Bringing Multi-factor Authentication to Enterprise File Transfer

By Torben Andersen, Chief Commercial Officer

Last week we shared exciting news that SMS PASSCODE has formed a strategic technology alliance with Globalscape. Globalscape designs and delivers both SMB and enterprise file transfer software and services that are trusted by the U.S. Army, Fortune 100 companies, and businesses around the world. I wanted to further highlight what this partnership means to enterprises using file transfer services today.

In recent years multi-factor authentication has changed from being a ‘nice to have’ to a ‘need to have’. We encounter it in our personal lives when, for example, paying our bills online and accessing our social media accounts, and now it is also quickly becoming a best practice for enterprises of all sizes looking to secure access to corporate networks and cloud applications. But what about situations where employees are using various forms of file transfer solutions and FTPs to transmit data to external parties? Here it is equally important to authenticate users before granting access to these data storage facilities.

As a result of this partnership, our multi-factor authentication platform now integrates seamlessly with Globalscape’s secure managed file transfer solution EFT™ (Enhanced File Transfer™). With this integration, system administrators can connect EFT to SMS PASSCODE via a local or LDAP-authenticated site to deliver a one-time-passcode via text message (SMS), a voice call, through email, or via an app to the user’s mobile phone as part of the login process for HTTP, HTTPS or SFTP transfers.

Customers benefit from enhanced security as they can easily deploy multi-factor authentication to their secure file transfer via EFT, and without compromising convenience for the users as they will benefit from the superior user experience the SMS PASSCODE platform provides.

Here is a short video that shows the login experience to Globalscape with multi-factor authentication protection.

Busting The Top Four Myths About Hacking

By Torben Andersen, CCO, SMS PASSCODE

Knowing what’s myth and what’s fact is essential to avoid running unnecessary risks to your business. Myths can lead to false assumptions and thinking that your business is not at risk of being breached by hackers. So let’s take a closer look at some of the most common myths out there.


1# Myth – Hackers only target the big brands

When big brands like Target, eBay, Adobe, and Sony are hacked, it’s big news for business and mainstream publications. Don’t be fooled: big companies aren’t the only ones being targeted. In fact, research shows that 31 percent of all hacking attacks were aimed at businesses with fewer than 250 employees.


2# Myth – You have nothing valuable for hackers to steal

Fair enough. Not everyone is fortunate enough to be storing breakthrough research with the potential to revolutionize your industry if only you can keep it secret long enough to secure a patent. But what about your business email? Email often contains highly sensitive data, such as competitive bids, investment plans or pipeline information. Imagine the damage if these details were to fall into the wrong hands.

There’s even more low-hanging fruit to steal if hackers breach your network. Customer records, credit card information and even employee user credentials are worth as much as $50 USD per record when sold on the Internet. An entire shadow economy has emerged online with brokers selling stolen user records; according to the FBI, cybercrime has become even more profitable than drug-related crimes. This makes everyone a target.

3# Myth – Your anti-virus and network vulnerability tests will keep you safe

Patch management, updated anti-virus applications and frequent network vulnerability tests are all good weapons in a defense against hackers. However, if you are not securely authenticating your users when they access your corporate networks or applications, then you’re leaving the front door open for the hackers. Research shows that weak or stolen passwords are exploited in 76 percent of all network breaches. So, yes, this really is the hackers’ preferred way in.

4# Myth – Hackers are teenagers lurking in a basement somewhere

For most of us, the word “hacker” prompts images of pale teenage boys with long hair, black t-shirts and a serious grudge against Microsoft. While many hackers probably still fit this description, the reality is that the hacker has evolved. Today’s hacker is highly educated, well-connected, and well-equipped, enjoying a high-income profession as a professional cybercriminal. The hackers have some powerful tools at their disposal (see examples in this blog post), and many poorly protected victims have made hacking easier than ever before, resulting in cybercrime becoming the fastest growing crime type in the world.

Hackers’ motive is most often financial gain, but “hacktivism” is also becoming a growing threat to nations and organizations that don’t sympathize with the hacker’s cause.

We have created an infographic and short video that capture the key facts from the latest research about the threat companies face from hacks. Take a look here.

Have any hacking myths of your own to share? Post them in the comment field.

 

Sources: Data Breach Quick View 2013, Verizon Data Breach Investigations Report 2013, FBI, Internet Security Threat Report 2014

 

Don’t Let Hackers Crash Your Party

By Claus Rosendal, CTO

We can all agree that there are serious IT threats out there today that all companies need to protect themselves against. Working with IT security every day I have seen a lot of what today’s hacking community has to offer, yet I’m still amazed by the strength and sophistication of the hacking tools used to steal identities and breach corporate networks. Some good examples of these tools were on display when I attended Microsoft’s TechEd together with the rest of the development team. Here is a recording from one of the sessions that I thought would be interesting to share in this blog. Amongst other ‘features’ it shows how to easily intercept user credentials and passwords via man-in-the-middle attacks as well as how to steal security certificates from users’ machines.

Although the powerful tools at hackers’ disposal are scary to think about, there are still companies out there that haven’t yet deployed strong multi-factor authentication to keep their data safe.

Having the latest antivirus software and running network vulnerability tests are both essential places to start, but if you are not authenticating your users, then you are leaving your front door wide open to hackers.

The fact that weak or stolen user credentials are exploited in 76 percent of all network breaches (according to Verizon Data Breach Investigations report 2013) shows that obtaining user credentials is the most effective method for hackers to gain access to a company’s data.

Regardless of whether these usernames and passwords are cracked, phished, or purchased online, it is simply the easiest way for hackers to slip past the gates.

While multi-factor authentication can’t protect you from all cyber threats, modern multi-factor authentication technology WILL ensure that only your invited guests can join the party.

Surf’s up – Are You Ready For the Tidal Wave of Forgotten Passwords?

By Torben Andersen, Chief Commercial Officer, SMS PASSCODE

It is summer, surf is up and most of us already have or are planning to take some time off to relax and reload our batteries.

Now I don’t want to spoil your vacation or cause unnecessary stress, but have you thought about what happens when your employees return from summer vacation and cannot remember their passwords?

Statistics suggest that as many as 20-50% of all help desk calls are related to password problems, and the scenario with forgotten passwords after a vacation is classic and a real pain to many IT departments year after year. When I attended Infosecurity Europe in London back in May I had the pleasure of speaking with many IT professionals visiting our booth. During these conversations, it quickly became clear to me that passwords are a real curse for IT managers. The main concern, of course, is the fact that passwords today offer no real protection as a means of authentication, but the security aspect aside, forgotten passwords typically require the IT department’s involvement to get the users back online, and the IT managers I spoke with dreaded the spikes in help desk calls they receive around the holiday periods.

However, it doesn’t have to be that way. SMS PASSCODE’s Password Reset Module takes this pain away by enabling users to easily reset their own Active Directory passwords in a secure way.


How does it work?

So how does our Password Reset Module work? Well to illustrate a situation where a user forgets his/her password and is locked out, we made this short video. Take a look.

 

As you can see from the video, the process of resetting the password is easy and intuitive, and the user is quickly back online. However, the latest release of Password Reset Module also features the possibility of alerting users when their password is about to expire.

By coincidence my own password was up for renewal yesterday, so I thought I would write this blog to share the experience from a user point of view and to highlight how the notification process around password renewals actively helps avoid user lockout situations in the first place.

First I received a text message saying “Your password will expire in 3 days. You can set a new password here”, followed by a link to the self-service site. Not only was this message timely (it informed me BEFORE my password expired), but it also allowed me to take action and reset the password by clicking the URL.

I clicked the link in the message and was forwarded to the SMS PASSCODE Self-Service website, where I was guided through the process step-by-step. I completed the process directly from my iPhone. No need to open up a browser on my laptop or to pinch to zoom in on the screen of my mobile phone.

In terms of security the Password Reset Module can be configured to look at my location and then determine the level of authentication needed before I can reset my password. In my particular case the solution identified that I was in a trusted location (inside the office building) and I was prompted to enter a One-Time-Passcode (OTP) that was sent to my mobile phone.

This was an interesting step, as the flash SMS with the OTP popped up on top of the self-service site, requiring me to remember the code after hitting OK on my screen. Luckily SMS PASSCODE’s memoPasscodes™ feature means all our codes are easy to remember, and I had no problems during this step.

The entire process of setting a new password took me less than 3 minutes.

I hope this post describes just how convenient a password reset process can be, and how it can empower your users to get back online without having to contact the IT department.

It is easy to use and requires no software to be deployed on the users’ phones. More importantly, it can help you avoid that nasty tidal wave of inbound phone calls and emails from frustrated users who have forgotten their password after their summer vacation.

Have a good summer everyone.

It’s a Bird…It’s a Plane…It’s SMS PASSCODE Version 7.2

By Claus E. Kotasek, CEO, SMS PASSCODE

Today is a big day for the team here at SMS PASSCODE as we release SMS PASSCODE 7.2.

As most of you will recall, we released version 7.0 earlier this year, which introduced a number of unique features to the market. One such feature is Secure Device Provisioning (included as standard in the SMS PASSCODE MFA license), which enables secure and convenient self-enrollment of ActiveSync devices into an organization without the need to contact IT. This greatly reduces the complexity IT administrators face around Bring Your Own Device, and the demand for this particular feature is growing rapidly as more and more users utilize the flexibility that using their own devices in the company IT environment offers.

Another innovation we introduced was Contextual Message Dispatching (also referred to as Location Aware Dispatching), where the One-Time-Passcode (OTP) delivery method is determined by the location of the user or by any preferences the individual user may have. As an example, you can configure the system to prefer SMS over voice call dispatching during logins from Europe, while preferring voice call over SMS dispatching during logins from North and South America. Or you can send one-time-passcodes to your mobile phone by default, but perform a voice call to a fixed-line phone number when you are logging in from a branch office. The choice is yours, as you have full flexibility to configure SMS PASSCODE to your particular requirements. Also, after we added OATH token support, customers now benefit from an even broader range of OTP delivery methods.

This was indeed an exciting milestone for us, and now it is with great pleasure that we make version 7.2 available for download.

Our Password Reset Module in particular has been enhanced with a number of rich features in version 7.2, making this product a truly unique and powerful solution for convenient and secure password reset.

The main issue with the various password reset solutions available on the market today is that they simply fail in the ‘real world’ as they are not convenient in the moment of truth when the user is locked out and needs to reset their password. With version 7.2 our Password Reset Module is simply deployed on your server without the need to deploy software on the user’s devices. In fact the user doesn’t even need to know about the solution, since SMS PASSCODE conveniently guides the user through the process of resetting the password when the problem arises. A message will be sent to the user’s mobile phone via SMS/text or email once the password is about to expire (e.g. 3 days before). Via a link in the message the user can take action and visit the password reset website directly from their mobile, tablet or PC, where he or she is then guided through the process of resetting the password.

Sounds good right? But wait there is more! The solution can be configured to adapt the level of authentication required to reset the password based on the location of the user. For example if the user is located in a trusted location such as inside the head office, then the old password is enough to successfully reset the password. Whereas if the user is trying to reset the password from a non-trusted location then a personal passcode and OTP would be required.
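The location-based rule described above, sketched as an added example (not SMS PASSCODE's code or configuration): the network ranges, factor names and function names are assumptions made for illustration. Any address that cannot be parsed is treated as untrusted, so the stricter factor set applies.

```python
import ipaddress

# Constructed sample ranges standing in for "inside the head office".
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "fd00:20::/32")]

# Factor sets as the post describes them: the old password alone in a trusted
# location; a personal passcode plus an OTP everywhere else.
TRUSTED_FACTORS = frozenset({"old_password"})
UNTRUSTED_FACTORS = frozenset({"personal_passcode", "otp"})


def is_trusted(source_ip):
    """True only if source_ip parses and lies inside a trusted network.

    source_ip should be the connection's peer address as seen by the server,
    not a client-supplied header value.
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except (ValueError, AttributeError):
        return False  # fail closed: unparsable input is untrusted
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so a dual-stack listener
    # classifies the same client the same way.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in TRUSTED_NETWORKS)


def required_factors(source_ip):
    """Factor set a password reset from this address must satisfy."""
    return TRUSTED_FACTORS if is_trusted(source_ip) else UNTRUSTED_FACTORS


def evaluate_reset(source_ip, verified_factors):
    """Decide a reset request from factors the server has already verified."""
    missing = required_factors(source_ip) - set(verified_factors)
    return {"trusted": is_trusted(source_ip), "allow": not missing,
            "missing": sorted(missing)}


if __name__ == "__main__":
    print(evaluate_reset("10.20.5.9", {"old_password"}))
    print(evaluate_reset("203.0.113.7", {"old_password"}))
```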

To learn more about this and other features included in version 7.2, please register for our Version 7.2 Highlights webinar on 26 June or contact us directly.

 

Live from Infosecurity Europe 2014

Infosecurity Europe 2014, Europe’s largest IT security show, is taking place at Earl’s Court in London this week, and our team is on site engaging with the IT community and presenting how SMS PASSCODE ensures safe and easy access for employees logging into corporate networks and cloud applications remotely. User authentication is a hot topic for both the businesses visiting the show and the media here at Infosecurity.

Below is a short video interview with Torben Andersen, Chief Commercial Officer at SMS PASSCODE, who talks about some of the reasons why businesses of all sizes are concerned about keeping their data safe from hackers, and why multi-factor authentication is the most natural place to start when building your defense. In the interview Torben also covers the impact of the Heartbleed bug and goes on to explain what adaptive user authentication is and why it is the next generation in multi-factor authentication.

Could SMS PASSCODE protect end-users from the Heartbleed flaw?

During the past week voices from across the industry have been commenting and predicting on the Heartbleed flaw. So to avoid speculation with regard to SMS PASSCODE, we should like to be clear. SMS PASSCODE is not affected by the Heartbleed flaw: neither the product nor the company.

In fact the Heartbleed flaw emphasizes the need for session-specific Multi-Factor Authentication. The vulnerability enables a hacker to obtain random data portions from a web server’s memory, which dramatically increases the risk for successful phishing attacks. With SMS PASSCODE in place, however, even if a hacker manages to lift user credentials from a server’s memory, his chance of gaining access to the company network is infinitely slim.

So, with due respect to the devastating impact of the flaw, the answer to the question is: Yes, SMS PASSCODE could definitely protect end-users from the Heartbleed flaw.


