Showing posts with label Identity Management. Show all posts

Monday, November 25, 2013

4 Easy Steps To Protect Your Identity

Four major areas of your daily life are frequently used as gateways into your private data. Protect those areas!

It's no secret that the damage caused by a single identity fraud event can take years to repair. Many consumers don't even discover they have been affected until months after the attack occurs. Identity fraud is among the fastest-growing crimes in the world and costs victims and institutions billions of dollars annually.

So what should we do? The ubiquity and anonymity of the Internet, coupled with old-fashioned methods of stealing identities such as "dumpster diving", makes this problem unmanageable for average folks, right? Wrong.

There are four major areas of your daily life that are frequently used as gateways into your private data. Paying attention to them can help you stay safe from the bad guys. 


Tactic #1: Guard Your Mail. 


Pay attention to your physical mailbox to reduce the chance of being victimized. The mail system has been vulnerable since the days of wagon trains and stage-coaches.


Action Steps:

1) Never use the red flag on your mailbox. It notifies potential thieves that there may be something of value left unattended in the box.

2) Lock your mailbox if possible. Fraudsters look for checks, parcels and other valuables in unattended mailboxes.


3) Place your outgoing mail in a mailbox inside post offices whenever possible. Outdoor mailboxes are magnets for mail thieves and mischief-makers.


Tactic #2: Guard Your Unique Personal Information. 

Your personal data points are often referred to by the acronym SNAPD, which stands for SSN, Name, Address, Phone, and Date of birth. Our SNAPD elements are the "coins of the realm" in the financial underworld and your Social Security Number (SSN) is the Holy Grail.


Action Steps:

1) Share your SSN, name, address, phone numbers, or date of birth only when it is genuinely necessary.

2) When an organization asks for SNAPD data, ask whether it is mandatory. Healthcare, government and financial services organizations will often legitimately require these details, but you would be amazed how little NPPI (Non-Public Personal Information) you can get away with sharing without causing a fuss.


3) Paper shredders are crucial. All SNAPD info (at home and in the office) should be disposed of in a nice cross-cut shredder.


Tactic #3: Guard Your Payment Tools. 


You would never think of leaving any significant amount of cash out in the open and unguarded, so why leave your checks, credit or debit cards exposed? Check fraud is an old yet extremely prevalent practice. Credit and debit cards look similar but are governed by different laws, responsibilities, and remedies. A fraudulent debit transaction drains money directly from your checking account, and you wait while the bank investigates before it is restored; a fraudulent credit charge is the card issuer's money until the dispute is resolved, and your liability limits are generally more favorable. Your debit card therefore puts your immediate personal assets at risk in a way that a credit card does not.


Action Steps: 


1) Guard your checkbook, credit, and debit cards and closely examine your monthly statement for unauthorized charges (even tiny ones; fraudsters often test a stolen card with a small charge before using it for larger ones). By promptly reporting any discrepancies, your financial institution can help investigate, minimize or correct any damage done.


2) Regularly review your credit report. In the US you are entitled to a free report from each of the three national credit bureaus every year through annualcreditreport.com, so you can check one bureau every four months at no cost.


Tactic #4: Protect Your Computer(s). 


Apply protection controls to not only your desktop, notebook or tablet device, but also your smartphone. According to a study from the Pew Research Center's Internet & American Life Project, 56% of Americans now own a smartphone, a new demographic referred to as "The Mobile Majority". 


Action Steps: 


1) Install and frequently update anti-virus, anti-malware protection for all devices including smartphones.


2) Create passwords of at least 9 characters mixing letters, numbers and symbols, use a different password for every site (a password manager makes this painless), and change a password immediately if you suspect it has been exposed. Consider using full-disk encryption on all your devices.


3) Exercise good data privacy habits by locking your devices, surfing and downloading safely, and guarding the physical security of each machine.

Tuesday, February 5, 2013

How To Control "Tagging" on Facebook?

Tame the "Tagging"

Being "tagged" on Facebook means another user has added content and publicly associated you with that content. A friend may post a picture of you at the beach. By tagging you, that photo will show up on your profile (if your settings allow).

There is a setting in Facebook that allows users to approve any tags before they are posted to their timeline. This blog post on Business2Community does a great job of showing readers exactly how to set Facebook to alert them to requests for tags.

This isn't just a good way to easily give friends permission to tag you; it's an excellent way to keep track of the content in which you've been tagged. Who needs to have someone else associate them with things to which they have no legitimate connection?

The post goes on to explain the difference between Facebook Profiles (now known as "Timelines") and Facebook Pages. There are some unique features about Pages that make these tags post differently, so if you manage a Product, Brand or Person Facebook Page, this will be an especially good article for you. 

For more emerging tagging concerns, see: 

Monday, December 31, 2012

Protecting Your Personal Info Online

Try Spokeo to find out how much your information is available online!

If you want a good litmus test for how much of your personal information is available on the Internet, try Spokeo.com. The site even compiles personal information on children. Spooky.

Thankfully, you can easily opt out of Spokeo. This won't remove all of your information from the Internet, obviously. But it will make it less simple for someone to find your information all in one place. Hayley Kaplan put together a great step-by-step process on her "What is Privacy?" blog to make it even easier.

This is one example of a great way your company or organization can contribute to the greater privacy good. If you have tips or tricks on how to opt-out of your own or another entity's data-collection processes, publish them and make them easy for your customer or client community to find and follow.

Wednesday, December 5, 2012

NIST Issues Credential Revocation Guide

Revocation Model for Federated Identities

Organizations can't easily revoke authentication credentials when they rely on more than one identity provider. With multiple identity providers, each with its own technology, and unique requirements for how organizations federate them, no single approach exists for managing revocation.

To address this dilemma, the National Institute of Standards and Technology has issued NIST Interagency Report 7817: A Credential Reliability and Revocation Model for Federated Identities.

IR 7817 describes and classifies different types of identity providers serving federations. For each classification, the document identifies perceived improvements when the credentials are used in authentication services and recommends countermeasures to eliminate some identified gaps.

With the countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services model that strives to improve authentication services for federations.

Here's how NIST explains the challenge:

Identity providers establish and manage their user community's digital identities. Users employ these identities, in the form of digital credentials, to authenticate to service providers. The digital identity technology deployed by an identity provider for its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.

A federated community accommodates two or more identity providers along with the specific authentication solution. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attributes.

In the absence of a uniform method, IR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, the report suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.
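The revocation gap the report describes can be made concrete. The following Python sketch is added here for illustration; it is not IR 7817's model and not NIST code. It shows a relying party that accepts a credential from one of two hypothetical identity providers (idp-a.example and idp-b.example, with made-up HMAC signing keys) only after checking the signature, the expiry, and a hypothetical shared revocation service that records both revoked credentials and revoked attributes. A signature check alone would still accept a revoked credential; the revocation lookup is the missing requirement.

```python
import hmac
import hashlib
import json
import time

# Hypothetical per-provider signing keys (assumption: HMAC-SHA256 credentials;
# a real federation would use the provider's public signing key).
IDP_KEYS = {
    "idp-a.example": b"idp-a-secret",
    "idp-b.example": b"idp-b-secret",
}


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue(idp, user, attributes, cred_id, ttl=3600, now=None):
    """The identity provider issues a credential: a signed JSON payload."""
    now = time.time() if now is None else now
    body = {"idp": idp, "sub": user, "cid": cred_id,
            "attrs": attributes, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload, _sign(IDP_KEYS[idp], payload)


class RevocationService:
    """Hypothetical shared service: which credential IDs and which
    (subject, attribute) pairs each provider has revoked."""

    def __init__(self):
        self.revoked_creds = set()   # (idp, cid)
        self.revoked_attrs = set()   # (idp, sub, attr)

    def revoke_credential(self, idp, cid):
        self.revoked_creds.add((idp, cid))

    def revoke_attribute(self, idp, sub, attr):
        self.revoked_attrs.add((idp, sub, attr))


def verify(payload, sig, revocation, now=None):
    """Relying-party check. Returns (accepted, reason, usable_attributes)."""
    now = time.time() if now is None else now
    try:
        body = json.loads(payload)
    except ValueError:
        return False, "malformed", {}
    idp = body.get("idp")
    key = IDP_KEYS.get(idp)
    if key is None:
        return False, "unknown provider", {}
    # Signature first: nothing below can be trusted until this passes.
    if not hmac.compare_digest(_sign(key, payload), sig):
        return False, "bad signature", {}
    if body["exp"] < now:
        return False, "expired", {}
    # A valid, unexpired credential may still have been revoked upstream.
    if (idp, body["cid"]) in revocation.revoked_creds:
        return False, "credential revoked", {}
    # Attribute-level revocation: keep the login but drop revoked attributes.
    attrs = {a: v for a, v in body["attrs"].items()
             if (idp, body["sub"], a) not in revocation.revoked_attrs}
    return True, "ok", attrs


def demo():
    """Issue one credential, then revoke an attribute, then the credential."""
    rs = RevocationService()
    t0 = 1_700_000_000
    p, s = issue("idp-a.example", "alice",
                 {"role": "admin", "dept": "ops"}, "c1", now=t0)
    before = verify(p, s, rs, now=t0 + 10)
    rs.revoke_attribute("idp-a.example", "alice", "role")   # alice loses admin
    after_attr = verify(p, s, rs, now=t0 + 20)
    rs.revoke_credential("idp-a.example", "c1")             # then the credential
    after_cred = verify(p, s, rs, now=t0 + 30)
    return before, after_attr, after_cred
```

The order of checks matters: the revocation lookup is keyed by fields taken from the payload, so it is only meaningful after the signature has proven those fields were set by the provider.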

Tuesday, November 6, 2012

How To Protect From ATM Traps

Avoid Getting Ripped Off at the ATM

Crooks around the globe are using new (and improving) technology to steal your information right at the ATM - and right under your nose. With a variety of devices - from tiny surveillance cameras to look-alike keypads to card readers - these criminals are able to get at your account number, your PIN and really any other kind of details they'd like (even what you look like or the kind of car you drive).

Because these criminals are no dummies, they often target ATMs off the beaten path, in places rarely checked by the network operator or without much traffic or people around. If you must use an ATM in a desolate location, be aware of anything that looks hinky. That scratched up card reader or loose keypad may just be evidence of a planted skimming device. Abandon the machine and try to find another.




Quite a few financial institutions have built mobile apps designed to help you locate ATMs. Consider downloading one (from the financial institution itself!) if you need to find ATMs in out-of-the-way locations.

Monday, November 5, 2012

No Minimum Age Limit for Identity Theft

Never Too Young to be Scammed

Young children have become increasingly at risk for identity theft. In fact, ID theft among victims age five and younger has doubled - just since 2011. According to the 2012 Child Identity Theft report from AllClear ID, children are 35 times more likely to be victims of identity theft than adults.

The impact of identity theft on a child's life can be devastating, affecting the ability to get a loan, scholarship, apartment, credit card or job. For specific ways to protect your child's identity, read the Federal Trade Commission (FTC) fact sheet, "Safeguard Your Child's Future."

It contains instructions for checking your child's credit report, placing an initial fraud alert, requesting a credit freeze, and filing a report with the FTC.

Sunday, September 16, 2012

Techniques to Protect Yourself on Social Networks

Security tips from ISACA Journal

Vigilance continues to spearhead the security and, thus, the privacy of the information. It can be broken down into a few techniques that are simple but could make all the difference:

Choice of “friends” and contacts—Users should be extremely careful in their choice of friends on these networks. It is common practice to accept contact from friends of friends who are frequently complete strangers. This can lead to one’s private life being exposed to potentially harmful individuals.

Restricting private content to close friends and family only—Social networking sites are increasingly allowing their users to configure restrictions on access to their information. It is, therefore, important to use these restrictions and to ensure that they are properly configured, given that our information is public by default.

Careful choice of information to be broadcast—The key to the protection of privacy is, in fact, what information one broadcasts. Name, surname, date of birth, place of birth, photos, videos, comments and opinions should be carefully screened prior to being posted. Keep in mind that information posted on a network may one day be used against its author.

Awareness—Every sector of the population should be made aware of the need to protect themselves against the risk that the use of social networks may entail. In the business world, this awareness must form part of the IT security program.

Finally, social networks are a great way to express oneself and share with others. They help users lift the barriers of space and time and communicate with the world. However, there is another side associated with the proven dangers of user privacy violation.

These dangers are even more of a threat now thanks to the increasingly widespread trend of registering on several sites using a single user account. In response to this situation, each Internet user must remain vigilant and governments must put more pressure on the operators of these sites to safeguard the security of Internet users.

Read Guy-Hermann Ngambeket Ndiandukue’s full article, “Social Networks and Privacy—Threats and Protection,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.

Wednesday, August 29, 2012

10 Simple Things To Protect Your Privacy

Some of the easiest things you can do to protect your privacy

These are the really, really simple things you should be doing to keep casual intruders from invading your privacy.

1. Password protect your devices: your smartphone, your iPad, your computer, your tablet, etc. Some open bookers tell me it’s “annoying” to take two seconds to type in a password before they can use their phone. Choosing not to password protect these devices is the digital equivalent of leaving your home or car unlocked.

If you’re lucky, no one will take advantage of the access. Or maybe the contents will be ravaged and your favorite speakers and/or secrets stolen. If you’re not paranoid enough, spend some time reading entries in Reddit Relationships, where many an Internet user goes to discuss issues of the heart. 

2. Put a Google Alert on your name. This is an incredibly easy way to stay on top of what’s being said about you online. It takes less than a minute to do. Go here. Enter your name, and variations of your name, with quotation marks around it. Boom. You’re done.

3. Sign out of Facebook, Twitter, Gmail, etc. when you’re done with your emailing, social networking, tweeting, and other forms of time-wasting. Not only will this slightly reduce the amount of tracking of you as you surf the Web, this prevents someone who later sits down at your computer from loading one of these up and getting snoopy. If you’re using someone else’s or a public computer, this is especially important. Yes, people actually forget to do this, with terrible outcomes.

4. Don’t give out your personal details when asked. Obviously, if a sketchy dude in a bar asks for your phone number, you say no. But when the asker is a uniform-wearing employee at Best Buy, many a consumer hands over their digits when asked. Stores often use this info to help profile you and your purchase. You can say no. If you feel badly about it, just pretend the employee is the sketchy dude in the bar.

5. Encrypt your computer. The word “encrypt” may sound like a betrayal of the simplicity I promised in the headline, but this is actually quite easy to do, especially if you’re a MacHead. Encrypting your computer means that someone has to have your password (or encryption key) in order to peek at its contents should they get access to your hard drive. On a Mac, you just go to your settings, choose “Security and Privacy,” go to “FileVault,” choose the “Turn on FileVault” option. Boom goes the encryption dynamite. PC folk need to use BitLocker.

6. Gmailers, turn on 2-step authentication in Gmail. The biggest takeaway from the epic hack of Wired’s Mat Honan was that it probably wouldn’t have happened if he’d turned on “2-step verification” in Gmail. This simple little step turns your phone into a security fob — in order for your Gmail account to be accessed from a new device, a person (hopefully you) needs a code that’s sent to your phone. This means that even if someone gets your password somehow, they won’t be able to use it to sign into your account from a strange computer. Google says that millions of people use this tool, and that “thousands more enroll each day.” Be one of those people. The downside: It’s annoying if your phone battery dies or if you’re traveling abroad. The upside: you can print a piece of paper to take with you. Alternately, you can turn it off when you’re going to be abroad or phone-less. Or you can leave it permanently turned off, and increase your risk of getting epically hacked. Decision’s yours.

7. Pay in cash for embarrassing items. Don’t want a purchase to be easily tracked back to you? You’ve seen the movies! Use cash. One data mining CEO says this is how he pays for hamburgers and junk food these days.

8. Change Your Facebook settings to “Friends Only.” You’d think with the many Facebook privacy stories over the years that everyone would have their accounts locked down and boarded up like Florida houses before a hurricane. Not so. There are still plenty of Facebookers that are as exposed on the platform as Katy Perry at a water park. Visit your Facebook privacy settings. Make sure this “default privacy” setting isn’t set to public, and if it’s set to “Custom,” make sure you know and are comfortable with any “Networks” you’re sharing with.

9. Clear your browser history and cookies on a regular basis. When’s the last time you did that? If you just shrugged, consider changing your browser settings so that this is automatically cleared every session. Go to the “privacy” setting in your Browser’s “Options.” Tell it to “never remember your history.” This will reduce the amount you’re tracked online. Consider a browser add-on like TACO to further reduce tracking of your online behavior.

10. Use an IP masker. When you visit a website, you leave a footprint behind in the form of IP information. If you want to visit someone’s blog without their necessarily knowing it’s you — say if you’re checking out a biz competitor, a love interest, or an ex — you should consider masking your computer’s fingerprint, which at the very least gives away your approximate location and service provider. To do this, you can download Tor or use an easy browser-based option like HideMyAss.com

Ignoring these is like sending your personal information out onto the trapeze without a safety net. It might do fine… or it could get ugly.

Source: Forbes.

Monday, August 6, 2012

Yahoo password breach shows we're all really lazy

Hackers at It Again


By entering database commands into online forms (a SQL injection attack), attackers tricked one of Yahoo's back-end servers into releasing more than 450,000 user credentials, reportedly stored in plain text. The attackers then took it one step further and published the credentials online.
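To make the attack pattern concrete, here is an added Python example, constructed for this page rather than taken from Yahoo or from the original post, with an invented users table. It shows a login query that pastes form input into SQL beside the parameterized version, and why plain-text password storage turns one injection into a usable credential dump.

```python
import sqlite3


def make_db():
    """Constructed sample table; the page does not describe Yahoo's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice@example.com", "hunter2"),   # stored in plain text, as the
        ("bob@example.com", "letmein"),     # leaked Yahoo credentials were
    ])
    return db


def login_vulnerable(db, email, password):
    """Form input is pasted into the SQL text, so a quote character in the
    input changes the query's structure instead of being compared as data."""
    sql = ("SELECT email FROM users WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return [row[0] for row in db.execute(sql)]


def login_safe(db, email, password):
    """Placeholders: the driver passes the values separately from the SQL
    text, so the input is only ever compared, never parsed."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (email, password))]


def demo():
    db = make_db()
    # Classic payload: closes the string, adds an always-true clause and
    # comments out the password check ("--" starts a SQL comment).
    bypass = "x' OR 1=1 --"
    # UNION payload: appends a second SELECT that returns every stored
    # credential; with hashed passwords this would yield hashes, not secrets.
    dump = "x' UNION SELECT email || ':' || password FROM users --"
    return {
        "vulnerable": login_vulnerable(db, bypass, "anything"),
        "safe": login_safe(db, bypass, "anything"),
        "dump": login_vulnerable(db, dump, ""),
    }
```

The parameterized query returns nothing for the same input because the whole string, quote and comment marker included, is compared against the email column as a value.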


Wonder if yours was among the credentials circulated? You can find out here.


If you find your email and password in this database, change your password immediately... and not only on Yahoo, but anywhere else you have used that password.


Social engineers are notorious for uncovering a victim's entire web profile, which could include potentially costly exposure (e.g. your online banking). Even if you don't see your password listed, it's a good security practice to regularly change your passwords in case someone has uncovered it some other way.


Also, never use the same password on social media sites as other types of sites, such as your employer's systems, online retail stores, banking, and so on.

Saturday, August 4, 2012

Nothing for Free Especially Mobile Apps

Mobile App Developers Scoop Up Vast Amounts of Data


Many of my friends use a large number of free apps, and I'm vigilant in reminding them: "Nothing in life is free."


I challenge them to consider: What information are you giving in exchange for the "super cool" app? What is the app's owner doing with that information?


Be careful what you freely give away to unknown suppliers who tempt you with tantalizing fun and games.


Here's a good article with a high-level overview that points to some good research on the topic.

Thursday, August 2, 2012

How to Spot a Fake LinkedIn Profile

Scams on LinkedIn exposed: how gullible job-seekers are beguiled!


LinkedIn is no stranger to security trouble, having recently survived a heavily scrutinized password breach in which some 6.5 million unsalted SHA-1 password hashes were posted online.


Unfortunately, it's largely up to you to protect yourself from falling into the snare of a scam artist posing as a legitimate professional connection. Understand that once you are linked with a fraudster there is no telling what type of scams they will try to pull on you.


They may also victimize your other connections if you allow your linked connections to see one another (you can change your settings to prevent this). Because some LinkedIn users are in the practice of accepting all invitations, it's incredibly important to look out for scammers.


John Thomas of Bloglerati has put together an excellent collection of fake profiles on his Facebook page, along with the following red flags for spotting fake LinkedIn profiles:

  • Lower case first and last name
  • Stock photo for profile picture
  • Minimal info in profile
  • Belongs to a large number of groups
  • Generic company name
  • Rhythmic names, like Sam Smith or Joe Johnson

Wednesday, June 20, 2012

Enable Do Not Track Feature In Web Browsers

How to enable the "Do Not Track" feature in the web browser you are using


You may not be aware that the web browser you are using lets sites and advertising networks record a great deal about you: every page you visit, every click, and many of the details you enter into forms. What that data is eventually used for, good or bad, is anyone's guess, but few people would be comfortable with someone following their every click.


There is a simple setting that asks sites to stop: the "Do Not Track" feature, which most modern browsers support but which you have to enable for it to work. Be clear about what it does, though. It only adds a "DNT: 1" header to every request your browser sends. That is a request, not an enforcement mechanism; sites and ad networks are free to ignore it, so treat it as a complement to tracker-blocking add-ons and cookie hygiene, not a replacement for them.


Let’s start with Google Chrome.


Unfortunately, there is no built-in setting to enable Do Not Track in Google Chrome at the time of writing, but there are several Chrome extensions that add the "Do Not Track" header for you. Install one of those extensions, making sure you are running a recent version of Chrome (at least version 17), add it, enable it, and your browser will send the header with every request.


Enable Do Not Track Feature In Mozilla Firefox



We don’t need any Add-on to enable Do Not Track feature in Mozilla Firefox. Just follow this quick tweak in Mozilla Firefox privacy settings and you are done. That’s the beauty of it.
  • Click on Firefox button.
firefox options tab
  • Move over to Options.
options tracking mozilla firefox
  • Under the Privacy Tab, check that box beside that says “Tell websites I do not want to be tracked”. Ok, and there you are, a free bird.

Enable Do Not Track Feature In Internet Explorer

Internet Explorer 9 does not expose a Do Not Track checkbox; instead it sends the header once a Tracking Protection List is enabled. To turn it on, visit the Do Not Track test page in Internet Explorer 9 and, under the heading that says "To express your preference not to be tracked in IE9", click the link, which installs a Tracking Protection List and with it the header. Make sure you are clicking that link from Internet Explorer 9 itself.

Monday, April 2, 2012

Protecting Your Privacy on (and off) Facebook

Minimum Qualifications: Facebook Password

In the past couple of weeks, the media caught wind of a hiring practice some employers have put into place. They are requesting Facebook passwords from their applicants as a condition of being considered for open positions, and asking current employees to hand over their passwords (even with their own "do not share passwords" policies in place).

There are at least six good reasons employers should NOT do this. I recently wrote about it here on The Privacy Professor Blog

Whatcha Doing Outside of Facebook? 

Thanks to the clever programmers at Facebook, the social media giant - now public and more responsible than ever for reporting accurate user numbers - knows exactly when you open one of its emails.

This is particularly interesting because, as PandoDaily points out, it indicates a desire to track users' behavior even when they are not logged into Facebook. The mechanism is a web bug: a tiny remote image that your mail client fetches from Facebook's servers when it renders the message, which tells Facebook when, and from which IP address, that message was opened. PandoDaily suggests reading your email outside of Internet Explorer and Outlook; what actually matters is whether the client fetches remote images, so any mail client set to block remote images (or to display messages as plain text) defeats the tracking.

Don't Judge a 'Friend' by His Photo 

Bogus Facebook accounts are a growing problem impacting a wide range of people, from high schoolers battling "mean girls" to NATO officials in charge of national security. There are, fortunately, several ways to spot a fake, and here's an excellent article outlining exactly how.

Starting from Scratch

Often you'll hear identity and privacy experts advise that you close down your Facebook account if it becomes hacked. But what if your account is years old, housing countless contacts, memories, photos and videos? Fortunately, there is a way to back up all of that information, so it will be at the ready should you ever need to rebuild your Facebook account or if you simply want to keep all those past posts.

Monday, February 13, 2012

Free Security eBook [Compliance and Beyond]

Toward a Consensus on Identity Management Best Practices

I would like to recommend a Web Security eBook [Compliance and Beyond: Toward a Consensus on Identity Management Best Practices] to learn best practices for identity management and IT security for the Energy industry.

For more than a decade, government and industry bodies around the world have issued a growing number of regulations for the energy industry designed -- in whole or in part -- to ensure the security, integrity and confidentiality of personal and corporate data. Combined, these individual regulatory guidelines outline what constitutes best practices in identity management and IT security.

It is a limited-time offer (PDF version).

Free Download: http://tinyurl.com/7kbgm8w

Sunday, January 15, 2012

Signcryption: New Technology & Standard to improve Cyber Security

Signcryption is a public-key technique that provides confidentiality and authenticity in a single operation, at lower cost than signing a message and then encrypting it.

For example, when you log in to your online bank account over a signcrypted channel, the scheme keeps your username and password from being read by unauthorized individuals and, at the same time, assures the bank that the message came from the holder of your key and was not altered in transit.

UNC Charlotte professor Yuliang Zheng invented signcryption (first published in 1997) and continues his research in the College of Computing and Informatics. After a nearly three-year process, the technique has been formally recognized as an international standard (ISO/IEC 29150) by the International Organization for Standardization (ISO).

News of the ISO adoption comes amidst daily reports of cyber attack and cyber crime around the world. Zheng says the application will also enhance the security and privacy of cloud computing.

“The adoption of signcryption as an international standard is significant in several ways,” he said. “It will now be the standard worldwide for protecting confidentiality and authenticity during transmissions of digital information.”

“This will also allow smaller devices, such as smartphones and PDAs, 3G and 4G mobile communications, as well as emerging technologies, such as radio frequency identifiers (RFID) and wireless sensor networks, to perform high-level security functions,” Zheng said.

“And, by performing these two functions simultaneously, we can save resources, be it an individual’s time or be it energy, as it will take less time to perform the task.”
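To show what "both functions simultaneously" means in practice, here is an added Python example of Zheng's discrete-log signcryption scheme (the construction usually called SCS1), written for this page; it is not code from the ISO standard or from Zheng's group. Assumptions: a tiny 10-bit safe prime p = 1019 with subgroup order q = 509 (a real deployment uses p of at least 1024 bits; these parameters are for illustration only), SHA-256 as the hash, HMAC-SHA256 as the keyed hash, and a SHA-256 counter-mode keystream standing in for the symmetric cipher. One modular exponentiation by the sender produces a key that both encrypts the message and binds it to the sender's private key; the receiver recovers the same key from the sender's public key and the pair (r, s), so decryption and authentication happen in one step.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption): P = 2*Q + 1 is a safe prime and G = 4
# generates the order-Q subgroup, so exponents may be reduced mod Q.
P = 1019
Q = 509
G = 4


def keygen():
    """Private key x in [1, Q-1], public key y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _split_key(shared):
    """Hash the shared group element into a cipher key k1 and a MAC key k2."""
    k = hashlib.sha256(shared.to_bytes(2, "big")).digest()
    return k[:16], k[16:]


def _xor_stream(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _keyed_hash(k2, msg):
    return int.from_bytes(hmac.new(k2, msg, hashlib.sha256).digest(), "big")


def signcrypt(x_a, y_b, msg):
    """Alice (private x_a) signcrypts msg for Bob (public y_b).
    Returns (c, r, s): ciphertext plus the two signature values."""
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k1, k2 = _split_key(pow(y_b, x, P))      # k = H(y_b^x)
        c = _xor_stream(k1, msg)                  # confidentiality
        r = _keyed_hash(k2, msg)                  # authenticity
        if (r + x_a) % Q != 0:                    # retry the degenerate case
            s = x * pow((r + x_a) % Q, -1, Q) % Q  # s = x / (r + x_a) mod Q
            return c, r, s


def unsigncrypt(x_b, y_a, c, r, s):
    """Bob (private x_b) recovers k from (y_a * G^r)^(s*x_b) = G^(x*x_b) = y_b^x,
    decrypts, and re-computes r. Returns the message or None on failure."""
    shared = pow(y_a * pow(G, r, P) % P, s * x_b % Q, P)
    k1, k2 = _split_key(shared)
    msg = _xor_stream(k1, c)
    r2 = _keyed_hash(k2, msg)
    if hmac.compare_digest(r.to_bytes(32, "big"), r2.to_bytes(32, "big")):
        return msg
    return None


def demo():
    """Round trip, a tampered ciphertext, and a third party trying to read it."""
    x_a, y_a = keygen()      # Alice
    x_b, y_b = keygen()      # Bob
    x_c, _ = keygen()        # Carol, not the intended receiver
    c, r, s = signcrypt(x_a, y_b, b"user=alice&pw=hunter2")
    tampered = bytes([c[0] ^ 1]) + c[1:]
    return (unsigncrypt(x_b, y_a, c, r, s),
            unsigncrypt(x_b, y_a, tampered, r, s),
            unsigncrypt(x_c, y_a, c, r, s))
```

Because r is the keyed hash of the plaintext and s ties r to Alice's private key, a single check by Bob establishes both that the message decrypted correctly and that only Alice could have produced it; there is no separate signature to verify. The retry loop in signcrypt handles the one degenerate case, r + x_a being zero mod q, which is negligible with real-sized parameters but reachable with a toy q.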

Monday, October 31, 2011

Borders Sells Personal Information

'About Face' Could Violate Your Privacy

Once spirited rivals, Borders and long-time competitor Barnes & Noble are now doing business together. That business? Your personal information.

If you were a Borders customer who allowed the national bookstore to store your personal information, there is a good chance that information may soon belong to Barnes & Noble. And we're not just talking your name and address. We're talking things like your credit card number - and even more personal yet - your purchase history.

If sharing this information with yet another store in general, or with Barnes & Noble in particular, doesn't sit well with you -- or you do not want your purchase history to become part of perpetual history by being passed along to another bookseller -- be sure to opt out by visiting the Barnes & Noble website.

But hurry. You only have until Nov. 2, 2011 to tell them no.

Saturday, October 29, 2011

Researchers Unveil Flaws in Skype

Pilfering Personal Identifiable Information (PII) via Skype

It's so easy that a child could uncover personally identifiable information of millions upon millions of Internet phone users, if the child is a sophisticated, high-school-age hacker.

That's how researchers from the Polytechnic Institute of New York University describe an easily exploitable flaw in Skype and other IP-based phone systems that could potentially disclose the identities, locations and digital files of hundreds of millions of users, according to a new paper, "I Know Where You Are and What You Are Sharing."
"A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud," Keith Ross, an NYU-Poly computer science professor who headed the research team, says in a statement issued by the school.

The flaw, for instance, could allow marketers to effortlessly link information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to build inexpensive profiles, costing them pennies per individual profile.

Though researchers studied only Skype, they say their findings also apply to other IP-based phone systems. Their findings will be presented next month at the Internet Measurement Conference 2011 in Berlin.

Using commercial geo-location mapping services, researchers found they could construct a detailed account of a user's daily activities even if the user had not turned on Skype for 72 hours. Skype and its new owner Microsoft were informed of the researchers' findings. Skype's response wasn't clear on specific steps it has taken to address the vulnerabilities the researchers discovered.

The researchers, however, contend there's a fairly straightforward and inexpensive fix to prevent hackers from taking the critical first step in this security breach, that of obtaining users' IP addresses through inconspicuous calling. By redesigning the Skype protocol, a user's IP address would never be revealed unless the call is accepted. That, researchers say, would offer substantially greater privacy.

Wednesday, October 12, 2011

Change your Facebook privacy settings to avoid strangers looking at your updates!

Stop strangers from stalking your wall posts, photos, videos etc.

Regardless of what you think about the "updates" Facebook regularly unleashes on its users, one thing is for sure: they'll keep coming. The latest changes are disturbing for reasons other than minor discomfort with the way your news feed page looks now.

One can be flat-out intrusive and invites peepers into your personal life if you, and your friends, do not have privacy settings that keep such voyeurs out. If you have not yet, change your Facebook settings now so that strangers can't view your personal information. What's more, make sure your kids' settings are changed as well; there are far too many creeps trolling Facebook pages for young victims.

New to Facebook - Subscribers

Subscribers are basically folks who want to see all your public posts in their news feed without having you agree to be their friend. You can turn off the ability for people to stalk... er, subscribe to you if you do not want this.

This is pretty much like those who "follow" others on Twitter. Except, of course, Twitter is a much different type of information-sharing community. And, on FB, your friends' settings can also make some of your comments to them public and viewable by subscribers even if none of your settings are "public".

Most of the folks I know who use FB do so to be able to interact with people they actually know since so many more types of information are shared on FB as opposed to a community where communications are made 140 characters at a time.

So, if you are not comfortable having someone you've never heard of before, or someone you know but who you would rather not know, stalking you and your wall posts, photos, videos, etc. on FB, you can turn off the ability for folks to "subscribe" to you.

Most of you will have had "subscribers" turned on when FB switched to this new format. To disallow folks from subscribing to you do the following:
  1. Go to your profile (click your name at the top right portion of the screen to get there)
  2. Click Subscribers link on the left menu
  3. Click the Edit Settings button in the top right part of your screen
  4. Click "Off" in the drop down menu to the right of "Subscribers"
Note: when you hide or decline a friend request, that person can still subscribe to your public updates if you have allowed subscribers. So, if you don't want people you don't know seeing all your posts automatically within their news stream, including your comments to others, turn off subscribers.

Saturday, April 2, 2011

No news is bad news for two-factor logins

Assume SecurID is broken?

It's been a week since RSA dropped a vaguely worded bombshell on 30,000 customers that the soundness of the SecurID system they used to secure their corporate and governmental networks was compromised after hackers stole confidential information concerning the two-factor authentication product.

For seven days, reporters, researchers, and customers have called on RSA, and its parent corporation EMC, to specify what data was lifted – or at the very least to say if it included details that could allow government or corporate spies to predict the one-time passwords that SecurID tokens generate every 60 seconds. And for seven days, the company has resolutely refused to answer. Instead, RSA has parroted Security 101 how-tos about strong passwords, support-desk best practices, and the dangers of clicking on email attachments.

Officials from RSA and EMC have steadfastly refused to give yes or no answers to two questions that have profound consequences for the 40 million or so accounts that are protected by SecurID: Were the individual seed values used to generate a new pseudo-random number exposed and, similarly, was the mechanism that maps a token's serial number to its seed leaked?

Without the answers to those two basic questions, RSA customers can't make educated decisions about whether to continue relying on SecurID to prevent unauthorized logins to their sensitive networks. After all, if the breach on RSA's servers exposed the seeds and the mapping mechanism, SecurID customers have lost one of the factors offered by the two-factor authentication product.

An RSA spokesman released an updated statement earlier this week that said in part: “Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA’s systems. Even with this information being extracted, RSA SecurID technology continues to be an effective authentication solution for customers.” (Notice the statement didn't say “an effective two-factor authentication solution.”)

The statement went on to say that revealing additional details “could enable others to try to compromise our customers’ RSA SecurID implementations, so we are not disclosing further information.”

Translation: Yes, we were hacked, and yes, the hackers made off with confidential information that compromises the security of a product you've spent huge amounts of money on, but you'll just have to trust us that you're still safe.

In the wake of this information blackout, the prudent thing for customers to do is to assume that SecurID seeds have been lifted, and to also assume that the mechanism that maps a particular token's serial number to its individual seed has also been taken. That means if attackers can trick individual SecurID users into giving out the number printed on the back of their token, its two-factor protection has been broken. The same applies if a company's database of serial numbers is breached.

That assumption would be consistent with an advisory RSA sent to customers on Monday urging them to strengthen the personal identification numbers that are used along with a user ID and the one-time password, since the PIN would be the single factor of authentication left.

SecurID's two-factor authentication may not be broken, but until RSA comes clean and provides some yes or no answers to two simple questions, it's better to assume it is. The network security you preserve may be your own.
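The reasoning in this post (seed values, the serial-to-seed mapping, the 60-second code, and the PIN as the factor that remains) can be made concrete with a small model. The following is an added example, not RSA's code and not the SecurID algorithm, which is proprietary: an RFC 6238-style HMAC-based 60-second code stands in for it, and the serial number, seed, user and PIN are constructed values. It shows an authentication server that checks the PIN (knowledge) and then the time-synchronous code (possession), rejects a replayed code, and makes visible why the possession check cannot distinguish the real token from a copy of the server's own serial-to-seed table. A constructed PIN policy illustrates the advisory's "strengthen your PINs" step.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post's 60-second code interval


def token_code(seed: bytes, now: int, digits: int = 6) -> str:
    """Value a token displays at Unix time `now`: HMAC(seed, time window), truncated.
    RFC 6238-style; an assumption standing in for SecurID's proprietary algorithm."""
    window = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def pin_hash(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def pin_is_strong(pin: str) -> bool:
    """Constructed PIN policy (an assumption, not RSA's advisory text):
    at least 8 digits, not one repeated digit, not a straight run."""
    if len(pin) < 8 or not pin.isdigit():
        return False
    if len(set(pin)) == 1:                                   # e.g. 11111111
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                                 # 12345678 / 87654321
        return False
    return True


class AuthServer:
    """Holds the serial->seed mapping and per-user PIN hashes."""

    def __init__(self, serial_to_seed: dict, users: dict):
        self.serial_to_seed = serial_to_seed   # serial -> seed: the data at issue
        self.users = users                     # user -> (serial, pin hash)
        self.accepted = set()                  # (serial, window) codes already used

    def verify(self, user: str, pin: str, code: str, now: int, drift: int = 1) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        serial, expected_pin = record
        # Factor 1 (knowledge): the PIN, compared in constant time.
        if not hmac.compare_digest(pin_hash(pin), expected_pin):
            return False
        # Factor 2 (possession): a code that only a holder of the seed can produce.
        # Allow one window of clock drift, but accept each window's code once only.
        seed = self.serial_to_seed[serial]
        base = now // STEP_SECONDS
        for window in range(base - drift, base + drift + 1):
            if hmac.compare_digest(token_code(seed, window * STEP_SECONDS), code):
                if (serial, window) in self.accepted:
                    return False              # replay of an already-used code
                self.accepted.add((serial, window))
                return True
        return False


# Constructed enrolment data: one token serial, its seed, and one user.
SERIAL = "000123456789"
SEED_DB = {SERIAL: hashlib.sha1(b"constructed seed material").digest()}
USERS = {"alice": (SERIAL, pin_hash("4713"))}


def demo(now: int = 1_301_700_000) -> dict:
    server = AuthServer(SEED_DB, USERS)
    shown = token_code(SEED_DB[SERIAL], now)          # what alice's token displays
    later = now + 2 * STEP_SECONDS
    # A party holding only a copy of the serial->seed table, not the token,
    # derives the identical display value: the possession check cannot tell
    # them apart, which is why the PIN becomes the single remaining factor.
    copy_of_mapping = dict(SEED_DB)
    from_copy = token_code(copy_of_mapping[SERIAL], later)
    return {
        "pin_plus_token": server.verify("alice", "4713", shown, now),
        "replay_rejected": not server.verify("alice", "4713", shown, now),
        "wrong_pin_rejected": not server.verify("alice", "0000", from_copy, later),
        "seed_copy_matches_token": from_copy == token_code(SEED_DB[SERIAL], later),
        "only_pin_left": server.verify("alice", "4713", from_copy, later),
        "pin_4713_meets_policy": pin_is_strong("4713"),
        "pin_83051926_meets_policy": pin_is_strong("83051926"),
    }
```

Read `demo()` top to bottom and the post's argument falls out: the server never learns whether the code it accepts came from the plastic token or from a copy of its own seed table, so once that table is assumed lost, everything hangs on the PIN check that runs first, and on controls such as one-time acceptance of each window and a PIN policy stricter than four digits.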