Do you need another reason to stop using SMS for 2FA?

Posted in Computers and Internet, General, Security on March 7, 2018 by Will

In an age when data is gold, and marketing is a way of life, you still probably don’t want to receive marketing on your mobile phone.  I always hate having to register for events or downloads because I know that email address is going to get sold and then I am going to start receiving my fair share of spam.  I bet most of my readers probably have a separate email account set up just for this reason.

Over the last year or so, I have noticed that I am getting more and more telemarketers calling my mobile phone.  Now I also know that I have been putting my mobile phone number into more sites than my home number simply because it’s where I can typically be reached.  This has led me to start having a “spam” mobile number, just so I can filter out all of those unwanted calls more easily.

After reading about a Facebook user that started receiving SMS spam after registering for Facebook’s 2FA, I now know to use my “spam” mobile number for those sites that I can’t use real 2FA on.  This is just a new encouragement for me to search these sites and see if I can find a real One Time Password application or a good FIDO U2F hardware device.  If your account hasn’t been hacked by leveraging SMS for your 2FA, now it might be sold to the highest bidder so you can get spammed on it.  It’s time to stop using SMS for 2FA and find a better solution.


After writing and scheduling this story, I found a response from Facebook stating that the spam to the security SMS number was in fact an error.  For me, this does not change the fact that SMS is still insecure and easily hackable and should not be used if other more secure options are available.  In the case of Facebook, you can use their mobile app to generate One Time Passcodes and they will send you secure push notifications, and I would highly recommend using either of those options over the SMS 2FA option.


Yet another crypto hack, protect yourselves

Posted in Computers and Internet, General, Security on March 6, 2018 by Will

Over the last 6 months, the most prevalent news stories in my news readers are those about the increase in crypto-mining malware incidents, as I commented on a few months back.  They are literally happening weekly and maybe even daily.  Last week I presented data on the fact that we are seeing a massive rise in phishing attacks.  These phishing attacks are targeted attacks, also called spear phishing.  They are targeted at companies and individuals in order to get crypto-mining software in more locations.  Getting the crypto-mining bots on as many systems as possible, by leveraging traditional attack methods such as phishing, is a major headache for all companies and individuals out there.

The crypto currency explosion has brought everyone from every corner.  Most people associate Bitcoin with crypto currency, but there are many others out there.  All of these crypto currencies are a great way to anonymously move money.  Back in the days of early phishing, a hacker or a hacking team would go out and steal usernames and passwords and then they would sell them on the black market.  There were many points at which they could get caught here, and the old adage of “follow the money” was the most common.  With the usage of crypto currencies, the hackers can now move the money more secretly.  However, there were still problems and spots where they could get caught, and rather than seek payment for services, I think everyone would agree that if you could just generate your own currency and avoid the middle people, that would be much easier.  That’s exactly what the hackers have thought too.  So now the name of the game is to get crypto-mining software on anything that has a CPU, and phishing to get privileged credentials is less about selling them to others and more about being able to immediately use them to get the mining software loaded and making money for them.

This week, Tesla’s cloud servers were compromised and crypto-mining bots were loaded on their Amazon Web Services.  There have been a number of high profile companies recently that have been compromised, but with fewer big headlines around them.  The main reason for this is that, although these companies are compromised, the hackers don’t necessarily leak the data contained in those servers.  That is not to say the data isn’t compromised in most cases, just that getting the crypto-mining bot up and running is more the focus and the intelligence community knows this.  So why bring more panic and attention rather than just stop the malware in its tracks?

Knowing what the attacks are focused on, we should adjust our security to protect against this.  Crypto-mining bots are being added to cloud servers where there is almost unlimited processing power.  They are also being added to web sites as file-less attacks, or drive-by attacks, allowing every visitor to give a bit of their processing power to the mining malware collective.  And we are seeing many mainstream (and not-so-mainstream) mobile apps repackaged to include these mining malware bots, typically in a hidden mechanism that the end user would never even notice until their device slows down and is unusable due to the mining operations.  There are still other platforms that are being attacked, including IoT (like your wireless cameras and wifi connected thermostats) and big industrial systems (SCADA) used in utilities and manufacturing.  Each attackable platform needs to make use of the appropriate tools to help combat these attacks.  I pointed out last time that it’s important to be up to date with your patches and to pay close attention to your data.  These recent attacks make it even more visible.

***Edit adding more missed hijacked sites***

I missed the UK government one:

Or the list of 4300 other web sites that have been infected:

Los Angeles Times:

Too busy to blog…but come see my webinar

Posted in Computers and Internet, Conferences, Security on February 28, 2018 by Will

It’s been a busy couple of weeks since the DeveloperWeek conference.  There has been no shortage of security related news, with lots of predictions becoming realities for 2018.  Unfortunately my work and real life have caught up with me and limited my weekly posts.  Don’t fret, I am coming back.  And if you miss me, come sign up for my webinar: register online here.  I’ll be covering all of my favorite reasons to use Application Shielding and Hardening, and all of the DIGIPASS for Apps tools and where to use them.  Bring your questions and I’ll answer all of them.

Multi-factor, not just biometrics.

Posted in Computers and Internet, General, Security on February 5, 2018 by Will

Biometric authentication is fairly commonplace today.  Just about everyone knows how to use the fingerprint scanner on most modern smartphones.  With the newer phones, facial scanning has started to take the place of the fingerprint.  And some mobile apps that are trying to up their security beyond the built-in platforms have included iris scanning.  Biometrics check off the “ease of use” and “strong security” check boxes most of the time.

Where it starts to fall apart is when application owners start to implement only biometrics.  For years security experts have been telling application owners that they should be implementing multi-factor authentication.  This means they should be pairing two different authentication technologies from at least two different factor groupings.  As a refresher, there are three authentication factor groups: “Something You Know”, “Something You Have” and “Something You Are”.  Taking two technologies from the same factor does not mean you have multi-factor; you must have at least two technologies from different factors.  Biometrics fits into the “Something You Are” factor grouping and is a single-factor technology.

Today a great write up on the attack vectors that are currently plaguing the most common biometric technologies was published on DarkReading.  The attacks have been around for a while, but they still work.  When you read the article, it is impressive how simplistic these attacks really are.  Biometrics are an advanced technology, and yet a piece of paper, or a gummy bear, is all that is needed to break them.  These attacks will be mitigated and solved and new versions of the products will be released, but then that will just invite new attacks.  Nothing is completely secure from some style of attack; it just takes longer to find the appropriate attack vector.

Application owners should see these attacks and think back to attacks on static passwords, on SMS passwords and on all of the other authentication technologies.  When you take one form of an authentication factor, there are probably a few different attacks against it.  However, when you start to combine the technologies across the different factors of authentication, the attacks are much harder and some of them are next to impossible.  The best applications implement multi-factor authentication in ways that only call attention to it when it is needed (or detected), and allow a user to continue to do what they need to without being impacted all the time.
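As an added illustration of two points above, the recommendation of an OTP app over SMS and the rule that two technologies from the same factor group are not multi-factor, here is a small verifier (example code, not from the original post): it computes RFC 6238 TOTP codes and accepts a login only when the verified proofs span two distinct factor groups. The user record, factor table and `authenticate` policy are constructed for this example.

```python
import hashlib
import hmac
import struct

# Factor group for each authenticator type (the three groups from the post).
FACTOR_GROUP = {
    "password": "know",
    "totp": "have",         # OTP app: proves possession of the seeded device
    "sms": "have",          # also "have", but the weakest way to prove it
    "fingerprint": "are",
    "face": "are",
    "iris": "are",
}


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time counter."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def is_multifactor(methods) -> bool:
    """True only if the verified methods span two or more distinct factor groups."""
    return len({FACTOR_GROUP[m] for m in methods}) >= 2


def authenticate(proofs: dict, user: dict, now: int) -> tuple:
    """Verify each presented proof, then apply the factor-group policy.

    proofs: {"password": str, "totp": str, "fingerprint": bool, ...}
    user:   constructed record holding the stored password and TOTP seed
            (a real system would store a password hash, not the password).
    Returns (accepted, list_of_methods_that_verified).
    """
    verified = []
    for method, value in proofs.items():
        if method == "password":
            ok = hmac.compare_digest(value, user["password"])
        elif method == "totp":
            # accept the current and previous step to tolerate small clock drift
            ok = any(hmac.compare_digest(value, totp(user["totp_secret"], now - d))
                     for d in (0, 30))
        elif method in FACTOR_GROUP:
            ok = bool(value)  # biometric/SMS result as reported by the platform
        else:
            ok = False
        if ok:
            verified.append(method)
    return is_multifactor(verified), verified


# Constructed sample user; the TOTP seed is the RFC 6238 test-vector secret.
SAMPLE_USER = {"password": "correct horse", "totp_secret": b"12345678901234567890"}
```

Two valid biometrics still fail the policy because both sit in the “Something You Are” group, while a password plus a current TOTP code passes.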

Developer Week 2018 opens today

Posted in Computers and Internet, Conferences, General on February 5, 2018 by Will

Monday morning in Oakland, California and Developer Week 2018 has started.  Registration is going well, and my colleague, Michael Williams, and I are all set up and ready to give our talk tomorrow.  Our talk is on Tuesday from 3:00 to 4:30PM on the second floor in room 208, Workshop Stage 5.  We’d love to fill the room and get everyone in to hear about VASCO Data Security’s latest DIGIPASS for Apps mobile SDKs and eSignLive SDKs.  We will take you through how to leverage the free-to-trial DIGIPASS for Apps APIs to help extend your app’s features and build small security steps on your way to creating a fully trusted and secure mobile app.  We will also help you with implementing a full digital signature workflow, moving your app towards a complete electronic document processing implementation.  In the end we hope to leave you with information on how to use all of our technologies to enhance and speed up your mobile app strategy by giving you a number of new tools you can use in your daily development lives.

We hope to see you there, and questions are always welcome!


Hackathon @DeveloperWeek 2018 eSignLive by VASCO Winners!

Posted in Computers and Internet, Entertainment, General on February 4, 2018 by Will

Congratulations to our winners!

1st Place:

Esfer – This team decided to tackle the legality of Peer to Peer payments.  They created a beautiful prototype of a mobile application where a requester could create a legal document using the eSignLive SDK and send that to the payee where the payee would then sign the document and accept the terms and complete the transaction.

2nd Place:

VMatch – This team decided to make a mobile app to connect Conference Organizers with Volunteers.  It included a video conference component to interview candidates and then used the eSignLive Android SDK to create a volunteering contract with the organizer.

Great Apps!

Hackathon Day 2 – Let’s see your projects!

Posted in Computers and Internet, Entertainment, General on February 4, 2018 by Will

Start of the @DeveloperWeek 2018 Hackathon day 2.  We saw some amazing starts yesterday, some very innovative products and cool uses of our eSignLive SDKs.  Today, we hope to see some of these projects get to a finished state.  You can still register your project online at the show website.  We will be announcing our winners this afternoon, so make sure you get those projects completed for the judges.  If you are looking for our table, we have moved to the second floor, come up and ask us anything.

On a side note, Congratulations @TomBrady MVP, GOAT, and let’s go @Patriots!
