Is Your Corporate Data as Secured as Your Own?

By DynaPass Inc. on March 11th, 2016

DynaPass Inc. is a provider of out-of-band two factor authentication online security solutions via a mobile phone.


Two Factor Authentication (2FA) has become an increasingly common tool over the last few years. As the number of cybercrimes continues to grow at an alarming rate, media attention to the topic has grown as well. For the most part, the press has treated cybercrime much the same way it treats everything else, with sensationalist/alarmist reporting, while never really hitting the heart of the topic. Everywhere you look on the internet or even in physical media, articles advise us to opt in to 2FA whenever it’s available. The missing piece of advice is encouraging not just the end users, but companies and organizations, to make 2FA available. When an individual uses 2FA, while great, it is protection for only a single set of data on a single site. When an enterprise implements a total 2FA integration, not only does it offer this significantly stronger level of log-in authentication to every single one of its users, it also protects its finances, sensitive data, and reputation.

Recent years have seen a drastic increase in the use of compromised login credentials for everything from basic online purchase fraud to the largest of data breaches, and it’s only getting worse. According to the San Diego, California based Identity Theft Resource Center, 2015 has seen the confirmed exposure of over 175 million data sets in the United States alone. Those 175 million are a bare minimum; any decent report will show that there are many more companies that experience data breaches but never release their numbers to the public.

While some of these data sets may not include login credentials, many of them do. And as any internet search will show, there are a multitude of studies that demonstrate how common it is for people to re-use their username and password combinations across multiple sites. Criminals have adapted to this landscape. The availability of so many credentials has turned online fraud into an amateur’s game. Almost anyone with a criminal inclination and a little bit of patience can get a hold of and attempt to use these credentials across any number of websites. By adding a modicum of technique, this can be done in a way that is extraordinarily difficult to detect and almost impossible to prevent. With this in mind, every single username and password combination of your userbase can be seen as a potential fraud risk. DynaPass two-factor authentication puts up an immediate roadblock to these kinds of threats. Even if criminals manage to find a set of working credentials, without the one-time use password sent directly to the user’s phone, the credentials only serve to alert the user that there was an unauthorized access attempt. It’s good for individual users, it’s great for companies.

Beyond the benefits of utilizing two-factor authentication for customer logins, 2FA used in a company’s IT infrastructure can provide protection for all its data, and based on recent history, potentially prevent devastating data breaches. According to studies such as Verizon’s 2015 Data Breach Investigation Report, compromised credentials have become the most commonly exploited point of attack in data breaches. Anthem, eBay, the US Office of Personnel Management, JP Morgan: all of these major breaches involved stolen user credentials. JP Morgan was missing 2FA on a single server which the criminals managed to exploit and leverage into high level access to the rest of their system. With two-factor authentication, those stolen credentials would have dead-ended as soon as they came to the passwords sent to the legitimate users’ mobile phones.

Both sales fraud and data breaches are potentially devastating to your bottom line. While the losses from fraud are fairly straightforward, financial losses from data breaches are more complicated to quantify. The 2015 Cost of Data Breach Study (United States) from IBM and the Ponemon Institute puts the average cost of each record stolen in a data breach at $217, while other studies such as the 2015 Cyber Claims Study by Net Diligence calculate that number to be as high as $964 per record. Is your cyber security up to the task?

Over 600 Data Breaches this Year, Has Your Password Been Compromised?

By DynaPass Inc. on October 26th, 2015



2014 saw a record number of data breaches, the United States alone having experienced 783 breaches with over 85 million confirmed record exposures according to the San Diego, California based Identity Theft Resource Center. If that was not bad enough, between January and October of this year, the U.S. has been plagued by more than 600 reported data breaches and the confirmed exposure of over 175 million records. How certain are you that your log-in credentials are safe?

In an effort to get the public to recognize the importance of cyber-security, the Department of Homeland Security and President Obama went out of their way to designate October as National Cyber Security Awareness Month in an attempt to get the public to acknowledge the threat posed by cyber criminals. It’s not just the genius hacker types that we need to be concerned about. According to the FBI’s Blog “sometimes using the least sophisticated means necessary cyber criminals can obtain passwords”. How many of your own passwords could be easily guessed based on your interests or significant dates in your life? How many of your different accounts use the same or similar passwords that could cause one compromised password to snowball out of control? One example of a readily available cybercrime tool is a keystroke logger, a piece of software that will run in the background of your computer and log all your keystrokes to send back to the criminal. With a log of all your keystrokes, criminals can easily figure out your passwords. Keep in mind, this is just one of many similarly easy ways by which criminals may discover your passwords. If passwords aren’t secure anymore, what are we supposed to do to protect our data?

The FBI’s first advisory post for National Cyber Security Awareness Month put it quite clearly, “it is important to add another level of protection between the cyber criminal and you…Two Factor Authentication adds that 2nd layer of protection.” Two Factor Authentication, or 2FA, is a technology that increases security by incorporating requirements beyond something you know (your password). The second factor of authentication can be any number of things, a biometric test, a physical security token, your physical location data, or even something as easy as a secondary password sent to your mobile phone. At first glance it may seem that many of these 2FA options are equal. However, the real world truth is that the cost of setup and maintenance of hardware for biometrics and security tokens can be prohibitive, while physical location requirements just may not be feasible for many applications. These issues can make implementing two-factor authentication a daunting task.

DynaPass’ patented method provides 2FA by utilizing users’ mobile phones to send them a one-time use password via text message. By leveraging something so commonly used as a text message, DynaPass can increase your authentication confidence without adding maintenance costs or unnecessary complications to workflow.

5 Tips for Cyber Security

In the spirit of National Cyber Security Awareness month, we have provided a few tips to keep you safe online.

1. Think before you click. Healthy suspicion and being a bit skeptical will go far in keeping you secure.
2. Use a well-documented, reliable security suite. Good anti-virus software and browser/network security are essential.
3. Keep your software updated. Updates often include security upgrades that close newly discovered weaknesses.
4. Use strong passwords and avoid using the same password across different sites. Your best option is a long and seemingly random string of characters. Password managers can help you keep different passwords in order.
5. And always remember, if two-factor authentication is available, make sure that you have it enabled.

Multi-Factor Authentication Market To Grow 17.3% Year Over Year, Worth $5.45 Billion by 2017

By David Tran on December 11th, 2012

According to a recent multi-factor authentication market research study published by MarketsandMarkets.com, the multi-factor authentication market is expected to reach $5.45 billion by 2017.  It is estimated that between 2012 and 2017, the year over year growth rate of the multi-factor authentication market will be 17.3%.  A key factor contributing to the fast growth of the multi-factor authentication market is the rising number of regulatory compliance requirements.  The global multi-factor authentication market has also seen significant growth in the popularity of phone based authentication solutions.

Phone based authentication solutions such as DynaPass’ two factor authentication solution are growing in popularity because they are easy to implement, cost efficient, reliable, and most of all secure. Since mobile phones are owned by over 85% of the U.S. population, users implementing phone based two factor authentication do not need additional hardware besides a mobile phone and there is no need to install software on their computer or phone. Two-factor authentication, also called strong authentication, is a federally mandated method for user authentication when protecting sensitive information in industries such as finance, education, and healthcare.

For example, last year the FFIEC supplemental guidance outlined the blueprint for the security levels that financial institutions need to combat fraud and succeed in the competitive banking environment. At the core of those requirements is customer authentication. The guidance doesn’t outline a single type of authentication solution across all channels, but multiple security tools that give all channels true multiple layers of authentication, whether customers pay online or request bank transactions over the telephone. DynaPass’ phone based two factor authentication allows users to receive a one-time password via SMS text message to their mobile phone to authenticate them. This satisfies the “something you have” category, an essential component of the FFIEC’s multi-factor authentication paradigm that requires banks to have at least two of the categories for customer authentication, including: “something you know” (password, pin number), “something you are” (fingerprint, DNA, retinal pattern), and “something you have” (ID, ATM card, security token, mobile phone).

According to research firm Frost & Sullivan, people using mobile banking services will increase from 12 million in 2009 to 45 million by 2014.  This means that financial institutions operating without a secured environment will not be able to keep their customers who will move over to their competitors that have security features such as DynaPass’ phone based two-factor authentication.

The two-factor authentication model covers almost 90% of the market for multi-factor authentication, and three-, four-, and five-factor authentication models are less used when compared to two-factor authentication. The multi-factor authentication market is spreading across all industries where security is a concern. Currently, America is the biggest multi-factor authentication market with Europe and APAC following behind. Phone based two-factor authentication is the security method of choice for many users and will continue to be since it is easily deployable, cost efficient, and effective.

Intel Confirms Acquisition of A Biometrics Company IDesia, But Is It Worth It?

By David Tran on October 10th, 2012

Intel has just acquired biometrics company IDesia, a medical devices company based out of Israel for several million dollars.  IDesia develops heart-based biometric technology that authenticates users by using electrical signals generated by the heartbeat and allows computers, mobile phones, gadgets and electronic devices to recognize these heartbeat signals.  The company previously raised $7 million from Partech International and Aladdin Knowledge Systems which is now a unit of SafeNet.  Gidi Barak, Chairman of IDesia, has also sold other companies to Intel.  In 2004, Barak sold Envara to Intel for $40 million and in 1999 he sold DSP Communications to Intel for $1.6 billion.

Biometrics has long been used as a way to authenticate users, but there are concerns that technologies such as face recognition and fingerprint readers can be easily manipulated. Intel is hoping that monitoring heart beats is a more advanced and secure way to recognize users. IDesia uses electronic signals, also called electro biodynamic signatures, generated by the heartbeat of an individual that is unique to each person and cannot be forged. The signature is obtained through a user’s finger where electronic signals can be collected. The product requires a user’s finger and a small metal sensor which appeals to airports, border crossings and personal electronic equipment.

It is not clear yet what Intel will do with the acquisition of IDesia, but Intel already has a presence in Israel with staff and other acquisitions in the country.  Last year Intel acquired Telmap for $300 million, which is an Israel location based services company and has become part of Intel’s consumer services division.

IDesia CEO, Dr. Daniel Lange will continue to serve as a consultant to Intel as IDesia’s products are integrated and stated, “Identification on the basis of heartbeat is not a biometric measurement recognized by any government body, we concentrated in recent years on sales in the consumer products sector and in this field large capital is needed to penetrate markets, and in Israel it is difficult to raise capital for an end-use electronic product.”  Lange also said, “I would be happier if the company had not to be sold because in my opinion it has great potential.  But as an entrepreneur the most important thing is that the technology will be brought to market, and it looks like Intel is the company that can ensure that.”

IDesia is unique and Intel may be able to use their technology to incorporate it into products such as smart phones and tablets which could monitor the heartbeats of patients as well as possibly use it to authenticate people. This biometric technology hasn’t been proven to be a secure way to authenticate people yet, but the technology could be of use in the healthcare industry since it measures a user’s electronic signals.

The technology is of interest to Intel since it has a big interest in the health care industry.  Intel has a joint venture with General Electric called Care Innovations to provide health care products such as tablets that are targeted at the health care industry.  In addition to that, Intel is also conducting research on health care for senior citizens.  With Intel having so much vested in the healthcare industry, they may use the biometric authentication technology to supplement their existing businesses or incorporate the technology in their products.

We believe that it is unlikely that the technology from IDesia will go into Intel’s next microprocessors, but Intel has already a team of developers in Israel that might find a use for it.  The Intel team in Israel was responsible for the architecture behind the Core and Core 2 microprocessors.

If Intel uses the IDesia technology to create innovative ways to monitor patients’ heartbeats or use it in other innovative ways they may have made a good acquisition, but if they are intending to use it to authenticate patients we believe that it will be a challenge to prove that the IDesia technology is a reliable and secure authentication solution. Even if it is used to monitor heart beats of patients remotely, secure machine to machine security measures must be in place to ensure data is transmitted safely. Biometric authentication such as facial recognition, retina scanning, and fingerprint scanning has been shown to be easy to manipulate and unreliable so Intel faces challenges if it intends to use IDesia’s technology to be a leader in the authentication industry.

We believe two factor authentication using a one-time password sent to a mobile device is still the most reliable way to authenticate users and will continue to be until new ways of authenticating users are developed. Two factor authentication using one time passwords sent to mobile devices is currently used by Google, Bank of America, and Facebook. With security breaches on the rise and more companies migrating their services to the cloud, we believe that two factor authentication systems such as DynaPass’ out of band two factor authentication using a dynamic one time password sent to a mobile device will be effective in protecting an organization’s sensitive information and protecting their users.

Achieve HIPAA Compliance with DynaPass Out of Band Authentication

By David Tran on May 29th, 2012

The United States Congress introduced the Health Insurance Portability and Accountability Act (HIPAA) of 1996 to address the need for security standards and to protect the confidentiality and integrity of private health information. HIPAA affects health care organizations by requiring mechanisms to be put in place to control the privacy and security of sensitive patient data stored and exchanged electronically. HIPAA also affects health care organizations by encouraging the conversion of traditional paper based health care information systems to electronic health care information systems through a standardization of all shared electronic information to make healthcare more effective and efficient. HIPAA also mandates that the design and implementation of these electronic health care information systems protect the privacy and security of individuals’ health information. HIPAA X12 standards, version 5010, is a new standard that regulates the electronic transmission of specific health transactions. Entities that need to conform to HIPAA are health plans, health care clearinghouses and any health care providers that transmit health information in electronic form. The compliance date for use of these new HIPAA X12, version 5010, standards is January 1, 2012. The HIPAA Act of 1996 required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop rules known as the HIPAA Privacy Rule and the HIPAA Security Rule. Within the U.S. Department of Health and Human Services (HHS), the Office of Civil Rights (OCR) is responsible for implementing and enforcing the privacy and security rules.

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes a set of national standards to protect medical records and sensitive health information.  This rule addresses the use and disclosure of individuals’ protected health information (PHI) by organizations subject to the privacy rule.  An increasing number of organizations are utilizing new forms of health information technologies (HIT) which usually involves the transition of PHI from paper to electronic form.  A major purpose of the privacy rule is to define and limit how organizations can use or disclose PHI.  Under the privacy rule, organizations must develop and implement policies and procedures that restrict and limit access of health information based on specific roles of members of the organization’s workforce and they must limit uses and disclosures of the information to the minimum necessary to accomplish their intended purpose.  Many health care providers are adopting electronic health records (EHRs) to enhance the effectiveness and efficiency of the health care they deliver.  The privacy rule became effective on April 14, 2001 and most health plans and health care providers had to comply with its requirements by April 2003.

HIPAA Security Rule

The HIPAA Security Rule is a set of national standards that protects medical records and sensitive health information that is held or transferred in electronic form. One of the major goals of the security rule is to protect the privacy of health information of individuals while allowing organizations covered in HIPAA to adapt to new technologies to improve the quality and efficiency of health care. The security rule requires covered entities to maintain appropriate administrative, technical and physical safeguards for protecting electronic protected health information (e-PHI). Under the security rule, organizations must ensure the confidentiality, integrity and availability of all e-PHI that they create, receive, maintain and transmit. Organizations must be able to identify and protect against anticipated threats to the security of the information and also protect against impermissible uses or disclosures of this information. Organizations must also ensure that e-PHI is not able to be accessed by unauthorized persons and that their workforce ensures compliance. Identifying and protecting against anticipated threats and uses is also a requirement by the security rule that organizations must follow. The security rule became effective on February 20, 2003 and most health plans and health care providers had until April 2005 to comply with its requirements.

DynaPass® Out of Band Authentication Technology (U.S. Patent #6,993,658)

DynaPass’® patented out-of-band authentication method generates a one-time password (OTP) and utilizes a user’s mobile device as a way to authenticate them. This works by sending an OTP over SMS to a user’s mobile device. By leveraging DynaPass’® out of band authentication platform, members of an organization’s workforce can authenticate themselves before accessing protected health information, which prevents unauthorized users from accessing it. An organization can also limit access of these members by assigning limitations depending on their roles within the organization and it will prevent unauthorized users from accessing the information.

Traditional methods of accessing health care data remotely such as using a login and password can be easily compromised by phishing attacks, malware and man in the middle attacks (MITM). Health care organizations can combat these attacks by utilizing two factor authentication, also called strong authentication, along with DynaPass’® out of band authentication to authenticate users and block unauthorized users trying to access this health information. By combining login credentials along with DynaPass’® out of band authentication platform, organizations can add another layer of security to protect against attacks and data breaches. A user is authenticated by entering their login credentials in an online portal; a secure centralized server then generates an OTP and sends it to the user’s mobile device over a separate channel, which is a true method of two factor authentication. By using two factors to authenticate a user, something that a user knows (login credentials) and something that a user has (mobile device), we believe that unauthorized access to health information will be reduced, and organizations will be able to more confidently and securely store and access their health information in electronic form.
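A generic sketch of the server side of the flow described above (password accepted first, then a one-time password sent by SMS and checked), added here as an example; it is not DynaPass’ patented method or code. The class name `OtpChallengeStore`, the `send_sms` callback and the limits (6 digits, 5 minutes, 3 attempts) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 3        # assumed wrong guesses allowed per code


class OtpChallengeStore:
    """Issues and checks SMS one-time passwords (hypothetical helper)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, text); the out-of-band channel
        self._clock = clock
        self._pending = {}          # username -> challenge record

    @staticmethod
    def _digest(salt, code):
        # Only a salted hash of the code is kept server-side.
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def start(self, username, phone):
        """Call only after the password check succeeded."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # A new challenge replaces any older one for the same user.
        self._pending[username] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        self._send_sms(phone, f"Your one-time login code is {code}")

    def verify(self, username, submitted):
        """Return True once for the right code; False in every other case."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() >= entry["expires"]:
            del self._pending[username]
            return False
        candidate = self._digest(entry["salt"], submitted)
        if hmac.compare_digest(entry["digest"], candidate):
            del self._pending[username]     # single use: replay fails
            return True
        entry["attempts_left"] -= 1
        if entry["attempts_left"] <= 0:
            del self._pending[username]     # stop online guessing
        return False


if __name__ == "__main__":
    outbox = []  # constructed stand-in for an SMS gateway
    store = OtpChallengeStore(lambda phone, text: outbox.append((phone, text)))
    store.start("alice", "+15555550100")    # constructed user and number
    code = outbox[-1][1].split()[-1]        # what the phone's owner would read
    print("stolen password, no phone:", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("legitimate user:", store.verify("alice", code))
    print("replay of same code:", store.verify("alice", code))
```

Someone who holds only the stolen password never sees the contents of `outbox`, so the login stops at `verify`, while the unexpected text message is what alerts the legitimate user.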

We believe that two-factor authentication is an effective way for health care organizations to protect their health information and prevent attacks because even if one layer of security (login and password) is compromised by an attacker, the second layer of security (OTP sent to mobile device) would stop the authentication process and prevent access to the information. Organizations that are converting from paper based health care information systems to electronic health care information systems need to make sure that their electronic health records information remains safe and that there are safeguards in place to control access to this information.

DynaPass’® out-of-band authentication platform meets and exceeds the requirements of HIPAA by incorporating two-factor authentication while utilizing out of band authentication in a cost efficient way. We believe that DynaPass® out-of-band authentication is an effective layered security process that controls security access and is easy to use.  By using a mobile device as an authentication device, such as a mobile phone which the majority of the organization’s workforce already has, users can utilize two-factor authentication without needing to carry additional hardware tokens to authenticate themselves and organizations can save on costs to implement security devices.  Users do not need to download any additional applications on the mobile devices since DynaPass’® OTP platform uses the SMS system to send the one time password and is a “zero footprint solution.” We believe that DynaPass’® out-of-band authentication is the patented, cost effective two factor authentication solution that can ensure that organizations comply with HIPAA standards while also protecting sensitive health information.
