Some facts that the typical ecommerce consumer should be aware of:

1. Too many users have a single set of login credentials (username and password) for all their online accounts. That means, when someone gets their info from Zappos, they can use it to access Facebook, Amazon, online magazine subscriptions, PayPal, email, gaming sites, online banking, and more.
2. “Fixing” an alphanumeric password breach with new alphanumeric passwords doesn’t actually “fix” anything. If I know the guy trying to break into my house is a locksmith, I don’t just cut a new key – I install security measures that a locksmith isn’t an expert in.
3. Zappos has chosen the path of least resistance – deploying consumers themselves to fix the breach. Zappos users have to follow instructions given in an email (which may have gone into spam folders), change their passwords, and email Zappos with any questions or concerns. Anyone with an email address they don’t regularly check, an overactive spam filter, or the ‘grandma’ syndrome (not computer savvy, and likely suspicious of ‘official’ email communication) may fall through the cracks.
4. Changing the Zappos password doesn’t change all the other similar or identical passwords the consumer uses on other accounts, leaving their customer base open to further attack elsewhere.

One of the key takeaways from this is that ecommerce systems should not be based on ‘security’ systems that rely on users’ unreliable alertness. Users expect the systems that hold their sensitive information to bear the burden of iron-clad security for their data. Strong, two-factor authentication systems aren’t just an option in today’s online environment – they are where the market is heading by default and by necessity. Zappos has shown us exactly how not to handle a data breach. Of course, if more systems used strong mutual authentication, we’d see decidedly fewer breaches like the one this weekend.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. We’ve shown that that’s not true,” said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science.

Read the full statement here.

But last weekend their clients and colleagues got a little surprise. First Direct’s Twitter account was duped, sending direct messages – the Twitter equivalent to short emails – to contacts. What’s more? These weren’t just any direct messages – they were pornographic. I don’t think that boosted their image of professionalism. The direct messages sent out tantalizing links, and upon clicking, users were asked to login to Twitter. Of course, it was a phishing attack where the users were actually divulging their password to hackers.

The next day First Direct sent out a series of tweets that did little to allay fears – they mentioned twice that they’d been hacked, then tried to reassure clients that only the Twitter account had been hacked – not the bank – and that no user passwords were involved.

The Register reader Paul Eagles comments in Twitter style of 140 characters or less: “Let’s hope they are more secure with their banking systems than their twitter account,” he writes. Here’s the deal. This attack phished bank users and convinced them to give away their passwords for Twitter. The problem is that a large number of users have the same passwords for all their accounts, giving hackers potential access to more than just Twitter accounts.

So, a note to all users on all platforms. If a link sent to you looks suspect, it probably is. Clicking on it is unwise, and entering any information about yourself is plain foolishness. Your bank won’t send you porn. I promise.

When we talk about the authentication space there are really 3 things we have to balance. It boils down to 1. Real security, 2. Perceived security, and 3. Price. What we’d hope is that all players in the space would have strong real security. I mean, that’s the business we’re in, isn’t it? But when it comes down to it, not all login systems are created equally.

And unfortunately perceived security combined with an effective pricing model can equal success, regardless of the level of actual security. What that means is the industry is open to clever fox-types who can swindle their way through a sales presentation based on slick ideas with little real security provision. Yikes. And our consumers are left vulnerable, but worse – with the perception that their information is secure.

And then there’s me. And my colleagues. See, we’re sticklers for real security. We’re those geeky types who aren’t satisfied with merely protecting our clients authentically from current threats while providing perceived security through positive user experience. We’re the crazy guys who are determined to get it right, without cutting corners. We have this crazy notion that we won’t stop improving our technology as long as there are still hackers out there finding ways to compromise consumers. Of course, that means we have a team of geeky types just like us on payroll. And our pricing strategy can’t compete with the fake-it-till-you-make it guys. We believe you get what you pay for, and even though our prices aren’t much higher than the other guys, cost-cutting measures can mean that the contracts go to the cheap solutions, even when those solutions offer cheap quality.

That’s ok though. We’re creating a safety net. When the merchants out there are disappointed with their lack of actual security, when the hackers seem to be winning the battle, we’re here to catch you when you fall. It’s like the commercial for Office Depot when a barber sees a competitor open shop across the street for “$6 haircuts.” Our barber puts up a sign saying “We fix $6 haircuts.” That’s us. We fix $6 haircuts authentication.

We read stories about phishing and data breaches and we get worried. Some of us start thinking that maybe we’re better off (security-wise) with paper-based banking. Sending checks, receiving statements in the mail, paying bills the old fashioned way – manually with a checkbook and a stamp. But as Jean Chatzky said this morning on NBC’s Today Show, online banking is actually safer than paper-based for a few reasons.

1. People who use online banking check their account 4 times more often than those who use paper-based banking. That means if someone does fraudulently steal your identity or your banking information, you’ll find out about it more quickly and remedy the problem earlier, translating to potentially fewer losses.
2. Banks’ online systems are more secure than your mailbox and trash bin. Sure, they may not be 100% impervious to attack, but they’re much harder to hack into than your mailbox at the curb or the trash can full of sensitive information (even if it is shredded).
3. You can’t ‘wash’ an online transaction. Check washing still occurs today – where someone takes a legitimate check you signed, washes the original amount and payee information but retains your signature. They’re then free to put their own name and any amount they choose. Online transactions aren’t washable – they go where they’re meant to go, when they’re meant to go.

Basically what it boils down to is, choose a secure password that you can remember without writing it down. Keep your information to yourself, and don’t fall prey to scams inviting you “click here” to verify your information. You bank doesn’t need you to verify your information, and if they do they can find a more secure way to contact you than sending an email or putting a button on your Facebook page.

Another research study comes from RSA’s 2010 Global Online Consumer Security Survey, which shows very interesting trends:

“Of the more significant survey findings, consumer awareness of phishing attacks has doubled between 2007 and 2009 and the number of consumers who reported falling prey to this attack increased six times during that same period of time. In addition, while hundreds of thousands of people join social networking websites each day, the survey exposed that nearly two in three (65 percent) people who belong to these online communities indicated they are less likely¹ to interact or share information due to their growing security concerns.”

“Consumers using online banking (86 percent) websites shared more concern with the theft of their personal information than those using healthcare portals (64 percent) and government websites (68 percent). As a result of these concerns, more than half of all consumers reported that they are less likely to share information and interact on these websites.”

This is interesting because it tells us that phishers are becoming more and more sophisticated and consumer education is limited in terms of preventing online and identity fraud.

What it means for us is that social engineering is becoming more sophisticated, fooling even those who don’t remember the times before Internet and mobile phones.  Effective proactive defense includes mutli-channel authentication options, which will not rely on user alertness or mental mapping techniques.   Secure web services will help protect their customers without relying on their ability to recognize a phishing attack.

In an interesting twist of events, a rogue app called “Droid09” was uploaded to Android Market, claiming to be an official online banking app from First Tech FCU. The fake app then attempted to collect user login information – thus becoming the first phishing app for Android.

It makes me wonder whether there is any way for an Android-phone user to know whether a downloaded app is authentic or not. While we usually go to the websites of the companies we know and trust to download software patches and upgrades, both Apple and Google are essentially the middle men in delivering web apps from various service providers. You can’t just go to the Electronic Arts’ website and download a game for iPhone. Consumers will be at risk as long as there is no mutual authentication mechanism that would authenticate the service provider (and/or their app) before the user is asked for their security credentials.

In the last two years hackers have stolen over $40 million from small to medium enterprises that typically don’t have the resources or tech expertise to protect themselves from such attacks. They often do business with small banks and credit unions, which are typically considered “low hanging fruit” for hackers. Channel-Pro SMB interviewed our very own Stuart Morris about this issue, and the write-up points out some key issues – like the impact this can potentially have on small to medium businesses.

The solution the feds propose is a dedicated computer used only for banking. They recommend it because malware is often installed when surfing the net, gaming, emailing, and downloading programs. It isn’t fool-proof though. Crooks are smarter than we like to think and a computer dedicated to online banking isn’t a surefire way to stop them. And logistically, unless we’re talking about sole proprietors, it becomes both a hassle and prohibitive expense when every person who needs access to banking information requires a separate computer to do so.

Hey! I have an idea! What if banks, e-commerce sites, and other agencies requiring sensitive login procedures found a way to protect their users and consumers from this type of fraud? Is it possible? Is it plausible? What is this, 1976? Of course it is! And it has been for years.

The only real way to stop keyloggers is to stop typing passwords. You know how you use your mouse to click on buttons on the computer screen?  There’s no reason banks couldn’t use a clickable keypad on the screen to replace password typing, or even credit card entry. And guess what? It’s already being done. There’s a system that first recognizes the user and generates a customized keypad for them. If your keypad doesn’t look right you know you’re on a fraudulent site. When you see the keypad you recognize, you use your mouse to key in your password. Easy, breezy. And keyloggers don’t have a chance. (Neither do man-in-the-middle, man-in-the-browser, or any host of other hackers.)

Wanna give it shot? You can. Go ahead – try it now. I’ll give you a buck – a whole greenback for the minute you spent – if you think it’s too hard to use.

Fake or rogue security software was the most prevalent threat of 2008. It seems criminals know that we as a population have a weakness for security products. We want to be safe, so they hit our vulnerability with security products that are far from secure. This malware product has the look and feel of McAffee, only it’s not quite right.

Email phishing seems to be on a decline, but phishing as a whole is increasing, with internet-based scams leading the pack. Our awareness campaigns to caution customers about email phishing paid off – the customers grew email-savvy, but the criminals grew more sophisticated.

As for 2010, CA expects to see an increase in Malvertising (advertising malware), threats to social networks, and – not so surprisingly – denial of service attacks like we saw this year in political showdowns in Moldova and Iran. Banking trojans are expected to be on the rise as well, and we’d be fool to think criminals would ever really back off financial institutions, since the carrot at the end of the stick is so big.

They could approach it the way AT&T did when they realized that 3% of users (iPhone owners) exploit 40% of bandwith – AT&T started looking for ways to discourage iPhone users from accessing the data services they so love. Instead of using the situation to build business and expand services (which is what any strategically driven company would do) AT&T looked for ways to hamstring their customers.

Banks could take the same approach, right? Encourage their customers to use online banking less. Scale back online services. Provide second-rate security. Promote fear in their customers.

Of course, that would mean technological dinosaurs that take the path of least resistance would inevitably lose customers to banks that provide the online services their customers want. Penalizing users for creating business process conundrums does nothing but propel corporations into decline.

So maybe, in an ideal world, banks might think to increase security to keep up with online threats. Novel idea, right? In fact it is, in a way. As online risks have grown, the majority of banks have done little to keep up with the threat level. Sometimes it’s easier from an operations perspective to reimburse money lost through identity fraud than it is to actively protect against it.

Come on, folks. Are we really lazy enough to believe that doing nothing and suffering attack is better than proactively adopting solutions to protect our customers? Check out Tricerion’s SafeLogin. It’s simple. It’s elegant. It’s easy from the bank’s side and seamless to the user.

Don’t make the mistake AT&T did. Move with the market. Take the lead. Get your groove on.