www.PhilipHall.com

Hackers have developed a new distributed WordPress admin account cracking tool which poses a severe risk for the security of blogs whose owners select insecure passwords.

In a nutshell, a new PHP script has been developed which runs brute force attacks on random WordPress sites – hosted on virtual servers. Many sites can be attacked at the same time by the system, with results written into an associated database.

The SANS Institute’s Internet Storm Centre notes that brute force attacks against Wordpress are commonplace. The distributed nature of the latest attack marks an evolution towards blog hacking as a web service, however, thus marking it out from the crowd.

The interesting thing about the new script is that it allows distributed cracking. Information is saved in a MySQL database and the script actually connects directly to the main database. This allows the attacker to run many simultaneous scripts – each of them will take 200 new URLs and mark them with the brute forcer’s ID ($colo).

The script then takes every password from a password script and tries it on each site. The script can even be stopped and when executed next time will continue where it stopped.

“While this particular version is relatively simple, the power behind the script and the MySQL database allows the attacker to distribute the attacks not only by sites, but also by passwords tried as well.” ISC security watcher Bojan Zdrnja writes.

Blog owners and administrators are advised to use strong passwords, and to limiting access by IP address as a security precaution to prevent getting pwned.

Cisco have recently released a free iPhone app that allows users to view customised alerts relating to new security threats and other information for safe web browsing.

The iPhone app, which is now available in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular web sites are compromised, as well as links to podcasts and videos.

The Cisco SIO To Go iPhone app gets its information from the company’s Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world.

The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

Download by searching the iPhone app store for “Cisco SIO”.

On Friday, Microsoft confirmed that an unpatched vulnerability exists in Windows 7, but is keeping the issue low key, saying most users may be protected from attack by blocking two ports at the firewall.

The vulnerability was intially reported by researcher Laurent Gaffie last Wednesday, when he disclosed details of the bug, and posted proof-of-concept attack code on his blog.  According to Gaffie, exploiting the flaw completely grinds Windows 7 and Server 2008 R2 to a halt – and the only way to fix is to manually power off the impacted computer. Anyone else tried this yet to confirm?

When this was first publisised, Microsoft only indicated that they were looking into the issue, however it has now been confirmed, as Microsoft acknowledged that a bug in Server Message Block (SMB) a network file and print sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines in a recent security advisory.

Microsoft said it will patch the issue, however haven’t provided details of the timeframe or any commitment to an out-of-cycle update.

The next scheduled patch Tuesday is December 8th 2009.

For now, Microsoft have suggested users block TCP ports 139 and 445. In doing so, this may cause further problems for critical services, including network file sharing and IT group policies.

In Microsoft’s defence, although this is not good news it is worth noting that much fewer issues are being discovered, as compared to the initial days of XP. 

Let’s hope that the Windows 7 product remains as secure as Microsoft have advertised.

If like me, you are hosting your own installation of WordPress for your online blog site, you may have some concerns about keeping your install up-to-date and as secure as possible.

Unfortunately the reality is that there have been a number of serious security vulnerabilities found with WordPress recently, and as a result a number of people have had their web sites hacked, and defaced. I personally know of a number of people who have been directly impacted over the past few months.

As social online media becomes more and more popular, celebs and high profile company executives are often looking to host their own blogs or sites. Additionally the functionality that WordPress and it’s plug-ins can provide has become a very attractive and popular solution, especially when most web hosting companies provide WordPress as a standard offering as part of their hosting service. Hence there are all sorts of WordPress hosted websites which are considered easy pickings and potential targets for hackers who are intent on breaking into and defacing – mainly because they are not managed or maintained from a maintenance / security perspective.

For anyone who is currently hosting their website on WordPress, or for anyone from a corporate or high profile – when it comes to security - you just need to ask yourself two simple questions:

1. Would you be embarrassed if your web site was hacked and / or defaced?

2. If your site was hacked – would it impact your personal brand / reputation or your companies brand / reputation?

Some people may not care, however for the majority most respond with a firm ”YES” – so obviously security is a major consideration for most people out there.

It’s not that hard to protect a WordPress site. It comes back to the process of regularly reviewing and plugging any holes to minimise the potential for a person of malicious intent in findings vulnerabilities to exploit.

WordPress Updates

WordPress have released a number of updates to fix the vulnerabilities found, however like any platform or product that has a large following or user base, there are a lot of bad guys who are focused on finding more holes due to it’s popularity. WordPress as a result have released a number of updates over the last few months.

Check the WordPress web site for further details.

Security Recommendations:

Below are a few key points and recommended plug ins which I’d suggest you follow if you want to protect your WordPress installation:

1. Make sure your WordPress installation is up-to-date, and when a new fix is made available update as soon as possible – obviously making sure you perform a full back up prior to doing so. Vulnerabilities are often found enabling the bad guys to create and use exploits in order to gain access to your web site. By ensuring your version of WordPress is up-to-date, you are minimising the potential vulnerability exposure.

2. Ensure that any WordPress plug-ins are up-to-date also. Same logic as per the point above.

3. I’d recommend that you give some thought as to the WordPress plugins you use, in order to further minimise the potential exposure. Only use plugins that provide additional features if you really really need to use them. e.g. you might have a requirement to remotely administer your site using an additional plug-in via an iPhone. How secure is this functionality and it’s related plug-in? Would it be better to just use the more secure browser based functionality?

4. For any functionality or plug-ins providing user input, ensure you use plug-ins that enable full input validation, blacklisting, IP blocking etc etc. Actively block iFrames which helps minimise the usual techniques applied in the input fields to prevent misuse.  Also ensure you use a spam filter (see plug-ins below) to enable you to review and authorise feedback / comments prior to them appearing on your site… useful if you have friends or colleagues who are security professionals trying to fun-deface your web site!!

5. There are several security related plug-ins which help to minimise the potential security exposure.  I’d highly recommend the following plugins. Note to my colleagues and friends who often try to hack my site – this is not a “complete” list of plug-ins I personally use, but some the core ones that I know, use and recommend to others:

reCAPTCHA Form

Secure WordPress

WordPress Exploit Scanner

WP_reCAPTCHA

WP_SpamFree

WP_Security Scan

There are a few more things you can do to fully protect your WordPress install, including the hosting operating system and database it sits on. I don’t want to bore you with these details, but for those who are serious about security, you are hopefully aware that there’s a bit more that can be done.

Get in touch with me direct via my contact page if you need any further info or advice.

For all you bloggers out there using WordPress on your own hosted site… it’s time to upgrade to WordPress version 2.8.5 to ensure you are protected against a number of security vulnerabilities.

Many of you may be aware of a number of previous security issues with previous versions of WordPress, so is increasingly important to ensure you are running the latest version.

Backup Backup Backup!

One piece of advice if you are upgrading your version of WordPress. Ensure you do backup your entire site, as occasionally there are some problems with the upgrade process – especially if you are running untested plugins, tools or themes.

The autoupgrade seems to work very well for most plugins or WordPress upgrades, however it’s generally better to do it manually and include creating a full backup.

It’s hard to avoid all the hype surrounding today’s release of Windows 7 operating system (however for us Apple fans it’s easy to be distracted by all the new slick looking hardware released yesterday as a ploy to steal some of Microsoft’s thunder).

 

So What Happened to Vista?

Windows 7 is the successor to Vista, the highly unpopular operating system that was panned by critics and users alike. Vista was bloated and processor-intensive, and Microsoft hopes that the leaner footprint of Windows 7 will do much to win over consumers. Windows 7 builds on many of Vista’s best bits, but has been tweaked and refined to make the user experience a more enjoyable and less frustrating one.

So What Are the Windows 7 Security Features Like?

Windows 7 security three main areas that have received a fair amount of media attention – namely BitLocker, DirectAccess,  and AppLocker. With these, as well as other features and enhancements to the UAC (user account control), officials at Microsoft have announced they feel they are pushing out their most secure operating system yet.

Windows 7 is built upon the security foundations in Windows Vista and retains all of the core technologies, such as Firewall, Windows Defender and User Account Control. Some additional features have also been added based on customer / end user feedback.

BitLocker

BitLocker To Go encrypts removable storage devices such as USB drives. With BitLocker To Go, users can restrict access to the data with a pass code, as well as set a policy that requires users to apply BitLocker protection to removable drives before being able to write to them. The feature also provides configurable read-only support for removable devices on older versions of Windows so BitLocker-protected files can be shared.

Analysts are predicting there will be over 1 billion USB flash drives by 2010, with the average USB flash drive holding almost 4GB of data and costing less than $10. The scary part is that, unlike losing a laptop, users rarely seem to report, or sometimes even notice, the loss of a USB flash drive. BitLocker To Go makes your data secure so you don’t have to worry.

One important point is that there is growing concern within law enforcement & government agencies that the encryption features within Windows 7 may make it harder to gather physical “evidence”. It’s hard to successfully convict a child porn peddler or other types of baddies unless there’s some physical proof. This is hard to provide if the files are encrypted!   It’s fair to say that encryption technoloies which can do this have obviously been around for a while, however Windows 7 has brought encryption to the masses.

DirectAccess

Some of the feedback has resulted in “DirectAccess”. Based on IPv6 technology, DirectAccess works alongside Windows Server 2008 R2 to enable users to securely access corporate network resources on the net without a VPN connection. The technology takes advantage of IP Security for encryption and authentication, and integrates with NAP (Network Access Protection) to check for compliance before allowing client computers to connect to internal resources.

More people are working from places other than the office, and accessing corporate network resources securely and maintaining connectivity using remote access solutions, such as VPN, can add complexity and effort. It’s also harder for IT to manage those mobile PCs. DirectAccess is a new feature that helps solve both these issues. Using DirectAccess, workers can easily navigate to intranet sites or internal file shares and access documents from remote locations, without manually establishing a VPN connection.

AppLocker

Enterprises looking to upgrade or switch to Windows 7 can also count AppLocker as a key security feature. AppLocker allows administrators to use Group Policy to specify what applications, installation programs and scripts users can execute. With the Audit Only Enforcement Mode setting, administrators can determine what applications are used in an organization and test rules before deploying them.

AppLocker also introduces publisher rules that are based on an application’s digital signature, which makes it possible to build rules that survive application updates. For example, you could create a rule to ‘allow all versions greater than 9.0 of the program Acrobat Reader to run if it’s signed by the software publisher Adobe.’ In this way, when Adobe [Systems] updates Acrobat, you can safely deploy the application update without having to build another rule for the new version of Acrobat.

Microsoft Vs Apple

 

 

The improvements come as Microsoft—which still holds a large share of the OS market—has been hit with public attacks on its security reputation by Apple, as its Mac OS X is relatively malware-free compared with Windows.

Windows 7 is a definite security improvement over XP and it will definitely decrease the Windows desktop attack surface. But Windows still has to run on an infinite variety of hardware and still has to maintain compatibility with huge numbers of third-party apps—problems the Mac OS really has never had to deal with. So, it might be fair to say that Windows will always have unique security challenges.
So What’s Next?

So when is Windows 8 due for release!!!?

So how many user accounts and passwords do you have? How many passwords do you need to remember for access to your various work and personal related systems?…

The advent of Web 2.0 and the rise of social networking sites and other web services has compelled most of us to create dozens of new online accounts – each requiring a username and a password.

Let’s face it… trying to manage various user ids and passwords can often be a frustrating & sometimes time consuming thing to do. This article looks at some of the common scenarios, related issues & pitfalls, and some tips to help you better manage your passwords.

Not yet another user id & password?!
Many of us have access to multiple systems be it work related, or personal ones such as our online banking & personal finance sites. As an example, just being an employee at  a regular sized company means that you already have a wide range of user accounts and passwords you need to remember and use. There’s your network domain account, email account, time tracking systems, expense systems, HR systems, training systems…. the list goes on and on.

Add to that – your list of personal user accounts and passwords for sites such as LinkedIn, Facebook, Twitter, etc, and you’ve probably got anywhere between 10 to 30 or more user ids and passwords to remember.

Some you may not use very often, and some you might use every day, however in order to successfully gain access to all of these various online systems, you need to use and remember a variety of user accounts and passwords. Add to this a mix of different password complexity requirements, password lengths, lockouts and expiry dates, and we have a fairly complex situation.

Why Can’t I Just Use a short & easy to remember word?
Meet your opponent – the cracker…

 

These bad guys are basically people who use the method of employing various techniques and tools to guess, methodically determine, or otherwise obtain a password to gain unauthorised access to a protected resource. Password cracking was once a very specialised skill, however thanks to tools such as L0phtcrack,or other utilities which can be easily obtained and used to crack office document passwords & Windows operating system passwords, it’s child’s play to do.

Without going into too much detail, these tools use dictionary or brute force guessing to work out what your password is. These days, the tool can do this very quickly, especially if you are using dictionary words – hence why you should avoid using dictionary words, and incorporating symbols and numbers into your passwords. There are many other ways of breaking someone’s password, such as defeating the secret questions and answers as in the Palin example, and lots of ways to help protect against these forms of attack, however let’s park this topic for now, and get back on track to the topic of passwords.

 

The not so secure things to do with your passwords
To simplify the laborious task of remembering our various passwords to different work & personal systems, people often make use of less than secure practices, and do one or more of the following:

Write down their user ids and passwords insecurely. i.e. write down each user id and password on an A4 piece of paper or a single post-it note, and then store this next to the monitor, in their top draw, or within easy arms reach somewhere on their desk. The pieces of paper are often very very easy to find. In a similar way, some people store their user IDs and passwords within text files, or word / excel documents and keep these files on their laptop or desktop’s local hard drive – not quite as bad as handwritten password notes, but again is not very secure.

Use the same password or small handful of passwords across multiple systems. Some people use the same password for their various work systems, but also use the exact same password for their personal accounts such as Gmail, Facebook, Linkedin, banking site, and other online systems. The problem with using the same password for everything is that if it’s compromised and someone finds it, the rest of your identity and system access is at risk.  Not a good situation.

For example if you accidentally disclosed your Gmail password or it was compromised, and you use the same login & password details for other online accounts, such as your Amazon shopping account or worse still your online banking account, thieves could potentially gain access to all of your financial information, & personal information.

 

Making Password Management Easier
There are a variety of ways to help us remember passwords. There are various point solutions available on the internet (such as Keepass & Roboform) which are software solutions for password management, however for now, below are some quick and simple tips relating to passwords, which will hopefully help you create and manage your passwords helping you make them easier to remember without needing to write or store them.

Remembering all your unique passwords with some “generation logic”!
Coming up with a password when setting yourself up with access to a new system, which is both easy to remember and safe – is no easy task. However, you don’t need to remember 100 strong passwords if you have one piece of logic for generating them in the first place.
One way to generate unique passwords is to choose a “master” or “base” strong password, and then apply a piece of logic or rule that mashes it in some form with the service name or web site address you are using:

So it would look something like this:
{your base password} & {sitenamelogic}
For example, say your base password was the following:
M3and&{sitenamerule}
And then the rest of the password could be the first two consonants and first two vowels of the service name you are using, and the month backwards.

So with this particular password rule for example, the Yahoo email password using the above bass password and the yahoo account would be:
M3and&yhao40
And for eBay would be:
M3and&byea40
 

Before you decide on your single base password generation rule, keep in mind that while password requirements are different for each service in terms of length and characters allowed and required, a good guideline is a password at least 8 characters long that includes both letters and numbers. To make a password even more secure – or applicable for services that require special characters – add them around it, like @M3and&byea40!

 

Here’s some additional password memory tips:
Try one or all of these different techniques below to create a secure but memorable password. Note, one problem with rules-based passwords is that some sites have their own password requirements that conflict with your established password, such as “no special characters” or “at least 12 characters in length” or “all numbers/numbers and letters/just alphabetical.” In those cases, somehow you have to remember the exception to your rule for those services:

Use a favorite Song or Phrase
Use the first letters of a favorite phrase or song lyric. For example, if you wanted to use lyrics “It’s a beautiful day” from the the U2 song “A Beautiful Day”, your base password might be “Iabd.” Remembering the password is a matter of humming the song. Then combine this base with some extra information unique to the service you are logging in to.

Connect the first letters
Develop a password using the first letters of a sentence or phrase that means something to you – like your national anthem or a slogan you have seen somewhere. ‘Where the Bloody Hell are you!?’ would become “WtBHay!?”.

 

Pass Phrases
Length can be a huge advantage to memorisation. If your typing is accurate, consider large phrases from a favorite book. Phrases are easy to memorise and can be combined with some easy to remember symbols and / or numbers:
“It was A dark and stormy night! ”
“Houston, we have @ problem!2″
The length of a pass phrase has several advantages:
• The length can provide security even if special symbols are not used. This can help with sites that prevent the use of symbols.
• Make good use of punctuation and capitalization to make a secure pass phrase that complies with common password rules.
• When coming up with a mnemonic sentence, try and make the sentence funny or relevant to yourself. That way you will find it easier to remember the sentence, so you can remember the password.

 

You might combine several of these methods and still come up with a truly memorable yet very strong pass phrase. You might use a favorite quotation, song lyric, or the advertising slogan you despise most (preferably six words long or more) and create an acronym by using the first letter of each word (Where Would You Like To Go Today = wwyltgt).

 

The Most Secure P@55w0rd5!
The most secure passwords contain lowercase letters, capital letters, numbers, AND symbols. This sounds painful, however using the above methods can help make all of your passwords more secure, but easy to remember.
Use one of the above methods to create a password with both letters and numbers, and then hold down the shift key while typing part of it. This helps to create special characters. For example, make a standard of holding down shift for the first four characters, or characters three through seven, or whatever you like. You won’t have to stop and remember where you inserted that pesky exclamation point or whether you replaced the ’s’ with ‘5′ or ‘$’ this time.

 

Additional Password Tips:
• Avoid using the same password for several logins, especially if they involve sensitive financial or other personal information.
• When registering new accounts on websites that ask for your email address, never use the same password as you do for your email account.
• Don’t use common words or dictionary words as your password. These are easy to guess or break with automated password cracking tools.
• When using numbers only, make sure the sequence is completely random and has no importance. It’s best not to use any number that is a matter of record, such as a publically known phone numbers or a date of birth.
• Do not simply combine two or more dictionary words even if you think they are rare. Many password crackers try combinations of dictionary words first.

 

The Future of The Password
This is unfortunately only the tip of the iceberg when it comes to this topic. There are a variety of other issues and considerations when it comes to passwords.

The main point to this article however is to provide you with some easy and cost effective ways of creating and remembering your various passwords.

From here onwards however, the future of the password is an interesting one, and is something which is frequently debated. There are a variety of centralised Single Sign On & Simplified Password solutions out there today, as well as other means of confirming someone’s identity, such as biometrics, voice analysis, and token based authentication options.

There are also a variety of solutions out there which when combined with other security measures help to protect systems and their users (such as “Captcha” & secondary authentication token solutions), however again these are not 100% bullet proof and can still be compromised.

Over the next couple of years, authentication solutions will mature further, and will become a part of a longer term Identity Management Strategy which many enterprises will adopt.

For now, try some of the above tips to help you create stronger but easier to remember passwords.

Apple have released version 3.1.2 of it’s iPhone OSX software – which fixes a number of issues with the 3.1 release.

This release will hopefully finally fix a number of issues with cellular network services, and another problem relating iphone was not waking from sleep, and video crashes.

The update is around 200Mb in size, and can be updated via the usual iTunes update process.

For those of you out there who already have your own Apple iPhone 3G/S, below are a few recommended security tips to help keep your iPhone secure.

 

While Apple continue to promptly fix security flaws that are found and are reported, it is still important that we all do what we can to ensure that our personal iPhone’s are secure.

Unfortunately iPhones do get lost or stolen on a regular basis, and the last thing you would want after losing your much loved phone is for someone to have full access to your email, contacts, and all your other iPhone applications which store / give access to your personal information.

 

Install The latest firmware updates
Unfortunately due to the popularity of the iPhone, people are starting to focus on discovering new security flaws in the device.  By viewing some of the earlier articles on this website, you will see details of vulnerabilities which have been discovered (such as an SMS vulnerability), which Apple have now fixed.

By keeping your device up-to-date you can ensure you are not vulnerable to the security flaws that are discovered. Also Apple continue to add additional security related features and improve the overall security of the iPhone through new firmware releases, so it pays to keep up-to-date.

In order to update your iPhone, you will need to plug your phone into the computer which is synched with your device, so that you can download and install the latest OSX update via iTunes.  Apple released version 3.1 a couple of weeks ago, which everyone should upgrade to asap.

 

Use the Enable “Passcode Lock” feature:

The Auto-Lock feature (Settings -> General -> Auto-Lock) only locks the screen after a preset time of not using the iPhone. The “Passcode Lock” takes this a step further, as you need to enter a four-digit code to get access to the iPhone’s home screen. This will ensure that if someone gets their hands on your iPhone, they won’t be able to access it without knowing your 4 digit passcode.

 

By default, the iPhone doesn’t require you to enter a pass-code to unlock it.  To set a pass-code, open the following menus on the phone:

“Settings“, “General“, “Passcode Lock” and enter a 4-digit pass-code.

See the Apple support pages for more details.

 

Use “Erase Data” Feature

The “Erase Data” feature lets you completely wipe your iPhone after 10 failed pass-code attempts. After six failed attempts, the iPhone locks out users for a minute before another pass-code can be entered. And the device increases the lock-out time following each additional failed attempt – one minute, five minutes, 15 minutes, etc.

Its a nice feature to protect the data on your iPhone if it gets lost or stolen. However, you might want to be careful enabling this feature if you have young children who might get their hands on the phone.

 

“Show SMS Preview” Feature

If you have “Show SMS Preview” enabled, you will see the name of the sender and the first few words of the text message when you get the text message when iPhone’s screen is locked.

 

If you are concerned about privacy then you can disable it.  With Show SMS Preview disabled you will only get a generic “New Text Message”.

 

Using Wi-Fi safely on the iPhone:

One of the best things about the iPhone is Wi-Fi support, so you can connect to hi-speed Wi-Fi whenever it is available.

 

To ensure that you don’t unknowingly connect to any open (unsecure) Wi-Fi networks while on the go, you should enable the iPhone’s “Ask to Join Networks” function. This is enabled by default (Settings -> Wi-Fi -> Ask to Join Networks).

 

Summary

The points above are just a small selection of tips relating to securing your iPhone. Unfortunately there are known ways to get around some of the security features of the iPhone, however for the average punter, most won’t know (or want to know) about these techniques and therefore the above tips will offer an adequate level of protection.

Read on if you have a Propeller head – RedSn0w or PwnageTool 3.1

Lastly for those of a technical nature who do know what “Redsn0w” and “Cydia” are please read on…

 

 

For those who have jailbroken their much loved iPhone, there’s a few things you need to consider:

The first is to ensure you change the default password of your Jailbroken iPhone, and ensure that you lock down SSH or any other transfer protocols or apps you may have installed.

e.g. normally the root password for a jailbroken phone is “alpine”, and is therefore extremely critical to change the password as if you decide to ignore the tip on connecting to only secure Wi-Fi networks and connect to an open non-secure Wi-Fi network, as it exposes you to a security risk where a person with malicious intent could get access to your iPhone using the default password without your knowledge.

The majority of you who do your banking or finances online will already be familiar with two factor authentication – such as the use of RSA tokens, SMS one time codes, in conjunction with your user id and passwords.  This article helps to raise awareness of two factor & its uses, some of the pitfalls, and a high level sneak peek about where the technology is heading.

Back To Basics – So What Is Two Factor Anyway?

Authentication is all about verifying the identity of a person or entity using a piece of information (e.g a password). “Two-factor” authentication (T-FA) is where two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. e.g. using a username & password in conjunction with an RSA token, or SMS code.

So what two factor solutions are currently in use, and why isn’t it used everywhere?
There are a number of two factor solutions widely in use for a number of industries. Most corporates & large enterprises often deploy two factor to ensure adequate protection for access to their systems for staff / customers.

Hardware Based Tokens
Examples of this are the use of RSA tokens for VPN access, whereby the two-factor authentication is based on something you know (your password or PIN) and something you have (the token an authenticator) providing a much more reliable level of user authentication than reusable passwords.

Tokens are often provided to high net worth customers, for people who perform large financial transactions, or for people who want assurance that their account has a better level of security protection.

SMS One Time Passwords
The majority of banks currently make use of SMS verification codes in order to validate a persons identity prior to completing a transaction. SMS one time verification codes are a highly effective but convenient (and relatively cheap) authentication system requiring single-use passwords to authorise certain banking activities / transactions. The single-use password is sent to the users mobile phone via an SMS message and only remains valid for a short time frame (e.g. Commbank’s implementation only keeps the SMS valid for 30 seconds).

So are there issues with the current two factor solutions That Are In Use?
Most technology is unfortunately not 100% bullet proof. People spend a lot of time finding technical vulnerabilities or ways in which to circumvent controls put in place. Even hardware based tokens are not 100% rock solid.

The most talked about issues recently are around the use of SMS as a second form of authentication. Unfortunately it is still fairly easy (due to poor regulations in the telco industry currently) to steal somebody else’s mobile phone number, by porting the same number to a different carrier & physical handset – so that the bad guy receives any SMS verification messages sent to that number, rather than the legitimate mobile phone owner. All that is needed for a successful mobile phone port is basic customer information – which can normally be obtained through “phishing”, which glean the customers account numbers also.

So Will Things Change?
The big telcos aren’t really going to move fast to fix up mobile phone porting regulation, as there’s nothing in it for them. The banks are losing money via this form of fraud, but probably not enough yet for them to consider spending lots of money on a different solution. A couple of the Australian banks have only just moved to SMS verification in the past year or so as a form of authentication, so they’re not too keen to move to another solution for now. The majority are also looking at smarter ways of two factor implementation in order to improve customer experience as well as keeping costs and fraud to a minimum. So as an example – rather than using SMS or hardware tokens for transactions over a certain value limit, some of the banks use two factor instead for setting up a new payee only.

Why Aren’t Two Factor Solutions More Widespread?
Basically there are three key considerations. The first is ease of use, secondly is the value of the asset that is being protected, and the third is cost of the solution to protect it. It’s all about balancing these factors, and as a result some businesses choose not to deploy second factor solutions for certain situations / customers.

So Where Is Two Factor Technology Heading In the Finacial Industry Space?
Apart from banks and financial companies getting smarter about how they use and implement these types of two factor, there are some changes in this space thanks to technology advancements.

There are a variety of newer and stronger hardware based tokens – some which require the end user to type in a code into the device before being given a response to provide in an online authentication process. Other advancements are hardware based tokens, EMUE integrated credit card chips, as well as soft-token applications running on smart phones.

RSA and other vendors are starting to provide their token solution as an iPhone application. Obviously financial institutions want to use something that can be widely and cheaply used by their customer base, so the take up on this will probably be slow initially.

Voice Biometrics
The big technology advancement in the two factor space is “Voice biometrics”. You may already be familiar with automated customer call centres, which use voice biometrics to confirm the reason for your call.

This enables you to be put you through to the most appropriate part of the business – resulting in a better customer experience & lower business costs. The technology is now capable of a lot more than that, as it can be used for authentication purposes also. It’s so advanced that the technology is highly accurate, and can even detect when a caller is under duress. NAB recently implemented this technology for part of its customer call centre.

A number of other companies are now moving into the voice biometrics game – so watch this space.