Category Archives: Consumer Security

Ten Things Companies Get Wrong About CIAM

Customer Identity and Access Management (CIAM) is a core component of creating your digital user experience. If you are unfamiliar with Customer Identity and Access Management, it is the process by which companies grant their customers access to their digital assets (such as websites, mobile apps, and even chatbots) and control what those customers can access. The idea is to ensure the right person or process has access to the right applications and information at the right time while being risk- and context-aware. In a previous role, I was responsible for a complete CIAM modernization at a large bank. More recently, I modernized an entire IAM system for the premier identity company. In both cases, my guiding ...


Protect Yourself and Freeze Your Credit

Breaches are never-ending, and if you have not already put freezes on your credit reports, make a late New Year’s resolution and do it now. There are a couple of steps you will need to take for each of the four bureaus (yes, four). Before you freeze, get in the habit of requesting your report annually. Some bureaus partner with apps you can use as well (such as Credit Karma and Credit Sesame) that are free to download and set up. You want to make sure nobody opened a line of credit in your name without you knowing. One thing you need to know about freezing your credit report is that any time you take an action that requires a hard inquiry, ...


Preventing Account Takeover: Enable MFA!

Welcome to October, where we celebrate National Cybersecurity Awareness Month! In a previous job, we would host a Cybersecurity Expo and learn together. Last year, I presented a version of this presentation to a large audience with representation across the business (not just IT folks), and I wanted to make a version of it that could be consumed anywhere. This all came out of a conversation with a former consultant who made it her personal crusade to get everyone she knows to turn on some form of MFA for their Gmail accounts. Just think about all the information someone could learn about you from your email. From there, I wrote this post that urges you to disable SMS and use ...


Proofpoint Patches URL Sandbox Bypass Bug

Or, how a travel website’s newsletter clued me in to a huge security gap in a popular email protection service. tl;dr: I discovered that URLs of sufficient length (over 770 characters) would bypass Proofpoint’s URLDefense service, leaving the original link untouched and allowing malicious links directly into users’ email inboxes. Proofpoint let me know this week that they have finally patched all the instances of their service that had this particular bug, so it’s time to disclose how I discovered it. Many of you know I switched my personal email protection away from Postini/Google Apps for Business to modusCloud by Vircom. My users and I are 100% satisfied with the service! One of the technologies powering Vircom is Proofpoint Essentials, and one ...


Pushing Vendors to Abandon SMS

SMS-based authentication continues to be a great way to placate a user into thinking they are safe while creating an avenue for attackers to gain access to their accounts. Fabio Assolini and Andre Tenreiro from Kaspersky published research that puts numbers on the fraud losses from these threats. SIM swaps cost criminals $10-15 per SIM, with gains from fraud being over $1,000. That’s a good return on investment. It’s why I’ve become a huge fan of U2F and other non-SMS authenticators (see my guide here). Companies like Yubico have made real multi-factor authentication doable for the masses with zero client-side infrastructure. Major companies like Google and Facebook are leading the charge to remove SMS-based authentication and account recovery options by allowing users ...


Ditch SMS for True Second-Factor Authentication

At one point, getting a text message with a code seemed like a great way to provide more identity and authentication assurance. Phone networks are out of band from email, the cost of sending the message is relatively low, and few people are without a cell phone these days. As it gained popularity, SMS-based authentication got the attention of cyber criminals, and they soon exposed a number of high- and low-tech attacks that make SMS authentication unreliable. I’ve been on a kick to turn on any second-factor authentication option possible in every site/service that I use. Lately, however, I’m switching to real second-factor options that include apps, U2F, or other methods. To that end, I recently published an article that ...


No Need to Sign

If you went shopping on Sunday and happened to notice that a signature was not required for your credit card purchase, that wasn’t an April Fools’ joke. Back in December and January, the major payment networks all announced they were dropping the signature requirement. Even MORE time saved when paying for things! I’m sure many of you are like me in that you didn’t even put your actual signature on those papers or electronic signature capture devices. The only time I have been serious about it is when I travel abroad. Those cashiers are very good at matching your signature to what is signed on the back of the card. ...


What’s the craic on KRACK?

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, expose a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time, like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that in some cases cannot be upgraded. Just like Shellshock and Heartbleed, the only way to ...


Equifax is only half the problem; your SSN needs a redesign!

The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government and open lines of credit, and it serves as the unique ID for a taxpayer. It’s effectively your financial and governmental digital footprint identifier against which all actions are compared. Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit. Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a Social Security Number. Like ...


More EMV Bypass Fun

So I’m sitting here in San Diego, which we all know is German for… never mind. As I pay for my lunch, I present my chip card and there is some kind of error. I know I entered my PIN correctly, but it immediately came back as failed. The bartender taught me a neat trick that I am sure we all need to be aware of, as people capture magstripes and write them to new cards. “Oh, no problem bypassing that. Just turn the card around and insert it, it will fail, and you can swipe!” The Verifone VX-675 terminal this place used detected that a card was inserted without a valid chip read and immediately told me to ...
