Multifactor authentication is high on the list of payment security requirements, including new standards from PCI. For any company on the fence about adding stronger authentication, there are plenty of examples of what can go wrong with basic identity management.
In March, employees of Ozaukee County, Wisconsin got a nasty surprise when they went to file their taxes. Someone else had already done so. Using fraudulent tax returns to collect refunds isn’t a new scheme, but in this case the root cause was traced back to a compromise of the system Ozaukee County uses for managing payroll information.
Unfortunately, Ozaukee County isn’t alone. NextCare employees and those of a Chicago school district have experienced the same fraud, with a common thread of being Greenshades customers. Finally, in April, security blogger Brian Krebs reported on how the Greenshades product authenticates users for access to payroll information, “Greenshades set customers up for this [fraud] by allowing access to payroll records just by supplying the employee’s Social Security number and date of birth.”
One of the most basic ways to protect access to information and systems is through authentication. While you may not think twice about entering a username and password for your email, that simple function keeps the majority of malicious criminals out. When information is sensitive in nature, such as with payroll and tax data, it has to be protected.
A simple username and password may not be enough. In fact, it’s increasingly the case that these single-factor authentication systems can be either bypassed or simply guessed. Users often reuse passwords across multiple services, so when login credentials are compromised from a low-security service, such as webmail, they are reused to access much more sensitive sites, like online banking. Furthermore, users often choose weak, easily guessable passwords.
The solution to simple password authentication is already available. Two-factor authentication requires more than just a password. In fact, the most secure authentication requires something you have, something you are and something you know. Two-factor authentication can work with a password and a one-time code, key card or other token. By requiring an additional interaction or object, two-factor authentication prevents the compromise of passwords from resulting in compromised accounts.
In the case of Greenshades, if they had offered and customers had employed two-factor authentication for access to data, it might have prevented so many successfully filed fraudulent returns. For its part, Greenshades is working on adding two-factor authentication.
Tim Erlin is Director of IT Security and Risk Strategy at Tripwire.