Why do we keep using bad passwords?

We have been using passwords and codes for hundreds of years, but still, it seems like our security thinking hasn’t evolved at all. A new survey from Qualtrics and Okta shows that users’ password management is less than ideal.

For several years we have seen the lists of “most commonly used passwords”, and frequently it’s “123456”, “password” and “111111” that top the list. Other common passwords are ‘666666’, ‘654321’, ‘!@#$%^&*’, ‘charlie’, ‘password1’, and ‘donald’.

What’s more alarming, though, is that almost 40% of the people participating in the “Okta Business@Work 2019 Report” said they use the same 2-4 passwords for almost everything. Furthermore, a whopping 10% use the same password for everything! That means they use the same password for their work login and bank app as for their Tinder account and Facebook profile. If you think about the large number of hacks in recent years, you can see that a hacker can easily get access to far more places than the specific site they hacked. In fact, the study shows that 10% of people have used one of the top 25 worst passwords (some of them stated above). So, a hacker doesn’t even need to hack a server to gain access to passwords. They can just try the ones on the list and they’ll be getting into far more places than they reasonably should in this day and age.

Of course, with all the information surrounding us today, remembering 10-20 different passwords, which should also be switched out regularly, is not an easy thing to do. This has caused a large number of users to write their passwords down. Unfortunately, they often keep them near their computer, so they always know where they are. More than half of the people in the survey store their passwords on a piece of paper, on a sticky note, in a desktop file or in the phone’s note app. None of these can be considered very secure.

Luckily, there is also a huge rise in the use of multi-factor authentication apps and solutions. Even more satisfying is that a decreasing number of such systems are using SMS for the verification, since SMS has been found to be very easy to reroute. The Okta study shows that 70% of companies use two to four factors for authentication, and 29% use more than four or more factors. This, however, increases the complexity for the users. And as we all know, complex systems are the mother of shadow IT.

So, when choosing your multi-factor authentication system, security is not the only thing you need to consider. The users must find it easy to use, as well as feel that the system provides a reasonable level of security. An overly complex system will both be frustrating to use and raise the question of why such a complex system is needed. In other words, you need to find a system that provides both security and simplicity of use. And please, find an app that can securely store your passwords so you don’t have to write them down on sticky notes and stick them on your screen.

Covr visits Israel to learn from their very active start-up scene

If you were to list the three main start-up scenes in the world that produce more Unicorns (+1 Bn USD companies) than any other, you would probably mention Silicon Valley, Sweden, and Israel. So, for a start-up tech company in Sweden, it makes perfect sense to visit one of these hubs to learn from their experiences. Next week, Covr is doing just that, and the reason? To make smarter decisions and better business in a global market!

In today’s interconnected world, networking is one of the primary skills you need to master. Both companies and business gurus talk more about collaboration than competition, and as a company in a small market, you quickly need to expand your network internationally. Covr is, therefore, taking a trip to Israel to exchange ideas, get inspiration and gain insight into how companies in similar, yet somewhat different, markets do things. The Swedish and Israeli markets are similar in the sense that both are too small for a company to make it on its home market alone. As a start-up, you must see yourself as a global company from the start, but that also brings a lot of new obstacles and challenges. Taking the opportunity to learn from others in similar positions is nothing but a smart investment in your future business development.

Peter Alexanderson, Founder of COVR Security, speaks in Tel Aviv Fintech week, 5th of March 2019.

Covr’s networking trip will hopefully generate ideas that will position the company for a rapid and profitable expansion, as they are gearing up to bring their security solution to the global market. However, there’s a considerable difference between expanding globally with the experience others have already gained and going at it alone, much like learning how to drive with or without a tutor. Preferably the former rather than the latter.

We look forward to hearing the tales and lessons learned, and above all to see them implemented, as Covr takes identity validation and digital security to the next level for individuals and companies around the globe.

Yet another example of why SMS-authentication is a really bad idea!

You’d think that in today’s high-tech society, nobody uses text messages as part of their 2-factor authentication system. But despite hoping that this was a dead and buried practice, every now and then we see examples of it being used and subsequently hacked. Recently, Metro Bank in the UK and its customers suffered the consequences of this, which goes to show it’s time we start using better and safer solutions.

Telecom operators use a protocol called SS7 to reroute both text messages and calls, and it also offers the possibility of geo-positioning cellphones. The problem is that the owner of the cellphone doesn’t need to be informed of this, meaning anyone with access can reroute text messages and track the whereabouts of the phone as they choose. This could, for example, be the telecom operator itself, a government agency, or the not-so-friendly hacker.

All the hackers need to do is figure out the user’s login and password to their bank, things that are relatively easy to get your hands on these days. They then simply use the SS7 protocol to reroute the authentication text message to their own phone and immediately get full access to the bank account. This exact thing happened to customers of the Metro Bank in the UK recently, as reported by “Motherboard”. The SS7 attacks drained the accounts of “an extremely small number” of customers according to representatives of the bank. But regardless of the number of victims, this should really not be a hack that is possible to perform any more. Especially not at a bank that millions of individuals and companies trust with their money.

Metro Bank, Crawley, UK. (Photo Robin Webster)

The victims were of course compensated by Metro Bank, and hopefully, both the bank and customers have learnt their lesson and will immediately abandon these inadequate practices.

There are, however, still thousands of services, banks and others that rely on text messaging for their 2-factor authentication, apparently living in the belief that their system is secure. But implementing just any 2-factor authentication protocol does not mean your system is secure, much like having a seat belt made out of paper won’t do you much good in a car crash.

So, take a good look at the service providers you use. If they use text messaging as part of their two-factor authentication, inform them of their error and find yourself another supplier. You simply aren’t safe where these practices are being used.


Prevent fraud and build trust with your customers by simply buffing up your FDP-system

You don’t want to lose money due to online fraud, do you? Then you better buff up your FDP solutions, because retailers are expected to lose $130 billion in CNP fraud in just the next 5 years.

As online shopping and digital solutions are becoming more common, we are also seeing a rise in online fraud, and the no-good-doers are getting more creative every day. As an online retailer, you, therefore, need to increase and expand your Fraud Detection and Prevention (FDP) measures in order to keep the bad guys at bay and prevent your business from sustaining heavy losses in the upcoming years.


If you are like most eCommerce merchants, you have probably focused mainly on detecting fraud at the point of transaction. This makes sense since this used to be the place where fraud was common, and it was also fairly easy to detect certain types of fraud there. But nowadays the fraudsters have become better at hiding their intentions, and you need to look for suspicious behaviour earlier during the session in order to identify them. Catching them with their hand in the digital cookie jar simply isn’t as easy as it used to be.

The reason why most online retailers don’t invest in a multi-layer FDP is that it seems like a waste of money. There is a perception that an advanced system like that can only detect fraud, and thus it makes little sense investing in a costly system that only does one thing. It can sometimes also be hard to calculate the exact amount of money lost to fraud, so calculating the ROI of such a system becomes trickier. But now that a recent study from Juniper Research indicates a potential loss of $130 Bn over the coming five years in Card Not Present (CNP) fraud alone, getting a better system might prove to be a good investment after all.

There are also added benefits of having a better FDP system in place. One of the authors at Juniper Research, Steffen Sorrell, explains: “A layered FDP solution naturally helps directly preventing fraud, but it also offers major gains in terms of recovering potentially lost revenue through false positives. This is something about which retailers remain undereducated, and has allowed fraudsters to capitalize on relatively low FDP spend.”

Online-shoppers love a retailer they can trust

This means that a well-implemented FDP solution will quickly earn its money back. And not just by preventing fraud, even though the staggering losses Juniper Research calculates might be enough already, but also by increasing consumer trust.

So, by having a multi-layer FDP you can build a secure and trustworthy shopping experience for your customers. And trust me when I say this: online-shoppers love a retailer they can trust. If you are worried about the ROI, fret no more, buffing up your anti-fraud system will quickly prove to be a good investment for both you and your customers.

Digital shoplifting is the new black

Black Friday brings a picture of chaos to mind, with people going berserk in stores, right? And true, not long ago the standard protection gear was helmets, knee and elbow pads in the brawl for Black Friday doorbuster deals. But this is rapidly changing as more and more people (naturally) avoid the in-store ruckus and instead hunt for Black Friday deals online, from the comfort of their own home.

People’s desire to grab top Black Friday and Cyber Monday deals for their friends’ and family’s Christmas lists is a monumental threat for both retailers and consumers. In the midst of the online shopping frenzy, people click-search for bargain after bargain and tend to ignore elementary security procedures.

If it walks like a duck, quacks like a duck – it’s probably a duck

As online retailers’ email campaigns ramp up with irresistible offers, cybercriminals are getting ready to get in on the action too. The holiday season provides a golden opportunity for fraudsters to dispatch millions of phishing emails with too-good-to-be-true discounts that land in our inboxes mingled with legitimate offers.

The smartphone security dilemma

It’s not just online fraud that presents a threat – all digital or electronic means of payment, like card transactions and ATM withdrawals, are equally vulnerable to fraud; this we already know. But there is one major device that in recent years has become the most exposed and undefended – the smartphone. This fact is particularly disheartening as the smartphone is also the preferred means of payment and shopping for an ever-increasing number of people. One security pitfall, for example, is that mobile browsers have short address fields, so it can be hard to see the full URL, which makes it more difficult to spot a deceptive link.

The regulation that comes to the rescue – PSD2

The EU regulation PSD2 (Second Secure Payment Directive), which comes into effect next year, is simply put about opening up banks’ APIs to third parties, but the directive also requires that transactions from €30 and up must go through heavy authentication before a purchase is approved. To handle this, the customer experience can in many cases take a blow, as it means more clicks, difficult setup of various authentication applications on people’s own devices, and more advanced security procedures to go through than before.

How about Covr?

With this in mind, we developed the Covr app which circumvents the paradox between user friendliness and security. Covr is both ultra secure and convenient for people to use – and the shopping holidays can become a fun, safe and happy experience again for your customers.

Who are you? Three simple pieces of advice to convince your users of the benefits of MFA

You want to know that the person you’re dealing with really is who they say they are. You do, and this is why an up-to-date secure customer authentication method is the cleverest of business strategies.

Saying it like it is – companies and organizations that continue to depend on passwords alone as their first method of identity verification are seriously negligent. It is not just about the disaster that comes in the wake of a security breach, it’s also about owning up to your promise to keep your customers safe. We’d like to disentangle how you can remedy this slip without overloading yourself, your users, customers or workforce.

Nobody wants to be the prey of identity thieves

You can no longer dispute that there are severe security vulnerabilities that come with the evolution of third-party payment services, connected IoT devices, or the already known problems with unsecured public Wi-Fi as well as BYOD (Bring Your Own Device) policies in workplaces. This is a constant headache for IT professionals and management in most industries providing digital services today (and honestly, what company doesn’t?).

By basing your cyber protection strategy on watertight verification of the user, underpinned by smart, tested MFA tools that authenticate your customers and grant them access to systems and services, you are well on your way! This can be done in many ways, of which the worst is using many different tools for mobile identity management, as cost and complexity can quickly spiral out of control.

Is MFA really necessary, and if so, how do I get my customers onboard?

People nowadays have colossal numbers of online accounts for banking, social media, digital utility tools, health records – the list goes on and on. By illustrating and communicating the need for identification, authentication and verification on a basic level, you can help your users to better understand why MFA is so crucial. Here are some points on how to break it down in a way that makes sense to the average user.

  1. Explain multi-factor authentication to your customers/users very basically
    It takes just one carelessly crafted password to invite an attack – it’s just like leaving the door open and unlocked when you go to work. In the worst case, depending on what is stored in the account, sensitive data like credit card numbers, passwords recklessly stored in a text file on Google Drive, PIN codes or just fraudulent emails can result in a person’s entire identity being hijacked. Inform your users that this can happen everywhere, anywhere, on any account.
  2. Be persistent and provide plenty of support, guides and information.
    Change is often tough, and convincing a user to trust a new app doesn’t come easy. By being open and giving the users all the support they need, including easy-to-read manuals, you could win your customers over. Even better – choosing a security app that you can white label makes the transition easier, as the customers see that the app comes from a familiar and trusted source (you).
  3. Make it easy
    The best way to convince your users of the benefits of multi-factor authentication is to supply them with an all-in-one mobile app that authenticates, verifies, and grants the user access. Choose an app that provides MFA with as little hassle as possible.

As with everything, there are learning curves to implementing MFA. Not everyone may understand the necessity for it, but once implemented, the benefits outweigh any and all potential drawbacks and protect everything – whether it be identity, data, or money.

As for which app to use, Covr offers a lean user experience backed by a company with an exemplary security record!

Market outlook: The need for protection creates explosive growth in the mobile cyber security industry

A new market segment is rapidly emerging within the tech sector that is perhaps one of the fastest-growing segments, if not the fastest – mobile security software and services.

Mobile transactional security and cyber defence have become increasingly critical since companies continue to collect, handle, and store enormous amounts of confidential information and send that data across networks – many of them scarily unsecured and unprotected. There is also a “bring-your-own-device” (BYOD) culture in almost all modern companies today, and that is one reason cyber security is crucial for all points in the network, including smartphone connectivity. Cyber security is not just a matter for the IT department anymore, but for all executive decision makers in a company.

“Protecting mobile devices is in fact harder than to protect a traditional company IT environment”, says Peter Alexandersson, CEO of mobile security company Covr Security.
“It’s because employees have personal control over their own device and can choose to download any type of app and can decide what protection to use – or in the worst case, not use.”

What is driving the growth in cybersecurity?

Cybersecurity isn’t new, but it’s definitely a red-hot area when it comes to protecting mobile devices. The ransomware epidemic and sensational rise in cybercrime have in recent years leapfrogged from PCs and laptops to smartphones and other mobile devices, affecting companies and consumers and resulting in catastrophic losses globally. So, there is a snowballing demand for secure mobile transaction solutions across all industries worldwide, which is, according to most analysts, expected to drive massive market growth in the coming years. One well-known example is Bank of America, which has said that it has an unlimited budget when it comes to fighting cyber attackers, fraud and hackers.

“Every year, banks and other financial players are spending enormous amounts of money to stop fraud”, Peter Alexanderson continues. 
“And every year, their losses multiply. This is why the solution to combat cyber crime, especially for mobile devices, has to be more holistic than just installing security software on a server. This is exactly the reason we have developed Covr.”

Peter Alexandersson, CEO COVR Security

According to an article in Forbes, market research firm Cybersecurity Ventures expects that companies will spend more than $1 trillion over the next five years on cybersecurity for PCs, mobile devices, and Internet of Things (IoT) devices. In addition, Business Insider’s research service BI Intelligence has estimated that $113 billion will be spent on protecting mobile devices alone. A recent compilation article from Nasdaq also discloses that Bloomberg and IDC consider mobile security to be one of the three areas with the biggest market growth potential.

A glimpse into the near future for the market

As companies and consumers grow increasingly nervous about new and gruesome cyber threats, entrepreneurs rush to develop a multitude of innovative solutions – and venture capitalists are (sad to say?) seeing big openings here and pouring money into the sector. While most tech industry sectors are operating in a more mature market with big competition, forced to improve profitability, cybersecurity is driven by online fraud, crime and felonies, where innovation needs to evolve quickly to keep up with elaborate new threats.

New and innovative solutions, Covr in particular, guarantee extreme protection from advanced epidemic threats like phishing, malware, viruses, network spoofing, connection to unsecured public networks and inadequate company policies for data protection. Based on the predictions in this article, we firmly believe that Covr is in pole position to protect enterprises and individuals on a large scale.

The best way to handle security threats is simply to prevent them from happening altogether

It’s spine-chilling to imagine that sensitive information about you could have been accessed by a cybercriminal or published somewhere on the public or dark web, isn’t it? Regrettably, the chances are that this has already happened.

With the apparently endless bombardment of malware and phishing attacks, navigating the digital world is a risky business. The nagging and constant feeling of unease is the reality for almost every person using any type of online service – and today that is all of us. If people don’t know which information is sensitive and which isn’t, where their information is stored and who has access to their data, then they are in a dangerous position from a cybersecurity perspective. Perhaps we should delete our Instagrams, stop sending emails, uninstall our banking apps and move to a desert island? This common fear is a very real challenge for companies that handle their users’ credentials. Everything relies on security – no matter what trade a company is in, they are all in the trust business.

Despite arduous efforts to continuously reinforce security, data protection is only as strong as its weakest link, no matter how many precautions are taken to keep users safe online. As it traditionally has been expensive to invest in security software and hardware, recruit data security experts or employ entire data security departments, one fallback, especially for online retail, has been to just rely on credit card issuers’ or banks’ security systems to handle it all. Some services still even offer only one-factor authentication in the form of password “protection” (we put the word “protection” in quotation marks as passwords are useless when it comes to online security).

Cybercrooks can decipher even the longest, most complicated password imaginable within minutes.

However, more and more companies have started to offer their users two-factor authentication (2FA) via a second channel – the mobile device. Not long ago text messages were used for this purpose (and still are in too many cases). Okay, the least difficult way to implement two-factor is with SMS, where the user receives an access code each time they log in to a secured account. And of course this is better than nothing, but 2FA via SMS has an abundance of drawbacks (but that is another blog post). One of them is that hackers nowadays can “reroute” the two-factor SMS notifications to their own devices by hijacking your SIM-card and stealing your phone number.

For better protection, digital giants like Google and Microsoft are now instead pushing for their Authenticator apps, which, sorry to say, just work within their own systems. Authentication over a mobile app relies heavily on several pieces of the puzzle falling in place, and most security apps today are not user-centric, i.e., user-friendly or intuitive. This is where Covr differs; its beauty is in its simplicity: not only does our app build on unique multi-factor, second channel out-of-band authentication – it also caters for an easy journey for the user. Instead of having to log in to applications one by one as with other authentication apps, Covr’s centralized single sign-in and user authorization system needs only one set of login credentials that can be used to access numerous applications.

Just tap “Yes” or “No” and Bob’s your uncle.

What is Two-Factor Authentication?

Two-Factor Authentication, also known as 2FA, is a method of identifying a user with two different pieces of information. It can be a combination of any two of the following three pieces of information.

  • Something you know – Password, PIN or passphrase
  • Something you have – Chip-enabled bank card or token
  • Something you are – Iris, fingerprints or voice

Two-factor authentication works by demanding that two of the above three factors be correctly entered before granting access to a system or website.
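As an added illustration (not part of the original article, and not Covr’s code), here is what requiring two of those factors can look like on the server side: a password as the “something you know” and a time-based one-time code (TOTP, RFC 6238) from an authenticator app as the “something you have”. The account layout, function names and the choice of PBKDF2 and TOTP are assumptions made for the example.

```python
# Illustrative sketch: names and record layout are assumptions for this example.
import hashlib
import hmac
import os
import struct

# Passwords the article lists as topping the "most commonly used" charts.
COMMON_PASSWORDS = {"123456", "password", "111111", "666666", "654321",
                    "!@#$%^&*", "charlie", "password1", "donald"}
STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """Factor 1 (something you know): store only a slow, salted hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Factor 2 (something you have): RFC 6238 code derived on the device."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def enroll(password: str) -> dict:
    """Create an account record; refuse passwords from the common list."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password list")
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": os.urandom(20),   # shared once with the user's app
            "last_counter": -1}              # highest time step already used


def verify_login(account: dict, password: str, code: str, now: float) -> bool:
    """Grant access only if BOTH factors check out."""
    pw_ok = hmac.compare_digest(
        hash_password(password, account["salt"]), account["pw_hash"])
    current = int(now) // STEP
    matched = None
    for counter in (current, current - 1):       # tolerate one step of drift
        if counter < 0:
            continue
        expected = totp(account["totp_secret"], counter * STEP)
        if (hmac.compare_digest(expected.encode(), code.encode())
                and counter > account["last_counter"]):
            matched = counter
            break
    if pw_ok and matched is not None:
        account["last_counter"] = matched        # a code works only once
        return True
    return False
```

Because the code is computed on the device from a shared secret and the clock, there is no text message in transit that could be rerouted.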

Why use multiple factors of authentication?

Using multiple factors of authentication can drastically reduce the occurrence of online identity theft and online fraud, because having access to a user’s password is not enough authentication information for a fraudster to gain access to that user’s information.

Multi-factor authentication is highly recommended for any system or network that contains sensitive data. If you would like a comprehensive list of web sites and services that offer two-factor authentication, visit twofactorauth.org.