The 2010 Data Breach Investigations Report from the Verizon Risk Team and the US Secret Service reveals that 96 percent of all compromised records were hacked from outside the organization, often through the use of stolen login credentials. The report also shows that the most common attack pathway is through the public-facing website and Web applications. Despite these facts, most businesses allocate just 10 to 18 percent of their IT Security budget toward securing their websites and Web applications! The vast majority of IT Security budgets are allocated to network infrastructure security while the most visible and most targeted portion of the business – the public-facing website – is left vulnerable to attack. It’s equivalent to equipping your home with an expensive alarm system but then leaving the front door wide open to robbers.

The interactive nature of websites today makes them more susceptible to attacks than in the past. Most websites allow visitors to create accounts, store data, share content, submit Web forms and post comments on blogs and news articles. Weak authentication standards on the public facing website – such as requiring only a simple username and password to login – make it easy for hackers to compromise customer accounts, steal confidential company data, and commit fraud and identity theft.

That’s because most people choose weak passwords that are easily compromised and re-use passwords across multiple websites. The average Internet user has more than 25 online accounts for which they use just 6 different passwords. The top 5,000 most common passwords used on the Web are shared by 20 percent of the population! In a recent study, researchers at Cambridge University describe the domino effect of poor passwords on the Web, saying that inadequate authentication practices on just a few websites undermines security across the entire Web. They explain that, because people re-use passwords, hackers steal online credentials from sites with weak security and use them to access high-value websites with stronger security. For example, it’s estimated that 10 percent of the 32 million login credentials exposed in data breach could also be used to access PayPal accounts!

It’s not just users exhibiting poor security practices. In the same study, only two percent of websites adequately addressed all the necessary areas for secure authentication – including preventing brute force guessing attacks and harvesting of account information, and encrypting credentials during transmission and storage.

The negative repercussions of a data breach can be ruinous for a business and can include legal liability and fines, damage to the corporate reputation, loss of customers, the costs to improve IT security systems and more. Fortunately, most data breaches can be avoided by implementing straightforward security controls – specifically, by adopting stronger mutual authentication practices on websites.

Strong authentication is easier to achieve today than in the past. The growing popularity of authentication-as-a-service and the widespread use of mobile smartphones make it possible to deploy one-time passwords and two-factor authentication without the need for tokens, smart cards or biometrics, which are often cost-prohibitive and too complex to distribute and maintain.

Most organizations can improve website security by taking advantage of image-based authentication which creates one-time passwords for each login or high-value transaction. One-time passwords provide increased protection against keylogging software and can be used either to replace traditional passwords or as an extra layer of security to complement the password. The user simply remembers a few categories – such as dogs, flowers and cars – and then identifies pictures that fit those categories to create a unique password every time authentication is needed.

The widespread use of mobile smartphones among consumer and business users provides an additional option for strong authentication. Some websites today already take advantage of mobile phones for out-of-band authentication by sending a one-time password to the user’s mobile phone. The user then types the password they received into the website to authenticate. The disadvantage of this approach is that the one-time password is sent in clear text. If someone else has possession of the user’s phone, they can easily read the password and authenticate. A better approach is to send an ImageShield to the user’s smartphone. A grid of images appears on the users’ phone display and they must authenticate by identifying the images that fit their secret categories. Using this method, even if somebody else has possession of the user’s phone, they would not be able to correctly authenticate because they don’t know which images to select. Relying on mobile phones for two-factor authentication is much more affordable for businesses than purchasing, distributing and maintaining hardware tokens or smart cards for their entire user base.

The availability of cloud-based and mobile authentication services today enable businesses to put into practice strong authentication recommendations that used to be considered too costly or complex for widespread use. No longer is strong authentication only important for businesses in regulated industries such as financial services. With the interconnected nature of the Web, the domino effect of poor password practices, and the amount of sensitive information shared and stored on everything from social networking sites to shopping sites, businesses must improve authentication on their websites. Some leading websites are doing just that, with Google Apps, WordPress and Facebook all recently implementing mobile authentication, one-time passwords and image-based authentication. It’s time for more businesses to follow their lead by shifting their focus to improving security and protecting confidential data through strong online authentication.

Source by Roman Yudkin

Share Article:

Leave a Reply

Unlock the Power of SEO with the Top SEO Service Provider in Sri Lanka. Our experts deliver tailored strategies for businesses to soar higher in search rankings and dominate the online competition.

©2018 Shen e-Services (Pvt) Ltd. All Rights Reserved. SEO Services

Check The Feedback