Multi Factor “MFA” Authentication: 2005-2010

October 16th, 2010

It is with deep regret that we report the passing of Multi Factor Authentication, affectionately referred to as “MFA” by its friends and loved ones. MFA succumbed after a courageous battle with cyber cancer. After fighting off the dreadful phishing disease, and making strides against MITM (Man in the Middle), MFA was stricken with MITB, also known as Man in the Browser. This terrible disease quickly overcame all medical efforts to keep MFA alive.

MFA rose to prominence when its adoptive benefactors, the FFIEC, made it a household name in October of 2005 with the issuance of FIL 103-2005. Throughout the course of its life, MFA strived to protect the innocent against identity theft and cybercrime. MFA is survived by its brothers and sisters, Device Recognition, One Time Passwords, Tokens, and Biometrics – all of which are also suffering from the same disease in the online world. MFA also leaves behind a child, Transaction Authorization, who may someday mature to defeat the disease that has taken the life of its well-loved father.

Services will be held privately at most Financial Institutions and Authentication Vendors who so faithfully provided and cared for MFA up until its final days. In lieu of flowers, send money… offline.

Humorous perhaps, but true. Front door authentication and multi-factor authentication are dead. This doesn’t mean that we can remove the carcass from the doorstep, but we can stop feeding it. Even in death, MFA still provides some capability against the ever-present phishing and many identity theft cyber-attacks. If nothing else, it leaves something out there for the bad guys to trip over.

If you are a financial or ecommerce organization and don’t have MFA, uh… you should. But it’s time for vendors and consumers to stop investing in it. “Man in the Browser” Trojans are spreading like an epidemic in the US, carried over from Europe, Australia and the Far East. As most US banks are learning, MFA does little to defend against Zeus, Gozi, Bugat, Carberp, SpyEye, and the swarm of evolving malware that has potentially led to more financial fraud attacks in 2010 than in any other year. So what now? Banks are relying on Fraud Detection and intelligence more than ever. Customer Endpoint Security is marching as fast as it can, but won’t be able to catch up as long as consumers are not forced to download the products. Anti-Virus is playing the catch-up game, and by definition and method, will never win.

The fight against this surge in malware is a 2-front battle:
(1) Consumers need help to defend against infection, and
(2) financial and ecommerce organizations need help defending against the attack.

How do we keep the customer device clean? How do we educate consumers to browse safely and keep their A/V, OS, browsers and applications like Adobe up to date? And the biggest challenge – how do we educate and service them once they have been infected? This is the new face of fraud prevention and resolution, and I haven’t seen a consistent or effective method yet. There are several technologies, processes and policies that have promise and will make a difference – but the FIs need to step up and standardize adoption.

To protect against attack, FIs are looking at analytics and patterns, building strategies to detect, but the variants are evolving too quickly to keep up. This is a stop-gap measure at best. If this is the only solution, Fraud Detection and Resolution departments will have to staff almost as many FTEs as the customer call centers, which is hardly cost effective.

There needs to be a radical paradigm shift in the US banking industry’s approach to preventing the attack. MITB bypasses all customer authentication in-channel. Deal with it. Focus on the transaction phase. Take the weakness of the online channel out of the battle for the fraudsters. Go Out of Band (OOB), and off the internet, for authorization. If you are asking customers to enter their OOB response into the web channel, that isn’t going to work. Expand the challenge, response and confirmation processes to integrate Out of Band and interact with the transaction engine, not the web browser. Instead of having your web application send the confirmation, have the money movement engine do it. Have the consumer confirm what REALLY happened, not what they saw on their browser. Force the customer response from that out of band environment before the transaction takes place.
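As an added illustration of the transaction-phase, out-of-band authorization described above (example code written for this page, not from the original post or any vendor): the money-movement engine, not the web application, composes the confirmation from the transfer it will actually execute, and accepts the customer’s response only on the out-of-band side. The class and function names, the shared secret and the sample transfers are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    txn_id: str
    payee: str
    amount_cents: int


class MoneyMovementEngine:
    """Hypothetical money-movement engine: a transfer stays pending until an approval,
    bound to the exact details the engine will execute, arrives over the OOB channel."""

    def __init__(self, oob_secret: bytes):
        self._secret = oob_secret  # constructed per-customer secret shared with the OOB device
        self._pending = {}
        self.executed = []

    def submit(self, transfer: Transfer) -> dict:
        """The web tier hands over whatever the browser sent; the engine composes the OOB
        message itself from the transfer as it will really execute it."""
        self._pending[transfer.txn_id] = transfer
        return {"txn_id": transfer.txn_id, "payee": transfer.payee,
                "amount_cents": transfer.amount_cents, "code": self._code_for(transfer)}

    def _code_for(self, t: Transfer) -> str:
        # The confirmation code is an HMAC over the real details, so it cannot be
        # reused for a transfer with a different id, payee or amount.
        msg = f"{t.txn_id}|{t.payee}|{t.amount_cents}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:8]

    def approve_oob(self, txn_id: str, code: str) -> bool:
        """Reached only from the OOB endpoint (SMS reply, IVR, mobile app), never from the web app."""
        t = self._pending.get(txn_id)
        if t is None or not hmac.compare_digest(code, self._code_for(t)):
            return False
        self.executed.append(self._pending.pop(txn_id))
        return True


def customer_oob_device(oob_msg: dict, intended: Transfer) -> Optional[str]:
    """The customer reads the OOB message and approves only if it matches what they meant
    to send. Returns the code to send back over the OOB channel, or None to decline."""
    if oob_msg["payee"] == intended.payee and oob_msg["amount_cents"] == intended.amount_cents:
        return oob_msg["code"]
    return None


def run_transfer(engine: MoneyMovementEngine, intended: Transfer, as_received: Transfer) -> bool:
    """as_received is what reached the bank; a MITB Trojan may have altered it while the
    customer's screen still showed `intended`. Returns True only if money moved."""
    oob_msg = engine.submit(as_received)
    reply = customer_oob_device(oob_msg, intended)
    return reply is not None and engine.approve_oob(as_received.txn_id, reply)


def demo() -> Tuple[bool, bool]:
    engine = MoneyMovementEngine(b"constructed-demo-secret")
    intended = Transfer("t1", "Electric Co", 12_000)
    honest = run_transfer(engine, intended, intended)
    # MITB case: the browser silently rewrote payee and amount (constructed sample values);
    # the OOB message shows the real values, so the customer declines and nothing executes.
    tampered = Transfer("t2", "Unknown Payee 4471", 950_000)
    mitb = run_transfer(engine, Transfer("t2", "Electric Co", 12_000), tampered)
    return honest, mitb  # → (True, False)
```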

Attack both fronts with smart technology choices, consumer education and tools. Until the US financial institutions shift to this type of thinking and consumers adopt it, MITB will continue to be a contagious and deadly disease.

STUXNET: Smart Bomb on a Stick?

September 30th, 2010

I need to write about this, because it is very important to get the message out. I don’t want to take anything away from my colleagues who have recently written on it, like my friend Sam Curry at RSA – whose blog entry on Stuxnet really gets to the heart of the threat and that “worlds have collided.”

I want to take a slightly different approach to the threat. Sam and others are absolutely correct, this is a “big deal” when a piece of malicious code can control programmable logic controllers, i.e. the things that make the world go around – from nuclear power stations to traffic lights to subway routing systems. What concerns me most about Stuxnet was its targeting. If you’ve read the news, Stuxnet is believed to have been implemented in a targeted fashion against Iran’s uranium enrichment facility in Natanz and potentially the reactor complex at Bushehr. 60% of the known infections are in Iran, with critical systems basically brought to a standstill.

Now, let’s make the hypothetical leap that some nation-state(s) did not want Iran to develop these nuclear capabilities. There is clear evidence in the past, if you remember your history, that when certain nation-states did not like the nuclear progress of another country, they would physically bomb that capability off the map. Ask the residents of Osirak, Iraq what they remember about June 7th, 1981. The burning question is whether Stuxnet was a cyber-version of Operation Opera. I am not going to say that Israel or the US was behind Stuxnet. I’ll let others do that. I would rather focus on the strategy itself.

In war, collateral damage is an unfortunate but expected consequence. Even laser- and GPS-guided smart bombs can throw shrapnel into the house next door and kill innocent victims. The problem is, Stuxnet is not as smart as 2,000 lbs of guided steel and explosives. When targeting a system from a cyber-warfare perspective, it’s hard to know what defenses and controls are really in place, and who might be innocently standing by. When attacking a nuclear facility’s control systems, the risks are enormous. What I am saying is that I would prefer an Osirak to a Chernobyl any day of the week.

Unfortunately, like the first atomic bomb detonation, the beast is now unleashed. Luckily, the sheer complexity of Stuxnet would be hard to produce outside of the resources of a nation-state or well-funded organization. But I can guarantee there are people trying now that we should probably be concerned about. This could be a bit of “FUD” on my part – but no matter how I look at it – this new threat scares the heck out of me. Consider what is now possible when you step on your next train or subway, or when you drive through a traffic light.

The Value of Fraud Intelligence

September 20th, 2010

When I was in the Army as a Military Intelligence Voice Interceptor / Linguist, I participated in a Joint Readiness Training exercise. Our small team was attached to an infantry company as they set up a perimeter near “enemy territory.” The company commander and his staff had no idea what to do with us, and honestly, would rather have us not intruding on his party. We were sent off to a section on the line, and while dealing with the monotony of digging our positions and rotating shifts in an observation post, we set up our equipment and “did our intelligence thing.” Soon, we knew what the “enemy” was up to and what they were planning. In fact, we knew that in about 10 minutes they were going to launch an artillery attack on the company’s command center. I was sent to warn the leadership and jogged over to the HQ position. I gave my warning directly to the Company Commander and his aides, only to be rebuked with, “Who the hell are you Sgt.? Get the **** out of my area!” Mutterings of “damn intel pukes…” followed me back to our position. My contrite “Yes, Sir” and hasty retreat hid my inward gratitude for what was about to happen to this guy.

Sure enough, minutes later the artillery simulators began to fall, and the entire headquarters staff was determined as “dead.” The company was completely leaderless, since all officers and NCOs were gathering in the area for coffee. We “dumb intel pukes” packed up our gear and moved out, since there was really no point in staying. As we passed the HQ area, all the “dead” were being corralled into trucks to take them to the staging area to be “recycled.” I caught the commander’s eye as he was sitting unceremoniously in the back of a truck, and in that moment I knew he’d learned a valuable lesson about the value of intelligence. You never know how important intelligence is until it saves your life.

In online fraud it is almost impossible to determine the “value” of intelligence. In business practice we determine which initiatives we will invest in based on concepts like business cases, ROI, and shareholder value. But how do you put a dollar figure on intelligence? If it’s your first time investing in such a capability, you have no idea if value will emerge. Even year over year, the value of the intelligence is unknown until you get it. One year you may see no value, but the next year it saves your company from substantial loss or risk.

My argument is that fraud intelligence is a “table stakes” proposition, and you should dedicate a percentage of your annual budget to it. The percentage should fluctuate depending on what systems or processes you must implement to manage the information you may (or may not) receive. Set aside funds for your source data as well. Take for granted that you will have to spend both to uncover your own intelligence from internal data sources and to pay third parties for intelligence that you cannot gain yourself. And no, you can’t rely on your own data for all intelligence. That is information about what has already happened: great for trending, but only half the story.

Here’s an example of the business value of intelligence. A large national bank is seeing fraud losses spike in its call centers. They have recently implemented a new online protection capability and assume the spike is the result of a channel shift. Luckily, they have invested in third-party intelligence capabilities and receive a report of a new document found in the fraud underground. The title of this document was “How to Get Past Bank X’s Call Center Authentication.” It contained screenshots of internal systems and links to sources of where to get the authenticators that would be presented! Had this company not had this intelligence, it is very possible they would have spent quite a bit of money but not fixed the real problem, not to mention the continued losses in the channel.

Knowing what fraud the fraudsters are targeting at your organization or the industry as a whole, and how they are implementing it, is critical. Being aware of a capability before it hits you gives you a little more time to react. Being able to analyze patterns and information to make predictions on current and future threats is a little bit of science, and a lot of art. Invest in it.

The Online Fraud Battlefield

September 12th, 2010

Yes, I see the challenges we face in Online Security as a battle. The industry takes a step to protect customers, and the bad guys come up with a way to get past our defenses. We all equate this fight to an arms race, but let’s take a broader view…

This is a war that, in my opinion, has 3 fronts.
• Customer Education
• Fraudster Value Chain Disruption
• Customer Information Protection

Customer Education is a continuous front, and we can’t let up. As consumers become more educated, they become deputies in protecting their own information. An educated customer is more likely to notice a fraudulent attempt to gain personal information or financial access than we are in many cases. They protect their information zealously, which limits their likelihood of becoming a victim in the first place. They are more careful of what they post in the online / social network environments, and they understand their role in protecting themselves. Too many institutions are worried about letting customers know they are vulnerable. But education can be liberating. Letting the customers know about the threats now is better than having them find out on the backend. Does your company do all it can to educate its customers about how to interact safely in an ecommerce world?

Fraudster Value Chain Disruption is a fancy way of saying offense. A good defense is great for the individual institution, but a good offense is vital to the industry and community as a whole. Unfortunately, it’s not one organization that gets attacked every time. If one organization’s defense changes, the bad guys just probe the other institutions. It would be nice to think that malware like Zeus only targeted one institution, but have you seen the most recent config for Zeus? Yeah, it’s pretty much everyone. So, how can we attack? One of the key areas is at the cashout point, or money mule. There is a reason that all of the compromised identities and accounts haven’t been drained… the funnel tightens at the point where the dollars become real. What if all banks and ecommerce sites shared a common list of money mules and re-shippers? What if law enforcement prosecuted money mules and re-shippers, regardless of whether they were “conned”? Here is where industry cooperation has to drive the attack.

Customer Information Protection is the 3rd front, and it contains the concepts of network security, data breach protection, customer authentication, etc. It’s like the Russian front of WWII in many ways. It’s also where so much of the defense in the industry has rested, and it has made quite a few vendors very rich. Diversity in solutions at the organization level is good here. Each organization is different in how it protects its information, which makes the bad guys work. However, it takes diligence at each organization to keep track of what’s happening around them. Don’t ever let yourself be the “second victim” of a vulnerability. If you see a partner with a vulnerability, let them know. Finally, make sure you know your “true perimeter.” How many organizations get “shot” through a third-party vendor, or worse – one of your third party’s third parties!

Bottom line… Everyone should ensure customer education is a top priority. If you aren’t telling your customers how to protect themselves, you are wrong. Cooperation between organizations is critical for Offense – without it each company will come up with great ideas that never reach full potential. And finally, differentiation in defense is good, but help and learn from the guy in the foxhole next to you.

A New “Tipping Point” for Data Security? The Smell of Data Breaches

August 4th, 2009

Author:  Kimberly Getgen Bargero

Reading Time:  2 Minutes

I live in San Francisco and really enjoy partaking in all things tourist-related. It was during this year’s RSA Conference that I uncovered a new hidden tourist attraction – the San Francisco Cable Car Museum – a real gem that could teach us a lesson about selling data protection strategies to business managers.

Anyone who has visited or has the good fortune to live in San Francisco will tell you that it’s the cable car that single-handedly puts San Francisco on the map (well, that and the occasional earthquake). If you’ve visited, you’ve probably had the opportunity to ride up and down the vast hills of the city on one of these cable cars.

According to the legend, the idea for the cable car was brought to San Francisco by Andrew Smith Hallidie back in 1869 after witnessing horses being whipped while they struggled on the wet cobblestones. The horses slipped and were dragged to their death, inspiring Smith Hallidie to improve this horse-drawn system of transport. While this treatment of horses may have seemed inhumane, it alone was not enough for the idea of the cable car to really take off. What was the real advantage? Eradicating the smell of the horses, hay and manure that was littering the city. Removing the smell – and not necessarily saving the horses – turned out to be a key selling feature of the cable car.

Later in this century the expense of the cable car was challenged and an argument was made to discontinue it for the more cost-effective bus system. In response, a public campaign showed that the value of cable cars to San Francisco was far greater than their operational cost. The value of the cable car won, and today it remains the world’s last permanently operational manually-operated cable car system.

Keep this example in mind the next time you need to sell your data protection strategy to your management. I encourage you to think about what will “smell the most” when you fail to protect data. What will be the tipping point to sell your data security strategy? Cost of a data breach? Lost business from destroyed customer trust? The key selling point will most likely be different for different organizations — and could be something unique to your business. Be sure to include an analysis of the potential costs of a breach and lost business from destroyed customer trust (the real smell that gets management’s attention). To help you get started, we’ve created some worksheets that are available in our Data Breach Prep Kit.

At the end of the day, it’s up to us to sell the value of data protection and build the business case to show that the value of protecting customers is far greater than the operational cost of protecting data. By the way, the operational costs of a data breach are growing, so now more than ever it makes sense to protect customer data. If you’ve been discouraged by past discussions with your management, I encourage you to take another look at the costs. And, if you want a “cheat sheet” for building a case for data protection, here is a recent webcast I did for ISC2 that you can watch at your convenience. Best of luck!

Do You Need a Trust Catalyst?

February 21st, 2008

Author:  Kimberly Getgen Bargero

Length: 525 Words

Reading time: Less than 3 minutes

A recent survey revealed there are as many as 21 people in the decision making process for the typical high-tech sale at an organization of 1,000 employees or more. But it is not just the number of decision makers; it is also estimated that the sales process is growing longer – about 30% longer than it was just four years ago. If you’ve had a hard time explaining to your CEO or Board why deals are taking so long to close, you might want to share this article.

So, why the long sales process? High-tech product trials are complex, long and grueling. Pitching the value to management is more competitive than ever. And, most significant of all when it comes to recommending a new technology or selling a new security strategy inside a big company, reputations are put on the line. Even if your idea is better, you are going against an even tougher competitor: the status quo. Using caution (and not always innovation) is now king. Buying off on new ideas is done by committee, and companies are looking for long-term relationships with high-tech vendors they can trust. No one wants to put their neck on the line for an unknown, unfamiliar company.

Which leads us to an important question for those of you selling security products in this new economy. How is your trust relationship with your customers? When was the last time you checked? When was the last time we made their job easier in the selling process instead of more complicated? Hint: Buying dinner, drinks and a movie doesn’t count… that is, unless you are just dating them. When was the last time you showed you were committed to a long-term relationship by giving your customer something they really needed? Like something that made them better at their job, a thought leadership piece they could share with their management, or a service they could really use to justify the cost of migrating off an older system? Something that not only made them better at their job, but made them look smarter to their management and made their job of selling security to those 20 other decision makers easier? Gimmicks that worked in years past aren’t going to fly in the new economy. You need a trust catalyst. And trust misappropriated can be your worst single point of failure (I don’t care how great your product is!). That’s why trusted advisors are 70% more likely to sell their ideas in a committee-driven environment.

This blog is about the process of selling security. We will offer discussions on how to become the trusted advisor in this process and, from time to time, we will post polling questions on the impact of trust in this process (you can email me at kim@trustcatalyst.com if you have anything specific to ask). I will ask guest authors to discuss what’s working and pitfalls to avoid. I hope you enjoy it and look forward to hearing your thoughts!