‘2-Factor’ authentication comes to the rescue
 
7/6/2006
by Brian Fitzgerald
 

With millions of names, addresses, Social Security numbers and credit card account numbers stolen over the last 18 months, what is being done to thwart these breaches?

The Sarbanes-Oxley and Gramm-Leach-Bliley Acts attempt to hold businesses accountable for the privacy of their clients’ data, and breach-notification rules require a business to disclose a breach in a timely manner.

Let’s start with some basics. Most systems require a user ID. It identifies you to the system or the network, and that is all it does. Adding a password to the user ID authenticates that you are who you say you are.

It’s analogous to traveling. When you attempt to cross an international border, you need a passport, issued by your government after verifying who you are, where you live and your citizenship, and carrying your picture and an expiration date.

That trust is established when you are issued the passport, so the friendly fellow at the crossing only has to compare the picture to the person standing in front of him to believe you are who you claim to be. There are flaws, but it’s pretty good validation for us honest folk.

The user is you, and the password is your passport.

In information technology, the people managing the “authentication” make you choose an eight-character password with upper case, lower case, a number and a symbol, which makes the password nearly impossible to remember. So you write it on a note and stick it to your monitor or inside a desk drawer. If you don’t write it down, inevitably you will forget it, and after a few wrong guesses the system locks you out: a self-inflicted denial of service.

Denial of service (DoS) is also a tactic some hackers use to disrupt business, and it’s a very expensive problem overall.

But the leading cause of lockouts isn’t hackers; it’s passwords that are too hard to remember or too easy to lose control of. People share them with other people. People write them down, and unauthorized people read them. People send them in e-mails that are intercepted. People use them to log in remotely, and their communications are eavesdropped. And passwords are often fairly easy to guess. At that point the password no longer works as an authentication token, because you can’t be sure who is typing it in.

For many years there have been different ways of authenticating to a system (proving you are who you say you are), and the weakness of the ones that rely only on knowing a user name, password or passphrase has led to an entire industry of companies building better ways to authenticate you.

You can now drive through a special gate at a toll booth if you have established yourself with a “smartpass,” swipe a card to enter a parking ramp, or enter your apartment or house if you know the access code. The pass and the card are things you “HAVE”; the access code is something you “KNOW.” Many building security systems not only “authenticate” you but can tell at any time where you are in the building and whether you belong there.

Many companies are trying to make this whole process universal and easy while keeping your identity safe. There are myriad ways of attempting this, including the federal government’s plans for a “universal identification card,” which has strong points as well as troubling privacy concerns.

First, a quick review of definitions:

• Identification: identifies the user to the system/network.

• Authentication: verifies the user is who he/she claims to be.

• The modes of authentication:

Something you know (password, PIN)

Something you have (card, token, key)

Something you are (fingerprint, face, retina or iris pattern)

Something you do/behavioral (signature, voice pattern, keystroke pattern)

Stronger authentication uses more than one mode. The fact is, you are supposed to have access to the systems or network to perform your job and be productive, so adding a second mode that also makes the process easier on the user is a good thing.

Two-factor authentication mitigates this problem. If part of your password is generated by an electronic key “fob,” either a number that changes every minute or a unique reply to a random challenge, then it’s harder to intercept. You can’t write down the ever-changing part. An intercepted code won’t be valid the next time it’s needed. And a two-factor credential is far harder to guess.

But someone can always hand his password and token to a secretary; no solution is perfect.

These tokens have been around for as long as I can remember, but only recently have they received attention. Some large banks are issuing tokens to valued customers, and more are looking at ways to do it cost-effectively.

Guidelines released in October 2005 (the FFIEC guidance on authentication in an Internet banking environment) require financial institutions to have multi-factor authentication in place for their customers’ online transactions by the end of 2006. You will see several variations of this, all involving some type of challenge along with your password, sometimes combined with a small piece of software on the computer being used. It will be a very good thing for protecting online financial accounts. We are finally waking up to the fact that passwords alone don’t provide adequate security, and hoping two-factor authentication will fix our problems.

Unfortunately, the nature of attacks is changing. The first threats were eavesdropping and password guessing. Today, the main threats are phishing and Trojan horses.

Two rampant attacks are associated with those threats.

• Man-in-the-middle attack. Here, an attacker puts up a fake bank Web site and entices users to it. The user types in his or her password, and the attacker in turn uses it to access the bank’s real Web site. Done right, the user never realizes it is not the bank’s site. The attacker then either disconnects the user and makes fraudulent transactions, or passes along the user’s legitimate transactions while slipping in fraudulent ones at the same time.

• Trojan attack. First the attacker installs a Trojan on the user’s computer. When the user logs into the bank Web site, the attacker piggybacks on the authenticated session via the Trojan, making fraudulent transactions.

Two-factor authentication doesn’t solve either. In the man-in-the-middle case, the attacker passes the ever-changing part of the password to the bank along with the never-changing part, inside the minute it is still valid. With a Trojan, the attacker doesn’t need the password at all; he rides the session the user has already authenticated.

The real threat is impersonation fraud, and the tactics change in response to the defenses. Two-factor authentication will force criminals to modify their tactics and keep our heads spinning as we get educated on the new ones.

In both cases the attacker is happy to let the user do the authenticating: the man-in-the-middle can’t do it himself, and the Trojan doesn’t need to.
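Both the fob described earlier and the relay attack described just above can be shown in a few lines. The following is an added example written for this edit, not code from the column or from CcureIT. It models the fob as an HMAC-based time code (the RFC 4226/6238 construction) with a 60-second step to match the “number that changes every minute,” adds the challenge-response variant the column mentions, and assumes a constructed shared secret, the password “hunter2” and fixed timestamps. It demonstrates the two claims made above: a code captured off the wire and replayed later is rejected, while the very same code relayed by a phishing proxy within the minute is accepted.

```python
"""Fob codes and the man-in-the-middle: an added example.

Illustrative code written for this edit, not software from the column or its
author. The fob is modelled as an HMAC-based time code (RFC 4226/6238) with a
60-second step; the shared secret, the password "hunter2" and the timestamps
are constructed for the demo.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the fob's display changes once a minute
DIGITS = 6
SHARED_SECRET = b"constructed-demo-secret-not-for-production"  # held by fob and bank


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """The ever-changing part: HMAC-SHA1 of the time counter, dynamically truncated."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def challenge_response(secret: bytes, challenge: bytes, digits: int = DIGITS) -> str:
    """The other fob style in the column: a unique reply to a random challenge,
    here an HMAC-SHA256 of the server's nonce, truncated to a few digits."""
    digest = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % (10 ** digits)).zfill(digits)


class BankServer:
    """Server-side verifier: static password plus fob code, each code good once."""

    def __init__(self, password: str, secret: bytes) -> None:
        self._password = password
        self._secret = secret
        self._used_counters = set()   # time counters already redeemed

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return False
        counter = now // STEP_SECONDS
        # Accept the current minute and the previous one to tolerate clock drift.
        for c in (counter, counter - 1):
            if c in self._used_counters:
                continue                    # replay of a redeemed code is refused
            expected = totp_code(self._secret, c * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self._used_counters.add(c)
                return True
        return False


def eavesdrop_and_replay(now: int) -> tuple:
    """Attack the fob does defeat: sniff a login, replay the same code later."""
    bank = BankServer("hunter2", SHARED_SECRET)
    captured = totp_code(SHARED_SECRET, now)                  # read off the wire
    genuine = bank.login("hunter2", captured, now)            # the victim's own login
    replayed = bank.login("hunter2", captured, now + 5 * STEP_SECONDS)
    return genuine, replayed                                  # (True, False)


def phishing_proxy(now: int) -> bool:
    """Attack the fob does not defeat: the fake bank page relays the password and
    the still-valid code to the real bank within the same minute."""
    bank = BankServer("hunter2", SHARED_SECRET)
    victim_password = "hunter2"                               # typed into the fake site
    victim_code = totp_code(SHARED_SECRET, now)               # typed into the fake site
    relay_delay = 3                                           # seconds to forward it
    return bank.login(victim_password, victim_code, now + relay_delay)   # True
```

The challenge-response flavor changes nothing here: the proxy simply forwards the bank’s challenge to the victim and the fob’s reply back to the bank, so `challenge_response` is just as relayable as `totp_code`. What the verifier enforces is only that each code is used once and recently; it has no way to tell who is holding the connection.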

Two-factor authentication is hardly useless. It works for local login, and it works within some corporate networks. But on its own it won’t stop these attacks on transactions over the Internet. Financial institutions will probably spend millions outfitting their users with two-factor tokens or server technology, and some will pay their Web-based online transaction broker too much to implement it. Adopters may see a drop in fraud for a while as determined attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft.

We need to get used to having more technology to prove we are who we say we are. We got used to the long security lines at the airport; I think we will do what is asked to help ensure our privacy and security.

In the world of online transactions and financial management, the plane has taken off, and we need to have those passports current and ready to travel the cyber way.

Brian Fitzgerald is president of CcureIT (see-cure-eye-tee) in Moose Lake. He assesses risk, creates common-sense IT policies, helps to integrate policy into business practices and tests technology to ensure security of data and other assets. He is a member of Northland Technology Consortium, Information Systems Audit and Control Assn., Information Systems Security Assn. and InfraGard®. You can reach him at info@CcureIT.com or 800.996.8251.

BusinessNorth
2024 W. Superior St.
Suite 201
Duluth, MN 55806
Phone: 218-720-3060
Fax: 218-720-3068
news@businessnorth.com

