The Risk Of Mobile Banking: Stolen Logged In Device


Bob enjoys watching his local minor league baseball team. At a recent game, he watched the boys of summer play their arch rival.  In the bottom of the 5th, with two men on, two men out, the team’s best hitter steps to the plate. Bob planned to head to the concessions for hot dogs and beer after the inning, so he took out his phone and logged into his mobile banking app. He needed to have enough on his debit card to cover his snacks. 

Suddenly, the crack of the bat and a blast across the fence scored three runs! Bob set his phone down to stand and cheer his team. After the excitement, he looked around and discovered his phone was gone! 

Now a bad guy has complete access to his bank accounts.

Consider, what could a thief do with a stolen phone logged into your mobile banking app? Transfer funds out to another bank, set up a bill pay recipient and empty the account, or cause other problems? How long would it remain logged in? What safeguards protect the account holder and the institution? 

Just to check, take out your phone and log in to your mobile banking app and scan the functionality as if you were a hacker. How could a hacker steal money from the account? 

A logged in device remains the easiest hack into your systems. And getting a user name and password is not that difficult. The annual Verizon Data Breach Investigations Report once again shows "63% of confirmed data breaches involved weak, default or stolen passwords." http://www.verizonenterprise.com/verizon-insights-lab/dbir/

Biometric user verification can significantly enhance the protection of your mobile apps. It offers the two critical features for maximum protection that simple credentials miss: transparency to the user and continuous security.

Superior applications deliver functionality that is invisible and non-intrusive to the end user. Logging in should appear as a single step, with multi-factor protection running in the background giving a fast and secure user experience. 

Continuous security verifies the user multiple times during the session, ensuring security even if the device falls into the wrong hands. While a user name and password allow access to the app, they can't guarantee the actual user's identity. Biometrics can.
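The session controls implied above (bounded session lifetime, idle timeout, and re-verification before the transfer and bill-pay actions a thief would go for), as an added example that is not part of the original post. The timings, action names and the Session fields are assumptions for illustration, not Virtual Keyring's design.

```python
# Added example: a session policy that limits how long a stolen, logged-in
# phone stays useful. Three controls: an idle timeout, an absolute session
# lifetime, and step-up re-verification (e.g. a biometric prompt) before
# high-risk actions. All timings and action names are assumed values.
from dataclasses import dataclass

IDLE_TIMEOUT = 120        # seconds of inactivity before the session is dropped
ABSOLUTE_LIFETIME = 900   # seconds after login, regardless of activity
STEP_UP_WINDOW = 60       # seconds a fresh biometric check stays valid
HIGH_RISK = {"transfer", "add_payee", "change_contact"}   # always re-verify these


@dataclass
class Session:
    login_at: float
    last_activity: float
    last_verified: float   # time of the last successful biometric re-check


def authorize(session: Session, action: str, now: float) -> str:
    """Return 'allow', 'step_up' (biometric re-check required) or 'expired'."""
    if now - session.login_at > ABSOLUTE_LIFETIME:
        return "expired"
    if now - session.last_activity > IDLE_TIMEOUT:
        return "expired"
    if action in HIGH_RISK and now - session.last_verified > STEP_UP_WINDOW:
        return "step_up"          # do not extend the idle timer on a refused action
    session.last_activity = now   # low-risk, or recently verified: extend idle timer
    return "allow"


def record_verification(session: Session, now: float) -> None:
    """Call only after the user passes the biometric re-check."""
    session.last_verified = now
    session.last_activity = now


def demo() -> dict:
    """Constructed walk-through of Bob's scenario: login at t=0, phone taken
    shortly after; a balance check, then two transfer attempts by the thief."""
    s = Session(login_at=0.0, last_activity=0.0, last_verified=0.0)
    return {
        "balance_at_30": authorize(s, "balance", 30.0),      # allow
        "transfer_at_90": authorize(s, "transfer", 90.0),    # step_up: check is stale
        "transfer_at_300": authorize(s, "transfer", 300.0),  # expired: idle since t=30
    }
```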

Consider biometric user authentication to increase your cyber security. Don't let inferior mobile device security ruin the ball game for you.

There is NO defense against a hacker who has access to a connected, logged in device

In a large American city recently police officers raced to a home after a 911 call. At the scene, a frantic citizen shouted to them that inside the house a murder was imminent. As the officers opened the front door to enter, they were surprised by a man who ran past them. To their dismay, he jumped into a running police cruiser and sped away.  Dumbfounded, they called for backup. They found the car abandoned within 30 minutes, but the perpetrator had escaped on foot. He is still at large.

Fortunately, the car thief was no hacker, just a guy who needed a swift getaway, and the running prowl car was handy.


Imagine if the perpetrator were a hacker and he stole the car with the purpose of changing arrest records or worse.  Inside the car, he would have found a laptop logged into the city’s police dispatching application, the state-wide criminal database and other highly sensitive systems. The 30 minutes he had the car would have been plenty of time to change criminal records, insert malware, viruses or ransomware, or download protected confidential information. 

Always remember that there is NO defense against a hacker who has access to a connected, logged in device. It’s the easiest way to breach your systems.

Securing network connected devices should be the first fundamental of cyber security. Doing so means managing the biggest risk to your digital assets: the end user.  

That’s right, you and me. We leave laptops and desktop PCs logged in because it’s easier than re-entering the password over and over throughout the day. We write down our passwords on a Post-it note and hide it under the keyboard. We leave secure NFC key fobs at home.  And of course, we complain about the burden the IT folks put on us in the name of security. “What’s wrong with using the last four digits of my social security number as my password!” we ask. We, the users, are the weakest link. 

To protect yourself and your organization you must employ security methods that your users will embrace. Otherwise, your most secure and sensitive information is open to anyone who can sit in front of a network device. 

Biometrics provide greater security and user adoption. Consider such tools as part of your cyber security policies and methods. Face recognition, voice command, fingerprint and palm prints, iris scan and even heart rate monitoring applications are being deployed to thwart the risk of the end user leaving an unattended logged in PC.  

Make sure your cyber security policies, methods, and tools account for internal threats as well as outside evil. After all, to some people, a running police car is an invitation, not a deterrent.

What Does NPR Know About Biometric Cyber Security? Not All That Much...

A recent post on NPR's site called "Biometrics May Ditch The Password, But Not The Hackers" misses the mark.

Biometric solutions in general, and Virtual Keyring specifically, strive to merge convenience, ease of use, and stronger cyber security. No one involved in cyber security takes these biometric identity verification solutions lightly. Research continues at organizations like the FBI, NSA, Google, Apple, Microsoft and many others.

There are three aspects of the NPR article that are misleading. First, the author seems to say that good old passwords are better than biometric solutions. That is false. According to the 2014 Verizon Breach Report, over 60% of data breaches result from weak, stolen, hacked or shared passwords. Organizations store and manage too much confidential information to continue protecting it with methods developed in the 1960s. The more sensitive and confidential the information, the higher the security barriers must be. We must replace user name/password logins with biometric solutions. There is simply too much at stake to hope that hackers can't figure out a password like ILOVEFLUFFY.

The problem is not the hackers as much as it is us, the users. We want to use a simple, easy to remember password like 1234 for all of our applications and websites, without consequences. Common sense tells us that is not possible.

The simple truth is, Virtual Keyring provides the convenience of an easy password with the security of a 50 character password.

Second, not all biometric solutions are equal. Consider facial recognition technologies and you will find a vast range in identity verification sophistication, encryption and storage of data, and level of accuracy. An apt comparison would be the difference between video shot on your iPhone and the 6K digital systems used in movies like "Interstellar", with all of the digital photography in between. Yes, it's all digital video, but there are huge variables.

Third, this short article oversimplifies today's biometric technology landscape. It is a large, complex global technology trend and its uses expand daily. For example, 85% of ATMs in Japan use vein recognition, while in Brazil one third of ATMs feature palm readers.

Of the hundreds of data breaches reported in the past 2 years, only one bank (Morgan Stanley) was a victim, and that was caused by an employee password. Banks use the most secure cyber security tools because they are required by entities such as the FDIC and state regulators to protect customer assets. NPR highlights USAA, one of the largest financial institutions in the country, serving members worldwide. The facial recognition they use is far more sophisticated than the apps used to unlock mobile phones. They would not use it if it had not been thoroughly tested and proven. The risk would be too great. Virtual Keyring's system was developed and proven using the same standards as bank systems.

Variables such as user population, information stored, location, and devices used will determine the optimal solution for an organization.

I cannot speak to the biometrics investor mentioned in the article, but I question his business and technology skills with an investment of $100 million into a system that he doesn't trust. The argument that hackers can 'steal' your biometrics is a red herring. The biometrics control access to credential security, which is the real target. This ridiculous scenario, which imagines some North Korean geeks capturing your fingerprints and storing them, is so far from the real world as to be fantasy.

2015 Second Annual Data Breach Industry Forecast

"We expect this increase in hackers targeting online credentials such as consumer passwords and usernames to gain keys to the castle — with the likelihood that compromising one record can often give access to all sorts of other information stored online."

How much are passwords costing your business?

Managing passwords has become a huge hassle for most people and organizations. Security best practices demand that we use strong, complex passwords and change them frequently for secure programs and applications.

However, consider the cost of this policy to your organization in lost staff productivity and increased IT support tickets.

When users are forced to change a password, there is an immediate loss of employee productivity as people struggle to remember the new password. It can take several days for users to acclimate to the new password and return to full productivity.

Inevitably, when passwords are changed the calls to the IT help desk increase as users lock their access with incorrect password attempts. Help desk tickets are hard costs for your organization.

Employees struggling to remember their passwords are like drivers sitting in gridlock traffic. It's a waste of time that cannot be recovered and is difficult to quantify.

IT costs are another story. The average cost of a help desk password reset is $22.50*. If your staff uses 10 secure systems that force password changes every 90 days, passwords drain thousands of dollars per year from your budget and bottom line.

It’s a never ending battle for an organization with numerous secure systems and applications. To minimize these costs you must deploy solutions that address:

Password management. Secure yet easy to use methods of storing, encrypting and updating user names and passwords.

Identity management. Storing and monitoring each user's identity to verify their access to your secure systems.

Single sign on. Technology that controls access to target applications and logs into them automatically with one master log in.

Biometric authorization. Facial recognition, fingerprint, and voice are the leading emerging solutions to replace passwords.  

Virtual Keyring can help. Our cutting edge facial recognition technology verifies the user and logs in to the target system using our secure password management solution. Virtual Keyring reduces IT help tickets by as much as 50%, paying for the system investment in the first year. 

Imagine using just your face as your password.

*1/4 of an hour based on $90 per hour IT staff cost.

Ex-Employees: Gone But Not Forgotten

Bianca (not her real name) begins her work day with a jog or yoga class at her gym, followed by a shower and a quick stop at the Starbucks on the corner. While waiting for her mocha cappuccino venti and blueberry muffin, she fires up her laptop and connects to the wi-fi.

There on the screen she sees it. Will it work today? "It" is the shortcut link to a secure connection into the largest and most prestigious law firm in the city. It seems like a long time ago that she started there, fresh out of law school.

She clicks the icon, the application starts, and she enters her password. And waits… Windows is thinking... connected!

She's in! She sees all of the firm’s systems and client files, as if she were sitting in the office. Easy. Convenient. Secure.

There's just one small problem. She left the firm 14 months ago.

Nearly every month I hear about gone-but-not-forgotten ex-employees. Retired, quit or fired, they have flown... but their access lives on.

If these people were terminated, why wasn't ALL of their system access terminated with them?

Since 70% of data breaches occur due to password issues, the ex-employee is particularly risky. Consider the following examples of data breaches:

An employee is fired and holds a grudge. She recruits some hackers and gives them her password. The hackers copy and publish trade secrets and embarrassing emails or documents (Sony, December 2014).

A company laptop included in a severance package is stolen. It contains unencrypted email and client/customer/patient information, which is uploaded to black market sites (several health departments and universities, 2014).


Common sense dictates that it's critical to terminate an ex-employee's access to critical systems and applications. However, it's a problem because of the numerous and varied systems each person uses, high-turnover positions, and a lack of methodical user permission tracking.

Here are some basic steps to address the problem:

Keep a single, central log of all users, the systems and applications they can access, and when the access was granted.

Grant access only to what each employee needs. Don’t let people into systems, applications or security levels beyond their duties.

Terminated employee checklist. Develop a procedure to shut off and block the ex-employee's access the moment the termination becomes effective.

Audit ex-employee list. Check all employees who have left in the past 24 months to ensure all of their access is turned off and they are blocked from your network, website, applications and social media.
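The central access log, the termination checklist and the 24-month audit above, carried out as one reconciliation routine: an added example, not code from the original post. The log fields, the system names and the constructed records are assumptions for illustration; a real run would read the access inventory and the HR departures list from your own systems.

```python
# Added example: reconcile a central access log against HR's list of
# departures, so that any ex-employee access still enabled is flagged.
# All records below are constructed sample data.
from datetime import date

# Central log: who can reach which system, when it was granted, when revoked.
ACCESS_LOG = [
    {"user": "bianca", "system": "vpn",     "granted": "2013-02-01", "revoked": None},
    {"user": "bianca", "system": "dms",     "granted": "2013-02-01", "revoked": "2015-03-31"},
    {"user": "carl",   "system": "vpn",     "granted": "2014-06-15", "revoked": None},
    {"user": "dana",   "system": "billing", "granted": "2012-09-01", "revoked": None},
]

# HR record of departures (retired, quit or fired) keyed by user with last day.
DEPARTURES = {"bianca": "2015-03-31", "dana": "2013-11-30"}


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def stale_access(access_log, departures, today: str, lookback_months: int = 24):
    """List every still-enabled entry belonging to someone who has left.
    Access older than the lookback window is reported too, just flagged,
    because it is more dangerous, not less."""
    today_d = date.fromisoformat(today)
    findings = []
    for entry in access_log:
        left = departures.get(entry["user"])
        if left is None or entry["revoked"] is not None:
            continue                       # still employed, or already revoked
        gone = months_between(date.fromisoformat(left), today_d)
        findings.append({"user": entry["user"], "system": entry["system"],
                         "months_since_departure": gone,
                         "in_audit_window": gone <= lookback_months})
    return sorted(findings, key=lambda f: -f["months_since_departure"])


def revoke_all(access_log, user: str, on: str) -> int:
    """Termination checklist step: revoke every enabled entry for `user`.
    Returns the number of entries revoked."""
    count = 0
    for entry in access_log:
        if entry["user"] == user and entry["revoked"] is None:
            entry["revoked"] = on
            count += 1
    return count
```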

Protect your organization. Consider your ex-employees as hackers.