Securing Exscudo accounts
In Exscudo ecosystem, several products and services are operating with user accounts (e.g., Exscudo Exchange, or Channels app). A user account is the primary and in some cases, the only connection between the user and his or her assets.
While accessing and managing these accounts, one deals with hard-and software products, web services, Internet connection services, saved passwords, 2FA codes, or backed up images. The variety of tools and processes builds up an infrastructure to access and manage Exscudo accounts, and so shall be considered a system to be protected.
A failure in delivering the protection may result in theft of assets, inability to access them, or a long-term suspension of access/transactions to/of one’s funds.
The given article aims to provide a complete understanding of possible security threats, potential attack vectors, and effective countermeasures. Keep in mind that it is impossible to cover every single possible attack or vulnerability, therefore this article will focus on the general security best practices.
Nature of the threat
The risks outlined in the above description (loss of assets, inability to access them, or a long-term suspension of transactions) are typically realized as a result of Attacks, which, in their turn, are based on applicable Security threats resulting from actual Vulnerabilities.
Understanding the interdependencies and correlations between these three, provides a clear understanding of what Countermeasures can be, and the steps to be taken to keep the accounts secured.
A weakness which can be exploited to perform unauthorized actions. Such weaknesses may reside in a system’s design, implementation, operation, controls, or management, and can be exploited in the frame work of corresponding security threats. There is a number of key factors to be considered when identifying and covering the whole variety of vulnerabilities, but the most important ones with regard to protecting Exscudo accounts are:
One of the weakest link in any system, including an information security system, the human factor mostly refers to the immanent human quality of making unintentional security mistakes as a result of negligence, underestimation of risks, overall security ignorance, resulting in the absence of a basic and consistent security policy in place. All of which creates a group of specific vulnerabilities related to this factor, that can be exploited by their specific security threats (e.g., a chance of exposing entered credentials when demonstrating a screen during a Skype call).
Derives from the following features of modern hard- and software solutions:
- Complexity. With respect to a great variety of tools and processes used to access and manage one’s account, it is quite a job to properly manage, patch, and configure them. There is a huge possibility at any given point of time, that something is left exposed. The more devices, apps and services there is in use, the more likely it is to have seams with exposed vulnerabilities;
- Consumerization. Here, the term is used to name the fact that whatever hardware, software, or web services in use, the vast majority of them are aimed at providing ease-of-use in the first place, while the security always comes second.
Combined together, the above factors and features create numerous vulnerabilities that can be exploited.
A next-level substance of the discourse, referring to the very possibility of exploiting a vulnerability, or a number of vulnerabilities as a transition to a logically concluding attack. May, or may not be malicious by nature (intentional, or accidental).
Attacks are the actions that use vulnerabilities to realize a threat, either aimed at gaining unauthorized access, or at termination of such access.
How it works
Here is a couple of sample scenarios:
- No security process in place: Exscudo Exchange is accessed from uncontrolled devices:
- Using a corporate laptop to access Exscudo Exchange exposes the credentials, as there is a data loss prevention software logging activities of employees and data transferred;
- A corrupt security officer steals the account and associated assets;
- No PIN/Touch ID code required to access an Android phone:
- Device lost/stolen;
- Browser history exposing the use of Exscudo Exchange, plus a configured e-mail client to deliver Exscudo service/confirmation messages;
- An attacker requests password reset, stealing the account;
Being logically required to avoid loss of access to one’s account / assets in possession, countermeasures address two of the extreme points of the Vulnerability – Security threat – Attack chain:
- Vulnerability, and
Security threats are derived from vulnerabilities and are utilized in attacks, being a transitional substance. The countermeasures, in their turn, are the measures aimed at reducing the probability of an attack, or the impact of a threat, as well as to minimize the impact of an attack that has already happened. Therefore, they address vulnerabilities, and attacks, while not addressing the security threats.
In terms of countermeasures, there are two actors:
An important aspect in understanding Exscudo ecosystem is the sophisticated security policy to prevent scenarios that may lead to user’accounts and assets being compromised or stolen. While the countermeasures implemented and executed by Exscudo are not the subject of the article and will not be explained further, there are the following key features of the security policy to be considered:
- The security policy is aimed at protecting personal data and assets;
- Autodetection of untypical behaviors, and automatic suspension of corresponding operations;
- Security officers to investigate security issues and mitigate threats.
2. Users themselves
The users have to apply security measures aimed at protecting the following objects against unauthorized or breached access, as well as against loss or destruction, by themselves:
- Exscudo accounts, as well as their associated accounts (e.g., an e-mail, or a Google Authenticator account);
- Devices used to access Exscudo products and services (e.g., a phone, a laptop);
- Tools (e.g. a QR code used to generate codes with Google Authenticator app).
The proactive countermeasures are aimed at building a defense against future attacks to prevent the damage, addressing the vulnerabilities.
They are mostly referring to the cyber-hygiene based behavior. That is, being attentive, resistant against social engineering scenarios, aware of mal- and spyware and managing devices in use accordingly.
Common recommendations may include:
- Never sharing passwords with anyone, or revealing them otherwise;
- Avoiding using the same passwords for various accounts and systems no matter how strong;
- Enabling Two-Factor Authentication (2FA) for your accounts;
- Limiting the amount of personal data and credentials stored on various cloud services as they may suffer from data leak;
- Avoiding the use of untrusted VPN and proxy services;
- Enabling as many security layers to access the devices in use as possible, including PIN codes, Touch IDs, Face IDs, etc.;
- Minimizing the number of devices used to access Exscudo products and services;
- Paying close attention to the protection software warnings and notifications regarding various websites;
- Using password managers instead of typing passwords in every time you access your accounts;
- And so on.
Taken in scenarios, where an attack has already happened, or risks of an attack have grown significantly (e.g., a loss of device used to access Exscudo products and services), and the damage (to a full, or to a certain extent) has already been done. Reactive countermeasures are aimed at minimizing the damage.
There are three key points to be considered when designing and taking reactive countermeasures:
- There is no guarantee that the damage already done can be completely mitigated;
- In most cases, users are unable to properly execute reactive countermeasures on their own;
- The faster you contact the service providers, the more chances there are to minimize the damage.
Therefore, securing one’s account after an attack often implies a timely and active cooperation between a user and Exscudo team.
It is a dangerous world that we live in, where cyber crime is completely commercialized. The bad guys are creeping for your money in the shadows, 24/7, no day-offs or holidays.
Remember: a reckless user of financial services and technologies is an easy prey. Make sure you are not.
For more details, check the dedicated knowledge base article at https://exscudo.atlassian.net/servicedesk/customer/kb/view/419856546?applicationId=56095b4d-405d-376d-85a9-0266ae6f5342&spaceKey=EX&src=-1341225956&title=KB0258EN+Securing+Exscudo+accounts+and+the+associated+hard-+and+software+infrastructure