Don't Be Passive About Passwords
Most online accounts used to manage money and investments use multiple factors for authentication: a password plus some other way to prove that the customer is who they claim to be.
This is driven by regulation, by the institution's own security and risk management policies, by business partners demanding adherence to industry best practices, and by customers themselves.
Passwords are used everywhere, and they are important keys in protecting valuable assets. Unfortunately, research based on actual breaches has shown that users will generally select weak passwords, those that are simple and easy to guess, if allowed.
One recent breach that included the disclosure of a large number of users' passwords showed that a hacker had a one-in-seven chance of guessing a user's password simply by trying the top 10 most commonly used passwords.
Other information that hackers routinely collect, such as spouses' names and birthdates, is often used to build a targeted list of candidate passwords for brute-force attacks.
Hackers will spend effort up to the value of the assets they are after in order to obtain someone's password. Tactics include phishing, social engineering to reveal or reset passwords, exploiting systems or their users to install spyware and keyloggers, and cracking passwords by looking up stolen hashes in precomputed tables or guessing them with optimized brute-force attacks.
Do Not Store Passwords in Databases
Databases should never store passwords themselves. They should store only hashes: values derived from the password by a one-way function, so that if a hacker breaches the database he finds hashes rather than passwords. A hash cannot be "converted" back into a password, but it can be attacked by guessing candidate passwords and hashing each one, or by looking the hash up in a precomputed table; against a fast, unsalted algorithm such as MD5 or SHA-1 this takes seconds for common passwords. Each stored hash should therefore carry its own random salt, which defeats precomputed tables and stops identical passwords from producing identical hashes, and the function should be a deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2. Not storing passwords in the clear is only one layer of protection, but it is an essential one.
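The following is an added example, not code from the original article: it stores a password as a salted PBKDF2-HMAC-SHA256 hash and verifies it, then shows how a table of unsalted SHA-256 digests is cracked by a single dictionary lookup. The iteration count, user names and the "top passwords" list are constructed assumptions; a real deny list has millions of entries.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: tune the iteration count so one hash costs ~100 ms on the
# authentication server; 200k is an illustrative value.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a PBKDF2-HMAC-SHA256 hash with a fresh 16-byte random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    # Store everything needed to verify later, never the password itself.
    return {"algo": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# --- What the attacker does against an unsalted, fast hash ---------------

# Constructed stand-in for a "top 10 passwords" list.
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                 "letmein", "monkey", "111111", "iloveyou", "123123"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Do not store passwords this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password once; reusable against every breached DB."""
    return {unsalted_sha256(p): p for p in candidates}


def reverse_lookup(stolen_hashes, table) -> dict:
    """Map each stolen hash back to its password if the table contains it."""
    return {h: table[h] for h in stolen_hashes if h in table}


if __name__ == "__main__":
    # Two users picked the same weak password; the salt keeps their records distinct.
    alice = hash_password("letmein")
    bob = hash_password("letmein")
    assert alice["hash"] != bob["hash"]
    assert verify_password("letmein", alice)
    assert not verify_password("LetMeIn", alice)

    # A breached table of unsalted SHA-256 digests falls to a lookup instantly.
    stolen = [unsalted_sha256("letmein"), unsalted_sha256("Tr0ub4dor&3xyz!")]
    cracked = reverse_lookup(stolen, build_lookup_table(TOP_PASSWORDS))
    print(cracked)  # only "letmein" is recovered; the long one is not on the list
```

With salts, the same lookup table is useless: the attacker would have to rebuild it for every user's salt, and the slow hash makes each rebuild expensive.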
Implement Systems that Support Passwords with 12 Characters or More
Research at Georgia Tech shows that effective passwords are generally 12 characters or longer, and each additional character multiplies the work a hacker, or his home supercomputer, must do to recover the password.
Financial institutions' systems should support long, complex passwords. Some financial institutions accept no more than eight lowercase letters or digits for accounts that hold hundreds of thousands of dollars in assets.
These limits date from when the institutions built their password systems, before hackers had easy access to the modern tools that now let them guess passwords quickly. Every extra character multiplies the number of possible passwords by the size of the character set, so a password of 12 or more characters is exponentially harder to break by brute force than a shorter one.
Do Not Use the Same Password for Financial Accounts as Social Networking Sites and Others
People often use the same password for managing their money as for logging in to their social networking sites. They should use a different password for each site they interact with.
While an institution cannot stop a user from reusing a password across sites, it can educate users about the harm in doing so and can force passwords to expire, for example every three months.
Keeping a password history and forbidding the reuse of old passwords then makes it more likely that the current password is unique and that a password a hacker obtained from another website is no longer valid. One caveat: current NIST guidance (SP 800-63B) advises against routine periodic expiration, because it pushes users toward predictable variations of the same password; it favours screening new passwords against breach lists and forcing a change when compromise is known or suspected.
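As an added example, not code from the original article, the server-side policy check below enforces the rules discussed above: a minimum of 12 characters, rejection of common and trivially simple passwords, and rejection of any password that matches one of the user's recent passwords. The history holds only salted PBKDF2 hashes, so the check never needs old passwords in the clear. The deny list, history size and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_LENGTH = 12
HISTORY_SIZE = 5        # assumption: remember the last five passwords
ITERATIONS = 200_000    # assumption: illustrative PBKDF2 work factor

# Constructed deny list; a real one is built from published breach dumps.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "letmein", "monkey", "111111", "iloveyou", "123123",
                    "password1234", "qwertyuiop12"}


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Stores only (salt, hash) pairs of previous passwords, newest first."""

    def __init__(self):
        self.entries: List[tuple] = []

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(pbkdf2(password, salt), h)
                   for salt, h in self.entries)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.insert(0, (salt, pbkdf2(password, salt)))
        del self.entries[HISTORY_SIZE:]      # forget anything older than the window


def normalise(password: str) -> str:
    """Fold case and drop trailing digits/symbols so 'Password123!' matches 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


def check_new_password(candidate: str, history: PasswordHistory) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason for rejection."""
    if len(candidate) < MIN_LENGTH:
        return f"too short: {len(candidate)} chars, need {MIN_LENGTH}"
    if candidate.lower() in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        return "too common: appears on the deny list"
    if len(set(candidate)) < 4:
        return "too simple: fewer than 4 distinct characters"
    if history.was_used(candidate):
        return f"reused: matches one of the last {HISTORY_SIZE} passwords"
    return None


if __name__ == "__main__":
    hist = PasswordHistory()
    for pw in ["correct horse battery", "Winter2023!!"]:
        assert check_new_password(pw, hist) is None
        hist.record(pw)
    print(check_new_password("Password123!", hist))   # common after normalisation
    print(check_new_password("Winter2023!!", hist))   # reused
    print(check_new_password("aaaaaaaaaaaa", hist))   # long enough but trivial
```

The length check runs first so the user gets the most actionable message; the deny-list check normalises the candidate because "Password1!" style suffixes are the most common way users satisfy complexity rules without adding entropy.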
Ensure that Systems Employ Multiple Factors of Authentication
Passwords should be only one part of the authentication process. Hardware or software tokens, smart cards, or biometrics such as fingerprints can be used as an additional factor. Secret answers to security questions are often offered as well, but they are another "something you know", frequently discoverable from public records or social networking profiles, and should not be counted as a true second factor.
Out-of-Band Authentication and Authorization
Out-of-band (OOB) verification of authentication and authorization can help prevent fraudulent transactions. It typically uses email, SMS text messages to a mobile device, or voice calls to a phone number on file.
However, all of these can be defeated by hackers with the right knowledge and tools. They may hijack the email account, use mobile malware to intercept the SMS messages that carry transaction authorization codes, or change or reroute the phone numbers the financial institution uses to contact the customer.
Fortunately, some newer products and services offer OOB verification that is much more resistant to attack than email, SMS and phone. These work much like a hardware token, and the best devices never connect to the Internet, so they cannot be compromised over the network.
They generate a fresh one-time code every few seconds, and the better ones bind that code to the details of the specific transaction (payee and amount) shown on the device's own display, so malware that alters the transaction in the browser cannot obtain a valid code for it. The user carries the small device and types its code into the financial institution's portal in addition to the username and password. The IBM ZTIC, products from Cronto, and services like those from Ardeun are good examples of solutions that add this layer of protection.
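The following added example is not code from the original article and is not the actual protocol of the IBM ZTIC, Cronto or Ardeun products. It illustrates the principle such devices rely on: the token computes an HMAC-based one-time code over a counter plus the payee and amount it displayed, using a key that never touches the customer's PC, and the bank recomputes the code over the transaction it actually received. The shared key (the RFC 4226 test vector), counter values, account numbers and amounts are constructed.

```python
import hashlib
import hmac
import struct

SHARED_KEY = bytes.fromhex("3132333435363738393031323334353637383930")  # RFC 4226 test key
CODE_DIGITS = 8
COUNTER_WINDOW = 3   # tolerate a few codes generated on the device but never submitted


def transaction_message(counter: int, payee_account: str, amount_cents: int) -> bytes:
    """Canonical byte string covering everything the code must bind to."""
    return (struct.pack(">Q", counter) + payee_account.encode("utf-8")
            + b"|" + struct.pack(">Q", amount_cents))


def hotp_truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226, so the code is short enough to type."""
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def device_generate_code(key: bytes, counter: int, payee_account: str,
                         amount_cents: int) -> str:
    """Runs on the offline token after it shows payee and amount on its own display."""
    mac = hmac.new(key, transaction_message(counter, payee_account, amount_cents),
                   hashlib.sha256).digest()
    return hotp_truncate(mac, CODE_DIGITS)


def server_verify_code(key: bytes, last_counter: int, payee_account: str,
                       amount_cents: int, code: str):
    """Recompute over the transaction the bank received.

    Returns the counter value that matched (the server stores it so the code
    cannot be replayed), or None if no counter in the window matches.
    """
    for c in range(last_counter + 1, last_counter + 1 + COUNTER_WINDOW):
        expected = device_generate_code(key, c, payee_account, amount_cents)
        if hmac.compare_digest(expected, code):
            return c
    return None


if __name__ == "__main__":
    counter_on_server = 41
    # Customer confirms on the device: pay GB29NWBK60161331926819, 250.00
    code = device_generate_code(SHARED_KEY, 42, "GB29NWBK60161331926819", 25000)
    assert server_verify_code(SHARED_KEY, counter_on_server,
                              "GB29NWBK60161331926819", 25000, code) == 42
    # Man-in-the-browser malware swaps the payee before submitting: code no longer matches.
    assert server_verify_code(SHARED_KEY, counter_on_server,
                              "GB12MULE00000000000001", 25000, code) is None
    # Replaying the same code after the counter advanced is also rejected.
    assert server_verify_code(SHARED_KEY, 42, "GB29NWBK60161331926819", 25000, code) is None
    print("transaction code", code, "accepted only for the transaction the customer saw")
```

A plain one-time code that is not bound to the transaction would still be accepted after the malware changed the payee; binding the payee and amount into the MAC is what makes this stronger than SMS or email codes.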
Dell SecureWorks has developed a list of best practices to help protect financial assets by protecting the passwords that guard them.
Security Tips for Financial Institutions and Service Providers:
- Support long, complex passwords
- Implement policies prohibiting short, simple, common, and re-used passwords
- Fortify websites against attacks like SQL injection, and protect password hashes against reverse lookup by salting them and using a slow password hash
- Use additional factors for authentication such as security tokens, smart cards or biometrics (secret answers to security questions are a weak substitute, not a true second factor)
- Use out-of-band verification of authentication and authorization
- Implement strong OOB solutions to defeat hackers who have hijacked your customer's email, mobile device and/or phone numbers
- Offer complimentary security software like anti-virus and tools like Trusteer’s Rapport to your customers
- Prominently place fraud alerts and education regarding computer security and social engineering scams like phishing on your customer portal
Security Tips for Customers:
- Use a separate, dedicated computer to manage financial accounts online; don't use it for normal Web surfing, email, social networking, etc.
- Use anti-virus and other security software to prevent passwords from being stolen by spyware and viruses
- Passwords should include as many random characters as possible. If a password is 12 or more characters, it is exponentially harder to break than one with fewer characters.
- See if your financial institution offers a software tool like Trusteer's Rapport to help protect online sessions with money management services
- Look for a financial institution that supports long, complex passwords
- Avoid using simple, easy-to-guess, and easy-to-crack passwords
- Don't use the same password for different sites or online services
- Use software like KeePass (free, open source, multi-platform) or hardware security tools like IronKey to securely remember and manage online passwords. IronKey is portable and automatically logs users into their accounts on any computer to circumvent keyloggers and phishing attacks.
Don Jackson is a director in the Counter Threat Unit at Dell SecureWorks in Atlanta.