Target hack investigation looks at vendor ID credentials

Target: Cybercrooks used stolen vendor ID to hack into system (Star Tribune)

Target Corp. said Wednesday that the huge data breach it suffered late last year happened after an intruder stole a vendor’s credentials and used them to gain access to the company’s computer system.

A Target spokeswoman wouldn’t identify the vendor or type of credentials because the retailer is in the midst of forensic and criminal investigations into the malware attack, where cybercrooks hijacked debit and credit card information from up to 110 million people.

I guess it’s a start

“password” is no longer the most popular password on the internet.

The 25 most common passwords of 2013 (CBS News)

According to password management company SplashData, the top three passwords of the year are “123456,” “password” and “12345678.” The top three passwords haven’t changed, but “123456” and “password” swapped places from last year. The company’s list of the “25 worst passwords of the year” was compiled using data that hackers have posted online, which are said to be stolen passwords.

I’m thinking of a number…

Affordable brainwave sensors could make typed passwords obsolete (The Verge)

The last hurdle involved determining what specific mental tasks would be best-suited to this type of authentication — the team wanted the interaction to be as user-friendly as possible. To find the most suitable tasks, the team measured the brainwaves of test subjects performing seven different mental activities to authenticate their identity. Research showed that the best tasks for this setup were ones that users didn’t mind repeating on a daily basis — the tasks need to be easy, but not too boring.

Interesting sort of behavioral biometric of the brain.

Coopetition: Biometrics and Passwords

Startup Prepares Alternative to Online, Mobile Banking Passwords (American Banker)

As banks struggle to move past passwords, a Silicon Valley startup is taking a stab at a fingerprint and facial recognition standard backed by some heavy hitters — PayPal and Lenovo among them.

Despite hopeful initiatives, demise of passwords years away (CSO)

Security pros have been saying for years that password protection is not enough. And this week, two groups — one private, one public — announced initiatives to create more secure ways to authenticate identities online.

Several security experts, who would love to see passwords retired, said they will be watching those initiatives with interest, but don’t expect mainstream change for at least the next several years.

Passwords are the ID management security method everyone loves to hate. So why are they still everywhere? Why is their number growing without signs of slowing?

In their paper A Research Agenda Acknowledging the Persistence of Passwords, Cormac Herley and Paul C. van Oorschot tell us why.

Passwords, though unloved, deserve some words of praise. They have brought us this far: they are the means by which two billion Internet users access email, banking, social networking and other services. They are essentially free from the service provider viewpoint, and are readily understood by users. They allow instantaneous account setup. Revocation is as simple as changing the password. Those who forget their passwords can be emailed either reset links or the passwords themselves (this practice, though insecure, is common for low-value sites). All of this is automated and instantaneous. They allow access to one’s accounts from anywhere in the world assuming nothing more than a simple browser. Sophisticated users can protect themselves from many of the threats.

The part about them being essentially free requires qualification (which the authors offer), but that’s a pretty impressive list.

So it’s a good thing for us in the biometrics business that biometrics don’t need to supplant the password altogether. For the moment, biometrics can’t compete on cost to root passwords out everywhere. But I’d like to discuss two instances (there are more) where biometrics can and should be used to limit the risks organizations expose themselves to by over-reliance upon passwords.

Databases of customer information should be biometrically protected.
From an organizational point of view, for many, many service providers, allowing customers and users to protect their individual accounts with passwords exposes the organization as a whole to minimal risk. Some relatively predictable number of users who use passwords will choose poor passwords, and some will fall victim to phishing scams. If the costs of sorting these cases out are less than the costs associated with burdening all users with more onerous security protocols, then the password is the appropriate solution.

But at some point, all databases of user/customer information should be protected with biometric access control methods because, while having occasional users pick weak passwords or get tricked into giving them away is one thing, hackers making off with the entire database of user/password information is something else altogether. Requiring biometric verification of all human database administrator logins would go a long way toward lowering the biggest risk of passwords: their wholesale theft.

In many ways the admin level is the perfect point to introduce these more rigorous security protocols. There aren’t (or shouldn’t be) too many admins, so the inconvenience falls on as few individuals as possible. Admins are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It’s their responsibility to keep the keys of the kingdom. Perhaps most compelling, they’re the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.

Biometrics can also be used to overcome some of the limitations of passwords in more mundane password use models.
Biometrics can facilitate the use of more complex passwords that change more frequently and hence are more secure. [See the laptop fingerprint sensor (i.e. biometrics to control a password management application).]

In higher-value authentications, biometrics can also be used as a way to return the password to the simplicity of the PIN. For example: a fingerprint scan associated with a weak password such as a 4-digit PIN provides far stronger authentication than any password a human could be expected to type*. In other words, biometrics can be combined with rudimentary passwords to bring an end to the “password arms race,” where the main coping strategy has been longer, more complex and more frequently changing passwords — i.e. the real reasons people tire of the humble workhorse of the ID game. So instead of replacing the password, biometrics might one day be used as a way to salvage what makes it great while minimizing the frustrations associated with over-reliance upon it.

*This type of model also has virtues regarding the irrevocability of biometric identifiers, a discussion of which is beyond the scope of this post.

The future of online user authentication

7 Reasons Passwords Are Doomed – Finally (ReadWrite Enterprise)

Passwords control your life. From accessing work email and stock prices on the go to checking a grocery store shopping list, passwords have become the primary source of identifying who you are. They are arguably more important than your driver’s license.

But with that ubiquity comes risk – this tiny, yet powerful device contains enough information to expose your financial or health records and other personal details. From an enterprise perspective, the risks are just as great, if not greater.

Ubiquity also creates confusion. On average, password reset requests make up 10% – 30% of all IT helpdesk calls. It’s a productivity black hole.

Granted, despite their problems, passwords have shown incredible staying power. But here are seven reasons why they will finally fade away.

The reasons Toby Rush, EyeVerify CEO, gives for the decline of the password as a human authentication method are good ones.

Humans, however, aren’t the only things that must identify themselves to IT infrastructure. Computers have to do it too. For that reason, it’s hard to foresee the extinction of the password but that might not matter much. Long passwords don’t bother computers nearly as much as they bother people.

Strange and Unintended Brain-Computer Interface Applications

You shouldn’t believe everything you read in a headline. I’ve supplied one above that is far more accurate but far less alarming than the one provided by the original story below.

Scientists Successfully ‘Hack’ Brain To Obtain Private Data (CBS – Seattle, WA)

The scientists took an off-the-shelf Emotiv brain-computer interface, a device that costs around $299, which allows users to interact with their computers by thought.

The scientists then sat their subjects in front of a computer screen and showed them images of banks, people, and PIN numbers. They then tracked the readings coming off of the brain, specifically the P300 signal.

The P300 signal is typically given off when a person recognizes something meaningful, such as someone or something they interact with on a regular basis.

Scientists that conducted the experiment found they could reduce the randomness of the images by 15 to 40 percent, giving them a better chance of guessing the correct answer.

The case the author wants to make is way overstated, which is too bad because the topic is very interesting without overhyping it.

The controversial part of what the story describes (quoted above) is sort of a half-way house between the hack vs. con discussion. I guess in the distant future, people will have to be more wary of street-corner magicians and psychologists, but the PIN probably isn’t going anywhere any time soon.

This may be for a future post, but I suspect that due to biometrics the PIN will become more common as complex passwords become more rare, even in the presence of brain-computer-interface-wielding mountebanks.