Identity thieves are getting quite sophisticated when it comes to stealing your username and password. We might be wary of an unsolicited email containing a link, but what if it came from a friend's email account? This happened to my wife recently - her friend's PC had been taken over and was sending believable emails to all her contacts (the PC was later encrypted by the hackers and held to ransom for bitcoins). If you clicked the link, up would pop a window purporting to be from Google asking you to log in with your username and password. Then there is the issue of having to remember too many long and complex passwords for the different web services we all use. I think most of us would agree that passwords aren't safe and they are painful to use.
Fortunately the combination of a new authentication protocol called FIDO (Fast ID Online) and biometrics is changing the landscape rapidly. The FIDO Alliance is a group of approximately 200 companies working together to create a new protocol that provides simpler, stronger authentication. It can work with many different types of authenticator, such as a fingerprint sensor, an iris scanner or trusted PIN entry. The device (not the remote server) creates a public/private key pair for each combination of user, device and relying party during registration and provides only the public key to the relying party; the private key never leaves the device. The sensitive parts of the system (the cryptography, the biometric matching and the key store) need to be protected from scalable attacks, i.e. attacks that compromise many devices at once rather than one device in the attacker's hands. Fortunately ARM-based application processors usually implement a TrustZone-based Trusted Execution Environment (TEE) consisting of isolation hardware, authenticated trusted boot and a small Trusted OS. The TEE is being standardised by GlobalPlatform, who are working on a security certification scheme so that it will soon be possible for platforms to be tested by third-party labs. The attached white paper looks at how the TrustZone-based TEE is being used with FIDO-based systems to protect assets and accelerate the revolution to a world without passwords.
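To make the registration and login flow described above concrete, here is an added example (not code from the white paper, the FIDO Alliance or any FIDO implementation) that models both sides of the exchange in Go: the authenticator generates a key pair per relying party at registration and hands over only the public key; at login the relying party sends a fresh challenge, the device signs it together with the relying party's identifier and a signature counter, and the server verifies with the stored public key. The `Authenticator`, `RelyingParty`, `Register`, `Assert` and `Verify` names, the Ed25519 choice and the in-memory key map are all assumptions made for the example; in a real deployment the private keys and the signing step would live inside the TEE the post describes, not in ordinary process memory.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Keys live in a plain map here as a
// simplification; the point of the TEE is to keep them out of reach of the rich OS.
type Authenticator struct {
	keys    map[string]ed25519.PrivateKey // credential ID -> private key
	counter uint32                         // monotonically increasing signature counter
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair scoped to one relying party and returns the
// credential ID and public key. The private key stays on the device.
func (a *Authenticator) Register(rpID string) (string, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", nil, err
	}
	credID := fmt.Sprintf("%s:%x", rpID, idBytes)
	a.keys[credID] = priv
	return credID, pub, nil
}

// signedData is what gets signed: the rpID binds the assertion to one site (a
// look-alike domain yields a different message), the counter lets the server
// spot a cloned key, and the server's random challenge makes every login unique.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(rpID)
	buf.WriteByte(0)
	_ = binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(challenge)
	return buf.Bytes()
}

// Assert answers a login challenge for a stored credential.
func (a *Authenticator) Assert(rpID, credID string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return 0, nil, errors.New("no credential with that ID")
	}
	a.counter++
	return a.counter, ed25519.Sign(priv, signedData(rpID, a.counter, challenge)), nil
}

type storedCred struct {
	user        string
	pub         ed25519.PublicKey
	lastCounter uint32
}

// RelyingParty is the server. It holds only public keys and the last counter
// seen, so a breach of its database does not let anyone log in.
type RelyingParty struct {
	ID    string
	creds map[string]storedCred
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]storedCred{}}
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (rp *RelyingParty) StoreCredential(user, credID string, pub ed25519.PublicKey) {
	rp.creds[credID] = storedCred{user: user, pub: pub}
}

// Verify checks signature and counter and returns the authenticated user.
func (rp *RelyingParty) Verify(credID string, challenge []byte, counter uint32, sig []byte) (string, error) {
	rec, ok := rp.creds[credID]
	if !ok {
		return "", errors.New("unknown credential")
	}
	if !ed25519.Verify(rec.pub, signedData(rp.ID, counter, challenge), sig) {
		return "", errors.New("bad signature")
	}
	if counter <= rec.lastCounter {
		return "", errors.New("counter did not advance: replay or cloned authenticator")
	}
	rec.lastCounter = counter
	rp.creds[credID] = rec
	return rec.user, nil
}

func main() {
	rp, dev := NewRelyingParty("example.com"), NewAuthenticator()
	credID, pub, _ := dev.Register(rp.ID)
	rp.StoreCredential("alice", credID, pub)
	ch, _ := rp.NewChallenge()
	ctr, sig, _ := dev.Assert(rp.ID, credID, ch)
	fmt.Println(rp.Verify(credID, ch, ctr, sig)) // alice <nil>
}
```

Two properties of the real protocol show up directly in the checks: an assertion signed for a different relying-party identifier fails verification at `example.com`, which is why the fake Google login window from the post would get nothing useful, and replaying a captured assertion fails because the counter does not advance.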
A good whitepaper. The website links in this paper, such as "online" with an underline, can't be opened. Do you also find this problem?
Yes; I certainly agree on that they're clever.
Very recently, I received an email, which appeared to be from a friend of mine.
It was of course written in Danish, and my "friend" wrote that he was stranded in London and had his wallet and passport stolen.
Thus he asked me to send DKK 5000 using Western Union for a plane ticket to Denmark.
Please note: I am a system administrator and I know spam when I see it; I was very close to believing this email myself.
Everything was quite believable, except for two things: There were a few spelling mistakes and a few words were too modern for my friend to use.
In addition to the spelling mistakes, the "Western Union" was also sounding the alarm.
Tricksters on Alibaba managed to cheat my brother out of DKK 5000 as well; they used Western Union.
Such tricksters do not want to use PayPal or Skrill; they want you to transfer the money so you can't recall them.
This is why they want to use T&T or Western Union.
Back to my friend. What I did was to wait until 08:00 and call his wife.
I asked if her husband was in London; she replied: "No, he's right here next to me, we didn't get out of bed yet."
So the impostor used Google Translate to translate his message into Danish-ish and then finally sent a bunch of emails to my friend's contacts, including me.
Of course I went straight to the local police and told my friend to first send emails to his contacts and also call a few people, telling them what had happened.
I'd like every reader of this comment to be cautious as soon as someone is asking for a money transfer; do not reply to the email you've received, but use another way for verifying that the person is who he/she claims to be.
You could use the money that you didn't send to the trickster, to improve your electronic security.
FIDO looks to me to be a good technology, and the more who use it when possible, the fewer 'friends in need' we will encounter.
Also, if you have an SSH server connected to the net, do *NOT* use username/password for your logins; use SSH keys instead and reject all username/password login attempts! I've seen someone getting access to my own system before I switched.