From @jjmartucci: I bet 99% of the stolen Zappos passwords were “shoes”. // Fact: most passwords are frighteningly easy to guess. We bet that those passwords aren’t “shoes” at all, but rather “password”, “abc123″ and others from the list of too-often-used passwords. Alphanumeric passwords just aren’t as safe as we think they are.

From @dombenoit: receive @zappos email asking to change password after hack, can’t change password because i’m outside the US… good thinking guys.// Fact: American may be in the center of some poorly conceived maps, but it is not the center of the universe. Corporations, don’t forget that the majority of the world lives outside of the US, and they need customer service too.

From @kimfouroffive: In order to change my Zappos password I would have to remember my Zappos password and that’s not going to happen. // Fact: Tons of consumers rely on the “cookies” on their computer to remember their passwords. There’s no need to delve into all the reasons that’s poor practice. But let’s face it – many users either don’t remember their passwords, or they have them written on a post-it in their desk.

From @Kevbo1111: Wait, you’re telling me a company whose office looks like this, has lax security? #Zappos http://pic.twitter.com/pr9SrfCF // Fact: If we could see inside the workings of all the places that hold our ‘secure data’ we wouldn’t feel so secure.

From @Tuna999: Im confused, is that zappos security email real? // Fact: This is actually a very smart question, that many wouldn’t think to ask (or research before clicking through). A phishing attempt can look much the same, and confuse consumers into handing over their credentials to fraudulent sites.

From @justAK: Had someone try to acces my bank info a few times. Could this be cause of the #zappos #hacking ? I hope not. #worried // Fact: Too many users have the same password for all online accounts. It’s not hard to believe that hackers would use information from one site to try to access others.

From @andishehnouraee: Zappos hacked, “sensitive” customer info stolen. Before I’m outed, I’ll confess here: I’m a size 12. // Fact: sensitive information is a lot more sensitive than shoe size. That said, great sense of humor!

From @Tontiella: Zappos why are your accounts being hacked into?? Who is not doing their job to prevent this?  // Fact: Strong security measures are fabled to be more expensive than responding to data breaches. Time will tell how this affects Zappos in the long term, but let’s just say that resetting passwords doesn’t instill a sense of trust. (And, for the record, strong mutual authentication is well worth the investment)

Some facts that the typical ecommerce consumer should be aware of:

1. Too many users have a single set of login credentials (username and password) for all their online accounts. That means, when someone gets their info from Zappos, they can use it to access Facebook, Amazon, online magazine subscriptions, PayPal, email, gaming sites, online banking, and more.
2. “Fixing” an alphanumeric password breach with new alphanumeric passwords doesn’t actually “fix” anything. If I know the guy trying to break into my house is a locksmith, I don’t just cut a new key – I install security measures that a locksmith isn’t an expert in.
3. Zappos has chosen the path of least resistance – deploying consumers themselves to fix the breach. Zappos users have to follow instructions given in an email (which may have gone into spam folders), change their passwords, and email Zappos with any questions or concerns. Anyone with an email address they don’t regularly check, an overactive spam filter, or the ‘grandma’ syndrome (not computer savvy, and likely suspicious of ‘official’ email communication) may fall through the cracks.
4. Changing the Zappos password doesn’t change all the other similar or identical passwords the consumer uses on other accounts, leaving their customer base open to further attack elsewhere.

One of the key takeaways from this is that ecommerce systems should not be based on ‘security’ systems that rely on users’ unreliable alertness. Users expect the systems that hold their sensitive information to bear the burden of iron-clad security for their data. Strong, two-factor authentication systems aren’t just an option in today’s online environment – they are where the market is heading by default and by necessity. Zappos has shown us exactly how not to handle a data breach. Of course, if more systems used strong mutual authentication, we’d see decidedly fewer breaches like the one this weekend.

The new image- and gesture-based sign-on system to be incorporated into Windows 8 is nifty at best, but leaves much to be desired. The sensitivity of touch screens may prove too sensitive for users’ taste. Being off by a few pixels, or hesitating in the wrong place could end up in a failed authentication. To compensate for this type of confusion, there’s a traditional password system in place as a backup.

But what happens when we relegate an alphanumeric password to ‘backup’ status? It becomes superfluous in our minds – not worth the brain cells to remember. And easily forgotten passwords worse than no passwords. Next, allowing users who can’t authenticate with the image-gesture system to bypass the system with an alphanumeric password nullifies the actual security of the system against keyloggers and other malware sources.

Nifty? Yes. Secure? Unfortunately not. While we’d all like to live in a world where security concerns are secondary to user experience, as my grandpa used to say, that’s just not in the cards.  Need we mention that Tricerion’s strong mutual authentication system could run circles around Windows’ new “nifty” toy? Check it out for yourself, and you’ll see why.

Those in the business know that December is a notoriously risk-ridden time for identity theft, as hackers take advantage of escalating ecommerce around the holidays. How are merchants and business owners to safeguard identity when customers like Joe Consumer make identity theft child’s play? One of the keys in identity protection is anticipating the evolution of technology. Responding reactively to current and past attacks only leaves users highly vulnerable.

A recent two-pronged RSA security breach hows just how deep hackers will go, uniting efforts across nations to attack secure data. Tokens are out of reach for many, with their high cost of maintenance. SMS authentication is cumbersome at best, and the most user-friendly solutions require nothing other than the user himself. That said, biometrics are excessively expensive.

Strong mutual authentication systems, like that of Tricerion, offer secure protection against assault while maintaining accessible affordability in comparison with biometric or token-based systems.  Picture-passwords have been found more memorable and harder to crack than alpha numeric passwords in multiple studies . Details on our authentication systems can be found on our website.

In brief:

• Complaints received:  336,655
• Total loss:  $559.7 million
• Increase from 2008 by 22.3 percent
• Median dollar loss of $575
• Average dollar loss: $1,633

Top five categories of offenses:

1. Non-delivered merchandise and/or payment – 19.9%
2. Identity theft – 14.1%
3. Credit card fraud – 10.4%
4. Auction fraud – 10.3%
5. Computer fraud – 7.9%

Find lots more data and demographic information by reading the full report at IC3.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they fed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“The RSA algorithm gives security under the assumption that as long as the private key is private, you can’t break in unless you guess it. We’ve shown that that’s not true,” said Valeria Bertacco, an associate professor in the Department of Electrical Engineering and Computer Science.

Read the full statement here.

Small business or large, studies show that all companies are at risk of attack by hackers. Government agencies including the FBI have suggested using a separate computer for all transactions involving money or sensitive information, but from a business view, that isn’t scalable or practical. So we’re gonna spill the beans for you. We’re not claiming to bullet-proof your enterprise, but a few minor tweaks may deflect attack, because – as we’ve seen – the lowest hanging fruit is usually what gets picked off. Let’s raise up your proverbial tree and get that fruit out of reach, shall we?

1. Beware the man (or woman) behind the curtain. Spear phishers are looking for quality, and they’ll do their research well. Often though, they won’t go for the high profile target directly, they’ll go to someone who pushes the buttons for that person – an executive assistant, general counsel, staff attorney. They are more likely to be phished than, say, the CEO or CFO. These folks need to be super vigilant about the links they click on and the sites they login to, in a sense, expecting that someone will try to dupe them. And that is why they should follow the next advice.
2. Look for non-obvious clues. Anyone can duplicate a logo or make a look-alike login page. But a vast number of attacks come from non-English speaking countries. If an ‘official’ communication uses rotten grammar and is overly casual, be suspect. Hover over links and read the entire link source before clicking – is the format what it should be? Trust your gut. If something seems odd, don’t click. And just like dad always told you, if it seems to good to be true, it probably is.
3. Be cautious of downloads. Certain people – like lawyers – deal with downloads all day. PDF’s and other documents are sent back and forth, passed around, read and re-read. Are you aware that PDF’s can contain malicious payload that compromises your computer? Don’t download PDFs thinking they’re just harmless documents. Note the sender (or host), make certain it’s something you requested or critically need. And if you’re unsure, confirm the credentials before downloading.
4. Use unique email addresses if you can, only giving out your ‘real’ email address to people you trust. It’s easy if you have your own domain – myspace@jennycramer.com, travel@jennycramer.com, amazon@jennycramer.com. If you don’t have your own domain, you can at least set up a public email address and a private email address. The public one would be the one you use on websites that require opt-ins, on forms for store loyalty programs, etc. And you would know that anyone can gain access to that account.
5. Don’t click on anything in an email. If you think about it, you hardly ever receive something vitally important in an email that requires a click. There’s the occasional “click to verify your account” message, but let’s be honest – you expect those, they come right on time, and you were told in advance when and where it would come. So if you didn’t ask for it, don’t click on it.
6. You know those patches for software? Ever wonder if they’re for real? Well, they are. Use them. They’re there to protect you, so let them.
7. Avoid P2P – person to person – download applications. BitTorrent, Rapidshare, you know what I’m talking about. If you want to do it at home, go for it. But there’s no place for it on an enterprise computing network. Those things are rife with malware.
8. Switch your company and your home router’s DNS resolver to use OpenDNS. Do it right now, I’ll wait. There’s no reason to use the default DNS provided by your Internet service provider. OpenDNS has a gigantic cache that will speed up your queries and a free Website filtering service that might interest some companies. Even if you don’t want the filtering, its robust and secure DNS infrastructure can shield you from well-known attacks at the DNS level.
9. “Bob” saying so doesn’t make it so. We’ve all had that experience where ‘Bob’ says that if we download that patch or install the new version or upgrade the antivirus software, application xyz will fail to work and the entire business will crash. Are you really going to let ‘Bob’ put your entire network at risk? If the mission-critical application needs to be tweaked for upgrades, tweak it. And silence Bob – your enterprise security is more important than Bob’s personal opinion. Sorry, Bob.

We have to thank CIO magazine for the tips here – many of them came from their informative article on enterprise security. And to conclude, if you have influence over your business’ security procedures, make sure you have policies in place to inform your people about what’s acceptable and what’s not. It doesn’t take militant enforcement – your people want their computers to be safe. They just need to know how.

But last weekend their clients and colleagues got a little surprise. First Direct’s Twitter account was duped, sending direct messages – the Twitter equivalent to short emails – to contacts. What’s more? These weren’t just any direct messages – they were pornographic. I don’t think that boosted their image of professionalism. The direct messages sent out tantalizing links, and upon clicking, users were asked to login to Twitter. Of course, it was a phishing attack where the users were actually divulging their password to hackers.

The next day First Direct sent out a series of tweets that did little to allay fears – they mentioned twice that they’d been hacked, then tried to reassure clients that only the Twitter account had been hacked – not the bank – and that no user passwords were involved.

The Register reader Paul Eagles comments in Twitter style of 140 characters or less: “Let’s hope they are more secure with their banking systems than their twitter account,” he writes. Here’s the deal. This attack phished bank users and convinced them to give away their passwords for Twitter. The problem is that a large number of users have the same passwords for all their accounts, giving hackers potential access to more than just Twitter accounts.

So, a note to all users on all platforms. If a link sent to you looks suspect, it probably is. Clicking on it is unwise, and entering any information about yourself is plain foolishness. Your bank won’t send you porn. I promise.

At Xing.com, the site that was used to test this theory, it is impressive how quickly the technical team implemented the appropriate safeguards to protect their users from this type of attacks (it took 3 days from learning about the potential threat for Hotfix deployment).

Now that the whole world knows how to launch this type of attack it may be wise to adjust the privacy settings of your browsers so that your browsing history is either not recorded or is erased fairly often.  Alternatively, use this plug-in for Firefox – Stanford SafeHistory.

Ahem. I’m here to clear up that awful myth that Tricerion strong mutual authentication is less secure than those irritating tokens. So here it is folks, the cold, hard facts.

Malware and trojans are all about stealing passwords. They steal them by capturing typed in passwords and login names. With Safe Login, passwords are never typed in – they’re entered on an on-screen keyboard using the mouse to select either alphanumeric characters or pictures that make up a password. To malware, it’s like grasping at air – there’s nothing for them to catch.

What makes Safe Login even more special is that it anticipates and protects against something that has never happened. See, virtually every (secure) login everywhere is protected by 128-bit encryption. No one has figured out how to crack it, but that doesn’t mean hackers aren’t trying. And if someone did crack it, the world would be their oyster. They’d have all logins and passwords in open text, able to hack just about anything, anywhere. Tricerion has this really elegant, intuitive system that separates data streams, so that if SSL 128-bit encryption were ever cracked, anyone using Tricerion’s system would be protected.