Industry Research : Google/Plaxo API Security Issue Highlights Need for Authentication
SecurEnvoy says that news reports of Plaxo shutting down its API-based `gateway' access into the Google platform - owing to concerns about possible misuse - highlights the security issues that these gateway services pose service providers.
According to Steve Watts, co-founder of the tokenless two-factor authentication (2FA) provider, the problem with these type of cloud-based gateways between popular services is that the recipient network cannot easily trace the IP address - and geographic location - of the user logging in via the gateway facility.
"This has been Google's problem – all it sees is a user `gatewaying' through Plaxo's systems, and are therefore less able to detect any potentially fraudulent activities. The problem is made worse with cybercriminals latching on to the fact that they too can gateway through these portals and escape detection using IP-tracing security measures," he said. "Users of Facebook and Google often encounter extra security questions when accessing their account from – say - a different country when on holiday or away on business. This is a standard security measure that works quite well in helping to weed out potentially fraudulent logins," he added.
But if a fraudulent user in, say, Russia, accesses a US users' Google account via a Plaxo gateway, Google cannot usually tell they are coming in from a given country – often, all they see is the Plaxo server details, he went on to say. And this, he says, is the root cause of Google's problems, and why Plaxo has had to suspend what was otherwise a useful service for its members.
The problem with all these gateway and screen scraping access services, he adds, is that whilst they have been incredibly useful for users to aggregate their account data on a single Web page dashboard, in the modern Wild West that the Internet has become, cybercriminals are become ever more innovative. And this, he explains, is where tokenless 2FA could enter the frame as the saviour of the Plaxo/Google API service and other similar gateway services, as it allows real users to authenticate themselves to far higher levels of security - yet without the inconvenience of toting around a portfolio of hardware authentication tokens – or simply `risking it' when accessing services from unusual locations.
The slightly bad news, says Watts, is that online operators outside the financial services sphere have yet to grasp the enormous additional levels of security, flexibility and convenience that tokenless 2FA technology brings to the better service table.
"The good news here is that a growing number of banks are waking up to the powerful resource that tokenless 2FA – which uses a simple mobile phone that almost everyone has in their pocket, briefcase or handbag to authenticate themselves – offers them and their customers," he said. "Even better is the fact that companies can now use tokenless 2FA as an add-on to their existing security login processes, by simply installing tokenless 2FA software onto their systems. That way they can enjoy high levels of security and convenience on an in-house and desktop basis," he added.
"Until online services wake and smell the security coffee – and employ tokenless 2FA technology on their systems – we are going to see similar convenient services like the Plaxo/Google gateway shutting down."
Today's Tip of the Day - Managing Your Outsourced Service Provider
More Editorial From SecurEnvoy
Published: Thursday, May 10, 2012