Ahem. I’m here to clear up that awful myth that Tricerion strong mutual authentication is less secure than those irritating tokens. So here it is folks, the cold, hard facts.

Malware and trojans are all about stealing passwords. They steal them by capturing typed in passwords and login names. With Safe Login, passwords are never typed in – they’re entered on an on-screen keyboard using the mouse to select either alphanumeric characters or pictures that make up a password. To malware, it’s like grasping at air – there’s nothing for them to catch.

What makes Safe Login even more special is that it anticipates and protects against something that has never happened. See, virtually every (secure) login everywhere is protected by 128-bit encryption. No one has figured out how to crack it, but that doesn’t mean hackers aren’t trying. And if someone did crack it, the world would be their oyster. They’d have all logins and passwords in open text, able to hack just about anything, anywhere. Tricerion has this really elegant, intuitive system that separates data streams, so that if SSL 128-bit encryption were ever cracked, anyone using Tricerion’s system would be protected.

2 of my 3 Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third party application may have compromised accounts, but stories abound about what really happened.

What I can tell you is that I know enough about where to share my passwords that I didn’t accidentally give my credentials to a fraudulent site. I can also tell you that no one hijacked my account. My password is reset on both ‘compromised’ accounts and I’ve updated the legitimate applications I use to access Twitter.

I’m not quite sure why Twitter would be the target of a phishing attack. While they might be able to post what they ate for breakfast or follow a few celebrities (or whoever), no one can use my Twitter login information to access money or sensitive information. Not sure what the point to the whole Twitter phishing attack was, but I’m not too worried either. A minor inconvenience at worst, interesting blog fodder at best.

Update: Thanks to Malcolm for posting the following in the comments on one of our posts about phishing:

With the knowledge that many people use the same passwords across multiple sites, there is value in phishing ANY online login system. Because email+password can be identical on every site, any and every site is vunerable to phishing. Phishers need a single chink in the armour, if the phished person uses a hotmail/gmail etc email address for Twitter, there’s a high chance the email can then be comprimised with the same login details, and once you have the email you could wait for a ’statement’ email from a bank or credit card …

More online users know about phishing, while number of victims is up by 600% @ Tricerion Security Blog

What’s different this time is Google’s response to the attack, as well as a number of governments (like France and Germany) that made public announcements recommending that their citizens stop using Internet Explorer, since the attacks were targeting this browser’s vulnerabilities.

Online security is a lot like an inflatable balloon.  If you squeeze a balloon, the air will extend the part with the least resistance.  When it comes to security, attackers will most likely go the path of least resistance that promises the greatest rewards at minimum risk.  In this situation, I really don’t understand why advising millions of people to stop using a specific browser will somehow protect them from future attacks.  Let’s say everyone starts using only Firefox, or Chrome.  Are hackers going to give up and never write another exploit again?  Not only this boycott of IE is not going to be effective for the general public, but since governments usually use IE as their default browser in all of their institutions, imagine the logistics required to make the changes across the board.

Tricerion protects its users in a way that is completely independent of browser functionality and vulnerabilities.  Our graphic passwords are stored in a database in such a way that this information is not possible to interpret and reuse from the outside.  Effective authentication methods should not rely on specific browsers, nor should they be threatened by the vulnerabilities in other companies’ software products.

In an interesting twist of events, a rogue app called “Droid09” was uploaded to Android Market, claiming to be an official online banking app from First Tech FCU. The fake app then attempted to collect user login information – thus becoming the first phishing app for Android.

It makes me wonder whether there is any way for an Android-phone user to know whether a downloaded app is authentic or not. While we usually go to the websites of the companies we know and trust to download software patches and upgrades, both Apple and Google are essentially the middle men in delivering web apps from various service providers. You can’t just go to the Electronic Arts’ website and download a game for iPhone. Consumers will be at risk as long as there is no mutual authentication mechanism that would authenticate the service provider (and/or their app) before the user is asked for their security credentials.