About Piyush Bhatnagar

Piyush Bhatnagar is the Founder and CTO of Authomate Inc., an early-stage security startup. He is a seasoned technology executive, entrepreneur and consultant with over 20 years of experience in technology development and management at companies such as AT&T and Bank of America.

Successful Crisis Management: The Evernote Hack

As data theft rises, it must be assumed that sooner or later, if you hold data someone wants, your systems will be compromised. Strong defences are important, but it is even more critical to have a crisis management plan for when things go wrong.

With social media comes a whole new set of rules for your organisation's crisis communications and crisis management. We are often given opportunities to learn about social media crisis management through the highly visible fallout from the experiences of others. How a company takes action and manages a hard-hitting crisis often gives customers a more honest insight into how it is run than any meticulously crafted press release could.

Evernote Crisis Management

Evernote, the online note-taking service, suffered a serious security breach in March 2013 involving the theft of usernames, email addresses and salted, hashed passwords of up to 50 million users. No payment details were stolen, and according to the company the attackers were not able to access the notes users had stored on the service. So, how did Evernote manage the crisis, and what lessons can be learned?

What went well? Open Communication 

Almost immediately, Evernote communicated with their users on Twitter, through a blog post and an email stating that their security team had “discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.” They also suggested all users reset their Evernote account passwords.

They advised users to choose a strong password, to be suspicious of password reset links arriving by email, and not to reuse the same password on multiple sites. Within 24 hours they had updated at least their iOS app to prompt everyone to reset their password.

Attentive Evernote reps responded to irate users on the site and carefully explained what was happening throughout. Some users praised the company for its transparency and timely communications and voiced their support. However, many complained they never received the notification email because they no longer had access to the email account they had used to sign up for the service.

Lessons Learned: What could have been handled better?

Although there was a blog post on the Evernote website, nothing was posted on the Evernote homepage, and post-breach communication was thin.

A week after the event there had been no blog update or further email about what had happened, what had since been done to improve security, or any attempt to defuse the ongoing comments. Many users asked early on about two-factor authentication, which Google already offered its users for extra security, but there was no immediate response. Evernote should have answered the frequently asked questions and taken the opportunity to welcome feedback from users, making crisis communications a two-way process, which is often the best way to learn and adapt.

Do you have a crisis management plan in place? If the answer is no, it is about time you put one in place.

How two-step verification is the way forward

Two-step verification, or two-factor authentication, is the technical term for requiring something you know (a password) and something you have (a phone or token) when logging into an online account.

Take bank ATMs, with a seemingly flimsy security system built around remembering a four-digit number. It hardly sounds like Fort Knox, but one cannot gain access to the account simply by knowing the correct PIN: a physical card must be presented as well. Websites should take note of the ATM model and ask for two separate forms of verification before granting access to an online login.

The question is, after the password is supplied, what should the second form of identification be? It could be a code that arrives in a text message to your mobile phone, since it is difficult for a thief to acquire both your password and your phone at the same time. If passwords and phones were used together on every limited-access website, users could get away with shorter and less complex passwords, and 12-character mixtures of upper case, lower case, symbols and hyphens would no longer be necessary. Two caveats apply: a weak password is still exposed if the site's password database is stolen and cracked offline, or if it is reused on a site without a second factor, and a code sent by SMS can be intercepted by someone who takes over your phone number, so a code generated by an authenticator app or hardware token is the stronger choice.

Nick Berry's analysis of large databases of leaked passwords found 3.4 million passwords made up of nothing but four digits. Using your birth date as a bank PIN does not by itself put your account in jeopardy: the thief would have to guess the PIN within the first few tries before the bank locks the card. Online, however, it is a far riskier business. A four-digit password with no second form of verification and no lockout is just about the worst conceivable password there is.

Jeff Atwood, software developer and co-founder of Stack Overflow, has acknowledged the inconvenience of two-step verification. In a blog post he writes that it "is inconvenient in the same way that bank vaults and door locks are. The upside is that once you enable this, your e-mail becomes extremely secure." Atwood suggests the ATM designers were onto something: real security does not come from a long and complex master password, it comes from two-step verification.
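As an added illustration (not code from Evernote, Google, Buffer or Authomate), the Python sketch below shows the mechanics behind the two-step and four-digit-PIN passages above: a standard one-time code (HOTP per RFC 4226 and its time-based form TOTP per RFC 6238), a salted password hash of the kind Evernote reported holding, and a lockout counter of the kind a bank applies to an ATM PIN. The Account class, the PIN 1987, the fixed timestamp, the low KDF iteration count and the RFC test-vector key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Deliberately low so the brute-force demo below finishes in seconds; production code
# should use a far higher count (or a memory-hard KDF). Assumption for illustration only.
KDF_ITERATIONS = 1_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current step and +/- `window` steps to absorb clock skew between phone and server."""
    if code is None:
        return False
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-window, window + 1))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash) so the salt is stored beside the hash."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class Account:
    """Toy account (assumed for the demo): salted password hash, optional TOTP secret, optional lockout."""

    def __init__(self, password, otp_secret=None, max_attempts=None):
        self.salt, self.pw_hash = hash_password(password)
        self.otp_secret = otp_secret
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def login(self, password, code=None, at=None):
        if self.locked:
            return "locked"
        _, candidate = hash_password(password, self.salt)
        ok = hmac.compare_digest(candidate, self.pw_hash)
        if self.otp_secret is not None:          # second factor required when enrolled
            ok = ok and verify_totp(self.otp_secret, code, at)
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True                  # the ATM-style lockout
        return "denied"


def guess_pin(account, at=None):
    """Online guessing of a 4-digit PIN used as the only password. Returns (found, attempts)."""
    for attempts, pin in enumerate(range(10_000), start=1):
        if account.login(f"{pin:04d}", at=at) == "ok":
            return True, attempts
        if account.locked:
            return False, attempts
    return False, 10_000


def demo():
    """Three constructed accounts sharing the birth-year-style PIN 1987."""
    otp_secret = b"12345678901234567890"   # RFC 4226 test-vector key, not a real secret
    now = 59                               # fixed timestamp so the TOTP value is reproducible
    no_lockout = Account("1987")
    with_lockout = Account("1987", max_attempts=5)
    with_2fa = Account("1987", otp_secret=otp_secret, max_attempts=5)
    return {
        "no_lockout": guess_pin(no_lockout),                                 # (True, 1988)
        "with_lockout": guess_pin(with_lockout),                             # (False, 5)
        "pin_only_vs_2fa": with_2fa.login("1987", code="000000", at=now),    # 'denied'
        "pin_and_code": with_2fa.login("1987", code=totp(otp_secret, at=now), at=now),  # 'ok'
    }


if __name__ == "__main__":
    print(demo())
```

Without a lockout the four-digit PIN falls to online guessing in under two thousand attempts; with a five-try lockout the attacker is stopped at five, and with the second factor enrolled even the correct PIN is refused without the current code. A code delivered by text message plays the same role as the TOTP value here, but depends on the phone network, which is why an authenticator app or hardware token is preferred.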

Be even more secure. Download Strong Pass now

How to remain digitally safe while travelling

With an abundance of digital accessories, tablets and smartphones at our fingertips, travelling the globe has never been so easy. Whether navigating unfamiliar territory or staying in touch with loved ones at home, digital devices can relieve some of the burdens of travel.

However, according to F-Secure, certain areas of technology require a little more attention to ensure your safety when you hit the road.

Online banking.

While it may be costly, always rely on your mobile network's data plan when accessing your bank account on your travels. Public computers and Wi-Fi are risky and invite eavesdroppers where they are not wanted. Banks may use secure connections, but why take the risk? If somebody obtains your password, your travels could end up a lot more costly than you had planned.

Public Wi-Fi and Internet cafes. 

As we travel, most of us are drawn to free Wi-Fi hotspots to stay in touch with friends and family, but be aware of the associated risks. Because these hotspots are public, anyone on the same network can capture your traffic with readily available packet-sniffing tools. Using your own device creates an illusion of privacy, but the network remains public. Internet cafés and Wi-Fi hotspots are best reserved for browsing that poses no privacy risk, such as reading the news.

Keeping your data safe. 

Maintain a backup at all times, especially before you set off on holiday. The data on your phone is potentially more valuable than the device itself, so consider a content synchronisation service that lets you share photos with family and friends while you are away without carrying large storage devices. Cloud storage is another option, and lets you share your content with anybody you like.

Are We Being Watched? Protect Your Online Privacy

Authomate Blog

Many internet users have become increasingly concerned about protecting their privacy online, but it isn't just thieves and hackers we need to worry about: what about your government accessing everything you do online?

Security expert Bruce Schneier, who worked on the Edward Snowden stories, told British paper, The Guardian recently that, “If the NSA wants in to your computer, it’s in. Period”.

“The NSA has turned the internet into a vast surveillance platform, but they’re limited by the same economic realities as the rest of us, and our best defence is to make surveillance of us as expensive as possible.”

For practical solutions, here’s what some of the top security experts suggest to deter both state spies and ordinary fraudsters:

• Passwords: Don’t use the same one all the time. Make it complex with upper- and lower-case letters, numbers and characters such as $%&!.

• Security or password reset questions: …


Target Security Breach: 3 Lessons Learned

The recent security breach at Target has certainly focused attention on the growing problem of financial data theft. For those who don't already know, a staggering 40 million credit and debit card records were stolen, and personal data of as many as 70 million customers was taken. The breach appears to have been part of a broader and highly sophisticated campaign that potentially affected a large number of retailers; Target was just one of some six hundred publicly disclosed data breaches in 2013. So what are the main lessons learned from the Target security breach, and will it change non-cash payment methods in future?

1. Credit cards offer better fraud protection

It is important that consumers know how credit and debit cards differ when it comes to fraud protection. The key difference is that credit cards protect you better. If someone steals your debit card details they are stealing your money, and you have to argue with the bank to get it back; with a credit card they are essentially stealing the bank's money. US law limits your liability for unauthorised debit card charges to $50 if you notify the bank within two business days; if you don't report the fraud within 60 days of the statement being sent, you could lose everything that was stolen. Liability for unauthorised credit card charges is capped at $50 by law, and most issuers' zero-liability policies waive even that, so the card holder rarely loses a penny to fraud. In that case, why would anyone use a debit card? Not everyone qualifies for a credit card, and some who do choose not to have one to avoid the risk of debt.

2. A security freeze won’t always protect you

After the Target security breach, experts advised customers to put a security freeze on their credit report. That would be the right move if Social Security numbers had been stolen, since a freeze prevents a thief from opening new accounts in your name. In the case of the Target breach, however, it made little sense: a security freeze does not prevent fraud on an existing account, nor does it stop someone using a stolen card number to shop online or cloning a card to use in store.

3. Will changing your PIN make a difference?

Target confirmed that encrypted PINs were stolen in the breach. Does that mean you should change your PIN if you are a victim of card fraud? Changing it stops a thief withdrawing cash at an ATM with a cloned debit card, but it does nothing against purchases made online with the card number alone. To be safe, ask your bank to cancel the card and issue a new one with a new PIN.

So, will Target's massive data breach change non-cash payments for good? Some believe cash is the only answer, but debit cards clearly aren't going anywhere soon. What is needed is stronger fraud protection for debit card holders. Two things may change: greater information sharing among payment companies may lead to better security, and the breach may speed the adoption of end-to-end encryption of card data, but time will tell.

Buffer Hack: A Guide to Successful Crisis Management

With social media comes a whole new set of rules for your organisation's crisis communications and crisis management. We are often given opportunities to learn about social media crisis management through the highly visible fallout from the experiences of others. Buffer, the social sharing platform, was hacked in October 2013. Although this was not a positive experience for the company, thanks to its crisis management things turned out OK in the end. So where did Buffer go right, and what can we learn from them?

Communication is key

Buffer communicated with the media, their customers and their social audience from the get go. They successfully created a social buzz which was largely positive across their channels. Customers praised the company for their transparency and timely communications and voiced their support. Buffer reps were tweeting in response to each and every mention they received at the peak of their crisis. Staff were communicating across their blog, Twitter, Facebook and through the media, to ensure customers were fully informed. They weren’t scared to get ahead of the story, making sure that their customers heard the details of the situation from them, before they heard it from any other source.

Effective Team Management

Buffer managed its team, processes and partners effectively to reduce the impact of the interruption, and even reinforced its core values to customers while doing so. Genius. Teamwork was key. Because the hack occurred on a Saturday afternoon, staff were not in the office, so they worked from home, coordinating over Google Hangouts. Together they managed Twitter, emails and blog post comments, keeping the user front of mind, giving real-time updates and answering questions. They expressed genuine concern, care and sincerity, and came across as completely human.

Continued Post-hack Communication

Buffer continued to inform users, providing step-by-step instructions for reactivating their accounts. Once the situation was resolved, it tightened its security measures to prevent a repeat and reassured users that it had taken the incident seriously by announcing the new measures. Most importantly, it welcomed feedback from users, making its crisis communications a two-way process, the best way to learn and adapt.

Buffer focused on communicating efficiently throughout the crisis, keeping their users updated and reassured and, as a result, their users trust and feel connected to the brand in a more positive way than they did before the hacking occurred. Every organisation can learn from Buffer and the way they chose to handle this, potentially disastrous, crisis situation. A strong brand culture, team empowerment and an open and honest, two way communication process is essential.

Keep yourself secure online: download Strong Pass now

Target Security Breach: 7 Ways to Protect Yourself

The huge security breach at Target appears to have been part of a broader and highly sophisticated campaign that potentially affected a large number of retailers. It has now been confirmed that the attack last month affected 40 million credit and debit card accounts and led to the theft of personal data, including names and email addresses, of as many as 70 million customers.

Is it just a matter of time before our personal information is compromised? While many shoppers have been left feeling angry and helpless, there are some steps consumers can take to protect themselves against fraud and identity theft. After all, the best solution to a problem is prevention. Before we begin it’s important to remember that retailers are not legally required to offer credit protection services to customers and we are all responsible for continued monitoring of our credit card and bank accounts. We must continue being vigilant in recognising fraudulent emails or phone calls from people claiming to represent retailers or banks.

So, how can you protect yourself in future? Use cash instead? No. Cash can be lost or stolen with little or no recourse, whereas credit cards give the card holder protection when the card is used without authorisation, making them the safer option. Here are some tips on protecting yourself while still using plastic.

1. Be vigilant: check your credit and debit card statements regularly and report any unusual charge, however small. Thieves often place a small test charge to check whether a card is active.

2. If you notice an unauthorised charge, especially if it’s a debit card, ask your provider to cancel your current card immediately and issue you a new one.

3. Consider various options for monitoring your credit profile and credit card activity. Target offers a credit-monitoring service for customers, as do other retailers.

4. Be cautious of any correspondence claiming to be from your bank or the retailer you shopped at, and never give out sensitive information such as PINs. Double-check the URL in any message you receive, and if you are suspicious, report it.

5. When there has been theft of personal data, thieves will often use ‘phishing’ to convince you to part with even more personal data such as passwords. This is not only done on the phone or over email, but also social media sites such as Twitter so be warned. If you use the same password for your online banking as you do for your social media accounts then change them, you can never be too careful.

6. Too many people use simple passwords. If that includes you, change them. If you cannot think of a strong one, use a password manager to generate and store it, or at least add capital letters and numbers to your current password to make it harder to guess.

7. Shred your documents – while online fraud and data theft is growing, it’s important not to forget about correctly storing and disposing your physical documents too.

Some believe that using cash is the only solution. This is not the case. Consumers need to understand that their data security depends on their own vigilance, and they should not rely solely on their bank or financial provider to protect their information. Attacks are inevitable and will continue to happen, so be prepared and protect yourself.