Zero-Factor Authentication: Owning Our Data

Are you asking the right questions to determine how well your vendors will protect your data? Probably not.

Let’s say you own a small business, and you want to get a payroll service to help with withholding taxes and automatic deposits into your employees’ accounts. That’s a very useful, powerful service: You’re giving a third party the right to withdraw funds from your bank account and send them to others. 

Being switched on to security, you’d look for a payroll company that supports multifactor authentication (MFA) based on a time-based one-time password (TOTP) application, knowing that SMS-based two-step login is effectively (in the words of Allison Nixon and Mark D. Rasch at Unit 221B Research) zero-factor authentication.

The trouble is, as of about three weeks ago, none of the major online payroll companies offered this feature. If you ask those companies, they’ll say they offer SMS-based two-step login and then assure you they take security seriously. 

I found one firm that does support application-based MFA: I’ll call it Payroll Company B. PCB isn’t a payroll company as much as a professional employer organization, but still, it does payroll — for twice the price of the others I just mentioned. 

Anyway, you sign up. And after you go through the rigamarole to get the TOTP application working, if you’re attentive, you may discover a seedy backdoor: If you were to forget the Web front end, call PCB’s toll-free support number, and tell the company you need to make an account change, the entire authentication regime falls apart with these dreaded words:

“For security purposes, please tell me your full name and the last four digits of your Social Security number.”

Yes, it verifies your identity by asking you for public information. Once provided, no further authentication is required, and you can request a password change, or the removal of TOTP-based MFA, or, presumably, to send Bob’s paycheck to Alice. You’re in.

And you’re root because it has verified your identity. After all, who else could possibly know your full name and last four digits of your Social Security number?  

Who indeed?

Without installing, for example, a proper and secure multifactor, telephone-voice-based authenticator capability, these companies are left to improvise methods to hack together a security story to offer to security-conscious customers. After I discovered its glaring password reset vulnerability, I spoke with a helpful PCB supervisor and asked him to disable phone support. He cheerfully (and genuinely) promised to do so, saying he put a note in my account. I waited two weeks, phoned back, authenticated with a different rep using just my name and last four digits of my SSN, then asked the rep to close my account. In the company’s failure to fix the problem, it made liars out of dedicated and creative support staff.
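The support-desk bypass described above, and the fix the author asked for (phone support switched off for the account), as an added example that is not PCB’s code or anything from the article: one policy function decides every sensitive change the same way on the web and on the phone, and the account record, the recovery codes and the TOTP secret (the RFC 6238 test key) are all constructed for the demo.

```python
"""Channel-agnostic authorization for sensitive account changes.

Added example, not PCB's or any vendor's code. It enforces one rule on every
channel (web, phone, chat): a change that could redirect funds or weaken MFA
needs the customer's authenticator (TOTP) code, and knowledge of a name and
the last four SSN digits never counts as a factor.
"""
import base64
import hashlib
import hmac
import struct

SENSITIVE_ACTIONS = {"password_reset", "disable_mfa", "change_payee"}


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def verify_totp(secret_b32, code, now, window=1):
    """Accept the current step plus/minus `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + skew * 30), str(code))
        for skew in range(-window, window + 1)
    )


def authorize_change(account, request, now):
    """Return (allowed, reason). `account` is mutated when a recovery code is spent."""
    evidence = request.get("evidence", {})
    # A customer's request to turn off phone support is a flag the policy
    # enforces, not a free-text note that a later rep may never read.
    if request["channel"] == "phone" and account.get("phone_support_disabled"):
        return False, "phone channel disabled on this account"
    if request["action"] not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    # evidence["name"] / evidence["ssn4"] are public-ish identifiers: useful to
    # locate the account, worthless as authentication, so they are never checked.
    code = evidence.get("totp")
    if code is None or not verify_totp(account["totp_secret"], code, now):
        return False, "valid authenticator code required on every channel"
    if request["action"] == "disable_mfa":
        # Removing the possession factor additionally needs an unused recovery
        # code; only hashes of the codes are stored and each one is single-use.
        digest = hashlib.sha256(evidence.get("recovery_code", "").encode()).hexdigest()
        if digest not in account["recovery_code_hashes"]:
            return False, "unused recovery code required to remove MFA"
        account["recovery_code_hashes"].remove(digest)
    return True, "authorized"


def demo_account(phone_support_disabled=False):
    """Constructed test account; the secret is the RFC 6238 test vector, not a real key."""
    return {
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "phone_support_disabled": phone_support_disabled,
        "recovery_code_hashes": {hashlib.sha256(b"demo-recovery-1").hexdigest()},
    }


def demo():
    """The phone call from the article (name + SSN4 only), then the same call with a real factor."""
    now = 1234567890
    kba_only = {"channel": "phone", "action": "password_reset",
                "evidence": {"name": "Pat Example", "ssn4": "1234"}}
    with_totp = {"channel": "phone", "action": "password_reset",
                 "evidence": {"name": "Pat Example", "ssn4": "1234",
                              "totp": totp(demo_account()["totp_secret"], now)}}
    return [authorize_change(demo_account(), req, now) for req in (kba_only, with_totp)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The first request in `demo()` is denied and the second allowed; a rep reading a six-digit code back from the customer’s authenticator is no harder on the phone than reading back four SSN digits.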

Forget Password Policy. What’s Your Password Reset Policy? 
This vulnerability is so mind-thwackingly obvious that I cannot believe I need to say this, but it also raises an important issue that is relatively unaddressed by my colleagues in the financial services world: When we do vendor onboarding and qualify the vendor’s security policies, are we asking the right questions? 

Or are we sending them a 120-question spreadsheet containing lots of questions about firewall rules and antivirus? As a friend who is a very high-ranking financial services security leader said to me the other day, “Oh, that doesn’t happen. I’ve never sent a spreadsheet like that in the last week …”

This is not a theoretical issue. Recently, there was an attack that worked like this: The attackers had an in at a national mobile carrier and SIM-swapped the phones of some people in a targeted industry. They then used the pirated mobile numbers to call a firm that specializes in outsourced services to that industry, claimed to be the SIM-swapped employees, and requested — verbally — password resets. That worked, as it would have worked at PCB.

This was an attack against a third party that for many firms would have bypassed entirely the security monitoring they have in place to defend their assets. The phone was swapped at the carrier, and the password reset was done at a third party, which also set up the fraudulent transactions when the crooks logged in to that service. The firms that didn’t fall victim to this last phase were those that did transaction anomaly detection fast enough to understand the transaction was weird. 

Would your firm have caught it? More importantly, would your vendor procurement process and onboarding have asked the question, “Do you allow password resets via voice call?” 

Many companies don’t ask the question. I spoke with colleagues at household names in the financial services space, and many firms are struggling to catch up.

What is clear is that we are all trusting cloud-based companies more often, if not exclusively, to handle those parts of the business we seek to outsource. Looking at the standard questionnaires, I see a lot of question-types missing. 

For example, rather than asking lots of questions about endpoint antivirus or whether the vendor’s facility is in a location with little to no risk of natural disaster, terrorism, or civil unrest, it might be good to ask whether the vendor has separate production and nonproduction environments, or how their admins and developers access the environments, or how customer password resets are done.

In other words, we need to ask questions designed to understand the ways someone could subvert the vendor’s authentication and access control regime. 

I’ll be speaking about some of these things at the RSA Conference 2020 in San Francisco on February 26. I hope you will leave comments here and chat with me there. 

Nick Selby is the Chief Security Officer for Paxos Trust Company, which creates contemporary infrastructure to support global institutional financial transaction settlement. Prior to Paxos, Nick served as Director of Cyber Intelligence and Investigations …

How do Safe Online Sportsbooks Protect your Data?

There’s a growing trend to demand nothing but high-level security from online sportsbooks. From millennials to boomers, no one wants to use a betting website that exposes their personal and financial information.

How are sportsbooks responding? They have no choice but to protect their customers. Here are some of the measures they use.

Compliance with Data Privacy Laws

Since 2018, online sportsbooks have had to comply with the EU General Data Protection Regulation (GDPR). The law aims to protect EU-based sports punters against misuse of their data. It also applies to all other Internet-based businesses, including giant social media companies like Facebook.

With GDPR protection, an online sportsbook must ask for consent before it collects your data. And in case of a breach, the company needs to alert data controllers immediately. On the flip side, you have a right to know what data is collected and even withdraw your consent.

The US doesn’t yet have data privacy laws. But that doesn’t mean there are no safe online sportsbooks. delves more into the topic. It also breaks down the exact date each state legalized sports betting, the sports allowed, and the best bookmakers.

With that in mind, take time to read about a company’s data privacy policies before you create an account. Some businesses collect data for questionable reasons, like selling it for profit. But they don’t reveal this information until you read their policies.

Military-Grade and SSL Data Encryption

Military-grade encryption describes the technology used by the US government to protect classified information. It’s known as Advanced Encryption Standard (AES) and secures your data in such a way that it can’t be hacked.

SSL, on the other hand, refers to Secure Sockets Layer. It encrypts data in transit between your computer and the website. That way, anyone who intercepts it sees only scrambled data and not the real information.

The best betting websites combine these two data protection methods. They use AES to protect your data while in storage. And they use SSL to protect your information while betting on their websites and apps.

Partnering With Safe Banks

You can’t bet real money at an online sportsbook without going through a bank. It could be an e-wallet like PayPal, a debit card like Visa, direct bank transfer or Bitcoin. Regardless, you’ll often share your data with both sportsbooks and banking companies.

The best sportsbooks work with safe banking companies so that your data stays safe when depositing and withdrawing money. They work with up to 20 payment companies: Skrill, Neteller, PayPal, Paysafe, Visa, MasterCard and Trustly, to name a few.

Bookmakers provide a variety of banking companies to ensure you transact where you feel safe. Gladly, many of these payment methods also prioritize customer security. Take PayPal as an example: not only does it encrypt your data, but it also lets you pay betting websites without revealing your financial data.

PayPal keeps your financial data and only forwards your money to the sportsbooks. Another way the e-wallet protects you is through One Touch. This feature lets you log into multiple betting sites without filling in payment forms repeatedly.

Pay by Phone

Besides working with safe banks, some casinos protect your data by avoiding it entirely…sort of. Through pay by phone e-wallets, some bookies let you place bets without creating an account and revealing your personal or financial information.

Pay by phone companies like Zimpler and Boku collect your data (name, credit card numbers) and require that you complete KYC verification. After that, they give you login details you can use to access several betting websites.

Pay by phone sportsbooks provide many more benefits besides letting you bet without creating accounts. They allow you to gamble on sports without money in your account: they loan you cash to wager and then collect it, plus interest, by adding it to your phone bill.

Password Protection and 2-FA

This might seem obvious but it’s essential for online sportsbooks to support password protection. The best companies ensure you use a long, unique code that combines letters, numbers and symbols.

What’s more, they support 2-FA. For the uninitiated, two-factor authentication (2-FA) is an added security layer that involves your email address or phone number. Basically, 2-FA ensures the only way to log into your betting account is to enter your password correctly and then a code sent to your cell phone number or email address.

Many security experts recommend you use your cell phone number for 2-FA protection. That’s because it is less likely that someone will hack your password and also steal your phone than that they will break into your email account.

Licenses and Certificates

Many betting license providers have a set of requirements operators must fulfill. One of these conditions is to protect customers’ data and funds. In other words, sportsbooks must protect your personal information by default.

That’s why it’s recommended to bet at sportsbooks licensed by a trusted regulator—the UK, Malta, New Jersey and Pennsylvania have respected agencies. Licensing aside, certifications are another way sportsbooks assure you of data protection.

A certificate from a security company like Norton, McAfee or GLI provides proof that the betting company takes online safety seriously. And that’s a better way to gain customers’ confidence than simply stating they are safe.

Deleting Unnecessary Data

Your betting website requires your email address, name and IP address for security reasons. But it doesn’t need to collect cookies about everything you do online. And if it collects unnecessary information, it has an obligation to delete that information.

By law, many sportsbooks are mandated to collect only necessary data. However, not every company follows this guideline. And that takes us back to the importance of reading a bookie’s policies before you become a customer.

Find information related to how a sportsbook deals with your data once it no longer needs it. Does it share it with other companies? And what happens to your data after you cease to be a customer? A good sportsbook should get rid of sensitive data after some time.

Technological Innovations at the Tokyo Olympics

The Olympics are held in what could be considered a microcosm of the world. The village is a city within a city, and it offers a glimpse of what the world can expect in future years. The upcoming Tokyo Olympics stand to be the most technologically advanced to date, and there will undoubtedly be new technologies on full display. Take a look at some of the following technological innovations that are expected at the Tokyo Olympics.

Table of Contents

Autonomous Vehicles

One exciting technology is the use of autonomous vehicles. They expect as many as 100 autonomous vehicles, or self-driving cars, from companies such as Nissan and Toyota to drive spectators between Haneda Airport, the Olympic Village and other routes around the Olympics. In addition, in downtown Tokyo, Toyota will have an additional fleet that includes SAE Level-4 automated vehicles.

Robots

They plan to use Human Support Robots to help people find their seats and bring them items. Delivery Support Robots can deliver food items, and Field Support Robots can deliver and retrieve items from the fields while sports are being played. Toyota plans to have T-HR3 Humanoid robots that will help people who are in remote locations control a robot and interact with events. They will also be able to project images so that the remote spectators feel like they are a part of the game they are watching.

Artificial Meteor Shower

A company called Astro Live Experiences specializes in space entertainment, and it plans to create an artificial meteor shower during the opening ceremonies. On December 6, 2019, it launched ALE-2 into space; this micro-satellite is expected to release chemical pellets, which will create a meteor shower as they burn up.

Virtual Reality

At the Olympics, Intel will have True VR at several events. It will be present in the opening ceremonies, the closing ceremonies, and even events such as beach volleyball, gymnastics, and boxing.

Facial Recognition

Neoface is a facial recognition software that will be launched by NEC Corp. They will be using it to identify as many as 300,000 people at the Olympics. This will benefit the athletes by allowing them to enter more quickly, and it will be available to media, volunteers, and staff members as well.

3DAT or 3D Athlete Tracking

This technology will help to connect fans and athletes with the use of normal cameras. In addition, cameras will be able to analyze the biometrics of athletes, which helps fans understand the sports and can help athletes with their training.

What Risks Come with This New Technology?

New technology always has pros and cons. New tech was also present at the 2018 Winter Olympics, where the Olympic Destroyer attack was launched during the opening ceremonies. That malware disrupted spectators, the broadcast of the opening ceremonies and the Wi-Fi in the stadium, and it created problems between feuding nations.

When new technology fails or is attacked, the complications can be major. The 2018 attack hit PyeongChang Olympic Stadium, 100 miles from a major city (Seoul); had it occurred in a large city, the impact would have been greater. As the technology advances further, so does the scale of the problems a failure can cause. It is important to safeguard this technology and prevent malware attacks and malfunctions.

Technological Advances

It is exciting to see the technological advances as they appear. Technology can enhance the Olympic experience for the spectators, the athletes, and the staff at the Olympics. These advancements can simplify many aspects of the logistics and help to improve the experience for everyone involved. Technology is exciting, but it is important to make sure that it is safe and that it doesn’t create more problems than it solves.

Final Words

The Tokyo Olympics and Euro 2021 will be the most watched events next year, both by sports lovers and bettors, who will be able to bet on favorites at Unibet – one of the most popular NJ Sports Betting operators. Not only will people tune in to enjoy the competitions, but they will surely enjoy the opening and closing ceremonies, including the artificial meteor shower. The virtual reality technology will allow fans to interact in ways that are new and unique, including advanced biometric analyses of athlete data. People all over the world will be watching and enjoying the Games when they occur in 2021.

Accendo Banco chooses global fintech infrastructure platform Nium to provide international money transfer capability

Accendo Banco (“Accendo”), Mexico’s leading ‘digital-first’ challenger bank, focused on providing innovative digital banking solutions, today announced that it has expanded its capabilities in international payments and remittances through a partnership with global fintech infrastructure platform Nium.

The partnership further expands Accendo’s overseas money transfer capabilities, allowing its customers to send money to more markets overseas and in real time. The move supports Nium’s continued plans to utilise fintech tools to improve business efficiency and customer experience in LatAm, and follows several partnership announcements by Nium in Brazil, Costa Rica and El Salvador.

Accendo’s customers will be able to send funds overseas through an app to major corridors in Europe and Asia easily, and at a lower FX rate than other banks. “International transaction services from Mexico were slow and expensive. The partnership with Nium, together with our unique digital platform, makes us the first bank in Mexico to offer this type of operation to users easily and in real time,” said Javier Reyes de la Campa, CEO and President of the Board of Accendo Banco.

“This partnership also reinforces our positioning as the leading digital-first challenger bank in Mexico, where we are the first bank to offer BaaS (Banking-as-a-service) through our cloud-based open-banking platform to allow Fintechs to offer financial services to all the population, and especially the unbanked”, Javier concluded.

“We are thrilled to be the trusted provider for international money transfer services for Accendo Banco and its customers. In today’s competitive payments environment, cutting-edge technology improves customer experience and sets providers apart,” said Rohit Bammi, Global Head of Institutional Business, Nium.

“Nium’s mission is to create a global fintech infrastructure that can enable banks, financial institutions and other fintech companies to launch and scale innovative digital financial services without the complexity, time and cost previously required to do so. This partnership with Accendo Banco is a testament to that effort,” Rohit continued.

Different ways tech plays a key role in securing igaming platforms

The tremendous growth of the gaming and online casino industry is evident in the revenue figures reported in the world’s prominent economies. The United States, the United Kingdom and some other European countries are leading the pack today.

There’s no denying that technological innovation has driven this sudden explosion of the iGaming sector over the past few years. Today, gamers can play the best online casino games from anywhere they like, at any time of the day or night. Top-rated platforms like JackpotCity online casino and others are making this possible and are successfully ushering in the next era of online gambling.

Besides further increasing the popularity of casino games like slots, roulette, etc., new-age technologies have also improved the quality and safety of the gaming experience, offering players highly secure environments in which they can share their bank details and other crucial information without worry. Here are 3 ways in which tech is playing a key role in securing online gambling platforms today.

SSL Encryption

SSL is the acronym for Secure Sockets Layer, a technology used by online casinos for protecting confidential user data against phishing attempts. Players share a lot of sensitive information, such as their credit card details, addresses, phone numbers, bank details etc., while registering at these online casinos. It’s the SSL encryption technology which keeps all this information safe.

These online casinos are also required to employ such high security protocols as per law, in order to legally continue their operations. However, some operators opt for TLS (Transport Layer Security) instead of SSL encryption, something that’s not as good as the latter, but is nevertheless better than an unencrypted network.

With SSL, the player data is locked in the form of different pieces of codes which can’t be broken into easily. Hence, the information stays 100% safe whenever it’s passed on to/from the servers over the Internet. Here’s more on why an SSL certificate is important for any business website today.

Financial security

All modern-day online casinos accept digital payments through debit cards, credit cards, wire transfers, e-wallets and even cryptocurrencies nowadays. Regardless of the payment method used, the servers make sure that the pertinent details stay secure from any type of unauthorised access.

The strictest security and verification protocols are employed by the financial institutions to prevent fraud. Authentication emails and one-time passwords are good examples of such measures. Cryptocurrencies, on the other hand, provide truly anonymous and safe transactions.


Random Number Generators

Random Number Generators (RNGs) are computer programs that make sure the outcome of a casino game is completely fair, transparent and random for every player. At their core is a seed-number algorithm: a predefined mathematical formula that calculates results according to the odds. Several online casinos have their RNGs audited by third-party services, proving the transparency and fairness of their games.

Regardless of the measures taken by the casino platform, the onus is on the gamer to sign up with only platforms that can be trusted in every aspect.
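A concrete way to let a player or an auditor check that a round’s outcome was fixed before play and not altered afterwards, added here as an example of the commit-and-reveal scheme used by provably-fair games and not a description of JackpotCity’s or any operator’s own RNG: the server publishes a hash of its secret seed first, the player supplies a seed of their own, and every seed name and value below is constructed for the demo.

```python
"""Commit-and-reveal verifiable RNG for a game round.

Added example of the provably-fair scheme many online games use. The server
publishes SHA-256(server_seed) before play, the player supplies client_seed,
each round is derived with HMAC-SHA256, and once the server reveals its seed
anyone can recompute every outcome and compare it with what was paid out.
"""
import hashlib
import hmac
import secrets


def commit(server_seed):
    """Commitment published before play: SHA-256 of the secret server seed."""
    return hashlib.sha256(server_seed).hexdigest()


def _uint32_stream(server_seed, client_seed, nonce):
    """Deterministic 32-bit values for one round; re-hashed if more are needed."""
    msg = ("%s:%d" % (client_seed, nonce)).encode()
    digest = hmac.new(server_seed, msg, hashlib.sha256).digest()
    while True:
        for i in range(0, len(digest), 4):
            yield int.from_bytes(digest[i:i + 4], "big")
        digest = hashlib.sha256(digest).digest()  # extend if every chunk was rejected


def roll(server_seed, client_seed, nonce, sides=6):
    """Outcome in 1..sides. Rejection sampling keeps each face equally likely (no modulo bias)."""
    limit = (2 ** 32 // sides) * sides
    for value in _uint32_stream(server_seed, client_seed, nonce):
        if value < limit:
            return 1 + value % sides


def verify(commitment, server_seed, client_seed, nonce, claimed, sides=6):
    """What a player or third-party auditor runs after the server reveals its seed."""
    return (hmac.compare_digest(commit(server_seed), commitment)
            and roll(server_seed, client_seed, nonce, sides) == claimed)


def play_session(rounds=3, sides=6, server_seed=None, client_seed="player-chosen-seed"):
    """Simulate one session and return the transcript both sides end up holding."""
    server_seed = server_seed or secrets.token_bytes(32)  # constructed for the demo
    commitment = commit(server_seed)                       # shown to the player before play
    outcomes = [roll(server_seed, client_seed, n, sides) for n in range(rounds)]
    return {"commitment": commitment, "server_seed": server_seed,
            "client_seed": client_seed, "outcomes": outcomes}


if __name__ == "__main__":
    s = play_session()
    ok = all(verify(s["commitment"], s["server_seed"], s["client_seed"], n, o)
             for n, o in enumerate(s["outcomes"]))
    print(s["outcomes"], "verified" if ok else "MISMATCH")
```

Because the player’s seed enters the HMAC, the operator cannot pre-select favourable outcomes before seeing it, and because the commitment was published first, the operator cannot swap seeds afterwards without the hash failing to match.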
