Timesdelhi.com

May 23, 2019
Category archive: security token

Google recalls its Bluetooth Titan Security Keys because of a security bug

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including YubiCo, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” YubiCo founder Stina Ehrensvard wrote when Google launched its Titan keys.

News Source = techcrunch.com

Google turns your Android phone into a security key

Your Android phone could soon replace your hardware security key to provide two-factor authentication access to your accounts. As the company announced at its Cloud Next conference today, it has developed a Bluetooth-based protocol that will be able to talk to its Chrome browser and provide a standards-based second factor for access to its services, similar to modern security keys.

It’s no secret that two-factor authentication remains one of the best ways to secure your online accounts. Typically, that second factor comes to you in the form of a push notification, text message or through an authentication app like the Google Authenticator. There’s always the risk of somebody intercepting those numbers or phishing your account and then quickly using your second factor to log in, though. Because a physical security key also ensures that you are on the right site before it exchanges the key, it’s almost impossible to phish this second factor. The key simply isn’t going to produce a token on the wrong site.

Because Google is using the same standard here, just with different hardware, that phishing protection remains intact when you use your phone, too.

Bluetooth security keys aren’t a new thing, of course, and Google’s own Titan keys include a Bluetooth version (though they remain somewhat controversial). The user experience for those keys is a bit messy, though, since you have to connect the key and the device first. Google, however, says that it has done away with all of this thanks to a new protocol that uses Bluetooth but doesn’t necessitate the usual Bluetooth connection setup process. Sadly, though, the company didn’t quite go into details as to how this would work.

Google says this new feature will work with all Android 7+ devices that have Bluetooth and location services enabled. Pixel 3 phones, which include Google’s Titan M tamper-resistant security chip, get some extra protections, but the company is mostly positioning this as a bonus and not a necessity.

As far as the setup goes, the whole process isn’t all that different from setting up a security key (and you’ll still want to have a second or third key handy in case you ever lose or destroy your phone). You’ll be able to use this new feature for both work and private Google accounts.

For now, this also only works in combination with Chrome. The hope here, though, is to establish a new standard that will then be integrated into other browsers, as well. It’s only been a week or two since Google enabled support for logging into its own service with security keys on Edge and Firefox. That was a step forward. Now that Google offers a new service that’s even more convenient, though, it’ll likely be a bit before these competing browsers will offer support, too, once again giving Google a bit of an edge.

News Source = techcrunch.com

Two-factor authentication can save you from hackers

If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day.

Two-factor authentication (sometimes called “two-step verification”) combines something you know — your username and password, with something you have — such as your phone or a physical security key, or even something you are — like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor important?

Gone are the days where your trusty password can protect you. Even if you have a unique password for every website you use, there’s little in the way to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing” or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Dunkin’ Donuts, Warby Parker, GitHub, AdGuard, the State Department — and even Apple iCloud accounts have all fallen victim to credential-stuffing attacks in recent years. Only two-factor accounts are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Let’s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you’ll quickly realize many sites and services just don’t support two-factor. You should tell them to! You can see if a website supports two-factor here.

But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

  1. A text message code: The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, just a single bar of cell service. It’s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, they can also just leak. More recently, researchers found that this can be done on a massive scale. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.

  2. An authenticator app code: This works similarly to the text message, except you’ll have to install an app on your smartphone. Any time you log in, you’ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone — especially Android devices — those codes can be stolen once they arrive on your device.

  3. A biometric: Smile! You’re on camera. Often, in industrial or enterprise settings, you’ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed — such as cloning a fingerprint or creating a 3D-printed head.

  4. A physical key: Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn’t had a single confirmed account takeover since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that’s it. Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say Yubikey is the gold standard of security keys. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can’t revert to a text message code or a biometric. It’s a security key, or nothing. A downside is that you will have to buy two — one as a backup — but security keys are inexpensive. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.
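The two articles above make the same point twice: a security key "isn’t going to produce a token on the wrong site", while an SMS or authenticator-app code can be relayed by whoever tricks you into typing it. The example below (added here; it is not code from TechCrunch, Google or any key vendor) makes that difference concrete. It simulates the U2F/WebAuthn signing step with HMAC standing in for the real ECDSA signature, and implements RFC 6238 TOTP with the standard library. The origins, key handles and challenges are constructed sample values; the TOTP secret is the RFC 4226/6238 test secret.

```python
"""Origin-bound second factor (security-key style) versus a relayable
one-time code (authenticator-app style).  Added example using only the
Python standard library; HMAC is a stand-in for the ECDSA signature a
real U2F/WebAuthn key would produce.  All origins, secrets and
challenges are constructed sample values."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.com"            # constructed
PHISH_ORIGIN = "https://accounts-example.com.evil.test"  # constructed


def _signed_message(origin: str, counter: int, challenge: bytes) -> bytes:
    """What the key signs: hash of the origin the BROWSER is on, the key's
    monotonic counter, and the hash of the server's challenge."""
    return (hashlib.sha256(origin.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(challenge).digest())


class SecurityKey:
    """Simulated hardware key: one secret per registration, one counter."""
    def __init__(self):
        self._secrets = {}
        self.counter = 0

    def register(self):
        handle = secrets.token_hex(8)
        self._secrets[handle] = secrets.token_bytes(32)
        # A real key would hand back a public key; the HMAC secret plays
        # that role in this simulation.
        return handle, self._secrets[handle]

    def sign(self, handle: str, browser_origin: str, challenge: bytes):
        """The browser supplies the origin it is actually on.  A challenge
        relayed through a phishing page gets a signature bound to the
        phishing origin, which the real site will never accept."""
        self.counter += 1
        msg = _signed_message(browser_origin, self.counter, challenge)
        return self.counter, hmac.new(self._secrets[handle], msg, hashlib.sha256).digest()


class RelyingParty:
    """The legitimate site: verifies assertions against ITS OWN origin,
    with single-use challenges and a strictly increasing counter."""
    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}
        self.pending = set()

    def enroll(self, user: str, handle: str, secret: bytes):
        self.users[user] = {"handle": handle, "secret": secret, "counter": 0}

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, user: str, challenge: bytes, counter: int, signature: bytes) -> bool:
        rec = self.users[user]
        if challenge not in self.pending:          # replayed or unknown challenge
            return False
        expected = hmac.new(rec["secret"],
                            _signed_message(self.origin, counter, challenge),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False                           # wrong key or wrong origin
        if counter <= rec["counter"]:              # replay or cloned key
            return False
        rec["counter"] = counter
        self.pending.discard(challenge)
        return True


# --- One-time codes (RFC 4226 HOTP / RFC 6238 TOTP): no origin anywhere ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)


def run_scenarios() -> dict:
    key, rp = SecurityKey(), RelyingParty(REAL_ORIGIN)
    handle, secret = key.register()
    rp.enroll("alice", handle, secret)
    results = {}

    # 1. Normal login: the browser is on the real origin.
    c = rp.new_challenge()
    n, sig = key.sign(handle, REAL_ORIGIN, c)
    results["key_on_real_site"] = rp.verify("alice", c, n, sig)

    # 2. Replay of that same assertion: the challenge is no longer pending.
    results["replayed_assertion"] = rp.verify("alice", c, n, sig)

    # 3. Phishing: the attacker relays the real challenge, but the victim's
    #    browser is on the phishing origin, so the signature is bound to it.
    c = rp.new_challenge()
    n, sig = key.sign(handle, PHISH_ORIGIN, c)
    results["key_via_phishing_page"] = rp.verify("alice", c, n, sig)

    # 4. TOTP: the victim types the code into the phishing page; the attacker
    #    forwards it and the real site has nothing to bind it to.
    totp_secret = b"12345678901234567890"   # RFC 6238 test secret
    now = 59
    code_typed_into_phishing_page = totp(totp_secret, now)
    results["totp_relayed_by_attacker"] = (totp(totp_secret, now)
                                           == code_typed_into_phishing_page)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The design point is in `_signed_message`: the origin hash enters the signed data on the key's side, supplied by the browser, and the site recomputes it from its own hostname, so a mismatch is a verification failure rather than something a user can be talked into overriding. The TOTP path has no such field, which is why the article ranks app codes below keys even though the code itself travels over HTTPS.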

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s straightforward — but you can always head to this website to learn how to enable two-factor on each website. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.

Check out our full Cybersecurity 101 guides here.

News Source = techcrunch.com

Security tokens will be coming soon to an exchange near you

While cryptocurrencies have generated the lion’s share of investment and attention to date, I’m more excited about the potential for another blockchain-based digital asset: security tokens.

Security tokens are defined as “any blockchain-based representation of value that is subject to regulation under security laws.” In other words, they represent ownership in a real-world asset, whether that is equity, debt or even real estate. (They also encompass certain pre-launch utility tokens.)

With $256 trillion of real-world assets in the world, the opportunity for crypto-securities is truly massive, especially with regards to asset classes like real estate and fine art that have historically suffered from limited commerce and liquidity. As I’ve written previously, imagine if real estate was tokenized into security tokens that you could trade as safely and easily as you do stocks. That’s where we’re headed.

There’s a lot of forward momentum around tokenized securities, so much so that based on their current trajectory, I believe security tokens are going to become a common part of Wall Street parlance in the near future. Investors won’t just be able to buy and sell tokens on mainstream exchanges, however; “crypto-native” companies are also throwing their hats into this ring.

The starter pistol has been fired

The race is on to bring security tokens to the masses

Because Bitcoin and other cryptocurrencies are not classified as securities, it’s been much easier to facilitate trading on a large scale. Security tokens are more complex, requiring not just capabilities around trading, but also issuance and, critically, compliance. (See more of my thoughts on compliance here.) It’s a major undertaking, which is why we haven’t seen the Coinbase or Circle of security token trading emerge yet (or seen these companies expand their platforms to address this—more on that later).

Meanwhile, regular exchanges are blazing the trail and moving into providing tokens trading. The founder and chairman of the company that owns the NYSE announced a new venture, Bakkt, that would provide an on-ramp for institutional investors interested in purchasing cryptocurrencies. Last month, the SIX Swiss Exchange—Switzerland’s principal stock trading exchange—announced plans to build a regulated exchange for tokenized securities. The trading and issuing platform, SIX Digital Exchange, will adhere to the same regulatory standards as the non-digital exchanges and be overseen by Swiss financial regulators.

This announcement confirms a few things:

  1. Most assets (stocks, bonds, real estate, etc) will be tokenized and supported on regulated trading platforms.

  2. Incumbents like SIX have a head start due to their size, regulatory licensing and built-in user base. They are likely to use this advantage to defend their position of power.

  3. Most investors will never know they are using distributed ledger technology, let alone trading tokenized assets. They will simply buy and sell assets as they always have.

I expect other major financial exchanges to follow SIX’s lead and onboard crypto trading before long. I can imagine them salivating over the trading fees now, Homer Simpson style.

Live shot of financial exchanges drooling over crypto trading fees

Crypto companies are revving their engines

The big crypto companies are preparing to enter the security token arena

Stock exchanges won’t have the space to themselves, however. Crypto companies like Polymath and tZERO have already debuted dedicated platforms for security tokens, and all signs indicate announcements from Circle and Coinbase unveiling their own tokenized asset exchanges are not far behind.

Coinbase is much closer to offering security token products after acquiring a FINRA-registered broker-dealer in June, effectively backward-somersaulting its way into a state of regulatory compliance. President and COO Asiff Hirji all but confirmed crypto-securities are in the company’s roadmap, saying that Coinbase “can envision a world where we may even work with regulators to tokenize existing types of securities.”

Circle is also laser-focused on security tokens. Circle CEO and co-founder Jeremy Allaire explained the company’s acquisition of crypto exchange Poloniex and launch of app Circle Invest in terms of the “tokenization of everything.” In addition, it is pursuing registration as a broker-dealer with the SEC to facilitate token trading—it could also attempt to take the same backdoor acquisition approach as Coinbase.

If there’s a reason Circle and Coinbase haven’t moved into security token services even more rapidly, it’s that there simply aren’t that many security tokens yet. Much of this is due to the lack of compliance and issuance platforms, keeping high-quality securities on legacy systems issuers feel more comfortable with. As projects like Harbor ramp up more, this comfort gap will grow smaller and smaller, driving the big crypto players deeper into security token services.

The old guard vs. the new wave

Expect a battle between traditional and crypto exchanges.

This showdown between traditional finance incumbents and crypto giants will be worth watching. One is incentivized to preserve the status quo, while the other is looking to create a new, more global financial system.

The Swiss SIX Exchanges of the world enjoy some distinct advantages over the likes of Coinbase — they have decades of traditional financial operating experience, deep relationships throughout the industry and a head start on regulatory compliance. Those advantages mean that such incumbents will probably be the first to make infrastructural and logistical upgrades to their systems using security tokens. The first time you interact with a security token, it is likely to be through the Nasdaq.

Having said that, incumbents’ greatest disadvantage will be transporting an old-finance-world mentality to these innovations. Coinbase, Circle, Polymath, Robinhood and other newer players are better suited to harnessing the stepchange elements of security tokens — particularly asset interoperability and imaginative security design.

University of Oregon Professor Stephen McKeon, an authority on security tokens, told me that “the potential for programmable securities to enable the expression of new investment types is the most exciting feature.” Harbor CEO Josh Stein explained why private securities in particular will be transformed: “by automating compliance, issuers can allow their investors to trade to the limit of their liquidity across multiple exchanges. Now imagine a world where buyers and sellers around the world can trade 24/7/365 with near instantaneous settlement and no counterparty risk – that is something only possible through blockchain.”

Those hypergrowth startups are going to experiment with these new paradigms in ways that older firms won’t think of. You can see evidence of this forward thinking in Circle’s efforts to build a payment network that allows Venmo users to send value to Alipay users — exactly embracing interoperability, if not in an asset sense.

The race is on

As Polymath’s Trevor Koverko and Anthony “Pomp” Pompliano have been saying for the past year, the financial services world is moving towards security tokens. As the crypto economy matures, we’re inching closer to a new era of real-world assets being securitized on the blockchain in a regulatory compliant manner.

The challenge for both traditional and crypto exchanges will be to educate investors about this new way to buy and sell investments while powering these securities transactions via a smooth, seamless experience. Ultimately, security tokens lay the groundwork for granting investors their biggest wish — the ability to trade equity, debt, real estate and digital assets all on the same platform.

News Source = techcrunch.com