Are we really safe?
Ubiquity, usability, and ease of use – this is what we expect from various online services and mobile apps providers today.
Numerous spheres of our everyday life are increasingly being moved to cyberspace. It is almost a parallel reality in which 50% of the population already lives. Similarly, the development of mobile technology has made us more and more connected to the Web. With the surge in mobile app use, apps now account for 86% of the time we spend online. Fast access to all kinds of services is supposed to make our lives easier and save us time.
However, online services have always faced an eternal dilemma: the right balance between the security of end-users and the ease of use. Can Internet-based services be easy and secure at the same time? As we know, additional layers of security require extra authentication methods, external devices, more codes, and then even more passwords, and so on. Therefore, the security level of our online activities is frequently lowered to a minimum in order to deliver a satisfactory user experience when navigating through online services and applications. This raises a legitimate question: are we safe in this “easily accessible” virtual world? And the answer is simply: NO.
In its 2016 cybercrime report, RSA noted that 45% of all online transactions in 2015 were made via mobile channels, whereas 61% of attack attempts were made using mobile devices. Additionally, the report mentioned a tremendous 173% increase in such attacks between 2013 and 2015.
For a long time, we have been focusing on the use of the technology and the ease of access that it offers. Unfortunately, the security factor is still very much neglected, both by those who design systems and by their end-users. Many users of online banking services put the ease of use above security. They seem to care more about fast access to the service than about the security of their private data or money. There are many reasons for that, but one of the most obvious ones is that we do not see the direct threat until:
– access to our e-mail account holding valuable private or business information is taken over by cybercriminals;
– our identity and personal data are put up on sale on the DarkWeb;
– our identity is used for money laundering and other illegal transactions;
– our money is stolen from bank accounts, ATMs, or credit cards;
– our intellectual property and confidential business information are taken over by competitors.
However, none of the above seems to concern most of us. We think that the probability of such an event happening to us is low, or that the resulting costs are negligible. We could not be more wrong. These events are not only possible but probable, every single day, because access to all our information and data is “protected” by the weakest possible system: the username and password. On top of that, online transactions are confirmed by other compromised systems: SMS and hardware-token verification mechanisms.
“Wait a minute! But everybody uses that system. Why should we use anything else if our existing systems work fine and have been around for years?” Or even worse: “Why should we change a system that our users are used to?” Yes, everybody either uses or is accustomed to a popular yet broken and highly vulnerable “protection” system.
Taking over usernames and passwords to gain access to user accounts is very easy. Users behave recklessly, saving their passwords in browsers or in spreadsheets stored on their hard drives. Both locations are among the prime targets of hacking attacks. Almost every day brings breaking news about another credential theft or a compromised login system. One of the biggest breaches so far has been the Yahoo account hack, in which 500 million user credentials were stolen.
Michael Chertoff, former secretary of the U.S. Homeland Security Department, has recently very precisely pointed out where the problem lies: “A closer examination of major breaches reveals a common theme: In every “major headline” breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.” So are all the systems and services that are “protected” by usernames and passwords.
Building complex data protection mechanisms, equipped with the latest antivirus software, firewalls, hack detection and monitoring systems, password aggregators, or second-factor authenticators, makes little sense if the data is still accessible by relying on “the weakest link”. Password aggregators are much easier to use than passwords. But the problem is that they are still… password aggregators. It is quite likely that while you are reading this text, another 1,800 credentials have just been stolen, so the issue should be taken seriously.
This also concerns transaction authorisation systems based on SMS, tokens, or FOBs. The common denominator of all the above-mentioned mechanisms is a naive faith in their protective role and security. When the systems using SMS as a payment confirmation were designed, the present technology that allows this communication channel to be hacked was not even dreamed of. SMS was not meant to be secure. It was designed to be popular. In September 2016, NIST issued a negative recommendation for SMS as an authentication method. SMS has been officially deemed “compromised”.
On the other hand, we have recently witnessed a boom in the popularity of a new cybersecurity solution that has been widely hailed as a virtually universal cure for the “password problem” – biometrics.
Despite the enormous effort put into the development of this technology in the service of cybersecurity, many of the proposed solutions unfortunately seem to be little more than marketing gadgets. Biometrics is another fast and easy fix that is supposed to replace usernames and passwords: a fancy selfie, a fingerprint, or an iris scan that, again, creates an illusory sense of protection. But it will not guarantee full user safety. While the accuracy of these systems is one problem, the storage of biometric credentials is another. And there are further issues as well. Certainly, biometrics is safer than traditional technologies that use usernames and passwords, but only until the biometric data is taken over by cybercriminals.
When this happens, the user loses the ability to use that biometric forever, as did the 5.6 million US federal employees whose credentials (including biometric information) were stolen by cybercriminals. The incident has had an immediate life-threatening impact on many secret agents, who can now be easily identified by their biometric information even after they have been given new identities, including new first names and surnames. While stolen usernames and passwords can be changed, fingerprints or eyeballs cannot.
This may happen to any of us and, therefore, we need to focus on and look for real, highly secure protection of our credentials, data, money, and intellectual property.
Fortunately, there is a solution to all those problems. Our Krakow-based company Cyberus Labs has recently rolled out a highly innovative, passwordless login system called CYBERUS KEY. The system delivers something that until now was impossible to combine: ease of use and high-level security. CYBERUS KEY is a login and authentication platform that may be used for many different online services, including e-commerce, fintech, banking and financial services, online media platforms, and e-healthcare. The core of the CYBERUS KEY solution is a one-time password based on the unbreakable One-Time Pad system, also called the Vernam cipher, whose security was proven by Claude Shannon of MIT. Additionally, CYBERUS KEY uses out-of-band communication to prevent “man in the middle” attacks and the interception of transaction confirmation details.
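The paragraph above leans on the one-time pad being "unbreakable". That guarantee holds only under strict conditions: the pad is truly random, at least as long as the message, shared secretly in advance, and used exactly once. The following added example (written for this page, not Cyberus Labs' code, and saying nothing about how CYBERUS KEY itself is built) shows the Vernam cipher as plain XOR, Shannon's perfect-secrecy argument in one function, a pad store that enforces the "one-time" rule, and the well-known reason that rule exists: reusing a pad cancels it out. All function names and the sample transaction strings are constructed for the example.

```python
"""One-time pad (Vernam cipher) worked example: XOR with a random pad that is
as long as the message and consumed exactly once."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Pad material must come from a cryptographically secure RNG, never random.random()."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad; the pad must cover the whole message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(plaintext, pad[: len(plaintext)])


# Decryption is the same operation, since (p XOR k) XOR k == p.
otp_decrypt = otp_encrypt


def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """Shannon's perfect-secrecy argument: for ANY candidate plaintext of the right
    length there is a pad mapping it to this ciphertext, so the ciphertext alone
    tells an observer nothing about which message was actually sent."""
    return xor_bytes(ciphertext, candidate)


class PadStore:
    """Hands out pad bytes exactly once and refuses to serve them twice."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._offset = 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._pad):
            raise RuntimeError("pad exhausted: fresh pad material must be shared first")
        chunk = self._pad[self._offset : self._offset + n]
        self._offset += n
        return chunk

    def remaining(self) -> int:
        return len(self._pad) - self._offset


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why 'one-time' matters: two ciphertexts under the same pad XOR to p1 XOR p2,
    the pad cancels and the relation between the messages is exposed."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    """Run the flow on constructed sample data and return checkable results."""
    msg = b"confirm transfer 100 EUR"   # constructed sample, 24 bytes
    msg2 = b"confirm transfer 999 EUR"  # constructed sample, 24 bytes
    store = PadStore(generate_pad(64))  # enough pad for two messages plus 16 spare bytes
    pad = store.take(len(msg))
    ct = otp_encrypt(msg, pad)
    ct2 = otp_encrypt(msg2, store.take(len(msg2)))  # correct: fresh pad slice
    ct2_reused = otp_encrypt(msg2, pad)             # misuse: same pad again
    alt = b"deny transfer 100 EUR   "               # another 24-byte candidate plaintext
    return {
        "roundtrip_ok": otp_decrypt(ct, pad) == msg,
        "fresh_pads_hide_relation": xor_bytes(ct, ct2) != xor_bytes(msg, msg2),
        "reuse_leaks_p1_xor_p2": reuse_leak(ct, ct2_reused) == xor_bytes(msg, msg2),
        "any_plaintext_is_consistent": otp_decrypt(ct, pad_that_explains(ct, alt)) == alt,
        "pad_left": store.remaining(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical cost of the scheme is visible in `PadStore`: every message consumes pad material that both sides must already share and that can never be reused, which is why the hard part of any OTP-based product is secure distribution and one-time consumption of the pad, not the XOR itself.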
The system is both fast AND secure. It also does not require usernames, passwords, SMS, tokens, FOBs, etc. Among the other unique features of CYBERUS KEY is guaranteed credential protection. This solution ensures that user login details will never be intercepted by cybercriminals, as our system does not transmit any actionable user credentials during the login process. Another feature is that our system identifies both sides of the online transaction: an authorised user AND a legitimate website or online service. This allows CYBERUS KEY to eliminate cyber threats such as phishing and “man in the middle” attacks.
CYBERUS KEY is a cutting-edge solution that lets users forget about remembering passwords. It is the future of login and online transaction confirmation systems that are both easy and secure.