Tag Archive for: Authentication

Customer Authentication Tips for Safer Holiday Shopping


The holiday shopping season represents a major chunk of annual revenue for retailers in virtually every sector. Per the National Retail Federation, sales grew over 14% to nearly $900 billion in November and December 2021; if they grow at the same rate this year, holiday retail sales will top $1 trillion in 2022. The holiday spirit, fueled by the rush to catch Black Friday bargains, has everyone spending, and $226 billion of these sales are happening online.

‘Tis the Season for Hacking

While it’s a great season for retailers, it’s also a cash-in season for hackers who take advantage of the hype. Their scams include fraudulent giveaways that harvest user details, fake firms that never supply goods, and formjackers and card skimmers that insert malicious code into e-commerce sites. However, phishing, an old cybercriminal favorite, will still be the most prominent attack this holiday season.

Phishing, especially with the exceptional rise in cheap and easy-to-use phishing-as-a-service kits, will disrupt plans, cost money and generally try to ruin the holidays for retailers and consumers alike. A typical attack sees the victim opening an email impersonating a trusted retailer, like Amazon. The email looks legitimate, except the link provided within it leads to a spoofed site where the attacker can steal the user’s login details and hijack their account. 

Why You Need Better Customer Authentication

Consumers are growing more aware of the dangers of online shopping. A recent survey by TransUnion found that the majority (54%) are concerned about being victimized by fraud this holiday season — up 17% from 2021. Confidence in the security of a retailer’s customer authentication processes directly affects consumers’ willingness to do business with them. The same survey reported a 40% increase in consumers stating that they would abandon a purchase due to lack of sufficient security. 

For retailers, providing more secure customer authentication isn’t just about allaying consumers’ fears, it’s about protecting their own business. A successful phishing attack on a customer can mean lost income due to redirected purchases and fraudulent orders, reputation damage and potential…

Source…

NCC urges adoption of two-factor authentication to protect telegram accounts against attack – The Sun Nigeria


From Adanna Nnamani, Abuja

The Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has advised users to adopt two-factor authentication to protect their Telegram accounts and to avoid downloading unauthorized Advanced IP Scanner Software.

This, the NCC says, is in response to the discovery of a new attack that compromises victims’ VPN (Virtual Private Network) accounts through the messaging app Telegram.

According to a statement from the Commission, Ukrainian cyber experts discovered the attack, which uses Vidar Malware (Vidar Stealer) to steal Telegram session data. In the absence of configured two-factor authentication and a passcode, this allows unauthorized access to the victim’s Telegram account and corporate account or network.

“The malware, which exploits unauthorized access to users’ Telegram accounts and corporate accounts to steal data, targets platforms across iOS, Android, Linux, Mac and Windows Operating Systems.

“The Ukrainian CERT alleged that a Somnia Ransomware was created to be used on Telegram that tricks users into downloading an installer that mimics ‘Advanced IP Scanner’ software, which contains Vidar Malware. The installer infects the system with the Vidar stealer, which steals the victim’s Telegram session data to take control of their account.

“The threat actors abuse the victim’s Telegram account in some unspecified manner to steal VPN connection data (authentication and certificates). If the VPN account is not protected by two-factor authentication passcode, the hackers use it to gain unauthorized access to the victim’s employer’s corporate network”, the alert and advisory states.

“Once inside, the intruders conduct reconnaissance work using tools like Netscan, Rclone, Anydesk, and Ngrok, to perform various surveillance and remote access activities, and then deploy a Cobalt Strike beacon, exfiltrating data using the Rclone program,” the report stated.

“The CSIRT is the telecom sector’s cyber security incidence centre set up by the NCC to focus on incidents in the telecom sector and as they may affect telecom consumers and citizens at large. The CSIRT also works collaboratively with…

Source…

Why It’s Smart to Use Authentication Apps for Multifactor Security


The apps generate short-lived codes to use along with a password. That can be safer than having codes texted to you.

By Yael Grauer

In a world riddled with data breaches, having a strong password isn’t always enough to keep your personal and financial information safe. That’s why security experts recommend safeguarding your accounts with another layer of defense, namely multifactor authentication (aka two-factor authentication). But many people who use multifactor authentication (MFA) might not be using it in the most secure way, according to security professionals.

When you turn on MFA, which is available for financial sites, social media sites, and many others, you need a second factor in addition to your password to log in. That way, if a hacker gets your password, they still won’t be able to access your account. Probably the most common way to use MFA is to have the site send you a text message with a code that you enter into a pop-up box.

But many security experts say there’s a better option: switching to an authentication app, which uses an algorithm linked to your device to continually generate numerical codes that expire every 30 seconds.

Unlike authentication apps, text messages rely on your phone number, which is more vulnerable to criminal attack. A determined attacker may persuade a phone company to redirect someone else’s phone number to a new SIM card on their own device in what’s called SIM swapping or SIM jacking. Then they can intercept messages directed to that phone number.

“SIM swapping is obviously a risk,” says Leigh Honeywell, CEO and co-founder of Tall Poppy, a social venture that builds tools and services to help companies protect their employees from online harassment and abuse. But, she says, other problems can arise.

“The issues that come up more often are going to be you lose your job and your phone gets cut off, or you’re on a family plan and you have a conflict with a family member who is the administrator of the plan,” she says. “There are a lot of ways that phone numbers end up being a very brittle part of the security ecosystem that go way beyond the very sharp end of the spear that is SIM swapping.”

And MFA based…

Source…

October is Cybersecurity Awareness Month. Part 2: Enable Multi-Factor Authentication


In this multi-part series, we’ll look at what organizations can do to improve corporate security as part of October’s Cybersecurity Awareness Month. In this blog, our focus is on multi-factor authentication (MFA).

Believe it or not, computers in the old days didn’t even require passwords to get in. The threat wasn’t obvious since computers weren’t everywhere, so when you powered a computer on and it was done booting, you’d just use it as needed. Once computers became common in the workplace and different folks had physical access to a computer, the user and password pairing was born. Still, some people, just like they do today, would just write the password on a Post-it Note and call it a day. Many people used ‘password’ or ‘12345’ as their password. The password has evolved, and today most systems require a minimum of 8 characters including a number, a capitalized letter, and a special character, which makes them harder to guess if you haven’t written them down.

Are passwords perfect now?

Nope. According to various studies, 81% of breaches are caused by poorly-chosen passwords. According to a CNET report in 2020, hackers have published as many as 555 million stolen passwords on the dark web since 2017. When you consider that many people use the same password or a variation of a single password, you can see how poor passwords and password-related practices continue to lead to breaches.

So, what can be done?

Enabling MFA is a start. Multi-factor authentication, sometimes referred to as Two-Factor Authentication (2FA), comes in different flavors, and not all are built equally. MFA can mean two passwords to two different Microsoft Active Directory (AD) servers, but this is rarely used. The most common is credentials (username/password) with a token. RSA and Google Authenticator are a couple of the more popular token options. These tokens are multi-digit, one-time, and short-lived, making them hard to guess and of little use even if shared, since there is only a short window in which they are valid. The other method is a push notification to a different device. The MFA software is usually installed on a mobile phone and when trying to log in from a laptop, the user is prompted to…

Source…