BlockID Archives - CISO MAG | Cyber Security Magazine

Vaccine Released Against Phishing, Vishing, Smishing, and Identity Compromises
https://staging-cisomagcom.kinsta.cloud/phishing-vishing-smishing/
Published Mon, 07 Sep 2020 03:30:33 +0000
Have you ever responded to an unsolicited email from a barrister located in Western Africa who, out of the blue, contacted you? For some inexplicable reason, he saw you as a kind and generous person who undeniably deserved his late client’s inheritance of millions of British Pounds. Well, I have! I just wanted to see what the scam was about. After a couple of email exchanges during which I received photos of the recently deceased client–always dressed in the same clothes, including in the framed photo that was clumsily photoshopped and pasted on top of a casket–I was asked to send $500 via Western Union to Nigeria to pay for the paperwork and get the process started…

By Nick Roquefort-Villeneuve, Director of Marketing at 1Kosmos

Phishing, Vishing, and Smishing in a Nutshell

The Nigerian inheritance email is a prime example of a phishing attack. And along with technological advances, other types of attacks have appeared in recent years, such as vishing and smishing. Let’s take a quick look at what they are:

  • Phishing is a type of social engineering attack used to steal user data, which includes login credentials and credit card numbers, for example. Phishing happens when an ill-intentioned individual, posing as a trusted entity, dupes a victim into opening an email, instant message, or text message.
  • Vishing is similar to phishing, except the criminal tries to gain information over the phone. If you want to see an example of vishing and spend a lovely time with your family this weekend, watch the movie “Identity Thief” starring Melissa McCarthy and Jason Bateman.
  • Finally, smishing is short for SMS Phishing. Hackers send bogus links via text instead of email.

All of the above attacks are designed to compromise essentially 5 types of data: credentials (passwords, usernames, PINs), personal data (name, address, email address), internal data (sales projections, product roadmaps), medical data (treatment information, insurance claims), and bank data (account numbers, credit card information).

The Consequences of Phishing, Vishing, and Smishing Attacks

Now, a few staggering statistics:

  • 1 in every 99 emails is a phishing attack (Check Point Research)
  • 32% of data breaches involve phishing (Verizon Data Breach Investigations Report)
  • 29% of data breaches involve the use of stolen credentials (Verizon Data Breach Investigations Report)
  • 64% of organizations have experienced a phishing attack in the past year (Check Point Research)
  • 22% of organizations list phishing as their greatest security threat (EY Global Information)

The average cost per compromised record is $150 (per IBM’s Cost of a Data Breach Report). Reportedly, 5.2 million records were stolen in Marriott’s most recent breach, so allow me to do the math for you: a potential cost of $780 million. In fairness, no one is immune to a data breach. The average breach costs businesses $3.92 million. The costs can be broken down into several different categories, including loss of productivity, damaged reputation, direct monetary loss, compliance fines, etc.

Is there a remedy, or better, a vaccine, against these forms of cyberattacks?

The Vaccine to Protect Against Phishing, Vishing, and Smishing Attacks

With regard to user authentication, there is a vaccine of sorts, and it leverages advanced biometrics as well as Blockchain technology. 1Kosmos BlockID is the next-generation contact-free authentication solution that goes far beyond what 2FA, MFA, and most passwordless applications on the market have to offer. The company’s platform is built on three pillars: enrollment, authentication, and verifiable credentials. The goal is to always focus on ID proofing, which is the irrefutable approach used to verify and authenticate the identity of an employee or a customer who accesses a system or application.

Enrollment Process

The enrollment of employees and customers in the BlockID mobile app consists of triangulating a given claim (ID photo, address, last name, etc.) with a multitude of company- or government-issued documents (driver’s license, passport, etc.) as well as sources of truth (AAMVA, State Department, passport’s issuing country, passport chip, credit cards, bank account, etc.), including biometrics like a liveness test. The liveness test is performed to verify that the biometric traits of an individual come from a living person rather than an artificial or lifeless one. This biometric feature is essential because, ultimately, facial spoofing, which is the task of creating a false facial verification by using a photo, video, mask, or another substitute for an authorized person’s face, is not too difficult if someone really wants to impersonate you. BlockID’s enrollment reaches the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3.

Authentication Process

The biometric identifier BlockID leverages for authentication is a liveness test. Each time a user needs to authenticate to access a critical system or transact financially, he or she performs a liveness test. If it doesn’t match the liveness test performed during the enrollment process, the authentication fails. Moreover, a liveness test offers the added benefit of requiring users to capture a live video of themselves, which has a frightening effect on criminals who’d rather not share their face with the company they are targeting. BlockID’s authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, or AAL3.

Verification Process

The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials in their digital form. Verifiable credentials are tamper-evident credentials whose authorship can be cryptographically verified. Users can share them through API calls with third parties, and only with explicit consent. Thus, the BlockID verification process eliminates all tedious back-and-forth communication between verifiers and issuers, since the verifier no longer has to contact the issuer to confirm the credential, which eliminates data verification costs in the process. Our verification process is fully W3C compliant. This means that the digital credentials we leverage follow a specific standard and format and go through a secure and vetted verification process, so they can’t be shared or leveraged to commit fraud. Moreover, they respect a robust privacy strategy, so they can comply with regulatory requirements across legal jurisdictions. Finally, the attestations that verifiable credentials make are backed by Decentralized Identifiers (DIDs), a technology that enables verifiable, decentralized digital identity.

Lastly, BlockID’s distributed ledger technology stores users’ data encrypted and creates a permanent, immutable record that is invulnerable to tampering.

3 Main Benefits to Conclude…

BlockID creates a paradigm shift in the passwordless industry by bringing 3 main benefits:

  • BlockID proofs the identity of an organization’s employees and customers. In other words, the organization can be certain that its employees and customers are who they say they are… Always. Indeed, the levels of identity and authentication assurance per the NIST 800-63-3 guidelines that BlockID reaches simply make impersonation impossible and make purposely giving away or sharing credentials a worthless enterprise.
  • The costs of deploying 2FA and MFA solutions that require hardware are eliminated. So is the cost of installing biometric stations throughout a facility for fingerprint or iris recognition, for example. BlockID is an app installed on the user’s smartphone that gives physical and logical access to whoever authenticates successfully.
  • Distributed ledger technology is immune to hacking. Therefore, the potentiality of a data breach is eliminated. This is why BlockID leverages this technology to securely store users’ identity information encrypted, with access controlled by the user (GDPR compliant).

About the Author

Nicolas Roquefort-Villeneuve, a French and American bi-national, is the Director of Marketing at 1Kosmos. He is an influential technology and communication marketing executive and an entrepreneur at heart. Roquefort-Villeneuve has 22 years of marketing experience with Fortune 100 companies (Mattel, E*Trade), startups, and as an independent consultant. He is also an award-winning documentary filmmaker. In the last three years, Roquefort-Villeneuve has become an expert in marketing new technologies such as Blockchain. He has earned an MSc in Econometrics from the Université Paris 1 and an MBA from the University of San Francisco.

Disclaimer

CISO MAG did not evaluate/test the products mentioned in this article. The facts, opinions, and language in the article are entirely those expressed by the author and do not reflect the views of CISO MAG.

How to Leverage a Contact-free Authentication Solution for the Workforce
https://staging-cisomagcom.kinsta.cloud/workforce-authentication/
Published Fri, 14 Aug 2020 04:30:37 +0000
Employees face a challenge daily, actually multiple times per day: they have to access multiple systems and applications throughout the day to do their job. They have to unlock their Windows desktop, log into internal and external web resources and apps, access a Unix server, the employer’s VPN technology, or even a facility. And, often, they are not using single sign-on, so each system and application requires different credentials for authentication.

By Michael Engle, Chief Strategy Officer, 1Kosmos, and Nick Roquefort-Villeneuve, Director of Marketing, 1Kosmos

Three Workforce Authentication Challenges

1. Leveraging Passwords

Some employees have no problem remembering different usernames and passwords. Then there are some who enter a password incorrectly three times before they’re locked out, and then start speed-dialing the Helpdesk. And a few choose to rely on the good old post-it note they stick on their monitor, openly and publicly.

To make matters worse, IT departments insist on complex formats for passwords: between eight and sixteen characters long with at least one uppercase letter, one number, and one special character. How is anyone going to memorize that type of password? Moreover, IT also enforces a password change every 30 or 60 days. For many folks, those requirements, compounded by multiple systems, can be overwhelming, resulting in a proliferation of the infamous post-it notes and Help Desk calls. To get around this challenge, some use the same password for multiple logins or services.

This ecosystem creates inefficiencies, such as loss of productivity and increased costs. Did you know, for example, that replacing one password can cost up to $70? Yes, that’s what it can cost in human capital and machine resources to handle one password reset request!

2. Leveraging 2FA and MFA Solutions

To prevent accounts from being compromised because a password was accidentally “stolen,” and to strengthen the level of user authentication, many organizations have implemented two-factor authentication (2FA) or even multi-factor authentication (MFA) solutions. That’s when you submit your username and password, and then you receive, for example, a text message prompting you to enter a code online.

Those solutions certainly make it slightly harder to compromise an account; however, they’re not foolproof. Ultimately, any hacker can steal a username, a password, and a mobile number stored inside a company’s centralized system. There are also MFA solutions that require a piece of hardware like a security key (a hardware token like Google Titan), but that comes at a cost: paying for each physical token and allocating resources for the hardware’s maintenance. The security key can also be lost or stolen.

3. Leveraging Some Passwordless Solutions

To mitigate the risks MFA solutions incur, biometrics have been added into the mix. This is what passwordless applications offer, with biometric features such as Touch ID, Face ID, or the more advanced iris recognition. A login page, a QR code to scan from a mobile application, a biometric-based authentication, and the employee is in. No more username and password needed! The mobile phone is something the employee has, and the biometric data is something the employee is. The problems with those solutions are high implementation costs and heavy data storage. For example, facial recognition requires top-quality cameras and advanced software to ensure accuracy and speed. Moreover, the high-quality images required for facial recognition take up a significant amount of storage.

So, is there an alternative?

Workforce Authentication Best Practices

A robust contact-free authentication solution for the workforce should focus on identity proofing and therefore be built on three identity pillars: enrolling, authenticating, and verifiable credentials. The pillars need to interact with one another to ensure that identity remains the number one priority. This is the core architecture of the BlockID platform.

1. Enrolling with Claim Triangulation

An employee’s enrollment should consist of triangulating a given claim with a multitude of company or government-issued documents and sources of truth, including advanced biometrics.

For example, by enrolling an employee’s driver’s license and passport (government-issued documents), we are able to verify, in real time, the validity of each document by querying the proper databases (sources of truth) and triangulate several claims (first and last name, address, date of birth, photos) simultaneously, prior to adding an extra source of truth to our ID proofing process: a liveness test. The liveness test is performed to verify that the biometric traits of the employee come from a living person rather than an artificial or lifeless one.

We leverage more sources of validation, such as passport chips, to validate that the passport scanned during the enrollment process matches its digitally signed data. We can also introduce credit cards, bank accounts, or loyalty programs, among others, to reach the highest level of identity assurance per the NIST 800-63-3 guidelines, or IAL3.

2. Authenticating

BlockID uses advanced biometric authentication, a security process that relies solely on the unique biological characteristics of the employee to verify that he is who he says he is. Our advanced biometric authentication technology, using a liveness test, compares the captured biometric data to stored, confirmed factual data in the BlockID Blockchain Ecosystem. A liveness test offers the added benefit of requiring users to capture a live video of themselves, which has a frightening effect on criminals who’d rather not share their face with the company they are targeting.

The BlockID authentication process reaches the highest level of authentication assurance per the NIST 800-63-3 guidelines, or AAL3.

3. Verifiable Credentials

The verification process leverages the attributes BlockID triangulates during the enrollment phase as well as verifiable credentials (in their digital form) that users can share with third parties and with explicit consent.

A verifiable credential is a credential that was issued by a trusted authority for, and only for, the user. It is a tamper-evident credential based on W3C standards, and its authorship can be cryptographically verified. Schematically, issuers create verifiable credentials, users store some of them, and verifiers ask for proofs based upon them. When identity needs to be confirmed, the user chooses which credentials must be verified.

The BlockID verification process eliminates all tedious back-and-forth communication between verifiers and issuers, since the verifier no longer has to contact the issuer to confirm the credential, thus reducing data verification costs in the process. This mechanism means that the user remains in control and keeps ownership over his or her identity, by electing what they want to disclose, and to whom they wish to disclose it.

4. Employee Data Stored Encrypted in a Decentralized Ledger

BlockID leverages the BlockID Private Blockchain Ecosystem to store employees’ encrypted data. The benefits of using a decentralized system are multiple, from being virtually uncompromisable to initiating peer-to-peer transactions while ensuring the immutability of the data stored. Such a system promotes transparency and consequently creates trust between employers and their employees who need to access corporate systems and applications. Employees own their data and choose to share only the information that is required to access a specific solution. And it is W3C compliant.

Conclusion

BlockID is the next-generation contact-free authentication solution for the workforce that leverages advanced biometrics and distributed ledger technology. The application unifies physical and logical access, allowing all employees to use a single smartphone app for all kinds of access, whether it is to enter a highly secure data center through a mantrap, to log into Unix or Salesforce, or to unlock a workstation without connectivity.


ADVERTORIAL

About the Authors

Michael Engle is the Chief Strategy Officer at 1Kosmos. He is a seasoned information technology executive, leader, and entrepreneur. Engle is an expert in information security, business development, and product design/development. He has experience running large teams and multi-million-dollar projects for a Fortune-100 bank as well as working with startups that need to set direction and go from “zero to one,” as it is now commonly called. As a co-founder of Bastille Networks, he helped raise over $40 million in VC to create a powerhouse in the RF security sector. As a Senior VP at Lehman Brothers, Engle was instrumental in designing and implementing the bank’s security program.

Nicolas Roquefort-Villeneuve, a French and American bi-national, is the Director of Marketing at 1Kosmos. He is an influential technology and communication marketing executive and an entrepreneur at heart. Roquefort-Villeneuve has 22 years of marketing experience with Fortune 100 companies (Mattel, E*Trade), startups, and as an independent consultant. He is also an award-winning documentary filmmaker. In the last three years, Roquefort-Villeneuve has become an expert in marketing new technologies such as Blockchain. He has earned an MSc in Econometrics from the Université Paris 1 and an MBA from the University of San Francisco.

Disclaimer

CISO MAG did not evaluate/test the products mentioned in this article. The facts, opinions, and language in the article are entirely those expressed by the authors and do not reflect the views of CISO MAG.
