Picking up significant backers in this round, the Beer Sheva-based team of academics brings an intriguing solution to password authentication
Beer Sheva-based cyber startup Secret Double Octopus announced on Tuesday the close of their Series A funding round, wrapping their tentacles around $6 million in new capital.
Taking part in the round was seed investor Jerusalem Venture Partners (JVP), which was joined by Liberty Media’s Israel Venture Fund, Iris Capital, Benhamou Global Ventures and angel investor Yaniv Tal.
Besides JVP, one of the most active investors in the cyber scene, this list of backers represents significant global interests. Liberty Media is the holding company for brands like SiriusXM, the Atlanta Braves, and big media and technology groups. Iris represents the interests of European players like Orange and Publicis Groupe, while Benhamou gives SDO a foot in the Valley.
Co-founded in May 2015 by Chief Science Officer Professor Shlomi Dolev, CTO Dr. Shimrit Tzur-David, CEO Raz Rafaeli and VP R&D Chen Tetelman, SDO uses a security method grounded in information theory to keep sensitive data out of the hands of would-be interceptors.
Encrypting data under a key infrastructure has become the standard protection for data in transit, and rightly so: it keeps an eavesdropper or "man in the middle" from reading the plaintext. But it concentrates the risk in the key. If that one key is compromised, the attacker can read the entire message it protected.
Looking for an alternative, the SDO team turned to Adi Shamir's secret sharing scheme: the information is split into multiple shares, the shares are sent over a variety of channels, and they are recombined on the receiving side. No single share, and therefore no single channel, carries the whole.
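To make the secret-sharing idea concrete, here is a minimal Shamir (t, n) threshold scheme over a prime field. This is example code written for this page, not SDO's implementation, and it says nothing about which channels, share counts or thresholds SDO actually uses; the field prime, the 16-byte sample secret and the 3-of-5 parameters are assumptions chosen for the demonstration. It shows the two properties the article relies on: any t shares rebuild the secret exactly, while t-1 shares are consistent with every possible secret, so an interceptor who has collected all but one share has learned nothing.

```python
import secrets
from itertools import combinations

# Assumed field: the Mersenne prime 2**127 - 1. Any prime larger than the secret works;
# all arithmetic below is modulo PRIME.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... + a_{t-1}*x^(t-1) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def _interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the given points."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Lagrange basis L_i(x) = num / den; division is multiplication by the modular inverse
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret, n, t):
    """Split an integer secret into n shares (x, y); any t of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    # The constant term is the secret; the other t-1 coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """The secret is the polynomial's value at x = 0."""
    return _interpolate(shares, 0)


def forge_share(known_shares, candidate_secret, missing_x):
    """Holding only t-1 shares, an attacker can fit a degree t-1 polynomial through them
    and (0, candidate) for ANY candidate, and derive the share it implies at missing_x.
    That forged share is indistinguishable from the real one, which is exactly why
    t-1 shares reveal nothing about the secret."""
    return (missing_x, _interpolate(list(known_shares) + [(0, candidate_secret)], missing_x))


def threshold_check(secret, n, t):
    """Return (every t-subset reconstructs, some (t-1)-subset reconstructs)."""
    shares = split_secret(secret, n, t)
    all_t_ok = all(reconstruct_secret(list(c)) == secret for c in combinations(shares, t))
    if t == 1:
        return all_t_ok, True
    # With t-1 points the interpolated constant term is effectively a random field element.
    any_fewer_ok = any(reconstruct_secret(list(c)) == secret for c in combinations(shares, t - 1))
    return all_t_ok, any_fewer_ok


if __name__ == "__main__":
    # Constructed sample secret (16 bytes, top bit clear, so it fits below PRIME).
    demo_secret = int.from_bytes(b"octopus-demo-key", "big")
    demo_shares = split_secret(demo_secret, n=5, t=3)
    print("3 of 5 shares recover the secret:",
          reconstruct_secret(demo_shares[:3]) == demo_secret)
    forged = forge_share(demo_shares[:2], candidate_secret=42, missing_x=3)
    print("2 shares plus a forged third 'prove' the secret is 42:",
          reconstruct_secret(demo_shares[:2] + [forged]) == 42)
```

Shamir's scheme is information-theoretically secure in this sense only if every share travels over a genuinely independent channel and the randomness used for the coefficients is strong; an attacker who can watch all the channels, or who sits where the shares are recombined, gets the secret exactly as if it had been sent in one piece.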
Speaking with Geektime back in 2015, VP Marketing and Business Development Amit Rahav explained that, "It's like running a letter through the shredder and then taping it back together later. Only if the receiver has all the parts of the letter can they understand what's in the message."
SDO believes it has found product-market fit in solving authentication for businesses. Rahav tells Geektime that, "Authentication systems suffer from a thin level of protection and have been repeatedly penetrated over the past couple of years. Some rely on SMS, some on a key, some on push notification – all with a single layer of protection."
“On the other hand,” he says, “many solutions offer an annoying user experience involving typing one time codes, carrying physical tokens or remembering meaningless strings of ‘strong’ passwords. In the real world, bad UX means that security will be circumvented by users.”
What they have come up with is a user-side app that receives push notifications asking the user to confirm that a login, payment or other transaction is legitimate. On devices with a fingerprint scanner, such as the iPhone, that confirmation can be as simple as putting a thumb on the button.
From the management side, Rahav explains that, “The Admin can control multifactor authentication policies for different networks, systems or transactions; integrate backend systems with a plug-and-play standard based interface; and synchronize with existing identity management systems such as Active Directory to quickly deploy the solution.”
Following the funding, the company aims to grow its business in the US and Europe with the help of its strategic investors, and to expand its R&D efforts in Israel. Rahav says they are already selling to customers in the US and Asia.
Kicking user security up a notch
SDO is moving in a different lane from most of the industry, which is working on stronger encryption (think WhatsApp, Signal and the like). Rather than competing there, SDO focuses on dispersion. By splitting authentication data or other critical material across multiple channels, they force an attacker to compromise every channel and collect every share in order to recover the whole, which is a considerably higher bar than intercepting a single channel.
However, this solution is not foolproof. As with all hacking and surveillance, a determined attacker with the right resources will probably get past your defenses if they decide you are worth the effort. An opponent willing and able to monitor every channel the shares travel over, or to compromise the endpoint where they are recombined, will succeed. Thankfully, this kind of attacker is rare, as most of us are simply not interesting enough.
The battle over cyber security, like physical security, comes down to the resources each side is willing to expend. Just as a CISO can only cover so much attack surface and can only ask employees to take basic precautions, attackers are limited in how much they can put into a single target. If encryption made it harder to scoop up loose data, SDO's method takes it another step and asks: why limit yourself to one channel for authentication when there are so many at your disposal?
The bottom line: SDO basically takes authentication and makes it better. Not perfect, but much better.
Tips for better security
What I find most disturbing about the current state of authentication is that many institutions, banks included, still rely on weak two-step (TS) / two-factor authentication (2FA) options such as SMS and email codes. There are two likely reasons: regulation, and not wanting to burden customers with extra precautions. Financial institutions do not like to get creative with solutions that could come back to bite them later; if the regulators say SMS or email is acceptable, that is what they will use rather than risk trouble with more effective forms of security. Secondly, try explaining what an authenticator app is to your grandma, who is still annoyed by the small buttons on her touch screen.
One stellar and well-publicized example of how SMS-based 2FA fails is the hijacking of Black Lives Matter activist DeRay Mckesson's Twitter account this past year. Using social engineering, the attackers impersonated Mckesson in a call to Verizon's billing department and convinced it to move his number to a SIM under their control. They then requested a Twitter password reset, received the 2FA code at that number, and took over his account. The second factor was only as strong as a carrier's phone-support procedures.
This instance was fairly minor. However the situation could end up being far more severe for cases of large brands getting their accounts hacked, or even a certain newly minted politician with a penchant for late night tweeting who could cause WWIII with the right post. As far as I know, there are no special Twitter protections for high profile users, meaning that we are all open to the same vulnerabilities.
All of this is to say that the need for proper authentication methods is becoming more apparent. SDO is currently offering its solution to businesses, some of which, financial institutions among them, will be able to pass it on to their own customers.
For the average user, I recommend taking advantage of the consumer options that are already out there. These include free authenticator apps such as Google Authenticator, which works with a number of services, Authy, and the LastPass Authenticator app.
Wherever possible, avoid SMS as a second factor when a service such as Gmail offers an app-based alternative. Finally, remove your personal phone number from places where it is not required, such as Facebook, since attackers can use it as a recovery channel to break into your account.
Some of these measures may feel like overkill, but they are small steps that you can take to avoid getting hacked.