
Tuesday, October 19, 2010

Secret Q&A : lie about it

I read this post tonight, and it reminded me of the best security rule about secret Q&A services used for self-service password reset and other critical tasks on the web…

“Do not tell the truth”


Today, with all the 2.0 services (Facebook, LinkedIn, Copains d’Avant,…), pieces of your personal information are no longer yours alone. So when asked:
  • What is your grandmother's maiden name?
  • What species is your pet?
  • What was the make of your first car?
  • Etc.

Don’t even think of answering “Martin”, “Chien” or “Peugeot”… Lie about it: use your environment as context for the answer, and a mnemonic process as the key to remembering it.

Like every security motto, it seems obvious, but like every security motto, it has to be repeated.
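One way to follow this rule without remembering anything per site, as an added example that is not from the original post: derive each “answer” from a master secret (kept in a password manager) with HMAC-SHA256 over the site name and the normalized question. The result is a random-looking string unrelated to any fact about you, so it cannot be mined from social networks, and the master secret cannot be recovered from a leaked answer. The site name, master secret and questions below are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
import unicodedata

# Base32 alphabet of the derived answers, lowercased: a-z and 2-7.
ANSWER_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def normalize_question(question: str) -> str:
    """Fold case, accents, punctuation and spacing so that cosmetic wording
    differences between a site's enrollment and reset pages still derive the
    same answer ("Whát  is the species of your PET?" == "what is the species of your pet")."""
    text = unicodedata.normalize("NFKD", question)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(text.split())


def derive_answer(master_secret: bytes, site: str, question: str,
                  groups: int = 3, group_len: int = 5) -> str:
    """HMAC-SHA256(master_secret, site || 0x00 || normalized question), encoded as
    lowercase base32 and split into typeable groups, e.g. 'xk3mz-q7d2p-a9wcn'.
    Three groups of five base32 characters carry 75 bits of entropy."""
    context = site.strip().lower().encode() + b"\x00" + normalize_question(question).encode()
    digest = hmac.new(master_secret, context, hashlib.sha256).digest()
    # 32 bytes encode to 56 base32 chars (incl. padding); only the first
    # groups * group_len are used, well before any padding.
    encoded = base64.b32encode(digest).decode().lower()
    body = encoded[: groups * group_len]
    return "-".join(body[i:i + group_len] for i in range(0, len(body), group_len))


def looks_like_derived_answer(answer: str, groups: int = 3, group_len: int = 5) -> bool:
    """Sanity check: right shape, only base32 characters."""
    parts = answer.split("-")
    return len(parts) == groups and all(
        len(p) == group_len and set(p) <= ANSWER_ALPHABET for p in parts)


if __name__ == "__main__":
    # Constructed master secret; in practice generate it randomly and keep it
    # in a password manager, and never reuse a real password for this.
    master = b"constructed-master-secret-for-the-example"
    for q in ("What is your grandmother's maiden name?",
              "What is the species of your pet?",
              "What was the make of your first car?"):
        print(f"{q:45s} -> {derive_answer(master, 'example.com', q)}")
```

The caveat a practitioner will spot: a site that rejects digits or hyphens in answers, or truncates them, needs its own encoding rule, and the master secret is now a single point of failure that must be backed up like any other master password.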

Google Apps strong authentication : FireID is on tracks

Yesterday we talked about the new ways to authenticate to Web 2.0 services, and I listed Google's announcement.
Today, FireID goes a little further. Through a beta release, they have tied their mobile authentication component for web applications to the new Google out-of-band (OOB) system. The main strength of this solution lies in FireID's support for Android, Windows Mobile and BlackBerry.

"FireID focuses on strong authentication and is committed to remaining the leading innovator in providing authentication solutions on all mobile platforms," says Jenny Dugmore, CEO of FireID. "Security is a strategic imperative for enterprises and this is not resolved with a point solution. More enterprises are recognising the importance of two-factor authentication and the mobile phone is clearly the most cost effective and practical option. FireID's solution is an ideal extension to the Google platform, giving it greater reach and, since it is out-of-band, gives the solution stronger security than traditional solutions."

Credit Card : with or without chip, it is time to evolve

I’m still very confused by the lack of security when paying with a credit card in the US.
In Europe, the penetration rate of smart cards, and the use of a PIN with the chip (rather than the magnetic stripe), has been well above 90% for more than ten years.
This allows Visa and Mastercard to offer new services and products in European countries, such as OTP generation within the card or through a reader, an electronic purse (e.g. Moneo) and, within a few years, contactless access as already used for transportation.
Even where it is not possible to rely on a chip, new solutions and services exist. Dynamics Inc. has presented four new types of credit card and will present two more in the coming months:
  • MultiAccount
  • This credit card allows one to pay from several bank accounts using a single card. By pushing a button on the card, the client selects the account to use.
  • Hidden™:
  • This credit card masks part of the card number embossed on it. By pushing buttons in the correct order, the client can display the whole number to the merchant.
  • After a certain amount of time, the display is cleared.
  • Redemption™:
  • This device lets the user choose between paying from his bank account or with the reward plan associated with the store. The points are automatically used as “money” for the transaction.
  • Dynamic Credit Card
  • This device writes a new, unique card number to the magnetic stripe each time the client pushes the button. Each number can only be used once, so the system works like an OTP system.
The last product can be seen as an alternative to the Visa “e-Carte Bleue” service, which does the same for online transactions.
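To make the OTP comparison concrete, here is an added model of a single-use card number scheme. It is not Dynamics Inc.'s design, just a constructed illustration of how an issuer can verify numbers that change on every press, the same way counter-based OTP (HOTP) works: the card holds a per-card key and a press counter, each press derives nine account digits from HMAC-SHA256(key, counter) behind a constructed BIN, and a Luhn check digit is appended so the number still passes basic checks. The issuer keeps the last counter it accepted and tolerates a small look-ahead window for presses that never reached a merchant; anything at or below the last accepted counter, including a replayed number, is refused. The BIN, key and window size are assumptions for the example.

```python
import hashlib
import hmac

# Constructed 6-digit BIN (issuer prefix) for the example; not a real issuer's.
BIN = "400000"
# Presses the issuer tolerates between two numbers it actually sees.
LOOKAHEAD_WINDOW = 5


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions, counted from the check digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def card_number(card_key: bytes, counter: int) -> str:
    """The number the card writes for a given press:
    BIN (6) + 9 digits from HMAC-SHA256(card_key, counter) + Luhn digit = 16 digits."""
    mac = hmac.new(card_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    account = f"{int.from_bytes(mac, 'big') % 10**9:09d}"
    partial = BIN + account
    return partial + luhn_check_digit(partial)


class Card:
    """The device in the wallet: a key and a press counter, nothing else."""
    def __init__(self, card_key: bytes) -> None:
        self.card_key = card_key
        self.counter = 0

    def press(self) -> str:
        number = card_number(self.card_key, self.counter)
        self.counter += 1
        return number


class Issuer:
    """Authorization side: knows the same key and the last counter it accepted."""
    def __init__(self, card_key: bytes, window: int = LOOKAHEAD_WINDOW) -> None:
        self.card_key = card_key
        self.window = window
        self.last_counter = -1

    def authorize(self, number: str) -> bool:
        if len(number) != 16 or not luhn_valid(number) or not number.startswith(BIN):
            return False
        # Only counters above the last accepted one are candidates, so a replayed
        # or stale number is refused even though it is a genuine past output.
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(card_number(self.card_key, candidate), number):
                self.last_counter = candidate
                return True
        return False


def demo() -> dict:
    """Walk through the cases a practitioner cares about; returns the outcomes."""
    key = b"constructed per-card key provisioned at issuance"
    card, issuer = Card(key), Issuer(key)
    first = card.press()
    outcomes = {"first_use": issuer.authorize(first),
                "replay": issuer.authorize(first)}
    card.press(); card.press()                                           # never sent anywhere
    outcomes["after_skipped_presses"] = issuer.authorize(card.press())   # counter 3, in window
    outcomes["stale_number"] = issuer.authorize(card_number(key, 2))     # below last_counter
    forged = BIN + "123456789"
    outcomes["forged_luhn_valid"] = issuer.authorize(forged + luhn_check_digit(forged))
    outcomes["bad_check_digit"] = issuer.authorize(first[:-1] + str((int(first[-1]) + 1) % 10))
    return outcomes


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} {'accepted' if accepted else 'refused'}")
```

Two caveats the toy hides: the window must be small, because each extra candidate is another number an attacker can hit by chance within the nine free digits, and a real system also needs an out-of-band resynchronization path for a card whose counter has drifted past the window.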

Monday, October 18, 2010

Stronger authentication for Web 2.0: towards a mobile-centric solution

Control of (identity) information is the main objective of every well-built 2.0 application. The “evil guys” understood this well, and those applications now have to deal with more and more cases of identity theft or unauthorized access to (confidential?) data. Think about various examples:
How to secure the web and be sure to reach everyone, without investing in costly hardware or deploying complex solutions?

Until now, the security of these services has relied mainly on control of an e-mail address and verification of its ownership by the user.

Today, mobile phones are in everyone's pocket. They give access, from more and more places, to advanced services such as e-banking, e-commerce, electronic purses, transport tickets, etc. In 2010:
  • There are 5.1 billion mobile phones in use in the world,
  • The penetration rate in Europe is more than 157.5%,
  • In both Africa and the Middle East, more than 50% of people have a mobile phone.
So for Web 2.0 services to secure their users' logins, the best way is to rely on it. As a matter of fact, most of the big 2.0 providers have launched, or are about to launch, their multi-factor authentication solutions. In the last few days, we heard about:
  • Google and its Google Apps offer:
  • Starting with the Google Apps Premier, Education and Government editions, and then with the Personal Edition, Google will allow more than 300 million clients to use a two-factor authentication method (something they know and something they have) for Gmail, Reader, Calendar, etc.
  • See Three million businesses have gone Google: celebrating growth, innovation and security

  • Facebook:
  • By collecting your mobile phone number (if it did not have it already), Facebook will send you an OTP by SMS to use in place of your password; this temporary password is only valid for 20 minutes, in order to limit exposure.
  • This service will be available in the U.S. first, then worldwide.
  • See Facebook announces one-time passwords and remote log-outs

  • Windows Live and Hotmail:
  • Available at first only for account recovery, Microsoft enables two features to protect its users. The first lets them identify a trusted PC through a unique fingerprint; sensitive operations can then only be carried out from that machine.
  • The second lets users enter the mobile phone number to which they want to receive an OTP by SMS. This OTP can also validate sensitive operations.
  • See Hotmail security updates protect you from account hijackers
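The three announcements above share one server-side pattern: a random code sent out of band to the phone, usable once, for a bounded time. As an added example that is not Facebook's, Google's or Microsoft's code, here is that pattern with the details a practitioner would want: the code is stored only as a keyed hash, it expires after the 20 minutes Facebook announced, it is consumed on first success, and a handful of wrong guesses invalidates it. The SMS gateway and the clock are injected so the logic runs offline; the user names and phone numbers are constructed.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 8
OTP_TTL_SECONDS = 20 * 60   # validity Facebook announced for its temporary passwords
MAX_ATTEMPTS = 3            # wrong guesses before the code is thrown away


@dataclass
class PendingOtp:
    digest: bytes         # keyed hash of the code; the clear code is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.send_sms = send_sms
        self.clock = clock
        self.pending: Dict[str, PendingOtp] = {}
        # Server-side key so a dump of `pending` cannot be brute-forced offline
        # over the 10^8 possible codes.
        self.hash_key = secrets.token_bytes(32)

    def _digest(self, user_id: str, code: str) -> bytes:
        return hmac.new(self.hash_key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, phone: str) -> None:
        """Generate a fresh code, remember only its hash, send the clear code out of band."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user_id] = PendingOtp(self._digest(user_id, code),
                                           self.clock() + OTP_TTL_SECONDS)
        self.send_sms(phone, f"Your one-time password is {code}. It is valid for 20 minutes.")

    def verify(self, user_id: str, code: str) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:          # expired: drop it
            del self.pending[user_id]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:            # too many guesses: drop it
            del self.pending[user_id]
            return False
        if hmac.compare_digest(entry.digest, self._digest(user_id, code)):
            del self.pending[user_id]                # single use
            return True
        return False


def demo() -> Dict[str, bool]:
    """Exercise the service with a fake SMS gateway and a controllable clock."""
    sent = []
    now = [1_700_000_000.0]
    service = OtpService(send_sms=lambda phone, text: sent.append((phone, text)),
                         clock=lambda: now[0])

    def last_code() -> str:   # what the user reads off the constructed SMS
        return re.search(r"\b\d{%d}\b" % OTP_DIGITS, sent[-1][1]).group(0)

    def wrong(code: str) -> str:   # differs from `code` in its first digit
        return str((int(code[0]) + 1) % 10) + code[1:]

    outcomes = {}
    service.issue("alice", "+1 555 0100")            # constructed user and number
    code = last_code()
    outcomes["wrong_code"] = service.verify("alice", wrong(code))
    outcomes["right_code"] = service.verify("alice", code)
    outcomes["replay"] = service.verify("alice", code)

    service.issue("alice", "+1 555 0100")
    code = last_code()
    now[0] += OTP_TTL_SECONDS + 1
    outcomes["expired"] = service.verify("alice", code)

    service.issue("alice", "+1 555 0100")
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        service.verify("alice", wrong(code))
    outcomes["locked_out"] = service.verify("alice", code)
    return outcomes


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} {'accepted' if ok else 'refused'}")
```

What the code cannot fix is the channel itself: an SMS code is only as strong as the phone number's binding to the user, so the enrollment step (changing the number) deserves the same protection as the login it is meant to secure.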
On top of that, identity federation and consolidation are still active on the web: OAuth implementations are live at Twitter, LinkedIn, etc.

As we can see, the mobile phone is going to become the pillar of the authentication process for web-centric services. As Gartner estimates worldwide sales of tablet-like products at 20 million in 2010, the next challenge for a secure web is already clear: how to prevent data leaks when a mobile device is stolen or lost…