TMCnet Feature
June 29, 2011

After the Data Breach

By TMCnet Special Guest
Jan Valcke, President & COO, VASCO

The data breach in the entertainment industry has been addressed and it is now time to move forward. Online games and online entertainment are a profitable target for criminals, which makes up-to-date security standards essential for them. Many companies in the sector have long since anticipated this eventuality.

What starts out as a bit of fun can quickly end in tears. This has been only too true in recent times. Already hit by one tsunami, Japan quickly had to contend with a digital version. A hacker attack brought all the protective barriers crashing down, unleashing a flood of no fewer than 77 million personal data records onto the Internet, where they quickly seeped away into the dank sewers of the shadow economy.

Alarm broke out once again among all the authorities: data theft, especially of security-related files, not only severely damages reputations, but also brings the public prosecutor into play. According to German law, for example, those who collect personal data are also responsible for its safe storage and must therefore also pay for damage caused by its misuse. The Federal Commissioner for Data Protection, Peter Schaar, makes no bones about it: “The company must be held liable for any damage caused.” And the compensation culture in the USA is traditionally even more rampant than in Germany.

A catastrophe in the making – the main weaknesses

The data leaks that have hit the headlines are avoidable and are down to a string of lax security concepts: personal customer data, such as passwords, are still stored unencrypted, and many customer and employee logins are still protected by obsolete systems. Companies continue to try to raise security levels on the basis of questionable recommendations, while other fundamental weaknesses persist. Gaming platforms are still wide open to attacks by hackers.

Take the customer account, for example. If it is accessed from a PC, there is a danger of attacks by keylogger or sniffer programs. These are often planted by Trojan horses, briskly log every password entry and transfer the entries to the hacker’s server, the so-called drop zone. Even if virus scanners are installed and the user is careful, they are powerless against the sophisticated ploys hatched by the hackers. Spy programmes still infiltrate computers time and again, despite all warnings.

Experts agree: consumer terminals invariably lie outside a professional security system and should therefore be considered fundamentally insecure. There is nothing groundbreaking about that. It is also widely acknowledged that there is not much point in putting the burden of responsibility for security on the user. Should they be expected to come up with a new monster password containing digits and special characters every week ... and commit it to memory, if you please? This kind of concept fails to find the right balance between security and user-friendliness.

Better prevention – Strong Authentication

It doesn’t have to be this way, as shown by the example of the Japanese company Square-Enix. The game provider protects its online platform with cutting-edge two-factor authentication. All participants in its Final Fantasy XI role-play game receive a key-ring sized authenticator, such as the VASCO Digipass Go 6. At the click of a button, it generates a one-time password that is only valid for 32 seconds. Each time the user logs in, the device calculates a new value. This means that the passwords gleaned by the hackers are useless. Access is also possible via PlayStation 2 and Xbox 360 as well as Windows PCs; the same one-time password applies on each of these terminals. On the Square Enix side, the VASCO Vacman Controller authentication server takes over identification.

The online gaming business PartyGaming has also long since been protecting its players with strong authentication. After all, there is a lot of money at stake – money that the hackers also want to siphon away. PartyPoker, PartyCasino, PartyBingo and PartyGammon customers register by downloading the PartyGaming customer software. After registration, they can obtain an authenticator called PartySecure from the online store. This is again a Digipass Go 6 that has been completely adapted to the branding of PartyGaming. Here again, a Vacman Controller server takes over the authentication. “The solution is highly scalable,” stressed a PartyGaming spokesperson. “It can grow with us and effortlessly cope with the growing number of online players on our platform.”

You can also play poker and bet safely on the online platform BetClick. Here again the Digipass authenticator range is used, backed up by a VASCO Identikey Authentication Server. “This has allowed us to increase the turnover per player and reduce the fluctuation rate of our VIP players,” commented Sargon Petros, IT Operations and Infrastructure Manager with BetClick. “The implementation of the new security solution has boosted our profits.”

A rewarding goal – the company network

Frequently, a company’s entire network can fall victim to a digital attack. The large amount of user data saved on the network is more than tempting for criminals. There is a brisk market for stolen accounts on the net. Even if each of them only generates a few cents on the black market, there are enough badly secured datasets out there to turn a hacker’s drop zone into a goldmine.

When it comes to the safety of a company network, the weak spot is usually human error. In many cases, a so-called spear phishing attack opens up the gateway to the company LAN. With this very personal attack, the hackers exploit the large amount of freely available personal data. The modern internet user is networked on XING and Facebook and chats with friends on Twitter about what they are currently working on. What they don’t know is how many fake friends they have caught up in their net along the way.

Spear phishing – Personal data as bait

While the individual pieces of information may appear trivial in themselves, accumulated they can have quite an impact. If you are networked on XING with your boss and your system administrator and then announce on Twitter that you are “stressed at the moment because of the database maintenance”, you provide enough ammunition for a cyber attack. An e-mail suddenly arrives from admin or from the departmental manager saying that there are problems with the database and that the password must therefore be changed: simply enter the old one and a new one, following the enclosed link. While circumspect peers will immediately smell a rat and confirm the instruction with a telephone call, there is always one employee who will fall for the sophisticated spear phishing. The popular home-office workstations with a VPN connection run a particular risk.

That is why the same applies to employees as to customers: static passwords for access control are no longer up to the job. VPN users in particular must be equipped with effective two-factor authentication. The user must know something – a PIN in this case – and have something – an authenticator, which calculates an individual one-time password that is only valid for a short time. Even if one of these passwords is lost, not all of the data doors are thrown wide open at the same time.
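To make the two preceding points concrete, here is an added example (not VASCO's code; the Digipass algorithm is proprietary and is not reproduced here). It assumes a generic HMAC-based, time-windowed one-time password in the style of RFC 6238, with the 32-second validity window the article mentions, and a hypothetical `AuthServer` that checks the PIN as the "something you know" factor, tolerates one window of clock skew, and refuses to accept a code from a window it has already consumed, which is what makes a captured password useless to a keylogger operator. The secret, user name and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Assumed parameters: a 32-second window and 6-digit codes (not Digipass specifics).
STEP_SECONDS = 32
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated as in RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def otp_at(secret: bytes, now: int) -> str:
    """Token side: the code displayed during the window that contains `now`."""
    return otp_for_counter(secret, now // STEP_SECONDS)


class AuthServer:
    """Server side (hypothetical): PIN + OTP check with skew tolerance and replay protection."""

    def __init__(self) -> None:
        self.users = {}  # user -> {"salt", "pin", "secret", "last"}

    def enroll(self, user: str, pin: str, secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {
            "salt": salt,
            # The PIN is stored as a salted PBKDF2 hash, never in clear text.
            "pin": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
            "secret": secret,
            "last": -1,  # highest window counter already used for a successful login
        }

    def verify(self, user: str, pin: str, otp: str, now: int) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(rec["pin"], pin_hash):
            return False  # "something you know" failed
        current = now // STEP_SECONDS
        for counter in (current - 1, current, current + 1):  # one window of skew either side
            if counter <= rec["last"]:
                continue  # that window was already consumed: a replayed code is rejected
            if hmac.compare_digest(otp_for_counter(rec["secret"], counter), otp):
                rec["last"] = counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: a genuine login, then attempts to reuse the captured code."""
    server = AuthServer()
    secret = secrets.token_bytes(20)
    server.enroll("alice", "4711", secret)
    t0 = 1_700_000_000  # constructed timestamp (start of a 32-second window)
    code = otp_at(secret, t0)
    later = t0 + 10 * STEP_SECONDS
    return {
        "first_login": server.verify("alice", "4711", code, t0),
        "replay_same_code": server.verify("alice", "4711", code, t0 + 5),
        "wrong_pin": server.verify("alice", "0000", otp_at(secret, later), later),
        "stale_code_later": server.verify("alice", "4711", code, later),
        "fresh_login": server.verify("alice", "4711", otp_at(secret, later), later),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is the part worth copying: a server that only compares the code against the current window would still accept a keylogged code for up to 32 seconds, so the server records the last window it honoured and never goes backwards.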

Digital Signature – protection against identity theft

Within companies in particular, unambiguous authentication of messages is as important as protection against falsification in electronic communication. Both are achieved by a digital signature. To produce one, a hash value is computed over the document’s contents and that hash value is then encrypted with the sender’s private signing key. The sender and recipient have a special authentication device that guarantees the authenticity of the sender and the integrity of the mail. For security-relevant messages and requests, the digital signature should therefore become a standard within companies.

Scalable servers – Cloud computing creates margins for manoeuvre

The introduction of a strong authentication infrastructure for all employees and customers naturally requires corresponding capacity in the authentication server. It is therefore important to allow for the fact that, in some areas of the online gaming industry, growth of around 30 percent per annum is expected. The spiraling user numbers push many systems up against their limits. Here it is necessary to opt for platforms that have already proved their worth in the major companies of the financial industry, for example the Vacman Controller. However, a cloud solution such as Digipass as a service offers the biggest margin for manoeuvre for expansion. This allows global authentication of hosted systems. The customer does not need to purchase either hardware or software and only pays for the service it actually uses.

Tsunamis and hacker attacks have one thing in common: the question is not whether they will take place, but when and with what severity they will strike. And past experience has shown that barriers need to be set up in good time – barriers with enough reserves to also deal with severe incidents on a scale yet to be seen. Targeted attacks on companies, especially in the entertainment industry, are already common. Only strong authentication and the digital signature protect against losses incurred through compensation claims and lost confidence. Hence the need to implement them across the board.

Jan Valcke is president and COO of VASCO


Edited by Jennifer Russell