Inspect
Labs / 01 Apr 2016

From SMS to post cards – better cybersecurity for one time passwords

In light of recent developments in the FBI vs. Apple case, it has become evident that a cyber-serious company like Nixu cannot afford such a degree of reliance on mobile phones. Therefore, the Nixu Risk Management Team decided to look for an alternative to text messages for delivering one-time passwords to reduce our cyber attack surface.

After accelerated negotiations we have reached an agreement with the Finnish Post, and we are happy to announce that all passwords previously communicated through SMS will now be sent via postcards. This includes services such as VPN, report delivery, etc. Login procedures remain otherwise unchanged, except that timeouts will be increased slightly to deal with the new transport mechanism. Fortunately we managed to agree on an exceptional SLA with a maximum Turn-Around-Time of 336 hours.

Our rigorous internal studies have shown that postcards lack essential cybersecurity features such as confidentiality. To mitigate the impact, Nixu will utilize its own proprietary next-gen pen-and-paper ciphersuite, PNRFNE-13, which was developed in-house by cybercryption experts following industry best practices.

Additionally, our IT Support will start accepting tickets sent via postcards. Remember to use the aforementioned ciphersuite in this case as well. To protect against replay attacks, special pens with disappearing ink must be used. It is important to only use pens which have been pen-tested by our auditing zones (teams)!

Necessary equipment (pen, paper) may be obtained from the office supplies cupboards on Nixu Espoo premises. Trainings (how to hold the pen, etc.) will commence in the following weeks for every zone.

The changes are effective starting from 1.4.2016.

Let's all embrace this new cyberplus way of working!