectors it doesn’t solve the problem. We have also seen a move to Public Key Infrastructure (PKI) with some truly amazing technologies like storing public keys in the Bitcoin blockchain. But the basic problem still remains that relying on only one form of identification is risky especially when your private key is stored in a smartcard, phone, or other object your 4 year old can put in the toilet.
The best solution is Multi Factor Authentication (MFA). MFA consists of something you know (e.g., password, pin), something you have (e.g., smartcard, phone) and something you are (e.g., fingerprint). By providing 2 out of the 3 factors users are securely authenticated. While there are logistical issues with moving to MFA I believe they have more to do with the infrastructure than with users. One good example is the delay given to gas stations to install hardware for chip and pin credit card readers. For software applications it should be simpler but there is still the cost of software redesigns.
What we really need is technology that MFA enables applications and devices that are not MFA capable today. This is currently available in the TELEGRID-developed SMRTe, a Unified Authentication and Authorization Manager that sits in front of applications and devices and enables MFA. With the SMRTe we can securely authenticate users with MFA without the logistical headache of rewriting code.
Eric Sharret is Vice President of Business Development at TELEGRID.
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. TELEGRID Technologies, Inc. will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.