<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>authentication &#8211; TELEGRID</title>
	<atom:link href="https://telegrid.com/tag/authentication/feed" rel="self" type="application/rss+xml" />
	<link>https://telegrid.com</link>
	<description></description>
	<lastBuildDate>Mon, 10 Aug 2020 17:49:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.6.13</generator>

<image>
	<url>https://telegrid.com/wp-content/uploads/2022/09/cropped-Screen-Shot-2022-08-29-at-9.50.37-AM-32x32.png</url>
	<title>authentication &#8211; TELEGRID</title>
	<link>https://telegrid.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Should I protect my possessions or my identity?</title>
		<link>https://telegrid.com/protect-my-possessions-or-my-identity?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protect-my-possessions-or-my-identity</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Tue, 20 Dec 2016 22:09:10 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[identity and access management]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=969</guid>

					<description><![CDATA[<p>Last week, while driving, an advertisement came on the radio for a home security system.  I already have a home security system but the ad still caught my attention.  As I listened I started to &#8230;</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/protect-my-possessions-or-my-identity">Should I protect my possessions or my identity?</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Last week, while driving, an advertisement came on the radio for a home security system.  I already have a home security system but the ad still caught my attention.  As I listened I started to think about how much I pay each month to protect my physical possessions.  Then I wondered why I am willing to pay so much to protect a $500 TV but nothing to protect my digital identity.  This raised the question: if I had to choose, should I protect my possessions or my identity?</p>
<p>I believe that in order to answer this question properly we must make three comparisons:</p>
<ol>
<li>The average loss for a home burglary versus the average loss for an identity theft</li>
<li>The probability of a home burglary versus the probability of an identity theft</li>
<li>The cost of a home security system versus the cost of identity theft protection</li>
</ol>
<p>In its report on <a href="https://ucr.fbi.gov/crime-in-the-u.s/2014/crime-in-the-u.s.-2014/offenses-known-to-law-enforcement/burglary">Crime in the United States</a>, the FBI found that in 2014 the average dollar loss per burglary offense was $2,251.  This is higher than the average dollar loss for identity theft over the same time frame which was $1,343 according to the <a href="http://www.bjs.gov/content/pub/pdf/vit14.pdf">Department of Justice</a>.</p>
<p>However, when considering the number of occurrences, identity theft is far more likely than a burglary.  The DoJ reported 17.6 million cases of identity theft, or 7% of all US residents above the age of 16, in 2014.  This was 10 times more than the 1.7 million burglaries that were reported over the same time period by the FBI.</p>
<p>In terms of cost it is difficult to gauge exact figures based on the multitude of offerings for both home security systems and identity theft protection.  However, it seems that identity theft protection is the same or less per month than a home security system.</p>
<p>I understand that a home security system also provides the intangible value of personal protection and that there is no value that you can put on peace of mind.  However, I could counter that the majority of burglaries happen between the hours of 10AM and 3PM, when the homeowner is not home, and therefore personal protection has no inherent value.</p>
<p>So, should I protect my possessions or my identity? Based on this very simple statistical comparison it seems that, if I had to choose, I should protect my digital identity before I protect my physical possessions.  What would you pay to protect?</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).</p>
<p>Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Does the death of the CAC mean the death of PKI?</title>
		<link>https://telegrid.com/does-the-death-of-the-cac-mean-the-death-of-pki?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=does-the-death-of-the-cac-mean-the-death-of-pki</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Mon, 18 Jul 2016 20:08:30 +0000</pubDate>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[common access card]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[public key infrastructure]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=516</guid>

					<description><![CDATA[<p>The DoD CIO Terry Halvorsen made a bold call for the replacement of the CAC within the next two years.  If there is no more CAC how can the DoD maintain its PKI?</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/does-the-death-of-the-cac-mean-the-death-of-pki">Does the death of the CAC mean the death of PKI?</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Last month the Department of Defense Chief Information Officer Terry Halvorsen made a bold call for the <a href="http://federalnewsradio.com/defense/2016/06/dod-plans-bring-cac-cards-end/">replacement of Common Access Cards</a> within the next two years.  Common Access Cards, or CACs, are credit-card-sized smartcards used to provide Two-Factor Authentication (2FA) to DoD networks.  This method of access requires two out of three of the following items:</p>
<ul>
<li>Something the user knows</li>
<li>Something the user has</li>
<li>Something the user is</li>
</ul>
<p>A CAC – “something a user has” &#8211; in conjunction with a PIN – “something a user knows” – provides the required 2FA.  The issue Mr. Halvorsen has with CACs is that they do not work well in a tactical environment.  As he said, “It’s really hard to issue CAC cards &#8230; when people are dropping mortar shells on you and you need to get in your systems.”</p>
<p>So what will we use instead of CACs?  Mr. Halvorsen mentions Biometrics as part of the solution.  Biometrics, or “something the user is”, includes physical characteristics like fingerprints or behavioral characteristics like how many times a user misspells Halvorsen in a blog post (purely hypothetical).  I discussed some of the security concerns surrounding Biometrics in a <a href="http://telegrid.com/2016/05/assured-identity-giving-apps-the-finger/">previous post</a> but the biggest issue seems to be with public key cryptography.  In public key cryptography the user maintains a secured private key and shares a public key with the world.  The private key is stored on the CAC and is unlocked with a PIN as part of the DoD Public Key Infrastructure (PKI).</p>
<p>If there is no more CAC, does that mean there is no more private key?  We can derive passwords from Biometrics (for instance, fingerprints have enough entropy for the equivalent strength of a <a href="http://lukenotricks.blogspot.com/2009/04/on-entropy-of-fingerprints.html">13-character password</a>), but that is not public key cryptography.  If there is no more public key cryptography, how can the DoD maintain its PKI?</p>
<p>I believe this highlights a very interesting debate on the difference between authentication and encryption.  If we look back at the earliest days of authentication, passwords were often sent in the clear (e.g., Password Authentication Protocol (PAP)).  It was assumed that the channel would be encrypted and all information, including passwords, would be encrypted by the channel.  Authentication was merely used for authorization and accounting.  It was not until we moved from point-to-point networks to the Internet that we combined authentication and encryption in PKI.  Is Mr. Halvorsen telling us that we no longer need PKI?</p>
<p>I do not believe this is the case because at a <a href="http://federalnewsradio.com/reporters-notebook-jason-miller/2016/06/halvorsen-firing-effect-calling-end-cac/">luncheon</a> following the CAC elimination comment, Mr. Halvorsen made a point of recognizing the need for PKI.  As he said, “I want to make it clear, when we replace the CAC card, it will be public-key infrastructure.”  Mr. Halvorsen suggested using Derived Credentials in conjunction with Biometrics to simplify authentication and maintain PKI.  Derived Credentials is a software-based version of the CAC contained in an electronic device such as a smartphone.  In that architecture, Biometrics would unlock the electronic device while a user’s certificate and associated private key would be stored in the Derived Credentials.</p>
<p>Derived Credentials is intriguing because it heralds the ability to Bring Your Own Device (BYOD).  The only issue is current policy (i.e., NIST 800-157), which requires that credentials issued at Level of Assurance (LOA) 4 be kept in a hardware cryptographic module that has been validated to FIPS 140-2 Level 2.  This means you may need a special hardware solution, which is an issue for BYOD.</p>
<p>The moral of the story is that the DoD is now committed to changing how users authenticate themselves and that we should expect to see big changes in the next few years.  This will make it difficult for the Government to purchase devices or applications that have a fixed authentication mechanism.  Perhaps this is the reason we are seeing so much interest in applications that allow a flexible authentication mechanism, like TELEGRID’s <a href="http://telegrid.com/authentication-authorization/">SMRTe</a>.</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Is Your Password Worth $10?</title>
		<link>https://telegrid.com/is-your-password-worth-10?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=is-your-password-worth-10</link>
		
		<dc:creator><![CDATA[Eric Sharret]]></dc:creator>
		<pubDate>Fri, 10 Jun 2016 17:27:30 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[identity and access management]]></category>
		<category><![CDATA[multi-factor authentication]]></category>
		<category><![CDATA[password management]]></category>
		<guid isPermaLink="false">http://telegrid.com/?p=502</guid>

					<description><![CDATA[<p>Every day there are new headlines about stolen passwords.  Multi-Factor Authentication is the only true prevention, but how do we MFA-enable applications and devices that are not MFA-capable today?</p>
<p>The post <a rel="nofollow" href="https://telegrid.com/is-your-password-worth-10">Is Your Password Worth $10?</a> appeared first on <a rel="nofollow" href="https://telegrid.com">TELEGRID</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>I heard about a million dollar website idea (that you <strong>SHOULD NOT DO</strong> because you will go to prison).  The idea is to create a website called www.freetendollars.com (I checked and the name is still available).  The website asks users to create an account with an email and password and in turn they will receive ten dollars in the mail.  That’s it.</p>
<p>So how do you make a million dollars?  Simple, you take that email and password and use it to break into the victim’s bank account and steal their money.  If you do not have enough information, you wait until they try to log back in to www.freetendollars.com, perhaps to find out where their ten dollars is, and whatever password they try, you tell them it is wrong.  Then just wait as they try every iteration of password they can remember.  When that is done, prompt them for security questions that they never answered but probably forgot about.  Before you know it you will have their bank account password, home security alarm code, first dog’s name, and street they grew up on.  The beauty is that you never even sent them ten dollars!</p>
<p>How often will this work?  Roughly 60% of the time based on <a href="http://www.inc.com/will-yakowicz/infographic-95-percent-share-6-passwords-with-friends.html">studies</a> showing the number of people who reuse passwords on multiple sites.  It is not just current passwords that are an issue; even old passwords can come back to haunt us.  Just ask <a href="http://techcrunch.com/2016/06/06/zuckerbergs-twitter-pinterest-linkedin-accounts-hacked/">Mark Zuckerberg</a>, whose LinkedIn password from 2012 recently allowed hackers to access his current Twitter and Pinterest accounts.  The truth is that even when we change our passwords we usually only change one number or character.  <a href="https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes">A study by UNC</a> found that “for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses.”</p>
<p>To combat password risk, industry has made an effort to consolidate the number of places where your password is kept.  Single Sign-On technologies, based on protocols like SAML and OAuth, have spread rapidly, including the ubiquitous “Connect with Facebook” button.  While this does reduce the number of attack vectors, it doesn’t solve the problem.  We have also seen a move to Public Key Infrastructure (PKI) with some truly amazing technologies like storing public keys in the <a href="https://onename.com/">Bitcoin blockchain</a>.  But the basic problem still remains that relying on only one form of identification is risky, especially when your private key is stored in a smartcard, phone, or other object your 4-year-old can put in the toilet.</p>
<p>The best solution is Multi-Factor Authentication (MFA).  MFA consists of something you know (e.g., password, PIN), something you have (e.g., smartcard, phone) and something you are (e.g., fingerprint).  By providing 2 out of the 3 factors, users are securely authenticated.  While there are logistical issues with moving to MFA, I believe they have more to do with the infrastructure than with users.  One good example is the delay given to <a href="http://money.com/4040808/credit-card-chip-fraud-emv/">gas stations</a> to install hardware for chip-and-PIN credit card readers.  For software applications it should be simpler, but there is still the cost of software redesigns.</p>
<p>What we really need is technology that MFA-enables applications and devices that are not MFA-capable today.  This is currently available in the TELEGRID-developed <a href="http://telegrid.com/authentication-authorization/">SMRTe</a>, a Unified Authentication and Authorization Manager that sits in front of applications and devices and enables MFA.  With the <a href="http://telegrid.com/authentication-authorization/">SMRTe</a> we can securely authenticate users with MFA without the logistical headache of rewriting code.</p>
<p>Eric Sharret is Vice President of Business Development at <a href="http://www.telegrid.com">TELEGRID</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
