Two-Factor Authentication Best Practices

A second layer of data protection is always a good idea, especially when you want to keep your customers safe from intruders. Authentication mechanisms that require only a username and a password are no longer intrusion-proof, as recent experience at some internet giants who shall remain nameless has shown. Your users will be safer if you implement a two-factor authentication system using an SMS gateway and send customers one-time passwords (OTPs) to enter your system.

Typically, one-time passwords are four- to eight-digit numerical codes that are valid for a short period of time, and only for one interaction, session, or transaction. They make authentication safer because they are sent directly to the customer’s mobile phone, a channel separate from the one used for the password. Authentication via OTP gained popularity across industries because it is a cheap, easy-to-implement, and ubiquitous way to communicate with customers. The user does not have to install a third-party application to receive the one-time passwords, so it is also a very user-friendly option.

To set up OTPs, you will need an SMS gateway that supports this authentication method. It is configured to generate one-time passwords and send them to the user via text. Some OTPs are generated by time-synchronization (the server and the user's device derive the same code from a shared secret and the current time), while others are random codes generated by the server and delivered to the user.
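The two generation styles described above, as an added example that is not part of the original page or of any product it mentions. `OtpService` models the server side of a delivered SMS code: a CSPRNG-generated numeric code, stored only as a keyed hash, valid for one time window and one use, with a cap on guesses. `totp()` shows the time-synchronized variant (RFC 6238, HMAC-SHA1) and is checked against that RFC's published test vector. The validity window, attempt cap, user names and the injected clock are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # within the four-to-eight-digit range described in the text
OTP_TTL_SECONDS = 300   # assumed validity window (5 minutes)
MAX_ATTEMPTS = 5        # assumed guess limit per issued code


@dataclass
class PendingOtp:
    code_hash: bytes      # keyed hash of the code; the clear code is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies single-use, short-lived numeric codes for SMS delivery."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key      # server-side secret used to key the stored hash
        self._clock = clock         # injectable clock so expiry can be tested offline
        self._pending: dict[str, PendingOtp] = {}

    def _digest(self, user_id: str, code: str) -> bytes:
        # Binding the user id into the MAC stops a code issued to one user matching another's entry.
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        # secrets.randbelow is CSPRNG-backed; zero-padding keeps leading zeros in the code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = PendingOtp(
            self._digest(user_id, code), self._clock() + OTP_TTL_SECONDS)
        return code  # handed to the SMS gateway; a new issue replaces any earlier pending code

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                       # nothing pending (never issued, used, or locked out)
        if self._clock() > entry.expires_at:
            del self._pending[user_id]         # expired: discard, user must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]         # too many guesses: invalidate the code entirely
            return False
        if hmac.compare_digest(self._digest(user_id, submitted), entry.code_hash):
            del self._pending[user_id]         # single use: a replay of the same code fails
            return True
        return False


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """Time-synchronized code per RFC 6238 (HOTP over the current time step, HMAC-SHA1)."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def demo() -> dict:
    """Walk one constructed user through the code lifecycle; returns the outcome of each step."""
    now = [1_000_000.0]                                    # constructed fake clock
    svc = OtpService(b"constructed-demo-key", clock=lambda: now[0])
    results = {}
    code = svc.issue("alice")
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code"] = svc.verify("alice", wrong)      # False
    results["right_code"] = svc.verify("alice", code)       # True
    results["replay"] = svc.verify("alice", code)           # False: already consumed
    code2 = svc.issue("alice")
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", code2)         # False: window elapsed
    code3 = svc.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "9" * OTP_DIGITS if code3 != "9" * OTP_DIGITS else "0" * OTP_DIGITS)
    results["locked_out"] = svc.verify("alice", code3)      # False: guess limit exceeded
    return results


if __name__ == "__main__":
    print(demo())
    # RFC 6238 Appendix B vector: secret "12345678901234567890", T = 59 -> 94287082
    print(totp(b"12345678901234567890", 59))
```

The design point is that the server never needs the clear code after sending it: verification compares keyed hashes in constant time, and every exit path that is not a success either keeps the code pending (wrong guess under the limit) or discards it (expiry, lockout, successful use), so the same code cannot be reused by an attacker who later intercepts the text message.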

Text messages can be delivered in two ways: (1) you can attach a GSM modem to your server with a data cable, or (2) you can send messages through an SMS service provider. If you decide to go for the latter option, text messages are first sent to the short message service center (SMSC) of the service provider, and from there, based on connections with other SMSCs, they are forwarded to your recipients. For security reasons, setting up a VPN channel between the SMS gateway and the SMSC of the service provider is always a good precaution. The first option is usually more secure because it is integrated into your infrastructure and does not require an internet connection. The second delivery option is a good choice if you need to send a high volume of text messages.


SMS-based OTPs Are an Option if You Operate in One of These Industries

Everyone understands text messages, so implementing two-factor authentication using SMS will not introduce a steep learning curve for your customers. SMS-based OTPs can be implemented regardless of your industry. Here is a list of industries already using this type of authentication successfully:

  1. Education and Training
  2. Food industry
  3. Retail
  4. Travel and Tourism
  5. Healthcare and Hospitality
  6. Web Design
  7. IT and ITeS
  8. Oil and Gas
  9. Real Estate
  10. Media and Advertising

Two-Factor Authentication Use Cases

  • Registration

Ask for a user’s phone number during the first registration attempt. Display a message where it is clearly explained that their phone numbers will be used only for verification procedures. Afterwards, send a one-time password that will allow the user to access their new account.

  • Password Reset

Fraudsters get into user accounts by phishing email addresses, so verifying new passwords via text OTPs adds an extra layer of security.

  • New Device

If the user logs in from a different device, a new IP address, or even a new country, you can add extra verification steps such as an SMS OTP or qualifying secret questions.

  • Unusual Behavior

Unusual behavior, such as making a lot of purchases in a short amount of time or in different time zones, can serve as a red flag. Prevent fraudulent activities by verifying whether the actions were really performed by the user.

  • Changing Account Information or Settings

Set up additional verification steps when the user requests certain changes that could put their information at risk, such as changing the account name or phone number. You could encourage users to opt in to extra verification steps by rewarding them for choosing to add the second security layer (some companies offer discounts if their users protect themselves in this way).
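A step-up policy that turns the use cases listed above (new device, new country, unusual purchase velocity, sensitive account changes) into a decision about when to demand an OTP, as an added example that is not part of the original page. The signal names, the ten-minute purchase window, the purchase limit and the sample user and device identifiers are assumptions; a real deployment would tune them from its own fraud data.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumed policy constants for the demonstration.
SENSITIVE_ACTIONS = {"change_phone", "change_email", "change_account_name", "password_reset"}
PURCHASE_WINDOW = timedelta(minutes=10)
PURCHASE_LIMIT = 5          # more purchases than this inside the window is a red flag


class StepUpPolicy:
    """Decides whether a request must be confirmed with a second factor, and why."""

    def __init__(self):
        self.known_devices: dict[str, set[str]] = {}
        self.known_countries: dict[str, set[str]] = {}
        self.purchases: dict[str, deque] = {}      # per-user sliding window of purchase times

    def trust(self, user: str, device_id: str, country: str) -> None:
        """Record a device/country pair as known, e.g. after registration or a passed OTP."""
        self.known_devices.setdefault(user, set()).add(device_id)
        self.known_countries.setdefault(user, set()).add(country)

    def evaluate(self, user: str, action: str, device_id: str, country: str,
                 at: datetime) -> list[str]:
        """Return the list of reasons a second factor is required; empty means no step-up."""
        reasons = []
        if device_id not in self.known_devices.get(user, set()):
            reasons.append("new_device")
        if country not in self.known_countries.get(user, set()):
            reasons.append("new_country")
        if action in SENSITIVE_ACTIONS:
            reasons.append("sensitive_change")
        if action == "purchase":
            window = self.purchases.setdefault(user, deque())
            window.append(at)
            while window and at - window[0] > PURCHASE_WINDOW:
                window.popleft()               # drop purchases that fell out of the window
            if len(window) > PURCHASE_LIMIT:
                reasons.append("purchase_velocity")
        return reasons


def demo() -> dict:
    """Run constructed events for one user through the policy; returns each decision."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    policy = StepUpPolicy()
    policy.trust("alice", "dev-A", "CH")                     # device/country seen at registration
    results = {}
    results["routine"] = policy.evaluate("alice", "view_balance", "dev-A", "CH", t0)
    results["new_device"] = policy.evaluate("alice", "view_balance", "dev-B", "CH", t0)
    results["sensitive_abroad"] = policy.evaluate("alice", "change_phone", "dev-A", "JP", t0)
    # Six purchases within two minutes: the sixth exceeds the assumed limit of five.
    burst = [policy.evaluate("alice", "purchase", "dev-A", "CH", t0 + timedelta(seconds=20 * i))
             for i in range(PURCHASE_LIMIT + 1)]
    results["burst_fifth"] = burst[PURCHASE_LIMIT - 1]
    results["burst_sixth"] = burst[PURCHASE_LIMIT]
    # Later purchase outside the window is routine again.
    results["after_window"] = policy.evaluate("alice", "purchase", "dev-A", "CH",
                                              t0 + timedelta(hours=1))
    # Once the user passes the OTP on dev-B, that device stops triggering a step-up.
    policy.trust("alice", "dev-B", "CH")
    results["device_after_otp"] = policy.evaluate("alice", "view_balance", "dev-B", "CH", t0)
    return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'OTP required ' + str(reasons) if reasons else 'no step-up'}")
```

Returning the list of reasons rather than a bare yes/no is deliberate: the reasons can be logged for fraud review, shown to the user ("we noticed a login from a new device"), and used to pick the strength of the challenge, for instance an OTP for a new device but an OTP plus a cooling-off period for a phone-number change from a new country.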

When Is It Better to Use Multi-Factor Authentication Technology?

With the rise of fraud campaigns such as Operation Emmental, which affected banks in Switzerland, Sweden, Austria, and Japan, banks are looking for alternatives to OTPs delivered by SMS. During Operation Emmental, millions were stolen from both consumer and commercial bank accounts.

Cybercrooks mislead people into installing fake applications on their devices. There were cases where such apps waited for text messages from banks that contained session tokens, silently hijacked the communication, and forwarded the information to the attackers’ servers. Cybercriminals are keen on finding ways to undermine SMS OTPs, but it is still a far safer alternative to the ID-and-password-only option.

SMS two-factor authentication verifies a user’s identity in a fast, easy, and non-disruptive way. It is relevant for a range of industries, it is cost effective and easy to implement, and it works on a global scale. Reach out to a telecom consultant and discuss your two-factor authentication needs.

Moving Forward,
DAS Solutions Team.

Instant Messaging

Are You Using Instant Messaging to Chat with Clients?

Instant messaging has been part of the daily routine for years. IM delivers many benefits, such as ease of use, video streaming, screen sharing, and real-time communication. It is handy for companies that have offices in different countries. If your company decides to use instant messaging for internal communication and for external communication with partners and clients, make sure you do the following in order to avoid the common annoyances and even threats that come with some IM systems:

  • Take control over instant messaging

Ideally you need a custom enterprise IM for communication. All instant messages sent and received by employees can then be channeled via a central server, archived for future reference, encrypted, and subjected to security processes and policies. Contact us if you wish to keep your business safe from malware and hackers.

Otherwise, you can use a well-known IM with tools that were designed for enterprises. Use features that track history and back up messages to create a knowledge base for future reference. Don’t forget to use encryption so that anyone who tries to access your messages sees only encrypted (gibberish) text.

  • Minimize the risks

Lower the risks of using IM by restricting the domains that can send and receive messages. The system administrator can block the source of potentially malicious messages. If the company policy forbids the transfer of files to unknown recipients, the risks associated with the loss of confidential information are mitigated. This is especially relevant in the financial and insurance industries, where data confidentiality is particularly critical.

  • Educate employees

Most importantly, employees need to be aware of security risks. Develop an instant messaging usage policy and make sure that it gets followed. Employees need to understand clearly what kind of information they can provide to clients and partners by IM and what sort of documents can be sent by email. Training end-users to be more skeptical about the messages they get must be part of the strategy.

Instant messaging is the preferred communication channel when it comes to brief conversations with prospects, clients, and partners. IM bears risks, however, and requires thorough management to be a safe tool.

Secure software development

Secure Software Development and Its Importance

With the emergence of Bring Your Own Device (BYOD) policies, it is crucial that employees use secure programs and applications on their devices.

Cyber criminals can break into networks in various ways, and one of them is through third-party applications installed on workers’ personal devices. If the software is vulnerable, it can be exploited with costly consequences. Companies in the financial sector are especially at risk, but companies in the insurance and lending business are usually high on the target lists as well.

According to a recent study on mobile travel apps, developers have been more focused on the usability of applications than on their security, leaving sensitive data vulnerable to breaches. Many companies recommend that their employees download only applications (used for work or otherwise) that come from the official Android or iOS app stores. Moreover, employees should use the latest versions of both the OS and the applications, and should be careful when using unsecured wireless networks.

Taking into account the ever-changing ways to bypass security, a company’s IT team should be responsible for information security inside the company, and it is therefore their duty to raise this question in discussions with upper management. If the company has a consistent security policy, and all employees understand the importance of using secure applications provided by trusted vendors, the likelihood of a successful attack decreases.

Flaws are inevitable in the process of creating new software products. Secure software development is a practice that ensures that the code and the processes used while developing applications are as secure as possible. The secure software development lifecycle takes security considerations into account at each step of the software development process: requirements assessment, design, coding, testing, and deployment.

If you are considering purchasing software for your company, make sure that your vendor follows secure software development principles.