What will happen to authentication and passwords? A translation of the Javelin report "State of Strong Authentication", with commentary

Spoiler from the title of the report: "The use of strong authentication is growing because of new threats and regulatory requirements."
The research company Javelin Strategy & Research has published the report "The State of Strong Authentication 2019" (the original, in pdf format, can be downloaded here). The report tells: what percentage of American and European companies use passwords (and why few of them use passwords now); why the use of two-factor authentication based on cryptographic tokens is growing so quickly; and why one-time codes delivered via SMS are insecure.

Anyone interested in the present, past and future of authentication in enterprise and consumer applications is welcome.

From the translator

Alas, the language in which this report is written is rather "dry" and formal. And the five-fold use of the word "authentication" in one short sentence is not the crooked hands (or brains) of the translator, but the whim of the authors. When translating, given two options (to give readers a text closer to the original, or a more readable one), I sometimes chose the first and sometimes the second. But be patient, dear readers; the content of the report is worth it.

Some unimportant and unnecessary pieces of the material have been removed, otherwise most readers would not have been able to get through the whole text. Those who want to read the "uncut" text can do so in the original language by following the link.

Unfortunately, the authors are not always careful with terminology. Thus, one-time passwords (One Time Password, OTP) are sometimes called "passwords" and sometimes "codes". It is even worse with authentication methods. It is not always easy for the untrained reader to guess that "authentication using cryptographic keys" and "strong authentication" are the same thing. I tried to unify the terms as much as possible, and the report itself has a section with their definitions.

Nevertheless, the report is highly recommended reading, because it contains unique research results and correct conclusions.

All figures and facts are given without the slightest change, and if you do not agree with them, it is better to argue not with the translator but with the authors of the report. And here are my comments (formatted as quotations, and marked in italics in the text); they are my value judgment, and I will be happy to argue about each of them (as well as about the quality of the translation).

Overview

Today, digital channels of communication with customers are more important than ever for business. And within the company, communication between employees is more digitally oriented than ever. And how secure these interactions will be depends on the chosen method of user authentication. Attackers use weak authentication to hack user accounts on a massive scale. In response, regulators are tightening standards to force businesses to protect user accounts and data better.

Authentication-related threats go beyond consumer applications; attackers can also gain access to applications running inside the enterprise. This allows them to impersonate corporate users. Attackers who use access points with weak authentication can steal data and perform other fraudulent actions. Fortunately, there are measures to combat this. Strong authentication will help to significantly reduce the risk of attack, both in consumer applications and in enterprise business systems.

This study examines: how enterprises implement authentication to protect end-user applications and enterprise business systems; the factors they consider when choosing an authentication solution; the role that strong authentication plays in their organizations; and the benefits these organizations receive.

Summary

Key findings

Since 2017, the use of strong authentication has increased sharply. With the growing number of vulnerabilities affecting traditional authentication solutions, organizations are strengthening their authentication capabilities with strong authentication. The number of organizations using cryptographic multi-factor authentication (MFA) has tripled since 2017 for consumer applications and has increased by almost 50% for enterprise applications. The fastest growth is seen in mobile authentication, due to the increasing availability of biometric authentication.

Here we see an illustration of the saying "until the thunder strikes, a man will not cross himself." When experts warned about the insecurity of passwords, nobody was in a hurry to implement two-factor authentication. As soon as hackers started stealing passwords, people began implementing two-factor authentication.

True, individuals are implementing 2FA much more actively. Firstly, it is easier for them to calm their fears by relying on the biometric authentication built into smartphones, which is in fact very unreliable. Organizations have to spend money on buying tokens and carry out work (in fact, very simple work) to implement them. And secondly, only the lazy have not written about password leaks from services like Facebook and Dropbox, but under no circumstances will the CIOs of these organizations share stories about how passwords were stolen (and what happened next) inside their organizations.

Those who do not use strong authentication are underestimating the risk to their business and customers. Some organizations that do not currently use strong authentication tend to view logins and passwords as one of the most effective and easy-to-use methods of user authentication. Others do not see the value of the digital assets they own. After all, it is worth considering that cybercriminals are interested in any consumer and business information. Two-thirds of companies that use only passwords to authenticate their employees do so because they believe that passwords are good enough for the type of information they protect.

However, passwords are on their way to the grave. Reliance on passwords has decreased significantly over the past year for both consumer and enterprise applications (from 44% to 31%, and from 56% to 47%, respectively) as organizations increase their use of traditional MFA and strong authentication.
But if we look at the situation as a whole, vulnerable authentication methods still prevail. For user authentication, about a quarter of organizations use SMS OTP (one-time passwords) along with security questions. As a result, additional security measures have to be implemented to protect against the vulnerabilities, which increases costs. Far more secure authentication methods, such as hardware cryptographic keys, are used much less often, in approximately 5% of organizations.

The evolving regulatory environment promises to accelerate the adoption of strong authentication for consumer applications. With the introduction of PSD2, as well as new data protection rules in the EU and in several US states such as California, companies are feeling the heat. Almost 70% of companies agree that they face strong regulatory pressure to provide strong authentication to their customers. More than half of enterprises believe that within a few years their authentication methods will no longer be sufficient to meet regulatory standards.

The difference between the approaches of Russian and American-European legislators to protecting the personal data of users of programs and services is clearly visible. The Russians say: dear service owners, do what you want and how you want, but if your admin leaks the database, we will punish you. Abroad they say: you must implement a set of measures that will not allow the database to be leaked. That is why requirements for mandatory two-factor authentication are being introduced there.
True, it is far from certain that our legislative machine will not one day come to its senses and take Western experience into account. Then it will turn out that everyone must implement 2FA that complies with Russian cryptographic standards, and urgently.

Building a strong authentication framework allows companies to shift their focus from meeting regulatory requirements to meeting customer needs. For organizations still using simple passwords or receiving codes via SMS, the most important factor in choosing an authentication method will be compliance with regulatory requirements. But companies that already use strong authentication can focus on choosing the authentication methods that increase customer loyalty.

When choosing an authentication method for use inside the enterprise, regulatory requirements are no longer a significant factor. In this case, ease of integration (32%) and cost (26%) are much more important.

In the era of phishing, attackers can use corporate email for fraud in order to gain access to data and accounts (with the corresponding access rights), and even to convince employees to transfer money to their account. Therefore, corporate email and portal accounts must be especially well protected.

Google has strengthened its security by implementing strong authentication. More than two years ago, Google published a report on its implementation of two-factor authentication based on cryptographic security keys using the FIDO U2F standard, reporting impressive results. According to the company, not a single phishing attack succeeded against more than 85,000 employees.

Recommendations

Implement strong authentication for mobile and online applications. Multi-factor authentication based on cryptographic keys provides much better protection against hacking than traditional MFA methods. In addition, the use of cryptographic keys is much more convenient, because there is no need to use and transmit additional information - passwords, one-time passwords or biometric data - from the user's device to the authentication server. Moreover, standardizing authentication protocols makes it much easier to implement new authentication methods as they become available, reducing implementation costs and protecting against more sophisticated fraud schemes.

Prepare for the demise of one-time passwords (OTP). The vulnerabilities inherent in OTPs are becoming increasingly apparent as cybercriminals use social engineering, smartphone cloning and malware to compromise these authentication methods. And if OTPs in some cases do have certain advantages, it is only from the point of view of universal availability to all users, not from the point of view of security.

It is impossible not to notice that receiving codes via SMS or Push notifications, as well as generating codes with programs on smartphones, is the very use of one-time passwords (OTP) whose decline we are asked to prepare for. From a technical point of view, the decision is correct, because a rare fraudster does not try to find out the one-time password from a gullible user. But I think that the manufacturers of such systems will cling to the dying technology until the very end.

Use strong authentication as a marketing tool to increase customer trust. Strong authentication can do more than just improve the actual security of your business. Informing customers that your business uses strong authentication can strengthen public perception of that business's security, an important factor when there is customer demand for strong authentication methods.

Conduct a thorough inventory and criticality assessment of corporate data and protect it according to its importance. Even low-risk data such as customer contact information (no, really, the report says "low-risk"; it is very strange that they underestimate the importance of this information) can be of significant value to fraudsters and cause problems for the company.

Use strong authentication in the enterprise. A number of systems are the most attractive targets for criminals. These include internal and Internet-connected systems such as an accounting program or a corporate data warehouse. Strong authentication prevents attackers from gaining unauthorized access, and also makes it possible to determine precisely which employee performed a malicious action.

What is strong authentication?

When strong authentication is used, several methods or factors are used to verify the authenticity of the user:

  • Knowledge factor: a shared secret between the user and the subject the user authenticates to (such as passwords, answers to security questions, etc.)
  • Ownership factor: a device that only the user has (for example, a mobile phone, a cryptographic key, etc.)
  • Inherence factor: physical (often biometric) characteristics of the user (for example, fingerprints, iris pattern, voice, behaviour, etc.)

The need to compromise several factors greatly increases the likelihood of failure for attackers, since bypassing or deceiving different factors requires several types of hacking tactics, one for each factor separately.

For example, with the 2FA "password + smartphone", an attacker can pass authentication by peeking at the user's password and making an exact software copy of his smartphone. And this is much more difficult than simply stealing a password.

But if a password and a cryptographic token are used for 2FA, the copying option does not work here - it is impossible to duplicate the token. The fraudster would have to stealthily steal the token from the user. If the user notices the loss in time and notifies the admin, the token will be blocked and the fraudster's efforts will be in vain. This is why the ownership factor requires the use of specialized secure devices (tokens) rather than general-purpose devices (smartphones).

Using all three factors would make this authentication method quite expensive to implement and quite inconvenient to use. Therefore, two of the three factors are usually used.

The principles of two-factor authentication are described in more detail here, in the "How two-factor authentication works" block.

It is important to note that at least one of the authentication factors used in strong authentication must use public key cryptography.

Strong authentication provides much stronger protection than single-factor authentication based on classic passwords, and than traditional MFA. Passwords can be spied on or intercepted using keyloggers, phishing sites or social engineering attacks (where the victim is tricked into revealing his password). Moreover, the owner of the password will know nothing about the theft. Traditional MFA (including OTP codes and binding to a smartphone or SIM card) can also be compromised quite easily, because it is not based on public key cryptography (by the way, there are many examples where, using the same social engineering techniques, scammers persuaded users to give them a one-time password).

Fortunately, the use of strong authentication and traditional MFA has been gaining traction in both consumer and enterprise applications since last year. The use of strong authentication in consumer applications has grown especially quickly. If in 2017 only 5% of companies used it, in 2018 it was already three times more - 16%. This can be explained by the increased availability of tokens supporting Public Key Cryptography (PKC) algorithms. In addition, increased pressure from European regulators following the adoption of new data protection rules such as PSD2 and GDPR has had a strong effect even outside Europe (including in Russia).


Let's take a closer look at these numbers. As we can see, the share of individuals using multi-factor authentication has grown by an impressive 11% over the year. And this clearly happened at the expense of password lovers, since the numbers of those who believe in the security of Push notifications, SMS and biometrics have not changed.

But with two-factor authentication for corporate use, things are not so good. Firstly, according to the report, only 5% of employees have been moved from password authentication to tokens. And secondly, the number of those using alternative MFA options in the corporate environment has increased by 4%.

I will try to play analyst and give my interpretation. At the center of the digital world of individual users is the smartphone. Therefore, it is not surprising that the majority use the capabilities the device gives them - biometric authentication, SMS and Push notifications, as well as one-time passwords generated by applications on the smartphone itself. People usually do not think about security and reliability when using the tools they are used to.

This is why the share of users of primitive "traditional" authentication factors remains unchanged. But those who have already used passwords understand how much they risk, and when choosing a new authentication factor they opt for the newest and most secure option - a cryptographic token.

As for the corporate market, it is important to understand which system authentication is performed in. If login to a Windows domain is implemented, then cryptographic tokens are used. The capabilities for using them for 2FA are already built into both Windows and Linux, but alternative options are long and difficult to implement. So much for the 5% migration from passwords to tokens.

And the implementation of 2FA in a corporate information system depends very much on the qualifications of the developers. And it is much easier for developers to take ready-made modules for generating one-time passwords than to understand how cryptographic algorithms work. As a result, even incredibly security-critical applications such as Single Sign-On or Privileged Access Management systems use OTP as the second factor.

Many vulnerabilities in traditional authentication methods

While many organizations continue to rely on legacy single-factor systems, the vulnerabilities of traditional multi-factor authentication are becoming increasingly apparent. One-time passwords, usually six to eight characters long and delivered via SMS, remain the most common form of authentication (apart from the password factor, of course). And when the words "two-factor authentication" or "two-step verification" are mentioned in the popular press, they almost always refer to SMS one-time password authentication.

Here the author is slightly mistaken. Delivering one-time passwords via SMS has never been two-factor authentication. It is, in its purest form, the second stage of two-step authentication, where the first stage is entering your login and password.

In 2016, the National Institute of Standards and Technology (NIST) updated its authentication rules to eliminate the use of one-time passwords sent via SMS. However, these rules were significantly relaxed following industry protests.

So, let's follow the plot. The American regulator rightly recognizes that outdated technology cannot ensure user security and introduces new standards. Standards designed to protect users of online and mobile applications (including banking). The industry calculates how much money it will have to spend on buying truly reliable cryptographic tokens, redesigning applications, deploying a public key infrastructure, and "rises up on its hind legs." On the one hand, users are assured of the reliability of one-time passwords, and on the other hand, NIST is attacked. As a result, the standard is softened, and the number of hacks and password thefts (and of money from banking applications) increases sharply. But the industry did not have to shell out money.

Since then, the weaknesses of SMS OTP have become more apparent. Fraudsters use various methods to compromise SMS messages:

  • SIM card duplication. Attackers create a copy of the SIM (with the help of mobile operator employees, or independently, using special software and hardware). As a result, the attacker receives the SMS with the one-time password. In one particularly high-profile case, hackers were even able to compromise the AT&T account of cryptocurrency investor Michael Terpin and steal nearly 24 million dollars in cryptocurrency. As a result, Terpin stated that AT&T was at fault because of weak verification measures that led to the SIM card being duplicated.

    Amazing logic. So is it really only AT&T's fault? No, there is no doubt that it is the mobile operator's fault that the sales clerks in the phone shop issued a duplicate SIM card. But what about the cryptocurrency exchange's authentication system? Why didn't they use strong cryptographic tokens? Was it a pity to spend money on implementation? Isn't Michael himself to blame? Why didn't he insist on changing the authentication mechanism, or use only those exchanges that implement two-factor authentication based on cryptographic tokens?

    The introduction of truly reliable authentication methods is delayed precisely because users show amazing carelessness before they are hacked, and afterwards blame their troubles on anyone and anything except the outdated and "leaky" authentication technologies.

  • Malware. One of the earliest functions of mobile malware was to intercept and forward text messages to attackers. Also, man-in-the-browser and man-in-the-middle attacks can intercept one-time passwords when they are entered on infected laptops or desktop devices.

    When the Sberbank application on your smartphone blinks a green icon in the status bar, it is also looking for "malware" on your phone. The purpose of this exercise is to turn the untrusted execution environment of an ordinary smartphone into, at least in some way, a trusted one.
    By the way, the smartphone, as a completely untrusted device with which anything can be done, is another reason to use only hardware tokens for authentication, which are protected and free of viruses and Trojans.

  • Social engineering. When scammers know that a victim has OTPs enabled via SMS, they can contact the victim directly, posing as a trusted organization such as their bank or credit union, to trick the victim into giving up the code they have just received.

    I personally have encountered this type of fraud many times, for example when trying to sell something on a popular online flea market. I myself mocked the scammer who was trying to fool me to my heart's content. But alas, I regularly read in the news how yet another victim of scammers "did not think", gave out the confirmation code and lost a large sum. And all this because the bank simply does not want to bother with implementing cryptographic tokens in its applications. After all, if something happens, the customers "are to blame themselves."

While alternative OTP delivery methods can mitigate some of the vulnerabilities of this authentication method, other vulnerabilities remain. Standalone code-generating applications are the best protection against eavesdropping, since even malware can hardly interact directly with the code generator (seriously? Did the report's author forget about remote control?), but OTPs can still be intercepted when entered into the browser (for example, using a keylogger) or through a compromised mobile application; and they can also be obtained directly from the user using social engineering.
Using several risk assessment tools, such as device recognition (detecting attempts to perform transactions from devices that do not belong to the legitimate user), geolocation (a user who was just in Moscow attempts to perform an operation from Novosibirsk) and behavioural analytics, is important to address the vulnerabilities, but no solution is a panacea. For each situation and type of data, it is necessary to carefully assess the risks and choose which authentication technology should be used.
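The difference between the OTP factors described above and a cryptographic token, as an added example that is not part of the report or the article: a small Python model of an RFC 4226/6238 one-time password relayed through a phishing page, next to a FIDO U2F-style challenge-response in which the token binds its answer to the web origin. The HMAC "signature", origins and keys are assumptions standing in for the token's asymmetric key pair, which a real U2F device never exposes.

```python
# Added example, not code from the Javelin report or the article.  It models
# the two factors the article contrasts: an OTP (RFC 4226 HOTP / RFC 6238
# TOTP) that a phishing page can relay, and an origin-bound challenge-response
# in the FIDO U2F style that cannot be relayed.  The token "signature" is an
# HMAC stand-in for U2F's asymmetric signature; origins and keys are constructed.
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


class OtpService:
    """Server side of SMS/app OTP: accepts the current and previous step (clock
    drift) and each step only once, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.used = secret, step, set()

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in (current - 1, current):
            if counter not in self.used and hmac.compare_digest(
                    hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


def token_assert(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """What the token signs: the challenge AND the origin the browser reports.
    U2F uses a per-site key pair that never leaves the token; HMAC stands in."""
    return hmac.new(device_key, origin.encode() + b"\x00" + challenge,
                    hashlib.sha256).digest()


class OriginBoundService:
    """Relying party: verifies assertions over its own origin only."""
    ORIGIN = "https://bank.example"              # constructed legitimate origin

    def __init__(self, device_key: bytes):
        self.device_key = device_key              # stands in for the registered public key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        expected = token_assert(self.device_key, challenge, self.ORIGIN)
        return hmac.compare_digest(expected, assertion)


def otp_relay_demo(now: int = 1_700_000_000) -> tuple:
    """Victim types the SMS code into a phishing page; the attacker forwards it
    to the real service seconds later.  Returns (relay_accepted, replay_accepted):
    the relay succeeds within the time step, a second use of the code does not."""
    secret = secrets.token_bytes(20)              # constructed shared OTP seed
    service = OtpService(secret)
    code = totp(secret, now)                      # the code the phone displays
    relayed = service.verify(code, now + 5)       # attacker logs in with it
    replayed = service.verify(code, now + 8)      # same code again
    return relayed, replayed


def challenge_response_demo() -> tuple:
    """Attacker relays a real challenge to the victim on a look-alike origin.
    Returns (relayed_accepted, legitimate_accepted)."""
    key = secrets.token_bytes(32)                 # constructed per-device key
    bank = OriginBoundService(key)
    challenge = bank.new_challenge()
    relayed = bank.verify(challenge, token_assert(key, challenge,
                                                  "https://bank-login.example"))
    legitimate = bank.verify(challenge, token_assert(key, challenge, bank.ORIGIN))
    return relayed, legitimate
```

The replay check in OtpService is the server-side mitigation the table below alludes to; it does not help against a relay that happens within the 30-second step, which is exactly the gap origin binding closes.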

No authentication solution is a panacea

Figure 2. Authentication method selection table

Authentication method | Factor | Description | Key vulnerabilities
Password or PIN | Knowledge | Fixed value, which can include letters, digits and a number of other characters | Can be intercepted, spied on, stolen, guessed or hacked
Knowledge-based authentication | Knowledge | Asks questions whose answers only the legitimate user can know | Can be intercepted, guessed, obtained using social engineering methods
Hardware OTP (example) | Ownership | A special device that generates one-time passwords | The code can be intercepted and replayed, or the device can be stolen
Software OTP | Ownership | An application (mobile, accessible through a browser, or sending codes by e-mail) that generates one-time passwords | The code can be intercepted and replayed, or the device can be stolen
SMS OTP | Ownership | A one-time password delivered in an SMS message | The code can be intercepted and replayed, or the smartphone or SIM card can be stolen, or the SIM card can be duplicated
Smart cards (example) | Ownership | A card with a cryptographic chip and secure key memory that uses a public key infrastructure for authentication | Can be physically stolen (but an attacker cannot use the device without knowing the PIN code; after several incorrect attempts the device is blocked)
Security keys - tokens (example, another example) | Ownership | A USB device with a cryptographic chip and secure key memory that uses a public key infrastructure for authentication | Can be physically stolen (but an attacker cannot use the device without knowing the PIN code; after several incorrect login attempts the device is blocked)
Device binding | Ownership | A process that builds a profile, often using JavaScript, or uses markers such as cookies and Flash Shared Objects to make sure a particular device is being used | The markers can be stolen (copied), and the characteristics of the legitimate device can be imitated by the attacker on his own device
Behaviour | Inherence | Analyzes how the user interacts with the device or program | Behaviour can be imitated
Fingerprints | Inherence | Stored fingerprints are compared with those captured optically or electronically | The image can be stolen and used for authentication
Eye scan | Inherence | Compares eye characteristics, such as the iris pattern, with new optical scans | The image can be stolen and used for authentication
Facial recognition | Inherence | Facial characteristics are compared with new optical scans | The image can be stolen and used for authentication
Voice recognition | Inherence | Characteristics of the recorded voice sample are compared with new samples | The recording can be stolen and used for authentication, or imitated

In the second part of the publication, the most interesting things await us: the figures and facts on which the conclusions and recommendations given in the first part are based. Authentication in user applications and in corporate systems will be discussed separately.

See you soon!

Source: www.habr.com
