Skip to main content

The WiKID Blog

Viewing posts from January, 2009


At a number of recent events and discussion forums the topic of ‘selling’ security investments to top management has been addressed. The question posed is that if there is no positive return from a security investment, how do security professionals propose a security solution to a CFO or CEO? What is the return on a strong authentication, a firewall or IDS system that neither saves money (except perhaps in employee time, an argument that may fall on deaf ears) nor generates revenue? Importantly to me, how can you justify the investment in strong authentication? The answer lies in what really creates value for an enterprise.


Here is a great article about why passwords just don't cut it. mention of WiKID's two-factor authentication system. Too bad.
They do mention SecurID by RSASecurity as "Unfortunately the most well-known two factor authentication solution. Unreasonably expensive, not well supported on non-Windows platforms and generally not very flexible."


The core problem is that you are relying on the security of the carriers for the security of your system. Once you cede that control, you are at their mercy. And their idea of security might not be the same as yours. Consider this recent post at Consumerist about how easy it is to hijack a Sprint Account:

Remember, all I knew about this guy was his cellphone number, that he was in his 20's, and that he lived in DC. That's it. That's all it took to completely hijack his entire Sprint account.
There are implications beyond Sprint. Any system that uses credit bureau information is potentially susceptible. Security people knew this because, after all, credit bureaus sell this information, but the implementation makes it much, much worse:
In the comments on this post, a former Sprint rep says it's even worse than we thought. They say that every question about cars has three luxury models and one typical one. He says that "none of the above" for "which properties have you owned" was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. I was shocked at the number of times I was able to access an account by simply guessing the answers," he writes. "Fortunately I am an ethical person, but if I wasn't I could've done a LOT of damage very easily."


WiKID is pleased to announce that we've released an open source version of WiKID. We've been working on this for the last few months. We needed to replace the Ntru encryption packages we use with open source 1024-bit RSA encryption and we needed remove the proprietary Radius server we had embedded into the WiKID server.


I have come across a number of sites across the Internet that discuss why strong authentication is a good idea and many go into good detail (such as , but I haven't ever seen a broad discussion of the reasons why in one place.

Recent Posts







RSS / Atom