Securing Your Own Data
Securing Very Important Data Your Own
For example, the start-up Mint.com won this year’s TechCrunch award for its Swiss Army knife approach to personal financial management. In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards.
A powerful project management and collaboration tool called Basecamp allows teams to store online entire project management plans, including performance targets, to-do lists, files, collaborative documents and messages. Provided by 37Signals L.L.C., based in Chicago, Basecamp has more than a million users around the world, including me.
Another site, Dopplr, from a company of the same name based in Finland, is still in its beta-test phase. It lets users upload and share their travel itineraries with a group of “trusted fellow travelers.” The site can connect with Facebook friend lists, and in September it announced that it had opened an invitation-only social network to business travelers from 100 leading companies and international organizations, including Google, I.B.M. and Nokia.
This type of sensitive, sometimes proprietary information was once locked up on hard drives or in file cabinets far away from anything resembling a global or even a local distribution network. Yet none of the users flocking to these services seem perturbed that they have relinquished personal control over this data to companies that, even with the best of intentions, may not be able to keep it safe.
New Security from USB mass storage
RSA podcast speaks with Larry Hamid, CTO, MXI Security, about how their USB portable security devices are used for strong authentication, as a biometric device, to carry digital identities, and more.
MXI Security works with RSA to deliver a portable 3 factor authentication for secure remote access that is technically interoperable with RSA SecurID technology.
Portable Security Devices evolved from two origins: flash drives and security tokens. Flash drive vendors started adding security enhancements, such as biometric authentication and encrypted storage, to their products in an attempt to differentiate themselves in a competitive and price-sensitive market. On the other side, security token vendors have recognized the need for more speed, portability and capacity than what is available on a conventional smart card or token. The end result is a type of device that has the security of a smart card with the power and portability of a flash drive. These devices will likely have a significant impact on the security industry.
High-end Portable Security Devices can carry and assert digital identities, provide powerful cryptographic services, strong authentication, secure storage, and have management interfaces that allow them to be easily deployed in an enterprise environment. A single device can satisfy multiple security needs of an enterprise, including public key cryptography for e-mail signing and file encryption, digital identities for network logins and single sign on, portable authentication for remote access, as well as secure storage of confidential information.
What Consumers Think About Online Fraud
From RSA, findings from the latest consumer online fraud survey of 1678 adults from 8 countries
Consumers say ‘Username-&-Password’ must go: 91% of account-holders are willing to use stronger authentication methods offered by financial institutions
Trust in the online channel continues to drop: 52% are “less likely” to sign-up for or use online banking; 82% are “less likely to respond” to banking-related e-mails
The Appearance of Security
SiteKey was touted as the great solution to avoid phishing scams. When you first log into a Bank of America account, you are asked to choose an image like a basket of fruit. That becomes your site key, the indicator that the Bank of America website you logged into is a real Bank of America site and not a fraudulent one designed to capture your account numbers.
The problem is that less than 10% of online customers with site keys will stop and go no further on a so-called Bank of America website that does NOT have the image.
Study finds security flaws on web sites of major banks.
Internet security experts have long known that simple passwords do not fully defend online bank accounts from determined fraud artists. Now a study suggests that a popular secondary security measure provides little additional protection.
--
The Harvard and M.I.T. researchers, however, found that most online banking customers did not notice when the SiteKey images were absent. When respondents logged in during the study, they saw a site maintenance message on the screen where their image and phrases should have been pictured. The error message also had a conspicuous spelling mistake, further suggesting something fishy.
PayPal to issue Password Key Fobs
This is big news. EBay will offer password key fobs to users.
PayPal has nearly 123 million accounts
eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.
The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.
---
The "PayPal Security Key" will cost $5 for personal PayPal accounts, but will be free for business accounts.
--
The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage firms offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.
Hackers clone e-passports
A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.
---
Although countries have talked about encrypting data that's stored on passport chips, this would require that a complicated infrastructure be built first, so currently the data is not encrypted.
"And of course if you can read the data, you can clone the data and put it in a new tag," Grunwald says.
The cloning news is confirmation for many e-passport critics that RFID chips won't make the documents more secure.
"Either this guy is incredible or this technology is unbelievably stupid," says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science and senior fellow at Privacy International, a U.K.-based group that opposes the use of RFID chips in passports.
"I think it's a combination of the two," Hosein says. "Is this what the best and the brightest of the world could come up with? Or is this what happens when you do policy laundering and you get a bunch of bureaucrats making decisions about technologies they don't understand?"












