The recent Heartbleed vulnerability has potentially exposed millions of passwords, credit card numbers and other personal identifiers.
The flaw created an opening in OpenSSL, the most common encryption technology on the Internet. OpenSSL is designed to protect data in transit including email, instant messaging and e-commerce transactions. The vulnerability in OpenSSL enables hackers to access server memory that could allow hijacking of accounts or theft of private keys used to decrypt communications.
Since Heartbleed went undetected for so long, the scope of compromised information is still unclear, but many online businesses are urging users to change their passwords as a precautionary measure.
“Today it’s Heartbleed and tomorrow it will be another data breach or vulnerability,” says Alisdair Faulkner, chief products officer, ThreatMetrix. “Passwords are a static means of security and are frankly obsolete as a stand-alone authentication solution in today’s cybersecurity landscape. Once account login information is obtained, cybercriminals have access to personal data used for committing bank fraud or falsifying credit card transactions – the possibilities are endless. Security should not just rely on point-in-time authentication solutions. Instead, continuous evaluation of trust is required based on what the user is attempting to do.”
The Heartbleed security flaw does not only impact websites, but also mobile applications and networking equipment that connects homes and businesses to the Internet (also known as the Internet of Things), such as routers and printers. As more and more devices move online through the Internet of Things, hacks and cybersecurity breaches are becoming more common.
Businesses need to stay one step ahead of threats such as Heartbleed and implement preventative cybersecurity strategies in place of passwords and other forms of static authentication. Suggested strategies include:
Real-time trust analytics: Move beyond just big-data collection and improve effectiveness of controls with real-time analysis of device, location, identity and behavioral context for every authentication attempt. Real-time trust analytics offer unprecedented identity authentication policies for businesses and enterprises by comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more.
Enhanced mobile identification: Detects jailbroken devices and offers location-based authentication, protecting mobile transactions by indicating when the mobile operating system has been breached and the security of applications has been compromised.
“To protect against future attacks like Heartbleed, businesses need to move beyond legacy verification and authentication solutions and recognize the benefits of leveraging a collective approach to cybersecurity,” says Faulkner.
In addition to businesses implementing real-time trust analytics and other collective cybersecurity strategies, consumers can also take responsibility for protecting their online identities. Specifically, consumers can protect against threats such as Heartbleed by ensuring location information on social networks is encrypted, using different passwords across sites and not storing passwords on any devices.