Confident Technologies Inc.’s (CTI) KillSwitch collects data on hacking attempts to help information security (IS) professionals safeguard their companies’ online properties and mobile applications against brute-force attacks, in which hackers try all possible combinations of symbols, letters and numbers to obtain account passwords.
State of Affairs
According to a 2011 Data Breach Investigations report by the US Secret Service and Verizon, the persistent use of password-guessing techniques and the exploitation of easy-to-guess passwords were factors in more than 50% of the major data breaches last year. Separately, University of Cambridge researchers said in a 2010 study, which looked at market failures in human authentication on the Internet, that in excess of 84% of top online destinations such as eBay and Amazon failed to place limits on how many incorrect login attempts could be made. This shortcoming, according to the researchers, provided hackers with ample opportunities to employ brute-force attacks without the fear of encountering countermeasures such as account lockouts.
KillSwitch, according to CTI, is an authentication solution that companies can use to accurately identify and properly address brute-force attacks on account logins, password-reset processes, transaction verifications and other authentication requests.
After companies roll out the solution, end users who register at their KillSwitch-enabled websites, mobile applications or other online services will be prompted to select a number of secret categories of items to remember such as dogs, flowers and cars.
For illustrative purposes, the following graphic shows a user who has chosen flowers, cars and dogs as “pass” categories.
Whenever authentication is required, the websites, apps or online services will present end users with a grid composed of random pictures, known as the Confident ImageShield. End users will be required to accurately select the pictures that correspond to their secret categories to form one-time passwords required for the authentication process.
Users can also select one or more “no pass” categories in addition to their secret authentication categories chosen during registration. So if hackers employing brute-force attacks select images that fit one of the users’ “no pass” categories, KillSwitch can automatically alert IS professionals or account owners that unauthorized access is being attempted. The technology can immediately lock all access or can present increasingly difficult ImageShield challenges while collecting critical data including the IP address, geographic location, behavioral biometrics as well as whether it’s an attempt to compromise a single account or part of a broader attack on one or more organizations.
For illustrative purposes, the following graphic shows a user who has chosen cats and insects as “no-pass” categories.
Addressing websites and apps that rely on basic user ID and password authentication, CTI Chief Technology Officer Roman Yudkin said that it isn’t always easy for businesses to quickly determine whether the entry of an incorrect password is a mistake or an attack.
“[I]f you mistype your password one really cannot take any proactive action or action in general because you, the owner of the website or application, really don’t know whether or not this was a mistake or was an active malicious attack,” said Yudkin in an interview with InfoSec Institute. “Obviously those two cases are not disambiguated enough for you to make that determination. So the patent that we filed and the technology we’re introducing attempts to address that problem.”
According to CTI, IS professionals can use KillSwitch in conjunction with their in-house risk engines, fraud-detection platforms or other adaptive-security systems, which can lead to better-informed decisions when it comes to proactively defending against brute-force attacks.
“Our technology works really well in conjunction with other technologies,” explained Sarah Needham, manager of marketing and public relations at CTI, in an interview with InfoSec Institute. “Businesses would probably do well to take the data that’s being gathered by our KillSwitch technology and feed it into a risk engine — use it in combination with other data that they’re collecting through other mechanisms. It does work well as one security layer among other security technologies that they’re using.”
KillSwitch is currently available as an optional feature with any of the CTI image-based authentication products, which can be used as stand-alone authentication solutions or as white-label integrations with other technologies.
How to set it up
According to CTI, the following – which has been adapted from the company’s implementation guide – can help IS professionals with the task of integrating KillSwitch with their companies’ own efforts to address brute-force attacks.
CTI Application Programming Interfaces (APIs)
CTI has a well-documented set of APIs that allow customers to use its patent-pending image-based authentication technologies and services to do the following: create Confident ImageShield passwords, issue ImageShield challenges and verify solution/authentication attempts. CTI’s APIs are based on open industry standards using standard RESTful architecture. Moreover, the integration process is simplified even further by enabling customers to use server- and client-side components and libraries as well as process templates provided by CTI.
Add CTI component library to application servers
CTI provides server-side component libraries in .NET, Java and PHP that its customers use to communicate with its APIs and render the UI displays that get sent to the end users’ webpage (client).
Add client-side components for enrollment and authentication
CTI provides templates for its customers to quickly add the functionality to create ImageShield passwords for their end users (enrollment) and issue/solve ImageShield challenges (authentication). Customers can modify these components and templates as they see fit or they can use them as best practices to create their own.
During user registration (enrollment), the customers’ end users will create ImageShield passwords by selecting secret “pass” categories as well as selecting secret KillSwitch or “no-pass” categories.
This complex ImageShield password is encrypted and can then be stored by customers with other information related to their end users, or CTI can store it and provide secure methods to retrieve and authenticate passwords for end users.
The server-side component that CTI provides will handle the entire process of selecting “pass” and “no-pass” categories and either return the ImageShield password to customers as clear text or return the encrypted password with the encryption method for accessing the password via API calls.
On an authentication request, customers will issue an ImageShield challenge by utilizing the CTI client-side component or library and send CTI the values entered by end users in an API call provided by the CTI server-side library.
The response from this API method is encoded and provides customers with the information they need to decide how to continue their authentication workflow:
- ‘Success’ – End users’ attempts (ImageShield password) are a match; customers can proceed to the authenticated workflow.
- ‘Previously attempted’ – ImageShield already attempted (i.e. end users clicked the back button); customers may want to load a new ImageShield.
- ‘Expired’ – ImageShield is not solvable (i.e. it was on screen for too long); customers may want to end the session and/or load a new ImageShield.
- ‘Failed’ – End users’ attempts are not a match, but no KillSwitch categories were selected; customers may want end users to retry.
- ‘Alert’ – First there is a status code that alerts customers that at least one KillSwitch category was selected.
Along with the status code is a score. The score is based on multiple dimensions: the number of KillSwitch categories selected, their proximity to “pass” categories and the interval at which the selections were made.
The score is a measure between 0.0 and 1.0 and falls into four general categories:
- < .30 – end users made a mistake; customers may want to allow a retry.
- Between .31 and .70 – end users’ identities are in question; customers should escalate security measures (e.g. issue a stronger challenge and/or password reset and/or identity confirmation measure, capture requesters’ information, etc.).
- Between .70 and .90 – end users are likely not who they pretend to be; customers should prepare to take stronger measures as their policy may indicate for escalated security risk (e.g. lock accounts and gather incident information, etc.).
- > .90 – requesters (end users) are attempting to break into accounts; customers should take the strongest measures given this security risk level (e.g. immediately lock accounts, block requesters’ IP addresses, correlate and examine other temporally related authentication requests, and gather incident information).
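The status and score handling described above, written out as an added example (it is not CTI's code or API): the status strings come from the list above, while the function names, action labels and fail-closed choices are assumptions. The published bands leave 0.30 to 0.31 unassigned and list 0.70 twice, so boundary values here go to the stricter band.

```python
import math

# Status strings as listed in the article. The action names below are
# hypothetical labels for this example, not values returned by CTI's API.
ALLOW, NEW_SHIELD, RETRY = "allow", "new_imageshield", "retry"
ESCALATE, LOCK, LOCK_AND_BLOCK = "escalate", "lock_account", "lock_and_block_ip"
DENY_AND_REVIEW = "deny_and_review"

# Statuses that carry no score map directly to one workflow step.
_SIMPLE = {
    "Success": ALLOW,
    "Previously attempted": NEW_SHIELD,
    "Expired": NEW_SHIELD,
    "Failed": RETRY,
}


def action_for_score(score):
    """Map an 'Alert' score to an action using the article's four bands."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return LOCK              # missing or non-numeric score: fail closed
    if math.isnan(score) or not 0.0 <= score <= 1.0:
        return LOCK              # outside the documented 0.0-1.0 range
    if score < 0.30:
        return RETRY             # likely a user mistake
    if score < 0.70:             # also covers the unlisted 0.30-0.31 gap
        return ESCALATE
    if score <= 0.90:            # 0.70 appears in two bands: take the stricter
        return LOCK
    return LOCK_AND_BLOCK


def decide(status, score=None):
    """Return the next workflow action for a decoded verification result."""
    if status == "Alert":
        return action_for_score(score)
    # An unrecognised status is never treated as a successful login.
    return _SIMPLE.get(status, DENY_AND_REVIEW)


if __name__ == "__main__":
    # Constructed sample results, not captured from a real service.
    for status, score in [("Success", None), ("Failed", None),
                          ("Alert", 0.12), ("Alert", 0.70), ("Alert", 0.97)]:
        print(f"{status!r:24} score={score!s:5} -> {decide(status, score)}")
```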
While brute-force attacks are a real and present problem, there are measures companies can take to effectively combat them. Used as one part of an overall information security strategy, KillSwitch can help businesses to prevent hackers from successfully using brute-force attacks to harvest account passwords.
- 2011 Data Breach Investigations report – http://www.secretservice.gov/Verizon_Data_Breach_2011.pdf
- The password thicket – http://weis2010.econinfosec.org/papers/session3/weis2010_bonneau.pdf