Breach Prevention: A New Approach
CA's Charley Chell on Passwords that Can't Be Stolen
Amidst a year of high-profile and costly data breaches, what can organizations be doing to help ensure they aren't the next victims? Charley Chell of CA Technologies discusses new authentication solutions.
In the wake of breaches at Target, P.F. Chang's and SuperValu, business and security leaders are well aware of the hard costs of such incidents: lost business, legal costs, regulatory fines. But the so-called soft costs are often overlooked.
"The soft costs are the bigger part of [breach impact]," says Chell, senior director of product management for CA Technologies' Advanced Authentication product line. "In a lot of cases, customers may end up going somewhere else with their business. The brand damage is just huge."
Because compromised credentials are often the entry point as well as the bounty of a breach, CA Technologies has been working to develop new solutions that eliminate the need to store and transmit passwords. Chell is enthusiastic about this authentication evolution.
"We have a solution that looks like passwords to end-users, but under the covers it doesn't actually store them," Chell says. "As crazy as it sounds, we can create a solution that doesn't store the passwords - doesn't require that they live anywhere but in the users' minds."
In an interview about breach prevention and authentication, Chell discusses:
- The most overlooked consequences of a breach;
- Why passwords are so susceptible to attack;
- How organizations can eliminate the need to transmit and store passwords.
Chell is Senior Director of Product Management for the CA Technologies Advanced Authentication product line. He focuses on risk-based authentication and fraud management and consults with many CA customers on their fraud and threat detection practices. Chell brings years of experience in payment and fraud management. Prior to joining CA, he directed product management and development teams at several leading e-commerce and e-banking companies, focusing on areas such as online banking security, electronic commerce, back-office fraud investigation, and credit card and alternative payments.
TOM FIELD: Why are there so many security breaches happening today?
CHARLEY CHELL: It may be sort of a simple metaphor, but think about bank robbers. Why do bank robbers rob banks? Well, because that's where the money is. If we compare that to websites, all the assets that we have in our web properties - it's huge. There are all kinds of things that people can go after, [like] personally identifiable information, financial instruments. There is all kinds of stuff which is becoming more and more valuable as we go. It's all information, and it's all there for attackers to get to.
FIELD: It's less risky and more lucrative to do an electronic hack than to walk into a bank with a gun.
CHELL: You're absolutely right. A lot of times people think about this as a guy in his basement, and that's not how it works anymore. There is a whole value chain in the attack business. There are companies, generally not in the U.S., that specialize in this. There are people that go to offices, have health plans; their job is simply to focus on attacking legitimate websites and pulling information out of them. Then they sell that information, and there also tend to be people in this world that specialize in taking that information and creating value from it. So you'll see an attack on a website, some kind of breach that goes in and feels out what kind of information is there. And then a couple of days later you'll see orders for stereo equipment or something that's easy to fence. This is happening all the time.
Implications of a Breach
FIELD: What do you see as the true implications of a security breach for a typical organization?
CHELL: The average breach now is quoted as somewhere around $7 million in costs. It's definitely in the millions. The hard cost comes from increased regulatory compliance and what companies have to do; but the soft costs are the bigger part of it. There's the inconvenience to their end users and, in a lot of cases, the fact that end customers may end up going somewhere else with their business. You have brand damage that's just huge, and not only to their web property, but also to their store as well. The Target breach last year, and everything that they had to go through to repair their brand damage, is huge. Think about the recent LinkedIn settlement and the fact that LinkedIn is actually going to settle with their premium customers. These are real costs.
FIELD: Where do you see the main weaknesses of passwords?
CHELL: There are several things going on in our industry right now. We're all talking about what's going to replace passwords. We're all thinking about various different biometric credentials, things that we're going to move to in a few years. But right now passwords are still the mainstay, and that is what people are comfortable with. My guess is that we're going to be seeing passwords for a very long time.
Why are they susceptible? Passwords are susceptible for a number of reasons. One is that they're easy to guess; oftentimes customers will use [them] in multiple places. But the attack vectors have really changed in the last two or three years. Rewind a bit, and phishing was one of the main attacks. We had people that were sending out mass emails; they would mount these phishing attacks. And through them, they were collecting passwords one by one. Then they would go try that password against the site, maybe try it against other sites, and see what they could get from that account.
There are more efficient ways to do this, and attackers are figuring this out. So rather than try to get passwords one by one, what they're now doing is penetrating the sites and databases where these passwords are being stored, and getting the entire password hash file, or the password database file. They're getting that entire file at once.
Eliminating Password Storage
FIELD: How does CA eliminate the need to transmit and store passwords?
CHELL: We have a solution that uses what looks like passwords to end users, but under the covers doesn't actually store them and certainly doesn't transmit them anywhere. This is something we've had around this area for some time. We thought, how can we address these mass attacks of passwords? We had an aha moment, and figured that, as crazy as it sounds, we can create a solution that doesn't store the passwords, doesn't require that they live anywhere except in the user's mind.
We have a patented technique that we call "cryptographic camouflage." We won't get into the details of that here, but suffice it to say that we can do a local validation of the password. So the end user experience is the same. They still get to use the same kind of password experience they have right now. They still go to the site, enter a username and a password. But what we do is a local validation of that password so that it never gets sent anywhere. We do it with a method using our cryptographic camouflage capabilities that is not susceptible to brute force attacks, and doesn't ever save the password or store it or send it anywhere.
FIELD: Give us some examples of how customers are staying ahead of security breaches by using this product.
CHELL: We have a lot of customers in a number of different verticals: financial, health, oil, insurance. Pretty much everywhere there is information, we've got customers. They use this capability, we call it our CA Authentication ID, as a mechanism to provide multifactor authentication for their end users. Sometimes these end users are employees, sometimes they're consumers, a lot of times they're both. What we're doing with our capabilities for password management is looking at using the same technology to create a better password. I wouldn't call it a two-factor credential; that's not what we're targeting here. It's a very strong password that works without storing that information.
Best Place to Start
FIELD: Where is the place that organizations should start to help prevent security breaches and use passwords that cannot be stolen?
CHELL: Customers today are looking at a lot of different options for increased security. There are a lot of initiatives in play around 'How do we replace passwords and where should I go eventually?' All that stuff is good, we should all continue toward those goals. But there is an issue right here and now that we need to address with these current threats. Passwords aren't going to go away any time soon; it's going to take a while before we convert our entire user community over to some completely new paradigm. We've got an ability here where we can drop in a solution that doesn't require any change to the end user interface. It's fairly lightweight. It's something for everybody to consider because it solves the problem that we have today.
We put up a web page, CA.com/unbreachable, as a central resource that contains white papers, videos, things like that to help you understand what kind of solution we've got going here. You can make a decision there whether or not this is something that you're interested in.