Russian Password Hacking Was Easily Preventable

08/12/2014 / 0 Comments

The Internet is buzzing after the recent New York Times report that Russian hackers have stolen over 1.2 billion user name and password combinations, along with more than 500 million email addresses.


According to Hold Security, the cybersecurity firm that revealed the staggering scope of the hacking, a Russian gang “amassed over 4.5 billion records, mostly consisting of stolen credentials”, among which 1.2 billion appear to be unique sets of e-mails and passwords.

The crime ring compromised over 420,000 websites and FTP sites of all sizes. They did not distinguish between large and small websites, and they did not concentrate on targeting only the largest companies. Instead, they obtained data from botnet networks of virus-infected computers to identify SQL vulnerabilities on websites that victims visited. They used these vulnerabilities to hack into the sites’ databases and steal massive amounts of confidential user data.

Various media outlets and cybersecurity experts have been advising people to change their passwords, begin using password management services, and enable two-factor authentication, which protects your accounts whenever you log into services from a new device. They are also recommending that, if you are a company or website owner, you should conduct tests and audits to learn whether your site is susceptible to SQL injection.

These are all reasonable and helpful suggestions, but all of this is too late for the individuals and companies who may have been victimized, and it is mostly damage control rather than prevention.

Sadly, all of this could have been prevented easily with simple yet powerful security that addresses the real problem, which is passwords.

Companies, website developers, and end users that continue to use passwords are automatically targets for hacking, phishing, and malware. The continued use of password-based logins and insecure authentication technology is what attracts criminals like the Russian hackers and allows them to gain access to individual user accounts and to hack into servers and databases to steal masses of sensitive data.

The solution to all of this is to eliminate passwords and replace them with an authentication method that is designed from the ground up to provide the strongest possible security to protect user accounts and make it physically impossible for user credentials to be compromised or stolen.

SecSign ID is a mobile authentication solution that was designed with this purpose in mind. It uses public key infrastructure (PKI) and 2048-bit encrypted key pairs to allow companies and website developers to provide secure access to user accounts without using passwords and without transmitting or storing any sensitive credentials. And authentication with SecSign ID can be completed in just 10 seconds.

Using simple plugins that can be integrated with any website or application, developers can provide a simple login for their users and offer mobile authentication that uses these key pairs and is virtually impossible for criminals to thwart.

This authentication method also means that there are no confidential credentials that can be stolen through SQL injection attacks, so servers that use this technology will no longer offer any incentive for hackers to target them. This level of security not only prevents data breaches that can damage a company or a brand’s reputation, it can even bolster that reputation by showing that an organization or website is using the most powerful security available to protect user, customer, and company data.

Most companies and website developers are not in the business of building their own impenetrable cybersecurity, so having a convenient solution like this, designed by cryptography experts, can save considerable worry and resources.

SecSign ID is based on cryptographic procedures that are mathematically impossible to defeat by any known or anticipated level of technology. The mobile authentication method is based on the concept of combining a user’s knowledge or biometrics with physical possession of an encrypted private key on the mobile device. The combination of knowledge and possession is considered to be the most secure approach to user account security among leading cybersecurity experts.

To begin a login session with a service protected by SecSign ID, a user enters a simple, non-confidential user ID through the secured website or application. On the user’s mobile device, an instant notification appears from the SecSign ID mobile app. From the notification, the user can quickly open the app, tap the corresponding user ID, and enter a simple 4-digit PIN or passcode. This confirms ownership of the private key that is securely stored on the mobile device.

With the release of Apple’s iOS 8 in the coming weeks, users will also be able to confirm ownership of their private key by using their Touch ID fingerprint.

Once ownership of the private key is confirmed, the app shows a set of four symbols. The user taps the symbol that matches the one shown on the login screen of the secured website or application, and this provides the final identity verification. The app notifies the authentication server of the result, and access to the user account is granted.

In just seconds, a user can complete authentication, and all of this happens without using a password and without entering, transmitting, or storing any sensitive credentials. Nothing confidential is entered during the login, transmitted between servers and devices, or stored on a server.

This means that there is physically nothing for criminals to steal and use to gain unauthorized access to accounts or data. No amount of hacking, phishing, or malware will provide them with a credential that could be used to access a user’s account and cause further damage.

If the 420,000+ sites that were attacked by the Russian hackers had been using SecSign ID to protect their user accounts, none of their user data could have been stolen, and none of their user accounts could have been compromised. Quite simply, there would have been no sensitive credentials to steal. And zero stolen credentials sounds like a much better number than 1.2 billion.

To learn more about SecSign ID, to download the free mobile app, and to try a sample login, visit https://www.secsign.com/business/two-factor-authentication/.
