Forrester Wave: Risk Based Authentication Report

We just had a chance to read the Forrester report on Risk Based Authentication (RBA). As a quick reminder, “RBA methods observe users’ actions and transaction context silently in order to form a risk score. RBA frequently leads to ‘stepping up’ to a stronger form of authentication that the user must explicitly perform.”

With all the talk of RBA at the RSA 2012 Conference, you could guess we were pretty excited to read this report. Forrester does an excellent job of explaining the core parts of RBA and what it means to enterprise companies. They also go into the RBA offerings of six premier security companies: CA Technologies, Entrust, RSA, Symantec, Iovation, and ThreatMetrix.  

The part that really hit home for us was Forrester’s 5 reasons why security and risk professionals are turning to RBA. I’ll point them out here, but you will have to read the report to get the details:

  1. Easy to deploy
  2. Works well on mobile devices
  3. Flexible to use on non-web channels
  4. Easy to use
  5. Cost effective

Since NuCaptcha has an RBA system built in to it, our platform meets all five points mentioned above. We monitor all interactions on the platform and then use this information to tune the security of each Captcha delivered to each user. Legitimate users are given easy to solve Captchas, and attackers are given progressively more secure Captchas. This maximizes usability for legitimate users; eliminating frustration and increasing conversions on your website, while providing a high degree of security against attackers.

Maybe next year we’ll be one of the six featured companies in the 2013 report.

RSA Conference Recap

Last week we made our first trip to the RSA Conference in San Francisco. As the premier event for IT, network and Internet security, it was an excellent place to go because it gives you first-hand knowledge of how customers perceive your product.

Probably the best thing for us was that we were able to meet face to face with many companies that we had briefly spoken to on the phone or had tried to reach out to. Now they came by our booth and we were able to spend 5-7 minutes with each one. As a result we had a lot of quality leads to follow up with.

The most surprising thing to me was the number of companies that used booth girls to promote their products. Now I come from the video game space, so seeing girls promoting games at conferences is very common. However, I would never have guessed I would see the same at a conference as “un-sexy” as IT security. The best one was the company that had girls wearing T-Shirts that said “Honey Badger don’t give a $%#&! We do!” 

Of all the banners and signs I saw, the one below from Veracode was the best one by showing all their major customers in one big, bright graphic.


Our CTO, Christopher Bailey, recently did a web presentation on combating cybercrime through behavior analysis. This was done for (ISC)² , the globally recognized Gold Standard for certifying information security professionals throughout their careers. Watch his presentation in full. 

Captcha Findings and the User Experience

Last week Kim Krause Berg wrote a blog post, Captcha and the User Experience, on www.searchengineland.com. It was a good post in that it brought together a lot of info on Captcha into a nice, concise article. She also noted why we need Captcha: research shows that relying on passwords for security is not good enough, since password dictionaries can be used by bots. In addition, people still use very easy, common passwords.

Below are some of their findings along with our own comments.

  • When they presented Captcha to three different humans, all three agreed only 71% of the time on average. This makes sense since the current Captcha providers are found to give only a 75% success rate. NuCaptcha’s success rate is 99%.
  • “Segmentation” is found to be the most reliable recognition system for humans. NuCaptcha makes use of segmentation in its technology.

There is more info in the blog post that I suggest you check out.

Facebook’s Fight Against Spam

One of Facebook’s employees in the Recon and Response team just did a post about his first year fighting spam on the world’s biggest social network. It’s very insightful and he’s pretty open about the types of attacks they face. As a business that’s there to reduce the spam and bot attacks, we’re really glad to see Facebook put a great emphasis on security. In fact he said something that we always preach to our current and potential clients, “Security cannot be an afterthought, it has to be carefully designed within the product”.

Here is a summary of the types of things they face:

Fake Accounts: Spammers go to great lengths in setting up their fake accounts, including backgrounds, photos, etc. It’s all about making friend requests and then spamming them once it’s accepted.

Social Engineering Attacks: This is when an attacker lures a person in with some content, like a free iPad, and then asks them to copy and paste a code to get the item. However, the code is a script that allows the spammer to post on the person’s profile and their friends’ profiles.

Monitoring: Most assume that attacks peak mid-week when everyone is at work. But, similar to the timing of email marketing campaigns, that is not the case: the attacks usually start on Fridays. As a result Facebook is constantly monitoring the network and trying to predict what is coming next.

Malicious Extension: Attackers will create a browser extension that people install thinking it’s a video plugin, and now the attackers have an entry into the user’s computer.

13 Security Trends to Watch in 2012

According to Verizon’s “2011 Data Breach Investigations Report”, the number of data attacks has tripled in the past five years. As a result they have listed the 13 biggest security threats they see in 2012. Below we’ve picked the ones that relate to personal data and thus need extra security to prevent theft. 

  1. Emergence of bank-friendly applications with built-in security - more bank transactions will take place over mobile devices, thus more security will be in place.
  2. Hyper-connectivity leads to growing identity and privacy challenges - enterprises will have to implement data protection at every access point.
  3. Mobile and medical devices will begin to emerge - it’s going to be easier to track people’s health in real time with smart phones. This will invite attackers to personal data.
  4. Smart grid security standards will keep evolving - governments will require utilities to demonstrate that the privacy of consumers is protected.
  5. Social network threats resurface - the number of people who are still lured into visiting a fishy site is surprising.
  6. Safeguarding online identities will no longer be optional - everyone will be looking to the private sector for cost-effective solutions. 

Xbox Live Hack: Poor CAPTCHA Implementation

It was reported last week that skilled hackers were able to bypass the CAPTCHA code on Microsoft’s Xbox Live to run scripts that generated password guesses and gave them access to personal Xbox Live accounts. These hackers then used the credit card info on file to commit fraud, like buying Microsoft Points.

After looking into it, we feel this is the result of the poor implementation of CAPTCHA. Here are two things they should have done:

  1. The IP(s) where the attacks came from should have been flagged for too many login attempts, and then locked out for a period of time.
  2. A user should get a grace of X attempts without CAPTCHA, and then see one thereafter until they have gone a set number of hours without making an attempt. 
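The two controls above, written out as an added example (our own illustration, not code from the Xbox Live service): a per-IP sliding window that locks the address out after too many failures, and a per-user grace of a few attempts before a CAPTCHA is required, resetting only after a quiet period. The thresholds and the attacker address are assumed values.

```python
from collections import defaultdict, deque

# Policy parameters: assumed values chosen for illustration, not from the post.
IP_MAX_FAILURES = 20           # failed logins per IP inside the window before lockout
IP_WINDOW_SECONDS = 600        # sliding window in which IP failures are counted
IP_LOCKOUT_SECONDS = 900       # how long a flagged IP stays locked out
USER_GRACE_ATTEMPTS = 3        # attempts a user gets before a CAPTCHA is required
USER_QUIET_SECONDS = 6 * 3600  # hours without an attempt before the grace resets


class LoginGate:
    """Decides, per attempt, whether to block, require a CAPTCHA, or allow."""

    def __init__(self):
        self.ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.ip_locked_until = {}              # ip -> time the lockout expires
        self.user_attempts = {}                # user -> (attempt count, last attempt)

    def _grace_count(self, user, now):
        count, last = self.user_attempts.get(user, (0, None))
        if last is not None and now - last >= USER_QUIET_SECONDS:
            return 0  # quiet period elapsed: the grace window starts over
        return count

    def decide(self, ip, user, now):
        """Return 'locked', 'captcha' or 'allow' for an attempt being made at `now`."""
        if self.ip_locked_until.get(ip, 0) > now:
            return "locked"
        return "captcha" if self._grace_count(user, now) >= USER_GRACE_ATTEMPTS else "allow"

    def record(self, ip, user, now, success):
        """Record an attempt's outcome; return True if the IP was locked by it."""
        self.user_attempts[user] = (self._grace_count(user, now) + 1, now)
        if success:
            return False
        failures = self.ip_failures[ip]
        failures.append(now)
        while failures and now - failures[0] > IP_WINDOW_SECONDS:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) >= IP_MAX_FAILURES:
            self.ip_locked_until[ip] = now + IP_LOCKOUT_SECONDS
            failures.clear()
            return True
        return False


def simulate_burst():
    """Replay a constructed guessing burst, one guess per account, from one IP."""
    gate = LoginGate()
    ip = "198.51.100.7"  # constructed address from the documentation range
    decisions = []
    for i in range(25):
        decisions.append(gate.decide(ip, f"victim{i}", now=i))
        gate.record(ip, f"victim{i}", now=i, success=False)
    return decisions
```

Spreading guesses across accounts keeps every user inside its grace, which is why the IP window is the control that catches the burst.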

NuCaptcha would be perfect here because it’s properly implemented, maintained and constantly monitored by its Behaviour Analysis System.

NuCaptcha vs Traditional Captcha

Below is an excerpt from our white paper, NuCaptcha vs Traditional Captcha, which can be downloaded from our site.

Most traditional Captcha systems do not use behavior analysis or use only a rudimentary one that simply measures the solve rate of an IP address. For example, in one system it is reported that if the success rate drops below 50% over 32 attempts, the IP is flagged, and the user must consistently solve both words displayed to proceed.

NuCaptcha has developed a sophisticated Behavior Analysis technology that can modify the security of the Captcha in real-time on a per-user basis. This behavior analysis system works on three levels:

  1. The system measures how a user interacts with the Captcha system, and scores their behavior as it deviates from the norm.
  2. The system measures how a user interacts with the Captcha system, and scores their behavior as it relates to previously detected risky patterns of behavior.
  3. A rule-based system, which can be customized and integrated with the website/application’s other security measures, is applied to modify the user’s score.

The result is a score that determines a relative risk level of the user, and is used to pick the security level of the puzzle to display. This system allows NuCaptcha to maximize usability for low-risk users and ramp up security for less trusted users.
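As an added illustration (not NuCaptcha’s own code), the rudimentary per-IP scheme quoted above, flagging an IP whose success rate over 32 attempts drops below 50%, beside a per-user score built on the three levels listed. The concrete signals for the per-user score (solve-time deviation, machine-like uniform timing, site rule callbacks) and the level thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Parameters of the rudimentary per-IP scheme described in the white paper excerpt
SOLVE_WINDOW = 32        # attempts per IP that are counted
SOLVE_FLAG_RATE = 0.5    # the IP is flagged when its success rate drops below this


class IpSolveRateMonitor:
    """Traditional approach: one success-rate window per IP, no per-user signal."""

    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=SOLVE_WINDOW))

    def record(self, ip, solved):
        """Record one attempt (solved True/False); return whether the IP is flagged."""
        self.history[ip].append(solved)
        return self.is_flagged(ip)

    def is_flagged(self, ip):
        h = self.history[ip]
        return len(h) == SOLVE_WINDOW and sum(h) / len(h) < SOLVE_FLAG_RATE


def user_risk_score(session, norm_mean, norm_std, rules=()):
    """Per-user score on the three levels listed in the post. The signals are
    assumptions for illustration: level 1 is the z-score of the user's mean solve
    time against the population norm; level 2 adds a penalty for near-identical,
    machine-like timing; level 3 applies the site's own rule callbacks."""
    times = session["solve_seconds"]
    mean = sum(times) / len(times)
    score = min(abs(mean - norm_mean) / norm_std, 5.0)      # level 1, capped
    if len(times) >= 3 and max(times) - min(times) < 0.2:    # level 2
        score += 3.0
    for rule in rules:                                       # level 3
        score += rule(session)
    return score


def puzzle_level(score):
    """Map the risk score to the security level of the puzzle to display."""
    if score < 1.0:
        return "easy"
    if score < 3.0:
        return "standard"
    return "hard"
```

Note that the per-IP monitor stays silent for the first 31 attempts and for any user behind a shared address, which is the gap the per-user score is meant to close.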

Online Bank Security is no longer Monkey Business

Every time I log in to do online banking, I’m stunned at how poor their user authentication security is. I’m always asked to verify the computer I’m on with some secret code, even though I have clicked on “register this computer” multiple times before. If that’s not bad enough, when I place the pointer in the box, the secret code actually automatically fills in. Isn’t that the equivalent of going to a building, the computer asking for an entrance key, and then just telling you? 

Another issue I have is sometimes my bank will show me a random picture and ask me to write down what that picture reminds me of. If I get it right, then I get logged in. For example, when I first registered it may have shown me a picture of a monkey. And let’s say I entered that I think of “Bubbles” when I see it. So when I go and log in, I enter my client number, my online password, and then a picture of a monkey shows up. Now I bet most people would not remember what they had entered before. Talk about a poor customer experience. 

You would think with all the money they spend on risk management and security, banks could come up with something better. Fortunately security expert Robert Siciliano points out that the Federal Financial Institutions Examination Council (FFIEC) has mandated that banks recognize that their security is ineffective against new, more sophisticated attacks. The FFIEC suggests complex device identification which uses multiple layers of protection. The goal is to stop the intruder as early as possible. 

So this is a step in the right direction for us human users. We’ll get better banking security and hopefully better usability too. 
