Filed under: Uncategorized | Tags: account fraud, bad actors, cybercrime, online identity fraud
Criminals and other bad actors are rapidly evolving their online identity fraud techniques to move quickly and commit their crimes. More hackers and bad actors are attacking enterprises than ever before, fueling a sense of urgency around finding timely solutions to reduce risk for online services, credit card processors, e-commerce merchants and consumers. Consequences include:
- Cybercriminals signing up for new accounts using fraudulent information including bogus user names, email addresses, and domains. This access readies attacks against online service providers and can quickly damage a trusted brand’s reputation.
- Bad actors hijack legitimate registered customer accounts using valid customer login and password data, all for unlawful purposes such as sending high volumes of spam to distribute malicious software or phishing scams designed to defraud consumers of financial information by masquerading as a trustworthy entity.
- Organized thieves employ stolen financial assets including credit card numbers and account information to place orders for goods or services.
Online identity fraud impacts revenue and customer growth, can seriously damage reputation and brand image, and can halt expansion into new markets. The FBI classifies a stolen identity as a powerful cloak of anonymity for criminals and terrorists … and a danger to national security and private citizens alike.
Online identity fraud impacts a wide range of online service providers and other organizations:
- Providers of digital goods, those with nearly instantaneous delivery, such as computer software downloads; eGift cards; travel services; eTickets for entertainment events; music and other downloadable digital media; digital items within games and social networks, etc.
- Providers of digital services, such as cloud-based email services, CRM services (e.g., Salesforce.com), ERP services, cloud-based storage, and online broker services such as Airbnb and Uber.
- Sellers of physical goods that maintain an e-commerce site, such as Amazon, eBay, Craigslist or any of the hundreds of thousands of other online retailers worldwide.
- User-generated content sites that provide ratings and reviews, such as Yelp, OpenTable, Angie’s List, Citysearch or Yahoo! Local Listings.
- Any of the 1,000+ social networks in use worldwide – such as Facebook, Twitter or LinkedIn – that can be used by cybercriminals to distribute spam or links to malware-focused sites and, through the use of social engineering, can easily infect legitimate users.
We have just written a white paper about bad actors – and what you can do about them – which you can download here.
Years ago, a New Yorker (?) cartoon depicted a widow and her deceased husband’s boss standing at the graveside of the newly departed. The boss turned to the now-deceased employee’s wife and asked, “I know this is an awkward time, but did he ever mention source code?”
Somewhat in that vein, I had an interesting discussion at MacWorld/iWorld with Allison Sheridan, who runs the NosillaCast Mac podcast, and then followed this up by attending her talk (the only talk I have attended at a conference with “death” in the title). Allison recounted the experience of Tim and Alice Verpoorten. Tim, the geek in the family, died and left his wife Alice (a non-geek) with a large amount of stuff – old Macs, routers, cables, diskettes and a variety of other material for which she had no use. Worse, Alice had no access to Tim’s email accounts, cloud-service passwords and the variety of other things that would have proven extremely useful after Tim’s demise. Long story short, Allison condensed the Verpoortens’ experience (as well as her own and her husband’s, who helped dispose of this stuff) into four questions to which we should all take heed:
- Who could access your passwords if something happened to you?
- What services should you continue if you were incapacitated or worse?
- How organized are your electronics?
- What could you document to protect your interests and give your family/friends a helping hand?
This raises an important issue – and a number of questions – for business and IT decision makers for those situations in which their employees leave (regardless of how they do so):
- Do these employees have corporate content stored away somewhere that is inaccessible to the company? Places like USB sticks, personal cloud storage accounts, home computers, personal smartphones and tablets, .PST files, etc.?
- What are the consequences of the company not being able to access this content – or not even knowing it exists?
- What steps are you, as a business or IT decision maker, taking today to ensure you know where your data is and that you have complete and unfettered access to it?
- Do you have a succession plan in place that defines who owns Twitter followers, Facebook posts and content that has been posted to social media?
- Have you consulted your legal counsel about your rights and obligations as an employer to ensure you have all of the data to which you’re legally entitled?
- Employees, are you operating in compliance with the law and corporate policy in the context of how and where you store company-owned data?
- Employers who hire people from other companies, do you know what these individuals are legally entitled – and not entitled – to bring with them? Are you sure you’re protected if these new employees use confidential or proprietary data from their previous employer?
These are the kinds of questions that organizations should address in order to protect against their key employees’ untimely demise or some other departure from the company. This is simply part of good information governance. Moreover, Allison’s experience is part of good life governance. We should all take steps to start pursuing both.
Filed under: Uncategorized
Robust and reliable authentication is the essential first line of security for any application or system. Make authentication too difficult and users won’t use your solution; make it too easy and bad guys will.
There are various flavors of authentication, from simple username/password solutions through multi-factor and risk-based authentication systems that provide very high levels of security. Here are a couple of noteworthy solutions – both of which have been available for quite some time – that should be on your short list if you’re trying to protect an application, a network or your data:
- TextPower offers an elegant solution called TextKey that provides an interesting twist on two-factor authentication. Many banks, cloud providers and others offer two-factor authentication that sends a code to your mobile phone and asks you to enter it after you’ve entered a username and password. While this scheme does provide an added layer of security, it’s still subject to man-in-the-middle or man-in-the-browser attacks and other hacking exploits. However, what TextKey does is reverse the process for using a mobile phone for authentication purposes: instead of receiving a code via mobile to enter into a browser, the secure application displays a code and asks the user to text it to the application. Because every mobile phone has a Unique Device Identifier (UDID), the mobile carrier will not send the SMS message if someone is trying to spoof the system because the sending mobile number (already stored in the application’s database) and the UDID must match. In short, authentication cannot take place simply because a bogus user cannot get their SMS through. TextKey also uses a number of other authentication criteria to provide very solid protection against hackers and others.
- Confident Technologies has developed an authentication solution that studies have proven to be quite secure despite its simplicity. Instead of a user entering a password, he or she will identify images within categories that have previously been memorized. For example, when setting up access to an application, a user will select three categories of images, such as planes, rockets and dogs. When he or she attempts to access a system, there will be a presentation of a grid of images from which the user will select the images that correspond to predetermined categories. The images will change each time access is attempted, but will always be consistent with their predetermined choices. The company also offers an image-based CAPTCHA system, far better than the text-based solutions that are widely deployed. Studies have shown that image-based authentication is easier to use than password-based systems and is more resistant to brute force attacks and dictionary attacks. In one study, users were asked to set up text-based passwords and image passwords. After 16 weeks, only 40% of users could remember the former, but 100% could remember the latter. When asked to change their passwords and images, 75% could remember their text-based passwords, but all of the subjects could remember the changed images. Add to this the fact that image-based systems are also more resistant to keystroke loggers, a serious problem for many.
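The reverse SMS flow described in the TextKey item, written out as an added illustration of the application-side bookkeeping (this is not TextPower’s code, and the carrier-side UDID check the post mentions happens before a message reaches the application, so it is not modelled). The usernames, phone numbers and the webhook shape are assumptions.

```python
import hmac
import secrets
import time

# Constructed sample registry (assumed data): username -> mobile number
# enrolled at signup. The carrier-side UDID check mentioned in the post
# happens before the message reaches us and is not modelled here.
REGISTERED_NUMBERS = {"alice": "+15551230001", "bob": "+15551230002"}
NUMBER_TO_USER = {num: user for user, num in REGISTERED_NUMBERS.items()}

CODE_TTL_SECONDS = 120


class ReverseSmsAuth:
    """Application side of the reverse flow: display a one-time code, then
    wait for an inbound SMS carrying that code from the enrolled number."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._pending = {}         # username -> (code, expires_at)
        self._verified = set()

    def start_challenge(self, username):
        """Issue the code the browser displays. Assumes the first factor
        (username/password) has already been checked for this user."""
        if username not in REGISTERED_NUMBERS:
            raise KeyError("unknown user")
        code = f"{secrets.randbelow(10**6):06d}"   # 6 random digits
        self._pending[username] = (code, self._now() + CODE_TTL_SECONDS)
        return code

    def inbound_sms(self, sender_number, body):
        """Handler for the SMS gateway's inbound webhook (assumed to hand us
        the sender number and message text). Returns the username that is
        now authenticated, or None. All four must hold: the sender is an
        enrolled number, that user has a challenge outstanding, it has not
        expired, and the texted code matches the displayed one."""
        username = NUMBER_TO_USER.get(sender_number)
        if username is None or username not in self._pending:
            return None
        code, expires_at = self._pending[username]
        if self._now() > expires_at:
            del self._pending[username]
            return None
        if not hmac.compare_digest(code.encode(), body.strip().encode()):
            return None            # wrong code: challenge stays open
        del self._pending[username]   # single use
        self._verified.add(username)
        return username

    def is_verified(self, username):
        return username in self._verified
```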
Authentication is a necessary evil, but there are solutions that can offer greater security while not making life more difficult for users.
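The category-based image grid from the Confident Technologies item, as an added example (not the company’s code): each attempt draws a fresh grid with one image per secret category plus decoys, and the server accepts only an exact selection. The catalogue of image identifiers is constructed sample data.

```python
import secrets

# Constructed sample catalogue (assumed data): category -> image identifiers.
CATALOGUE = {
    "planes":  ["plane1", "plane2", "plane3"],
    "rockets": ["rocket1", "rocket2", "rocket3"],
    "dogs":    ["dog1", "dog2", "dog3"],
    "cats":    ["cat1", "cat2", "cat3"],
    "boats":   ["boat1", "boat2", "boat3"],
    "trees":   ["tree1", "tree2", "tree3"],
}
IMAGE_TO_CATEGORY = {img: cat for cat, imgs in CATALOGUE.items() for img in imgs}


def build_grid(secret_categories, grid_size=9):
    """Return a shuffled grid holding exactly one image from each of the
    user's secret categories plus decoys from the other categories. A new
    grid is drawn for every attempt, so the correct images differ each
    time while the categories stay the same."""
    secret = set(secret_categories)
    decoys = [img for cat, imgs in CATALOGUE.items() if cat not in secret for img in imgs]
    if len(secret) > grid_size or len(secret) + len(decoys) < grid_size:
        raise ValueError("catalogue cannot fill a grid of this size")
    grid = [secrets.choice(CATALOGUE[cat]) for cat in secret]
    while len(grid) < grid_size:
        grid.append(decoys.pop(secrets.randbelow(len(decoys))))
    # Fisher-Yates shuffle driven by the CSPRNG so position leaks nothing
    for i in range(len(grid) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        grid[i], grid[j] = grid[j], grid[i]
    return grid


def verify_selection(secret_categories, grid, selected):
    """Accept only an exact match: every grid image from a secret category
    was picked and nothing else was. `grid` must be the grid the server
    issued for this attempt and kept server side, never one the client sent."""
    secret = set(secret_categories)
    expected = {img for img in grid if IMAGE_TO_CATEGORY[img] in secret}
    return set(selected) == expected
```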
Filed under: Uncategorized | Tags: content, discovery, email, Microsoft, PST, storage
Email contains a wealth of critical business information. The importance of email to the typical information worker, and his or her resulting use of email to create and manage a large proportion of business content, means that using and migrating email must be risk-free and non-intrusive to users.
Osterman Research surveys of end users have repeatedly found that the typical corporate email user spends approximately 150 minutes per day working within their email client – sending or receiving email messages, searching for content, managing contacts, managing tasks, using email as the default information filing system, etc. Moreover, email remains the primary file transport system in most organizations, used to convey important business documents like purchase orders, contracts, proposals and the like – as such, it often becomes a key repository of this content, as well.
As a result, email is the most important single source of business content in most organizations.
In Exchange environments, .PST files are commonly employed by end users for a variety of reasons: to store email locally so that mailbox-size quotas are not exceeded, to allow messages to be easily transportable between mail systems, for purposes of email backup, or because users want to maintain a personal archive of corporate information. Microsoft effectively encouraged the use of .PST files by increasing the maximum size of these files tenfold to 20 gigabytes beginning with Outlook 2003.
Because .PST files are used extensively in Exchange environments, they are a significant repository of corporate content and house much of the critical business information to which organizations must have access.
A recent survey we conducted found that 36% of users in the organizations surveyed store email locally in .PST files. Further, we found that the median size of a .PST file in these organizations is 1.3 gigabytes, the equivalent of more than 100,000 email messages. However, some users maintain much larger .PST files – one large professional services firm, for example, maintains more than 4.5 gigabytes of .PST content per user.
Although good .PST management is essential, many organizations are not following best practices in two key areas.
- First, our research found that users store .PST files in a number of disparate locations, including their desktop machines, laptops, local file servers and cloud-based storage systems, among other locations.
- Second, our research found that only 29% of organizations back up local .PST files to a central location, despite 65% or more storing .PST files on laptops or desktops.
The immediate consequence of this highly distributed storage of .PST files is that the business content contained in these files is not accessible to those that need it, such as legal counsel, senior managers, compliance officers or information auditors – or, in many cases, to the individuals who created this information.
For more information on our .PST research, please feel free to download a just published white paper on the topic here.