Browse archive

Latest news

Experts highlight top data breach vulnerabilities

Review: Logging and Log Management

Commission wants to minimize U.S. IP theft economic impact

NYPD detective accused of hiring email hackers

Why BYOx is the next big concern of CISOs

Free tool repairs critical Windows configuration vulnerabilities

Guantanamo cuts off Wi-Fi access due to OpGTMO

IT pros focus on cloud security, not hype

Blue Coat to acquire Solera Networks

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

Find TrueCrypt and BitLocker encrypted containers and images

The CSO perspective on healthcare security and compliance

Hacking charge stations for electric cars

Identity Theft - Should You Be Worried?

by Robin Gertsen - Senior Product Marketing Manager, PortWise - Tuesday, 2 May 2006.

In March of 2005, Techworld reported on a gang of scam artists who had sent out millions of daily emails to users, and once the user clicked on the links in the email, a Trojan keylogger was automatically installed on the user’s device, recording everything the user did and sending it back to the gang. The gang was so successful in their operation that they managed to profit more than $37,000,000 before being shut down. Most of the profit came from users accessing online banking systems and credit card purchases, which could be easily captured and exploited. Two-factor authentication could have ensured that information had stayed safe, because users would be required to enter a unique one-time password that is unique to a device that they own.

Several large financial institutions across the world are now starting to implement two-factor authentication ensuring that trust can be re-established with their users, fearing that if nothing is done profits are lost, customer confidence will drop, and the brand will be damaged for long-term disadvantages.

The icing on the cake: adding an extra layer of security

Most organizations think that providing users with secure authentication, along with the latest anti-virus and anti-spyware software should take care of the problem of identity theft. The reality is that with the changing paradigm of how users connect, security also needs to be present after the user ends the session or connection.

In the 1980s and 1990s it was easy to control what devices users used to connect with, but in today’s world, go into any city around the world and there are bound to be several internet cafés offering easy and cheap access, or walk through the airport and you are guaranteed to find a number of Internet kiosks offering quick and easy access to the Internet. Any time a user uses an “insecure” device, they could be leaving a trail of information behind, stored in cookies, URL history, temporary files, and even downloaded files. For organizations to offer mobile access from any location using any device, automatic clean-up of session data is imperative.

By combining the session clean-up with an upfront device assessment, it becomes easy to detect if the user is using a device approved by the organization or if it is not approved. If the device is not approved, once the user is done using the system to connect to e-mail or any other number of applications, data should be erased immediately from the device.

By simply adding this extra layer of protection, most organizations can safe-guard themselves against losing sensitive data to malicious attackers. Session clean-up should be added as part of a larger security strategy aimed at minimizing the loss of personal data, in combination with device assessment and strong authentication.

Summary