ECommerceTimes.com

Gadget Gives Passwords Pocket Protectors

By John P. Mello Jr. TechNewsWorld ECT News Network
Dec 9, 2015 7:23 AM PT

Denis Clermont and Jérôme Jadot last month launched a Kickstarter campaign for the OdyOne digital identity manager.

As much as many Web travelers and security experts would like usernames and passwords to disappear from use, the pesky credentials aren't going away anytime soon. That's why password managers are seen as a way to make the best of a bad situation.

They allow you to store scads of usernames and passwords in the cloud where they can be readily accessible. Moreover, because password managers can autofill credentials at websites, you don't need to remember all those login credentials.

Not only does that mean you don't have to reuse passwords -- a bad security practice -- it also means you can use crazy complicated ones that are difficult to crack. What's more, the password manager will create those crazy complicated passwords for you.

While all this sounds good, a few hitches exist.

For instance, password managers allow all your passwords to be accessed with a single master password to your account. In addition, you're at the mercy of the provider of your password manager. If its cloud is compromised, so are all your credentials.

Enter OdyOne

With OdyOne, you can store all your login credentials on a plastic puck small enough to slip in your pocket. It can connect to any device with a USB port, and it has a fingerprint scanner so the only one who can access the OdyOne is you.

"The biggest advantage OdyOne has over other password managers is that when you're not using your passwords, they are in OdyOne in your pocket," Clermont, an engineer, told TechNewsWorld.

"As long as they are in your pocket, you can be sure no one can find them," he said. "With password managers like LastPass, you just need one password to get to an account."

What's more, because the cloud of a password manager provider contains many accounts, it's a ripe target for hackers.

"Hackers don't have as much to win by getting into OdyOne because it's only one person," Clermont said.

September Target

OdyOne works only on Windows and Macintosh computers. That's because people use their phones differently than they do a PC.

"The difference between computers and phones is that computers can be used by anyone," Clermont said. "Phones are more personal. You always have your phone with you, and normally no one uses it but you."

Because of that, most people keep their accounts open on their phones, so there's less need to remember passwords, he reasoned.

Mobile platforms may have to be supported eventually, Clermont acknowledged.

With 32 GB of memory, the OdyOne can store important files as well as login credentials, he said.

The target price for the OdyOne will be US$100, and the first units are expected to be delivered in September.

Vulnerable Mobile Apps

Bluebox recently released a study of mobile financial applications for making peer-to-peer and consumer-to-retail payments.

Insufficient security controls are surfacing across consumer mobile payment apps, including five of the most popular solutions for both Android and iOS devices, the company found.

Those findings are disturbing because consumers are turning more and more to mobile devices to make online purchases. For example, 28 percent of all sales on Thanksgiving were made on mobile devices, IBM reported.

Seventeen percent of all sales in November and December will be made with mobiles, ComScore predicted.

As mobile payment apps grow in popularity this holiday season, Bluebox researchers noted, pervasive security flaws have created easy avenues for attackers to compromise mobile applications, putting consumers' hard-earned dollars and enterprises' bottom lines in peril.

"None of the applications encrypt their data or take precautions to prevent modification of an application," said Adam Ely, co-founder of Bluebox.

"These apps are really susceptible to malware attacks and to reverse-engineering attacks," he told TechNewsWorld. "The consumer is always being placed at some risk."

Other People's Code

One developer practice that places these apps at risk is the use of other people's code.

"A lot of these applications use third-party source code, making them vulnerable to far more attacks," Ely said.

Faulty third-party source code was at the heart of the nasty Stagefright Android exploit discovered earlier this year. That exploit allowed an attacker to seize control of a phone by sending a multimedia text message to it.

"The reason these platforms were vulnerable to this was they were using code from third-party developers to make development faster," Ely said.

"We found that a lot of these payment applications are doing the same thing," he continued. "They were pulling in a lot of source code from third parties, and we found a lot of vulnerabilities in some of that source code. The companies that were reusing it weren't really validating it all that well."

Those vulnerabilities were found in licensed third-party code, as well as open source code.

"When developers pay for code, they think it's safe, but often we find that code has as many security vulnerabilities as some of the open source software," Ely said.

Not even the mainstream app stores are safe places for mobile users anymore, he added.

"Downloading apps only from the app stores is a good, safe rule to start with, and it can cut out a large percentage of problems, but we are seeing more and more counterfeit applications, modified applications or just plain malware fool the review processes of both Apple and Google," Ely said.

Forget Mechanic, Call Exorcist

Much noise has been made about hackers targeting autos because of all the electronics built into motor vehicles these days, but members of the digital underworld aren't the only threat motorists need to worry about. Sometimes family members can instigate threats.

While driving down a freeway on a hot day in a pal's new high-tech electric car, "all of a sudden, the sun roof starts opening and closing and the heat got cranked up to 80 degrees," recalled Brian Contos, chief security strategist at Norse.

"Are we being hacked?" he asked his friend.

"You know what's happening? I have an app for my car on my iPad, and I bet my kids are playing with it," his friend replied after a few minutes of confusion.

"Sure enough, he called home and that's what was happening," Contos said. "I just wanted to get out of the car. I thought it was possessed."

Breach Diary

  • Nov. 30. Home Depot and MasterCard reveal in a filing with a federal court in Atlanta that they have a proposed settlement of the lawsuit against the home improvement chain over a massive data breach in 2014. Details of the settlement were not included in the filing, the Atlanta Business Chronicle reported.
  • Dec. 1. VTech, a maker of educational toys, reveals that 11.6 million accounts were compromised in a data breach reported last week. Compromised accounts included those of 6.4 million children.
  • Dec. 1. The Electronic Frontier Foundation files a complaint with the U.S. Federal Trade Commission against Google for collecting and data mining schoolchildren's personal information.
  • Dec. 1. Cottage Health Healthcare in California notifies nearly 11,000 patients their health care information was placed at risk when a server operated by a contractor was breached between Oct. 26 and Nov. 8.
  • Dec. 1. U.S. Office of Personnel Management launches a website to aid the 21 million people affected by the data breach at the agency earlier this year.
  • Dec. 2. Target agrees to pay $39.4 million to settle a lawsuit against it by banks and credit unions for their losses connected to a massive data breach at the retailer in 2013.
  • Dec. 2. A federal district court in California dismisses lawsuit against Toyota, Ford and General Motors for breach of warranty, breach of contract and violation of consumer laws for making motor vehicles with software that hackers could tamper with, Forbes reported.
  • Dec. 2. New York Attorney General's Office announces a settlement with the University of Rochester Medical Center over a privacy breach earlier this year. The university agrees to train its workforce on policies and procedures related to patient health information, notify the Attorney General of future breaches, and pay a $15,000 penalty.
  • Dec. 2. A survey of 2,000 U.S. adult consumers by Pryvate and Criptyque reveals 57 percent of them are worried about hackers intercepting their private information shared on mobile devices.
  • Dec. 3. Georgia's secretary of state announces free credit monitoring will be offered to more than 6 million voters whose personal information was placed at risk when the data was burned to computer discs distributed to the public.
  • Dec. 3. Criminals within China were responsible for the data breach at the U.S. Office of Personnel Management, which affected 21.5 million people, the Chinese government states. Criminals behind the breach were arrested in September, according to a report in The Washington Post.
  • Dec. 3. Kalahari Resorts announces in a legal notice that it has discovered data breaches at its food and beverage, retail and spa outlets at its facilities in Wisconsin and Sandusky, Ohio. The breach affects patrons who used their payment cards at the sites between March 9 and June 8.
  • Dec. 4. JD Wetherspoon notifies the UK government authorities that personal information of more than 650,000 patrons was compromised when intruders accessed a customer database.

Upcoming Security Events

  • Dec. 12. Threats and Defenses on the Internet. Noon ET. Northeastern University, Burlington Campus, 145 South Bedford St., Burlington, Massachusetts. Registration: $6.
  • Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
  • Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.
  • Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
  • Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • March 18. Gartner Identity and Access Management Summit. London, UK. Registration: before Jan. 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector, $1,950 plus VAT.


John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

