Not a good week for NatWest innovative banking services. 

NatWest Get Cash fraud  (Get Cash Pulled)

A combination of a simple phishing attack and a fundamentally insecure service led to many users of the Get Cash service ( a sub set of the NatWest mobile banking app – powered by Monitise) being defrauded of cash from their accounts.   

The system allows users to get cash from an ATM by keying in a ‘secure cash code’ into the terminal.    The assumption is that once you have logged in to your app you are legit and so you ping the system for the code.   A user name and password level of security – that’s it!.   No better than 99% of all apps on the Net today.   

Needless to say the service was shut down once the fraud started becoming rampant.   

Does the drive for customer convenience completely outweigh basic security rules. ?   The problem with this kind of solution and others that rely on the presentation of self reported credentials i.e. user name and password are that these stateful artifacts are vulnerable to interception and re-use by a non-legitimate party i.e. the hacker, in this case through a phishing attack.  The system does not know that the credentials being presented are being done so by the ‘wrong’ person.   

Any security system worth its salt (pun intended) thus needs to rid itself of the baggage of years and years of ‘traditional’ security solutions such as certificates, tokens, java-script scraping, cookies passwords, keys and OOB.  All shared secrets - incarnations of ‘security by obscurity’.  (The problem with Passwords ) (The end of passwords)

Modern day hackers can crack passwords in seconds and bypass the defences laid by these solutions.   The conundrum for CIO’s and CSO’s is to find the balance between usability and efficacy.   As I stated in a previous blog – I am sure that most sites and custodians of your security are actually indifferent to your privacy and your security, hence the weakness of the solutions implemented.   Here is an example of just how weak the ‘latest’ technologies are :  
(The failure of RFID ) 

Imagine if there were solutions that harnessed the ubiquity of SSO’s but were also strong in the 2FA sense.   In order to have universal appeal new solutions need to work in the BYOD / mobile domain.  No more needs to be said about the proliferation of smart mobile devices.   Effective solutions need to be easy for decision-makers to get and try out.  Gone are the days of lengthy POC’s and trials.   In the same way that consumers can try out tracks on iTunes and return unwanted products to sites like Zappos,  so security solutions should  be as easy to try out for free and get if they work and cancel if they don’t.   I think that professional services will take a big hit in the enterprise arena.   No longer required with SAAS. 

We have already seen RSA take a big hit last year when its own defences were breached.   We are now at the stage that the Lance Armstrong’s of the security industry (i.e. those who have pulled the wool over the eyes of their customers for many years ) are going to be exposed as their solutions fail on an ever increasing basis.   

It is time for security to come clean.  Only those solutions that are truly innovative will succeed.   When someone like the founder of Wikipedia says that a security failure could bring down a company like Facebook  (Security breach could bring down Facebook) maybe its time to wake up. 

con·text/ˈkäntekst/

The circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood and assessed.

authenticate [ɔːˈθɛntɪˌkeɪt]
vb (tr)
 to establish as genuine or valid

What does context have to do with authentication?

When you log on to a web site and enter your user name and password so as to ‘authenticate’ yourself all you are presenting are self reported credentials to the site.  If you present the correct credentials then the site accepts you as - who you say you are.   It takes you at face value.  It identifies you.  Liken it to a knight of old arriving at castle and announcing himself.   When you log on to a web site and it asks you to log in with a user name and password – you are in effect – announcing yourself – identifying yourself.  

What happens if someone steals your password?   Then they can log on as you – the site is none the wiser – the thief has presented the correct credentials.  The credentials  are by definition – static.   They remain valid whether you do so from one of many devices unless of course the site is using a device recognition credential – a cookie,  a Javascript based device identification or certificate solution.    But again that credential is also static as it is re-used again and again no matter what the ‘context’.

A hacker can harvest your credentials by one of many methods be they social engineering, key logging, Trojans,  Man in the Middle or Browser  attacks and so on.  The hacker can re-use those credentials in a different ‘context’ (e.g. from another device in another country) but still be regarded as ‘valid’ by the site.

This is where most so called authentication solutions even two factor authentication solutions fail.   They ‘work’  irrespective of the context.  Even when an OOB OTP is sent via SMS and the PIN is entered into the browser the same vulnerability exists.  A hacker can intercept the PIN and replay the session in real time posing as the ‘real’ person.  In other words the OOB pin can be used on a different browser or even session, device or IP address from which they were requested.   In other words – a different context.

So why is context so important.?   Context is a function of three elements:

• time (i.e. the moment of authentication – when it happens, the session  ) ;

• Method/mode is the context of origination and transmission – things that dial into the location of the source i.e. the device.   Hence the popularity of some device based solutions.  Most of which fail because they rely on persistent data ( cookies or Javascript or  downloaded software ) because they are easy to fool or copy.

• Meaning is the literal value, or meaning of the credentials.  This is usually the total sum of the traditional login:  User name and password;   sometimes ‘beefed’ up perhaps with a time element (timeout) and source (ssl handle, cookie).    This is the value of the token or OTP/OOB, the value of the challenge response, etc., i.e. the "thing you know".   The site controls the value, the user must know it, get it and repeat  it back.  ( A shared secret ) which is usually the only unique element to the mix, as the other two are re-used, or known.

The timing of the event is important because the session commences only when all of the key players/participants in the authentication puzzle come together in context  for the act of ‘authentication’.   The key constituents are: the user,  the device,  the site and  the session.

Only when all of these parties (the correct /valid parties) come together i.e. in the right context - can true authentication take place.  None of these elements or even values associated with them like U/P, cookies,  JVscript  fingerprint or certificate should be able to be used in isolation in another session.  In other words in another context differentiated by time or device.  They all need to come together dynamically and uniquely for each session ( context)  to ensure integrity.

So a proper authentication solution is one where all elements (and more) are combined into a single context - whereby any of the elements in isolation, or out of context, are meaningless. In addition any element inspected in isolation should not be the key to unlocking or accessing (or guessing) any of  the others. They should be dissociative.

Finally none of the elements from this or any other context are re-used, at least in their native form.   It's okay to re-use a password, or re-challenge the device , but it has to be different by nature of it's membership in the context, and not meaningful outside of that (which is the source for most MITM, MITB, social engineering, phishing/ pharming, etc).

In April this year,  Epsilon Data Management LLC  (one of the world's largest providers of marketing-email services) , a division of Alliance Data Systems Corp issued a statement,

"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only."




When it's all said and done, the Epsilon hack may be the largest name and email address breach in the history of the Internet.  Epsilon handles more than 40 billion emails annually and more than 2,200 global brands. If you are thinking you are safe because you opted-out of marketing emails, think again
(http://blogs.computerworld.com/18079/epsilon_breach_hack_of_the_century)

Epsilon required their customers to log on to their systems using a user name and password with which to ‘authenticate’ themselves.  This was clearly inadequate as a hacker managed to breach their system and obtain a treasure trove of customer information.   
What this meant was that the customers of Epsilons customers i.e. the big  brands,  were ( and still are ) exposed to spear phishing attacks.  They can be targeted by the hackers with e-mails that will look like they legitimately come from those global brands which include the likes of :


Currently ( 6 months later ) Epsilon announced ( from their website ):
“ Further, Epsilon has enhanced user security by implementing two-factor authentication. Two-factor authentication is a security process that requires two means of identification to gain system access, adding significant additional protections beyond conventional strong password requirements. Two-factor authentication, currently in place for employees, will be extended to all clients in Q3 2011. “ 



At the time of writing  (19 Sep 2011) Epsilon clients are still only using a username and password to log-in. 

(https://portals.epsilon.com/c_links.nsf/names.nsf?Login)


Makes you wonder - doesn't it ?  

In many countries around the World, access to the Internet is seen as a basic right, and so it should be.    Those countries which have done so to date include :  Estonia, France,  Spain,  Greece  and Finland,  which was actually the first to do so in June 2010.  (http://www.publicserviceeurope.com/article/642/internet-access-should-be-a-human-right)  I

In fact the United Nations recently declared Internet access as a human right. (http://www.itproportal.com/2011/06/04/un-declares-internet-access-as-a-human-right/)

Obviously the next challenge is to build the infrastructure and provide the means of access.    But that is the subject of a separate discussion.

So the “World”  has woken up to the importance of closing the digital divide and has also realized the importance of the Internet, and access to it,  to the functioning of society.   Amongst the many momentous events of the last twelve months which have included epochal scenes such as the Arab Spring, the new Financial crisis ( Greece / Euro) and most recently the London riots - what has also made headlines globally has been the spate of cyber attacks and hacking which have damaged (and embarrassed) some very large corporations like Sony and RSA and large Governmental and NGO’s like the CIA and the NATO.    This has been coupled with the emergence of online activism dubbed ‘hacktivism’  (the online equivalent of protesting in Tahrir square) – lead by the likes of Anonymous and Lulzsec.   These high profile events and the associated media coverage has raised the issue of online safety, security (and privacy) and exposed just how vulnerable users of the Internet ( i.e. all of us ) are,   to becoming victims of cybercrime ranging from phishing,  pharming, ID theft and,  in the case of businesses, DDoS.

So it is all very well giving people access to the Internet.  Once they have access they need to be safe.   There is the risk that we create another ‘ digital divide’ .  This time the divide between those who can afford adequate online security and those who cannot.   We have called this the ‘security divide’.   There are those who are well informed about online security (most people reading this article would fall into that category) and those who haven’t a clue (the majority of people out there.)    But there are also those who do understand the issues but cannot afford the prices being charged by most security vendors.

In the spirit of trying to bridge the ‘ security divide’ we have embarked on a program of making LiveEnsureTM available,  to those organizations (who themselves have become soft targets for hackers ) like charities,  not-for-profits,  social enterprises and indeed small start-ups,  for free.

We have called this initiative ‘ security sans frontiers’.   If your organization requires its users to log-in or if it takes donations online  (in other words if you need to protect your users by ensuring your site does not get hacked) and you think your organization qualifies then please sign up at http://www.liveensure.com today.   Access to the Internet is and should be a basic human right but so too should safe access to the Internet be.