" identity Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘identity’

Stopping Forged Email 1: SPF to the Rescue

Tuesday, February 17th, 2015

We have recently looked at how hackers and spammers can send forged email and then seen how these forged messages can be almost identical to legitimate messages from the purported senders.  In fact, we learned that generally all you can trust in an inbound email message is the internet IP address of the server talking to your inbound email server — as this cannot realistically be forged in any way that would still enable you to receive the message.

We know who the message says it is from and the address of the server that delivered it to us.  How can we reliably prevent fraud by checking if the message was forged or not?  Seems hard.

It turns out that there are a number (yes, more than one!) of techniques that can be used to do this.  The first and simplest is SPF – Sender Policy Framework.  Below, we shall look at what this does, how it works, how to set it up, and what some of its deficiencies are.  In future articles, we will look at the other techniques.

SPF – Sender Policy Framework: A Super Simple Explanation

Simply put, SPF is a way for the owner of a domain, such as bankofamerica.com, to publish information indicating what servers (Internet addresses) are authorized to send email from that domain.  Recipients (e.g. your spam filtering software) can check the Internet address that is trying to send you an email from bankofamerica.com against this authorization list — if it is on it, the message is probably legitimate; if not, it’s probably forged.


Why protecting and validating email identity is a top priority for a secure 2015

Wednesday, January 21st, 2015

The scope and frequency of cyber attacks, data breaches, information disclosures, and the sophistication of the tools used to attack companies and individuals has been increasing at a tremendous rate.

It doesn’t strain our memories to come up with numerous prime examples, including the deliberate corporate penetration of Sony (which was “easy”) and of Sands Casino (presumably very hard), or the exposure of Regin, the super-powerful nation-state-sponsored attack software that helps enable penetration of specific, complex targets.  Don’t forget, as well, the numerous phishing attacks that were propagated in 2014.  And, perhaps just as infamous, the social engineering attacks in which malicious individuals tricked Apple and GoDaddy into revealing sensitive information.

All of these are different attack vectors, with different ultimate purposes, targeting individuals or corporations.  All were successful.  And the actual, complete list would be too large to publish (and would be impossible to know as more than half of data breaches go unnoticed).


Web Forms Reduce Spam and Optimize Business Processes

Wednesday, July 10th, 2013

Businesses of all sizes use general purpose email addresses, like info@company.com or support@company.com, as conduits for information, support, sales, billing, and other requests from customers.  On the surface, there is an apparently very good reason for this: many customers appreciate the simplicity of being able to send an email message.  It’s best to be as flexible as possible and reduce the time that the customer must spend to get a response, right?

There are actually many significant downsides to accepting general customer requests via email; downsides which can cause friction, slow the response process, or result in missed opportunities.  We will cover many of these issues below.  The solution is to use targeted, specific web-based forms to collect customer requests; we will also discuss why this is a better approach.


New Self-Service Password Reset System

Saturday, April 20th, 2013

Since its inception in 1999, LuxSci Support has manually handled all password reset requests that were not handled by the account administrators.  

Why? Security reasons, of course. We are aware of:

  • Poor Security Questions: users very often choose weak answers to their security questions.
  • Hackers: people often try to use password reset systems to gain unauthorized access to users’ accounts.
  • Lack of Information: users often do not have enough solid information in their profiles to reliably verify their identities.

By manually processing these requests, we can effectively block password resets in the face of poor identity verification information and subjectively identify “fishy” requests.

However, we have come to determine that this manual process, while it provides the best security, is not actually in the best interests of our customers because:

  1. Time: Manual identity verification takes time, and delays in password resets can be detrimental to our customers’ ability to get work done.
  2. Better Questions: We have improved our user security questions in the last few years so that the questions and answers are generally of much better quality than they used to be.
  3. Mobile Phones: Most people have mobile phones capable of receiving text messages now and these can be used for identity verification.
  4. Simulating our Manual Process: We find that we can provide an automated self-service password reset process that simulates our manual review and verification process to a very large degree without a significant loss in security.

Best Practices for Password Reminders and Security Questions

Thursday, May 5th, 2011

Many companies, LuxSci included, recommend or require that users have one or more “Security Questions” and corresponding answers associated with their accounts.  These questions are commonly used to:

  • Verify a user’s identity if the user has forgotten his/her password, or
  • Provide a second factor for logging into the service above and beyond the username and password

Because these questions are used to provide access to the service and identity verification, it is very important that questions and answers be well chosen.
