Authentication – The Problem of Phishing

The Problem

Hackers just keep getting more inventive and dangerous. Phishing, which is tricking people out of usernames, passwords and other sensitive information with phony emails, is estimated to be a growing threat to both governments and businesses. According to Verizon’s 2015 Data Breach Investigations Report, nearly 50 percent of victims open phishing emails and click on the link within the first hour of receiving them. The Monthly Online Fraud Report – January 2015 found that there were 46,747 phishing attacks worldwide in December. United States regional banks were targeted by a quarter of all phishing attacks in December, while US nationwide banks experienced an increase in phishing volumes from 50 per cent in November to 58 per cent in December.


And of course now there’s spear phishing where the spear phisher does his research on you and knows your name, email address and other details that make the spear phishing email seem relevant, real and worthy of a response because it appears to be from an individual or business that you know and trust. Beware – it’s not. The email may make reference to a mutual friend or to a bank or ecommerce site you belong to, possibly asking for urgent action, tempting you into acting before thinking. I’ve seen spear phishing attacks claiming to be PayPal and eBay to name a few.


Phishing attacks use social engineering techniques mixed with technical tricks to fool the user and steal sensitive information and banking account credentials. Social engineering schemes are typically based on spoofed emails to lead users to visit infected websites designed to appear as legitimate ones. The websites are designed to lead customers to divulge financial data, such as account usernames, credit card numbers, passwords, and social security numbers.

Spear phishing attacks have been associated with high-profile data breaches, such as those experienced by Target, Sony and the Pentagon. Spear phishing attacks can quickly yield valuable information such as user credentials to corporate or personal accounts, which attackers can leverage to gain additional insight into the target organization or individual, and to launch further attacks that seek access to other systems and services. It is also feared that breaches like the recent one of Ashley Madison provide a real treasure trove of personal details, emails, usernames and the like for spear phishers.

The US hosted 48 per cent of phishing attacks in December, followed by the United Kingdom (7 per cent), Germany (5 per cent) and China (3 per cent).


The Current Solution

Securing computers has become very challenging, and one of the pain points is the need for super complex passwords. You know the ones. It must include a capital letter, numbers (but no repeated numbers), a special character and be at least 8 alphanumeric characters long. Random numbers and letters work best, and please… change them frequently and never use the same or a similar password on multiple applications. And BTW, good luck remembering your passwords. Then there is the issue of sharing passwords and the consequent leakage to third parties, who can enter the system and steal, corrupt or sabotage data!


Multi-factor Authentication

Multi-factor authentication means identifying a user with more than one independent factor. For example, if I used your fingerprint and a password or a PIN, I would be using two-factor authentication. If I used a password (something you know), your phone (something you possess) and your iris scan or fingerprint (something you are), then I am using a very powerful three-factor authentication method that is much harder to defeat than most of the authentication we use normally.
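As an added example (not code from the original post), here is a small Python login check that combines something you know (a salted password hash) with something you possess (a time-based one-time code of the kind a phone app generates, RFC 6238 TOTP, which is an assumed implementation of the "your phone" factor above). The user record, password and seed are constructed for the demo; the seed is the RFC's published test seed.

```python
import hashlib
import hmac
import struct
import time


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Something you know: store only a salted PBKDF2 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Something you possess: RFC 6238 time-based code from a shared seed (HMAC-SHA1)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(user: dict, password: str, code: str, now: int, window: int = 1) -> bool:
    """Two-factor check: both factors must pass; comparisons are constant-time."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept codes from adjacent 30-second steps to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp(user["totp_seed"], now + d * 30), code)
        for d in range(-window, window + 1)
    )
    # Both factors are evaluated before returning, so a wrong password does not
    # short-circuit and reveal through timing which factor failed.
    return pw_ok and code_ok


# Constructed sample user (fixed salt and seed so the demo is reproducible).
SALT = bytes(range(16))
SEED = b"12345678901234567890"   # RFC 6238 test-vector seed, assumed for the demo
USER = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT), "totp_seed": SEED}

if __name__ == "__main__":
    now = int(time.time())
    # A real phone app would compute this code independently from the same seed.
    print("login ok:", verify_login(USER, "correct horse", totp(SEED, now), now))
```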

Here is an example of a recent

RSA comments on the Hello Kitty hack and shares why it may have long-lasting ramifications: