Tax prep firm reaches settlement with FTC over cybersecurity lapses

TaxSlayer, a tax preparation company hacked by a ring of identity thieves in 2015, has agreed to settle a Federal Trade Commission complaint about its cybersecurity and data privacy practices — consenting to adopt a new security program and pay for third-party audits of its services. “Tax preparation services are responsible for very sensitive information, so it’s critical they implement appropriate safeguards,” said Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection in a statement. “TaxSlayer didn’t have an adequate risk assessment plan.” The FTC announced the settlement in a statement Tuesday, saying the company was in violation of the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to implement security safeguards to protect customers’ personal information; and its Privacy Rule, which requires financial institutions to tell customers about their privacy practices — the widely ignored “privacy notices” that they distribute. There is no direct financial penalty, but the company has to bear the […]

The post Tax prep firm reaches settlement with FTC over cybersecurity lapses appeared first on Cyberscoop.


NIST moving forward, cautiously, on framework revisions

Big changes to the National Institute of Standards and Technology’s Cybersecurity Framework, such as the introduction of a section on coordinated vulnerability disclosure, may be pushed off to a future major revision rather than be included in the forthcoming Version 1.1. That’s the takeaway from a report last week of the NIST public consultation workshop in May, in which the agency lays out plans to complete the overhaul of the popular cybersecurity guide by early next year. The commitment to “backwards compatibility” — ensuring users of the existing Version 1.0 can employ the new Version 1.1 — means that only smaller tweaks, like the addition of multi-factor identity authentication or new language for Internet of Things risks, can be addressed in the update. In the report, NIST laid out plans to inch ahead with a number of proposed changes to the draft V1.1 released in January. They include: Rewrites to the section on measuring cybersecurity — business leaders wanted it […]

The post NIST moving forward, cautiously, on framework revisions appeared first on Cyberscoop.


Pentagon now testing behavioral ID pilot that would replace CAC card

The Pentagon has finally inked a deal to pilot behavioral biometric technology to identify those using its computer network, more than a year after then-CIO Terry Halvorsen first pledged to get rid of the ubiquitous Common Access Card. Vancouver, Canada-based Plurilock announced the deal last week. The company’s BioTrack technology develops a unique profile of users based on the way they interact with computer keyboards, mice and touchscreens. “After just 20 minutes’ tracking a user’s keystroke style and speed, mouse use, and other behaviors, Plurilock’s software builds a biometric profile unique to that user,” states the company in the release. Behavioral biometrics are thought to provide additional security because they cannot be easily spoofed and they work continuously during the user session, rather than simply identifying the user at the start. “Today’s systems cannot verify user identity with certainty. Hackers steal passwords and tokens, create fake fingerprint impressions, and even re-route phone authentication […]

The post Pentagon now testing behavioral ID pilot that would replace CAC card appeared first on Cyberscoop.


United Nations backs blockchain-powered permanent identity tool for refugees

A U.N.-backed project built by Accenture and Microsoft aims to provide a permanent digital ID to 1.1 billion people around the globe who have no official identity, including many of the world’s refugees. The project, ID2020, on Monday unveiled a new blockchain-supported network designed to build a permanent and legal identity using biometric data on a person’s phone. Lacking access to identity excludes people from voting, health care, banking, housing and a wide range of modern rights. The new tool was unveiled at U.N. headquarters in New York on Monday during the second ID2020 summit; ID2020 describes itself as “a public-private partnership dedicated to solving the challenges of identity” for individuals including the world’s 22 million refugees. The blockchain is a reliable, decentralized database that was first used publicly to track the bitcoin cryptocurrency. The method — also known as distributed ledger technology — is increasingly being explored to securely track data outside of currency. […]

The post United Nations backs blockchain-powered permanent identity tool for refugees appeared first on Cyberscoop.


NIST urged to include multi-factor authentication in cyber framework

The U.S. government should specify some form of online identity security that goes beyond a username and password in the forthcoming update to its voluntary cybersecurity framework, advocates urged at an industry conference Tuesday. “Right now, you have a situation where Teen Vogue is recommending [two-factor identity authentication, or] 2FA and the [National Institute for Standards and Technology] Cybersecurity Framework isn’t,” pointed out Jeremy Grant, who headed up NIST’s effort to kick-start a market for identity security from 2011 to 2015. “Shouldn’t we take a look at that?” he asked the audience at the International Biometric Identity Association’s Connect:ID conference. NIST is preparing an update to its highly regarded Cybersecurity Framework and is in the midst of analyzing public comments on its initial draft ahead of a public workshop later this month. The article in cyber-savvy Teen Vogue was something of a high-water mark for popular awareness of 2FA, also called multi-factor authentication, or MFA. […]

The post NIST urged to include multi-factor authentication in cyber framework appeared first on Cyberscoop.


It’s time to put multi-factor authentication in the NIST Cyber Framework

Many private and public sector organizations rightly look to NIST’s Cybersecurity Framework as a how-to guide for building a solid foundation for a cybersecurity strategy. But after a long public consultation and drafting process, one critical piece of any such strategy was missing from the original framework when it was published in February 2014: the use of multi-factor identity authentication. MFA, also often called two-factor authentication, means using some method beyond a simple username/password combination to prove who you are — another “factor” like a FIDO security keystick or a biometric, such as a fingerprint. Excluding MFA from the framework, according to NIST at the time, was necessary because there weren’t any widely accepted, interoperable standards for ensuring secure identity and because of usability problems with the technologies then available. NIST has drafted an update of the framework, but even though the section on identity and access management has been expanded and overhauled, there’s still no mention of MFA. We in the FIDO […]

The post It’s time to put multi-factor authentication in the NIST Cyber Framework appeared first on Cyberscoop.
