
Every second of every day, TeleSign protects the world's largest Internet and Cloud properties against fraud. TeleSign Intelligent Authentication provides an easy-to-implement and powerful method for identifying and substantially reducing online fraud and spam using the most widely deployed technology: a user's phone. The company protects 2.5 billion downstream accounts in more than 200 countries, offering localization services in 87 languages. In 2012, TeleSign ranked #23 on the Deloitte Technology Fast 500™ and was named a Visionary in Gartner’s User Authentication Magic Quadrant.

Rake Narang: How much has authentication evolved over the years? And why do most people still rely simply on passwords?

Charles McColgan: For most people it hasn’t evolved much at all. The main advancement that has been seen in modern Internet times (1995 to present) has been the introduction of stream-based encryption for transmission of passwords. Before the advent of SSL and SSH, people would transmit passwords in the clear over the Internet using protocols like telnet, ftp, and http. With SSL and SSH at least we now have a secure channel that data is passed over; unfortunately, the attacks have now moved from the data stream to the endpoints (client or server).

For more secure types of conversations the use of public key cryptography has dramatically increased security. That being said, most people still log into Gmail or their bank using a simple username and password, and in most cases the passwords that users are using are the same across all or most of their sites.

Why do people still rely on passwords? Because that’s what they are offered and in many cases it’s the only option. Some companies, like Google, have really been at the forefront of offering consumers better ways of securing themselves using things like Google Authenticator or Google’s 2-step verification (2SV). Both of these are very easy ways to make something the user knows, a password, much more secure by adding something that they have, a mobile app or a phone.

Rake Narang: How do you manage your personal security what are some tips or tricks to keeping safe?

Charles McColgan: I have some principles that I follow:

I have a different password for every site. All passwords are 16 characters long, randomly generated, with 95 bits of entropy (NIST recommends at least 80 bits). If the site offers mobile 2FA via SMS, I use it.

If the site offers OATH-compliant soft token integration, I may use it (this is very rare).

For the following categories of data I store authentication information in a password safe (currently using Password Safe v 3.29Y): Health, Banking, Email, IT System Authentication, Social Media, and Utilities. My password safe is synced on my laptop and desktop and then backed up in the cloud to a secure service. Currently I’m using a passphrase to secure my password safe but am in the process of experimenting with moving to a YubiKey for my password safe authentication (just perfecting my backup and recovery strategy for that currently). For non-critical sites I have a password file on my computer that I keep in a synced location between my computers and iPhone.

Storage on my laptop is encrypted, currently using BitLocker. If you don’t have Windows, or don’t have a version that supports BitLocker, things like TrueCrypt or Apple’s native whole-disk encryption are very good.

Where possible I also use random passwords as answers to “Secret Questions,” as password recovery questions that rely on information about the user have been proven many times to be a very weak form of authentication. The other problem with Secret Questions is that oftentimes you end up leaking this personal information to sites that aren’t very secure.

There are other physical security precautions that I take as well.

Rake Narang: With mobile devices such as smartphones becoming more and more common and susceptible to attacks, what can users do to stay safe from threats like phishing, infected attachments, and more?

Charles McColgan: Several things:

Don’t jailbreak your phone if you have an iPhone. Jailbroken phones are basically open to having any app installed on them, from any source.

Phishing rules apply the same everywhere. Never click on a link in an email. You just don’t know where it goes. Always run the latest version of whichever browser you use. Never open an attachment unless it’s something you expect from someone you know. Even then there is some risk, since spoofing email addresses is easy. Never ever open an executable attachment. Always type URLs into a browser yourself, or copy a URL and then paste it into your browser before going there. Look / read before you click!

Don’t dial a phone number whose source / destination you don’t recognize or haven’t verified.

Rake Narang: What do you think about government efforts to add more regulation to security on the Internet? Has this worked already in other countries?

Charles McColgan: I think there needs to be more accountability and regulation; unfortunately, efforts in many countries like the US, UK and Australia have been misdirected (mainly focused on protecting copyright holders or protecting children, but doing so in a draconian or lip-service type manner).

I haven’t seen this work well, but I think people and governments should keep trying, especially in making organizations that have been subject to security breaches be transparent about those breaches to their end users.

Company: TeleSign
4136 Del Rey Ave. Marina del Rey, CA 90292 U.S.A.

Founded in: 2005
CEO: Steve Jillings
Public or Private: Private
Head Office in Country: United States
Products: Two-Factor Authentication, Phone Verification, PhoneID Standard, PhoneID Contact, PhoneID Live
Company's Goals: Keep the Internet safe from fraud.
