How to protect your sensitive information - update from Symantec
A recent report claims that a Russian criminal group has amassed 1.2 billion usernames and passwords from 420,000 websites. The breaches reportedly affected businesses of every size, from Fortune 500 companies to tiny websites. The breached sites were not named, since many of them remain vulnerable to attack.
The group reportedly obtained the data by using botnets to probe websites for weaknesses. According to the report, when one of the infected botnet computers visits a website, the attackers make it perform a SQL injection test against the site to check whether it is vulnerable. If it is, the attackers record the site and return to it later to steal information from its database.
The attackers reportedly have not sold much of the stolen information; instead, they have used it to send spam on social networks. The data could nevertheless be of great value to other cybercriminals. If users reuse their passwords on other online services, attackers can use the stolen credentials to compromise those accounts as well and obtain further sensitive personal information about the victim.
The problem with passwords
This incident shows once again how problematic the current password system is. It is all too easy to reuse passwords across countless websites or to pick passwords that are easily guessed. As a result, if an attacker obtains a user's login credentials by breaching one website, they can potentially use them to gain unauthorized access to many other online accounts.
Even telling users about serious vulnerabilities is not enough to convince them to change their passwords. A recent report from the Pew Research Center found that fewer than four in ten people who knew about the Heartbleed vulnerability changed their passwords in response to it.
Rather than blaming the user, it might be better to consider new ways to improve how authentication is done for online services. Given the rapid development of technology in recent years, in both the consumer and business sectors, now may be the right time to act.
Mobile authentication
The proliferation of smartphones has boosted the popularity of two-factor authentication. After logging in with their password, users check their email, an SMS, or a mobile app for a second, temporary authentication code. This means that even if a user's password is exposed, the attacker also needs access to the second factor in order to compromise the target account.
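As an added illustration of the second-factor check described above (example code, not from Symantec or the original post), here is a server-side login that requires both a password and a time-based one-time code of the kind mobile authenticator apps generate (RFC 6238). The user record, salt and shared secret are constructed demo values; the secret is the RFC test-vector key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret (the RFC 4226/6238 test-vector key). A real
# service generates a random per-user secret and shares it once (e.g. QR code).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s step."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), using a
    constant-time comparison so the check does not leak through timing."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), code):
            return True
    return False


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus TOTP secret."""
    salt = b"constructed-demo-salt"  # real code: os.urandom(16) per user
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, now=None) -> bool:
    """Both factors must pass: a leaked password alone does not get in."""
    now = int(time.time()) if now is None else now
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)  # checked regardless of pw_ok
    return pw_ok and code_ok


if __name__ == "__main__":
    user = make_user("correct horse", DEMO_SECRET)
    print(login(user, "correct horse", totp(DEMO_SECRET, 59), 59))  # True
    print(login(user, "correct horse", "000000", 59))               # False
```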
The next step for secure login appears to be biometric authentication. Although the technology has been around for some time, Apple brought it to wide attention by adding a fingerprint sensor to the iPhone 5S last year. Users can unlock their phone or verify their iTunes purchases by placing a finger on the home button. Other smartphone makers followed with similar features on their devices, and in June Apple extended the feature to all its applications, helping the technology spread even further.
Biometric authentication on smartphones is not limited to fingerprints. A Samsung executive recently said the company is looking at creating devices that recognize users by scanning their iris.
The authentication of the future
Authentication will not stop there, as researchers are constantly looking for new ways to rethink the approach. Last year, Regina Dugan, head of the Advanced Technology and Projects group at Google, proposed a tattoo or a swallowable pill that can identify the user. All they would need to do is touch their device - or even their car - to unlock it.
A company spun out of the University of Oxford is also working on a new authentication system. Oxford Bio Chronometrics' system measures the countless behaviors a user exhibits when interacting with their device: the way the user leans toward their phone when typing, how fast they scroll, the movements they make with the mouse, and more. The system combines this information into an "electronically Defined Natural Attributes (eDNA)" profile for the user, which it then uses to identify them.
Frank Stajano, a scientist at Cambridge University, says he has a different solution to the password problem in the form of an electronic aura. In this system the user wears an accessory, or has an implant under the skin, that produces an electronic aura. The aura extends two to three feet around the person's body, and the signal it emits lets only that user access the devices that belong to them. A person could therefore unlock their car with a key fob within this range, but if the key fob leaves that field it stops working. Stajano is also working on a device called Pico, which stores countless passwords for online services. The device works only inside the electronic aura.
Protect your information
It may be some time before these ambitious authentication projects become reality. In the meantime, Symantec advises users to protect their online information from attackers in the following ways:
- Always use strong passwords and never reuse them on other websites.
- Enable two-factor authentication on the websites that offer it. Symantec's Validation and ID Protection (VIP) Service allows enterprises to deploy both two-factor authentication and risk-based, token-less authentication.
- Consider using a password manager, such as Norton Identity Safe, which safely stores different passwords for online services.