Singled out

Authentication is becoming a critical issue for enterprises around the world, especially in the face of sophisticated online attacks. But Middle Eastern organisations, outside of the financial sector, are still slow on the uptake.

By Eliot Beer. Published August 1, 2006

There are all sorts of terrifying statistics about how the average computer user mistreats his or her password. In addition to using children’s names, birthdays, pets, maiden names and even streets, the average user will probably write down his password if it’s even vaguely hard to remember – in other words, if it contains security features such as capital letters, numbers, or non-alphanumeric symbols. In addition to this, various surveys from around the world reveal that almost anyone can be persuaded to give up passwords in exchange for something as trivial as a free pen, or a bar of chocolate (although it has never been disclosed how many of these surrendered passwords are actually real). And with passwords giving increasing levels of access not only to services like banking facilities, but also to sensitive corporate systems in the case of employees, is it time to call it a day for the static password?

Not just yet, at least in the Middle East, according to Ayman Majzoub, general manager of Pointsec’s regional office: “Most organisations in the Middle East today still use static passwords. This is changing bit by bit – companies are looking at smartcards, especially, and we have seen some very large projects, such as Saudi Aramco and several governments – but in the private sector, I think it’s going to take another four to five years to bring in advanced authentication systems.” Majzoub thinks this is down to strong authentication being on firms’ ‘nice to have’ lists, rather than being a critical implementation. He puts this down to the considerable investment, not only in financial terms, but also in staff workloads and disruption, which comes with implementing a new authentication system. But Majzoub says he expects things will start to change.

“As things like the Sarbanes-Oxley act start to have an effect here, US companies with business interests in the Middle East are recommending, and sometimes forcing, regional enterprises to adopt stronger authentication methods,” he says. “Also, the media needs to focus on security breaches at banks, as they do in the US for example – every single incident there will mean the management of the bank will get grilled. We don’t have that over here at the moment, so we have seen only a few shy cases in the region, partly because there are no government controls. But as companies shy away from bad press, they are taking more and more steps to secure their data.”

There are signs that this shift is already underway, certainly in countries such as the UAE, where internet adoption rates and the high number of banks have made it a more attractive target for phishers and hackers. A spate of attacks last year made headlines in the IT press, and forced a number of banks to look again at their security procedures.

Jitendra Kapur, business development manager for Online Distribution’s security unit, echoes the suggestion that the banking and finance organisations are leading the uptake of authentication systems. “What we are seeing over the last 18 months is that the adoption of authentication is just starting to take off in the region,” he says. “The financial sector is driving the adoption of authentication systems, to work with their online banking systems; aside from multinational companies opening offices here, the banks are the main authentication customers in the Middle East at the moment. Local corporates are bringing it in, but slowly.”

[Photo caption] Ribeiro: “This is very serious – we are talking about bank security, but it seems like most partners need the vendor to come over and help them implement and maintain solutions.”

Among the firms affected by last year’s banking attacks was the Commercial Bank of Dubai (CBD); while the bank suffered no attack on its online banking service, its static website was defaced, prompting it to change its web hosting provider. Since then it has been looking hard at its security systems, both internally and for its internet banking customers. A key part of this is a new authentication system, which will probably be based around both tokens (for the majority of staff) and biometrics (for senior managers and other key personnel; see box: biometric breakthroughs). According to Rinaldo Ribeiro, senior manager for IT security at CBD, the system could be live in the not-too-distant future. “We will be issuing one-time-password tokens to our customers, but we don’t know yet when and how we will be launching the system – we are still testing the solution and considering internal controls and issues,” says Ribeiro. “I hope we can deploy the solution in the near future.

“We are considering using the same authentication system internally and for customers – so the staff that use tokens would use the same ones as our customers. We as staff are also the bank’s customers, using the same e-banking sites. So staff could use the same token to connect to CBD’s internet services, and also our internal systems.”

Ribeiro highlights two main issues CBD has faced when looking to deploy the new authentication system: integration, and local support. Working to integrate the system is not just a matter of physical installation and connection; Ribeiro points out that a key part of implementation is the meshing of the new system with existing services and processes. He gives the example of integrating token-based passwords with CBD’s e-banking service: which customers will have to give one-time passwords? When in the process will they give them – just at the start, or every time they transfer money?

“Local support is also extremely important,” says Ribeiro. “In our case, since we are considering single sign-on and tokens, all the systems and all the users will be using one particular solution, and so we are trying to make sure that we have a very good local partner.”

He says CBD is happy for a vendor to come from elsewhere in the world and perform the main implementation, but his main worry is for the post-implementation service. He has concerns about the number of partners available in the region for products such as authentication systems and single sign-on, and says they often do not have the skill levels needed to deploy and service a system by themselves.

“It’s very difficult to find a solution along with a partner capable of delivering the whole project,” Ribeiro says. “The excuse is that you need to depend on the vendor, because you cannot expect the whole product to be delivered by the partner alone. Although they have a very good partnership, and they have sold the solution to other banks, we would be depending on the vendor to deploy it. This is very serious, we are talking about bank security, but it seems like most partners need the vendor to come over and help them.”

[Photo caption] Majzoub: “In the private sector, I think it’s going to take another four to five years to bring in advanced authentication systems.”

There are also a number of critical issues which IT and security managers need to consider prior to an authentication implementation. One vital concept to understand, according to a number of IT industry commentators such as the veteran security consultant Bruce Schneier, is that authentication is by no means a ‘silver bullet’ when it comes to preventing malicious access.

Last year Schneier commented in his blog that one-time password tokens and other two-factor authentication methods were potentially ineffective against certain sophisticated approaches, such as ‘man-in-the-middle’ attacks, where a hacker or phisher, either through a fake website or a trojan, relays account data in real time between a victim and an online service, diverting any funds from their intended destination. Last month this theoretical scenario came true for Citibank customers, as a Russian phishing site managed to relay token-generated passwords in real time to the Citibank site; despite this technical success, it is unclear whether the phishers actually stole any customer funds.

Ribeiro acknowledges the risk. “Even if you use a one-time password device and a strong authentication solution, there is always a way of stealing your credentials and accessing your systems. There is no silver bullet, no single way of solving 100% of those security problems.”

He notes that it is also perfectly possible, for example, to call up customers – something which is increasingly easy with VoIP-based scams growing in number – and ask for sufficient information, including password details, to log into an e-banking service in real time. But, says Ribeiro, this does not mean two-factor token-based authentication is useless: “It is possible to break it, but the risk is much, much smaller, and using a solution such as tokens we would be reducing the window of opportunity for an individual or group to try to do something evil against the bank or the system.”

While these risks are largely confined to the online banking field, both consumer and business, corporates could also potentially be at risk. A key trend in recent months has been the shift from disruptive, general malware attacks – such as classic viruses – to financially-motivated, more targeted efforts.
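The real-time relay risk Schneier and Ribeiro describe, as an added illustration that is not from the article or from any vendor named in it: a minimal TOTP-style verifier in Python shows that a one-time code forwarded within its validity window is accepted no matter who presents it, that the same code is rejected once it has been used or once the window has passed (Ribeiro’s “window of opportunity”), and, going one step beyond the article, that binding the code to the transfer details (the “every time they transfer money” question) stops a relayed code from authorising a diverted transfer. The seed, timestamp and account strings are constructed for the demo.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed"   # constructed sample seed, not a real token seed
STEP = 30                           # seconds per code window, as in TOTP (RFC 6238)
NOW = 1_154_390_405.0               # constructed timestamp, 5 s into a window

def otp(secret: bytes, counter: int, extra: bytes = b"") -> str:
    """6-digit code: HMAC-SHA1 over the time counter, plus optional bound data."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class Verifier:
    """Server side: accept a code only for the current window, and only once."""
    def __init__(self, secret: bytes, step: int = STEP):
        self.secret, self.step, self.used = secret, step, set()

    def check(self, code: str, now: float, extra: bytes = b"") -> bool:
        counter = int(now // self.step)
        if counter in self.used:          # one-time: no second use in this window
            return False
        if not hmac.compare_digest(code, otp(self.secret, counter, extra)):
            return False
        self.used.add(counter)
        return True

def relay_scenario(now: float = NOW) -> tuple:
    """Victim types the code into a fake site; the phisher forwards it at once."""
    v = Verifier(SECRET)
    code = otp(SECRET, int(now // STEP))   # what the victim's token displays
    relayed = v.check(code, now + 2)       # forwarded within seconds: accepted
    reused = v.check(code, now + 3)        # second use in the same window: rejected
    late = v.check(code, now + 2 * STEP)   # after the window: rejected
    return relayed, reused, late           # (True, False, False)

def transaction_bound_scenario(now: float = NOW) -> tuple:
    """Code also covers the transfer details, so a diverted transfer fails."""
    v = Verifier(SECRET)
    intended = b"to=ACC-1234;amount=500"   # constructed transfer details
    diverted = b"to=ACC-9999;amount=500"   # destination swapped by the relay
    code = otp(SECRET, int(now // STEP), intended)
    return v.check(code, now + 2, diverted), v.check(code, now + 2, intended)  # (False, True)
```

The verifier alone cannot tell a relayed code from a genuine one; only the short window, the single use and the binding to what is being authorised limit the damage.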
One recent and worrying manifestation of this came in the UK last year, where hackers working through Chinese servers made a concerted attempt to attack British government departments over the vulnerable Christmas period. Malware writers who target specific organisations are also making their creations harder to spot, as trojans and viruses often no longer try to distribute themselves once they have infected a machine.

Pointsec’s Majzoub says organisations need to look at security as a whole: “I think customers adopting authentication systems need to realise that authentication should be part of an overall security strategy. If you have a very good authentication solution in place, this does not mean that your company is secure; you also need to look at other areas just as seriously.”

See box - Mobily methods for what the second Saudi operator is doing with authentication.
