Building smarter authentication

18/08/2006 11:51:36

In March and April, small bunches of e-mail messages arrived at the offices of defence agencies and contractors in the US and Europe. To recipients, the messages seemed credible: Each was addressed to a specific worker, with a valid return address within the organisation and visual elements that made it look like internal e-mail. Too sparse and sophisticated to trip antispam filters, the messages exploited a previously unknown hole in Microsoft Word that allowed them to slip by antivirus filters.

Those recipients who were unlucky enough to open the e-mails' malicious attachments unwittingly installed a Trojan horse, which used the Internet Explorer Web browser to report back, through the network firewall, to machines in China and Taiwan.

Phishing attacks such as this one are nothing new. Online scams that lure online banking and e-commerce customers to phony Web sites and trick them into giving up sensitive account information have been a mainstay of online criminals for years. However, the increase in so-called spear-phishing attacks is new, as is the increasing sophistication of the software they use to penetrate enterprise networks.

In the past year, the number of targeted attacks against companies has increased from one or two a week to one or more a day. Although those numbers might sound laughable compared with e-mail virus and spam campaigns, which can be measured in the millions of messages, spear-phishing attacks are much more dangerous, says Paul Wood, senior analyst at MessageLabs.

"These are not headed to the kind of addresses you harvest from the Internet," Wood says. "These people have massive intelligence on organisations they want to penetrate. The messages are specific to the organisations that they're trying to get something from."

That is usually intellectual property: software source code, design documents, or schematics. In the case of a defence contractor, however, the potential harm from lost intelligence outstrips the usual costs. What's an enterprise to do?

With single-factor user names and passwords fast becoming an IT joke and traditional strong authentication products still expensive to buy and deploy, enterprises are looking for new ways to make authentication smarter, more pervasive, and easier to use.

According to the experts, IT departments everywhere may soon need to deploy protections akin to those now used by finance companies, which have struggled with fraud for centuries (see case study). In response, the once-staid authentication market is rapidly transforming. New startups, new form factors, and an influx of venture capital mean help is on the way. The challenge for enterprise IT is to make it all work before the fraudsters find their way in.

The problem with passwords

As Bob Blakley sees it, it's not that passwords have outlived their usefulness. It's just that they never really worked to begin with.

"The basic problem is that there's a built-in trade-off between the human cognitive capability and password strength," says Blakley, who is chief scientist for security and privacy at IBM. If the standard strong-password policy calls for eight or more characters mixing letters and digits, users either settle for passwords that aren't secure or choose secure passwords they can't remember.

Sam Tuohey, CTO of Stanford Federal Credit Union, reached the same conclusion in a more empirical fashion: an audit of password strength for 45,000 customers. Tuohey's team threw standard cracking tools at the list of hashed passwords and found that approximately 80 per cent of the values could be cracked "in about a second", Tuohey says.
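To make that audit concrete, here is an added example, my own code rather than the credit union's tooling, of the dictionary check Tuohey's team ran, using a handful of constructed accounts and a constructed wordlist. It also contrasts the legacy storage the article's "encrypted passwords" implies (one fast, unsalted hash per user) with per-user salts and a slow key-derivation function: the same weak passwords fall either way, but the salted scheme removes the one-hash-covers-every-user shortcut and makes each guess cost thousands of times more. Account names, passwords, the wordlist and the iteration count are all assumptions.

```python
import hashlib
import os

# Constructed sample accounts: the mix an "eight or more characters, letters
# and digits" policy still produces. Not real credit-union data.
ACCOUNTS = {
    "alice": "password1",
    "bob": "letmein99",
    "carol": "Tr0ub4dor&3",
    "dave": "qwerty123",
    "erin": "password1",
    "frank": "welcome1",
    "grace": "correct horse battery staple",
    "heidi": "iloveyou2",
    "ivan": "football1",
}

# Constructed stand-in for the dictionaries that cracking tools ship with.
WORDLIST = ["password1", "letmein99", "qwerty123", "welcome1",
            "iloveyou2", "football1", "123456", "monkey"]

KDF_ITERATIONS = 10_000   # assumed work factor for the salted scheme


def store_unsalted(accounts):
    """Legacy scheme: one fast, unsalted hash per user."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in accounts.items()}


def store_salted(accounts, iterations=KDF_ITERATIONS):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    out = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def crack_unsalted(store, wordlist):
    """Hash every word once; the resulting table answers for all users at once."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in store.items() if h in table}
    return cracked, len(wordlist)          # hash operations spent


def crack_salted(store, wordlist, iterations=KDF_ITERATIONS):
    """Salts force one KDF call per (user, word) pair: cost grows with the user count."""
    cracked, ops = {}, 0
    for u, (salt, digest) in store.items():
        for w in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[u] = w
                break
    return cracked, ops


def audit(accounts, wordlist):
    """Fraction of accounts recovered, and work spent, under each storage scheme."""
    c1, ops1 = crack_unsalted(store_unsalted(accounts), wordlist)
    c2, ops2 = crack_salted(store_salted(accounts), wordlist)
    n = len(accounts)
    return {"unsalted": (len(c1) / n, ops1), "salted": (len(c2) / n, ops2)}


if __name__ == "__main__":
    for scheme, (fraction, ops) in audit(ACCOUNTS, WORDLIST).items():
        print(f"{scheme}: {fraction:.0%} of accounts cracked with {ops} hash/KDF calls")
```

Seven of the nine constructed accounts fall to an eight-word list under both schemes, which is the audit's real lesson: the weak link is the passwords themselves, and the storage scheme only changes how much work each guess costs (8 fast hashes versus 38 slow KDF calls here).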

For many years, simple passwords were a sufficient deterrent to relatively low levels of hacking and online crime. No longer. What was once acceptable laxity of user access is now an open invitation to sophisticated online criminals, who have quickly discovered how to make short work of passwords with phishing attacks, in combination with malicious code to harvest other sensitive data.

Changes in the threat environment are spurring rapid change in the authentication business, says Chris Young, senior vice president and general manager of consumer solutions at RSA Security.

"You've seen a movement from high-school kids who write viruses to organised criminal rings that are doing phishing and pharming and propagating Trojans that steal information purely for profit," Young says.

Stanford Federal knows that only too well. The credit union is hardly a target like Bank of America or Wells Fargo, but phishers still found it late last year and used a sophisticated and targeted scam to try to compromise customer accounts, Tuohey says.

Taking advantage of the credit union's connection to Stanford University, the phishers harvested thousands of publicly available stanford.edu addresses and sent phishing e-mails to them, spoofed to look as if they came from the credit union. Tuohey knows of only four customers who responded to the e-mail messages and says he doesn't believe that any accounts were actually compromised in the scam. But the incident was a wake-up call.

Factors against fraud

Strong authentication using additional factors such as smart cards, one-time password generators and USB tokens has been the traditional weapon of choice for organisations worried about fraud, and it remains popular. RSA claims to have 20,000 customers worldwide using its SecurID token. But strong authentication has always been pricey to deploy and maintain, and many users find the tokens inconvenient.

That was the conclusion that Stanford Federal Credit Union reached, as well. "Sending out 45,000 tokens, then supporting them when people broke or lost them, would have been prohibitive," Tuohey says.

Stanford Federal Credit Union does use smart cards for employees who travel and work from home, but traditional smart cards wouldn't have been practical for customers who don't own readers to insert them into, Tuohey says. The credit union's solution was to turn to a friendlier form of two-factor authentication, including antifraud and Web site authentication technology from PassMark Security (now part of RSA).

PassMark's technology employs user-selected watermarks to distinguish legitimate Web pages from phishing scams, plus back-end antifraud analytics that spot suspicious log-in attempts. RSA calls this multipronged effort "adaptive authentication", but it is more commonly known as "risk-based authentication".

"It's the concept of different types of authentication based on context," RSA's Young says. "Who are you? Where are you in the session? What's your typical account behaviour?"

Among the factors that antifraud vendors consider are time of day, the IP address and kind of computer used, and geographic location. Although these measurements aren't foolproof, they're highly accurate in identifying most users, experts say.

"My wife always banks online at home," says Nico Popp, vice president of authentication services at VeriSign, which bought fraud detection company Snapcentric in February. "She's going to have a very stable cluster of behaviours: the same kind of browser, the same ISP, and she always banks on Saturday morning. It's a very clear pattern."

If Mrs Popp tries to log in from Korea on a different machine with non-English-language settings, it should set off alarms, Popp says. On the other hand, Popp himself is more of a globetrotter; for his profile the geo-location information is less reliable. But he does always connect from the same laptop, so the device settings and session information are just as powerful, he says.

Proceed with confidence

The combination of fraud detection and risk-based authentication is powerful, Popp says, because it is invisible to users under normal circumstances but springs to life when the risk associated with user behaviour increases, as in the case of money transfers or sudden account changes.

But risk-based authentication is no silver bullet for enterprises, notes Stu Vaeth, chief security officer of Diversinet, a supplier of token-based strong authentication solutions. Antifraud and risk-based authentication are great at weeding out phishing and man-in-the-middle attacks, he says, but they aren't as secure as traditional two-factor authentication.

RSA's Young concurs. "It's kind of like saying that alarm systems will make door locks go away," he says. "What this will do is allow millions of consumers or enterprise users who are not using credentials like SecurID to open up their protection options."

That kind of thinking represents a major shift in the authentication market. Whereas at one time merely granting permission was seen as the essence of authentication, today's solutions are moving instead toward an idea of "confidence", IBM's Blakley says.

"People think of authentication as something to do at the beginning of a session and never do again, but authentication is a confidence-building thing. You have to have confidence in the identity of your transaction partner, and that confidence can erode over time," Blakley says.

For example, getting through the identity check at the front gate of NSA headquarters in Fort Meade doesn't necessarily give a visitor access to every room in the building, he adds.

At security vendor Cydelity, the idea is to monitor users' behaviour after they're logged on and flag what's risky, according to CEO Bob Ciccone. "Enterprises have typically deployed layered defences, but there's not a layer where they're watching what users do once they're in," he says.

As do other companies in the antifraud space, Cydelity considers geo-location and atypical behaviour, such as changing or disabling e-mail notification in conjunction with money transfer requests and attempts to access from suspicious locations.
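The scoring that Popp, Young and Ciccone describe can be sketched directly. What follows is an added example of mine, not code from RSA, VeriSign or Cydelity. The function login_risk weighs the context factors named above (device, ISP, country, browser language, hour of day) against a user's profile; the weights, the allow/step-up/deny thresholds and the travels flag for a globetrotter like Popp are my assumptions. The function session_alerts applies the post-login rule Cydelity describes, flagging a transfer that follows a change to e-mail notification, and also steps up any transfer over an assumed amount. The two profiles and the event list are constructed to match the scenarios Popp gives.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    """What a user's past sessions looked like (constructed, not vendor data)."""
    devices: set        # browser/OS fingerprints seen before
    isps: set
    countries: set
    locales: set        # browser language settings
    usual_hours: set    # hours of the day at which this user normally logs in
    travels: bool = False   # frequent traveller: location is weak evidence


@dataclass
class LoginContext:
    device: str
    isp: str
    country: str
    locale: str
    hour: int


def login_risk(profile, ctx):
    """Weighted sum of the context factors; weights are assumptions."""
    score = 0
    if ctx.device not in profile.devices:
        score += 40     # an unknown machine is the strongest single signal
    if ctx.isp not in profile.isps:
        score += 15
    if ctx.country not in profile.countries:
        score += 10 if profile.travels else 30   # geo counts for less for a traveller
    if ctx.locale not in profile.locales:
        score += 20
    if ctx.hour not in profile.usual_hours:
        score += 10
    return score


def decision(score):
    """Map a score onto the three outcomes of risk-based authentication."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up"    # ask for a second factor or a challenge question
    return "allow"


HIGH_VALUE = 5000   # assumed transfer amount above which we always step up


def session_alerts(events, window=3):
    """Post-login rules over an ordered list of (action, details) tuples."""
    alerts = []
    for i, (action, details) in enumerate(events):
        if action != "transfer":
            continue
        if details.get("amount", 0) >= HIGH_VALUE:
            alerts.append((i, "high-value transfer: step-up"))
        recent = [a for a, _ in events[max(0, i - window):i]]
        if any(a in ("disable_notifications", "change_email") for a in recent):
            alerts.append((i, "transfer shortly after notification change"))
    return alerts


# Constructed scenarios matching the two Popp profiles quoted above.
HOME_BANKER = Profile({"firefox-winxp-home"}, {"comcast"}, {"US"}, {"en-US"}, {8, 9, 10})
SATURDAY_LOGIN = LoginContext("firefox-winxp-home", "comcast", "US", "en-US", 9)
KOREA_LOGIN = LoginContext("ie6-winxp-cafe", "kt", "KR", "ko-KR", 3)

TRAVELLER = Profile({"thinkpad-nico"}, {"comcast"}, {"US"}, {"en-US"},
                    {8, 9, 10, 20, 21}, travels=True)
TRAVELLER_IN_KOREA = LoginContext("thinkpad-nico", "kt", "KR", "en-US", 9)

SESSION_EVENTS = [
    ("login", {}),
    ("disable_notifications", {}),
    ("view_balance", {}),
    ("transfer", {"amount": 9000}),
]

if __name__ == "__main__":
    for name, prof, ctx in [("home banker, Saturday", HOME_BANKER, SATURDAY_LOGIN),
                            ("home banker, Korea", HOME_BANKER, KOREA_LOGIN),
                            ("traveller, own laptop, Korea", TRAVELLER, TRAVELLER_IN_KOREA)]:
        s = login_risk(prof, ctx)
        print(f"{name}: score {s} -> {decision(s)}")
    for idx, why in session_alerts(SESSION_EVENTS):
        print(f"event {idx}: {why}")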

Increasingly, customers are combining this kind of analytics-based risk detection with soft, two-factor alternatives to tokens and smart cards that are easier to deploy and support. For example, Diversinet's soft tokens offer strong authentication akin to traditional tokens but can be delivered over a wireless network and stored on a PDA or mobile phone.

Bharosa, meanwhile, offers a choice of form factors for its Authenticator soft two-factor authentication application, while on the back end its Tracker application monitors the origin of log-ins to avoid fraud. Metrics used include the computer or mobile device used to log in, geo-location, and behavioural profiles, says Bharosa CEO Jon Fisher.

A wide-open future

According to guidance from the Federal Financial Institutions Examination Council (FFIEC) in 2005, "Single-factor authentication, as the only control mechanism, is inadequate for high-risk transactions" such as money transfers.

In June, the White House's Office of Management and Budget seconded that, directing federal agencies to comply with NIST security standards, including encryption of data on mobile devices and two-factor authentication for remote access to data.

These advisories have sent financial institutions and government agencies scrambling to shore up user authentication with additional factors. But that's not necessarily a good thing for enterprises. With vendors focused on consumer fraud protection for the government and financial verticals, enterprise-targeted products are being put on hold.

"The market opportunity is such on FFIEC that right now we're 99 per cent on that," VeriSign's Popp says. "Between fraud, identity theft, and regulations, vendors are all-hands-on-deck." But when the flood of FFIEC-compliance money dwindles, he says, companies will begin looking to tap the even larger enterprise authentication market.

Like Popp, IBM's Blakley sees a role for risk-based analysis as part of the ordinary authentication process at organisations of all stripes. "Right now people mostly do risk analysis up front. It's plausible that in the future you're going to have more dynamic assessments of risk factors, so if a system becomes aware that something squirrelly is going on, you're asked to pass an additional authentication test to increase confidence in the strength of the authentication," he says.

Customers can already combine identity analytics with business rule checks to spot relationships within enterprise user populations. Adding more authentication data into that mix will lead to even more focused offerings, Blakley says.

But the future of strong authentication may lie outside the hands of any one vendor. The Initiative for Open AuTHentication (OATH), an industry consortium that publishes open authentication specifications, now boasts more than 66 members, including smart-card vendor Axalto, BMC, IBM, USB-token maker SanDisk and VeriSign, among others. The idea is to create an ecosystem of authentication hardware and software built on openly specified, interoperable algorithms rather than proprietary ones, encouraging creativity in a market that has long been dominated by a handful of large companies.

"One thing we've pushed with OATH is an open approach to fraud detection. Proprietary networks will never succeed, if each vendor says: 'This is my fraud data, and I'm not going to share it.' That just helps the bad guys," VeriSign's Popp says.
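The article names OATH but not what it has published. Its first specification is the HOTP one-time-password algorithm (RFC 4226, December 2005): HMAC-SHA-1 over a shared secret and an event counter, dynamically truncated to a six-digit code. Below is an added implementation of my own, not OATH's reference code or any vendor's, together with a server-side verifier that tolerates the counter drift a hardware token accumulates when its button is pressed without a login, and that refuses replayed codes. The class name HotpVerifier and the look-ahead window size are my choices; the secret is the RFC's own test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F                      # low nibble of the last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24               # mask the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class HotpVerifier:
    """Server side: the shared secret and the next counter value we expect from the token."""

    def __init__(self, secret, look_ahead=5, digits=6):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead     # assumed resync window; larger = more tolerant, weaker
        self.digits = digits

    def verify(self, presented):
        # Reject malformed input before it reaches the constant-time comparison.
        if not (presented.isascii() and presented.isdigit() and len(presented) == self.digits):
            return False
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), presented):
                # Accept, and burn this counter and every earlier one: a code
                # is valid exactly once, so a replayed capture is refused.
                self.next_counter = c + 1
                return True
        return False


SECRET = b"12345678901234567890"   # the RFC 4226 test-vector secret, not a production key

if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(SECRET, c)}")
    v = HotpVerifier(SECRET)
    code = hotp(SECRET, 3)           # token pressed three times without a login
    print("first use accepted:", v.verify(code))
    print("replay accepted:", v.verify(code))
```

The look-ahead window is the practitioner's trade-off: it is what makes a token still usable after idle presses, and it is also a small brute-force surface, so keep it narrow and rate-limit failed attempts per account.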

[sidebar]

Musicrypt tunes in to so-called soft biometrics

By Paul Roberts

Much of the attention paid to intelligent anti-fraud solutions has come from banking, financial services and e-commerce companies. There's a good reason for that, too: they're the companies most often targeted by fraud. But the benefits of new authentication methods extend well beyond the e-commerce and banking verticals.

At Musicrypt, an online distributor of radio promotions, the advent of new behavioural biometric authentication technology has been a key to the company's growth. Musicrypt's Web-based technology delivers new music singles and other promotions to radio stations in Canada and the US, replacing slower, more expensive, and less reliable physical distribution methods with digital downloads. Distribution via the Internet also provides record labels with vital intelligence about which stations are interested in their music.

Because those same labels are concerned about Internet piracy, however, security is a top concern for Musicrypt's customers. Radio stations often get to listen to new music well before its official release. Musicrypt needed a way to assure copyright owners that only authorised staff would have access to the material. For that, it chose BioPassword, a software-based biometric technology that identifies computer users by their typing patterns.

As opposed to other forms of biometric identifiers, such as thumbprint scanners, BioPassword's keystroke analyser doesn't require any special hardware to use. Users enrol simply by typing their user ID and password multiple times, allowing the company's software to study the timing and pattern of keystrokes. Customers can then tune the sensitivity of the detection up or down to weed out false positives, or loosen requirements to the point that more than one individual can share a log-on, says BioPassword CTO Greg Wood.
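As an added sketch (my own, not BioPassword's method, which is proprietary) of the enrolment-and-match loop Wood describes: each enrolment attempt yields the intervals between successive key presses, the template is the per-interval mean and standard deviation across attempts, and a probe is scored by its average distance from the template in standard-deviation units. The sensitivity argument is the knob the sidebar mentions: a low value rejects anyone whose rhythm drifts, a high one lets a second person through on the same log-on. The timings, the 10 ms standard-deviation floor and the thresholds are constructed assumptions.

```python
from statistics import fmean, pstdev

MIN_STD_MS = 10.0   # assumed floor: a very consistent typist must not get a template that rejects everyone


def timings_from_keydowns(keydown_ms):
    """Convert absolute key-down timestamps (ms) into inter-key intervals."""
    return [b - a for a, b in zip(keydown_ms, keydown_ms[1:])]


def build_template(samples):
    """samples: one list of inter-key intervals (ms) per enrolment attempt."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("enrolment samples must all have the same number of intervals")
    columns = list(zip(*samples))
    means = [fmean(col) for col in columns]
    stds = [max(pstdev(col), MIN_STD_MS) for col in columns]
    return means, stds


def rhythm_distance(template, probe):
    """Mean absolute z-score of the probe against the template; 0 is a perfect match."""
    means, stds = template
    if len(probe) != len(means):
        raise ValueError("probe length does not match template")
    return fmean([abs(p - m) / s for p, m, s in zip(probe, means, stds)])


def accept(template, probe, sensitivity=1.0):
    """Lower sensitivity = stricter; raise it to let a shared log-on through."""
    return rhythm_distance(template, probe) <= sensitivity


# Constructed enrolment data: five attempts at the same seven-character
# password, each as six inter-key intervals in milliseconds.
ENROLMENT = [
    [120, 95, 140, 110, 130, 100],
    [125, 90, 145, 115, 135, 105],
    [115, 100, 135, 105, 125, 95],
    [130, 95, 150, 110, 140, 100],
    [120, 100, 140, 110, 130, 100],
]
GENUINE_PROBE = [118, 98, 138, 112, 128, 102]      # same person, slight drift
IMPOSTOR_PROBE = [200, 160, 90, 180, 210, 150]     # correct password, different rhythm

if __name__ == "__main__":
    tmpl = build_template(ENROLMENT)
    for name, probe in [("genuine", GENUINE_PROBE), ("impostor", IMPOSTOR_PROBE)]:
        d = rhythm_distance(tmpl, probe)
        print(f"{name}: distance {d:.2f}, strict={accept(tmpl, probe)}, "
              f"loose={accept(tmpl, probe, sensitivity=7.0)}")
```

Note what the impostor case shows: the password is correct, and only the rhythm gives the second typist away, which is the property that lets Musicrypt tie a download to an individual rather than to a shared account.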

Enterprises often baulk at the cost, constraints and fickle performance of more traditional biometric technologies such as fingerprint, face, and iris scanners. Because of this, so-called behavioural biometrics -- including keystroke, mouse pattern, and voice analysis, in addition to such soft authentication methods as challenge/response questions -- have become more popular.

For Musicrypt, distributing strong authentication tokens to thousands of employees at radio stations would have been impractical and expensive to support. Keystroke biometrics have added security to the traditional user name and password combination in a way that's transparent to users, giving the company an edge over competitors that offer similar online distribution systems but still rely on single-factor authentication to secure them, Montgomery says.

Biometrics also provides another advantage with a potentially bigger impact on the music industry -- and the enterprise.

"Record executives want to know who opens a file at a radio station," Montgomery says. "Did they stream it or download it? And if they downloaded it, how many times did they download it?" According to Montgomery, biometrics such as those used by BioPassword make sure "everyone's accountable".

[sidebar]

Authentication gets an upgrade

By Paul Roberts

It wasn't all that long ago that the market for strong authentication products was the tech industry's equivalent of "Coke or Pepsi?" Companies had just a few choices, including secure tokens such as RSA's popular SecurID and chip-enabled smart cards from companies such as Axalto and Gemplus.

Cards and tokens are still the name of the game for many companies, and the smartcard industry expects 2007 to be one of its best years ever. But behind the scenes, there's plenty going on in the once-staid market for user authentication technology.

Why? Pick your reason. Phishing attacks and targeted "spear phishing" make it easy for fraudsters to get the credentials they need to penetrate sensitive systems such as online banking and e-commerce sites, not to mention enterprise applications. Wi-Fi makes it possible to drop into enterprise networks behind the firewall, and evolving rootkit techniques make malicious code detection so difficult that it's almost worth forgetting about.

And let's not forget: PKI solutions are expensive! In any case, the free-for-all on enterprise networks and enterprise data has spurred rapid evolution in the industry and raised an army of startup companies with new takes on the old authentication problem. Among the trends to watch:

Biometrics. Biometrics have been the "next big thing" for more than a decade, but a combination of factors has recently spurred enterprise adoption. Major PC makers such as Lenovo have integrated biometric scanners into their devices, and USB-enabled scanners are more affordable. A new generation of behavioural biometrics is also gaining traction. Financial risk management vendor Fair Isaac recently introduced a new product called Falcon One for Online Access, which monitors customer behaviours, such as typing and mouse pad patterns. RSA, soon to be part of storage giant EMC, acquired voice recognition technology vendor PassMark Security in April; and BioPassword, another behavioural biometric vendor, says its typing analysis technology can weed out fraudsters even after they've stolen your user name and password.

More form factors. One of the biggest challenges of strong authentication solutions was the cost of purchasing and deploying the additional factor. Key fobs and smartcards get lost or damaged, and vendors never had a good answer for how a user should manage a handful of tokens issued by different companies. In recent years Diversinet, RSA, Saflink, and VeriSign have all developed technologies that can deliver tokens wirelessly to mobile phones or PDAs.

Risk-based authentication. Everybody wants to strengthen access controls, but not every customer or transaction warrants strong, two-factor authentication. The result: Enterprises are taking a more nuanced approach to authentication, applying strong security to high-risk, high-value transactions, and lighter security to low-risk behaviour. In addition to RSA and VeriSign, smaller companies such as Entrust and TriCipher offer solutions that combine support for strong, two-factor authentication with soft authentication methods such as challenge/response questions, as well as hardware and software to analyze fraud risk data.

Reputation services. With rootkits, drive-by downloads, and other stealth technology proliferating, having the right log-in credentials just doesn't mean what it used to. Companies also want to monitor online behaviour to develop profiles of who users are and what they do, to prevent critical security lapses even after users have authenticated. Companies such as Cydelity, Cyveillance, IdenTrust, RSA and VeriSign are integrating anti-fraud and phishing data with behavioural analysis to spot compromised machines and rogue employees.

