Securing Nimera accounts and associated infrastructure
In the Nimera ecosystem, a number of products and services operate with user accounts (e.g., Nimera Multibroker or Nimera Swap). A user account is the primary connection (in some cases, the only connection) a user has to the assets they hold.
While accessing and managing these accounts, one deals with hardware and software products, web services, Internet connection services, saved passwords, 2FA codes, and backed-up images. This variety of tools and processes builds up an infrastructure for accessing and managing Nimera accounts, and so it should be treated as a system to be protected.
A failure to deliver that protection may result in theft of assets, inability to access them, or a long-term suspension of access to one's funds or of transactions with them.
This article aims to provide a framework for a comprehensive understanding of the nature of the threat, key attack scenarios, and effective security measures. It does not explain every possible vulnerability, security threat or attack scenario; rather, it refers to general security principles. Bad guys are creative, and so should you be.
Nature of the threat
The risks outlined above (loss of assets, inability to access them, or a long-term suspension of transactions) are typically realized as a result of attacks, which in turn are based on applicable security threats resulting from actual vulnerabilities.
Understanding the interdependencies and correlations between these three gives a clear understanding of what countermeasures can be taken, and of the steps needed to keep accounts secured.
Vulnerability
A weakness which can be exploited to perform unauthorized actions. Such weaknesses may reside in a system's design, implementation, operation, controls, or management, and can be exploited within the framework of corresponding security threats. There are a number of key factors to consider when identifying and covering the whole variety of vulnerabilities, but the most important ones with regard to protecting Nimera accounts are:
Human factor
One of the weakest links in any system, including an information security system. The human factor mostly refers to the inherent human tendency to make unintentional security mistakes as a result of negligence, underestimation of risks, or overall security ignorance, which results in the absence of a basic and consistent security policy. All of this creates a group of specific vulnerabilities related to this factor that can be exploited by their corresponding security threats (e.g., the chance of exposing entered credentials when sharing a screen during a Skype call).
Technological factor
Derives from the following features of modern hard- and software solutions:
- Complexity. Given the great variety of tools and processes used to access and manage one's account, it is quite a job to properly manage, patch, and configure them all. There is a high probability that, at any given point in time, something is left exposed. The more devices, apps and services there are in use, the more likely it is that there are seams with exposed vulnerabilities;
- Consumerization. Here, the term names the fact that whatever hardware, software, or web services are in use, the vast majority of them are aimed at providing ease of use first, while security always comes second.
Combined together, the above factors and features create numerous vulnerabilities that can be exploited.
Security threats
The next level of the chain: the very possibility of exploiting a vulnerability, or a number of vulnerabilities, as a transition to the attack that logically concludes it. A threat may or may not be malicious by nature (intentional or accidental).
Attacks
Actions that use vulnerabilities to realize a threat. While there is a countless number of attack scenarios that can be grouped in any suitable way depending on the type of research, there is no need to operate with a matrix of attacks in order to understand the countermeasures to take.
The table below provides a couple of examples of vulnerabilities, the resulting security threats, and the consequent attacks aimed either at gaining unauthorized access to a Nimera Multibroker account or at terminating such access.
| # | VULNERABILITY | SCENARIO | SECURITY THREAT | ATTACK |
|---|---|---|---|---|
| 1 | No security process in place: Nimera Multibroker is accessed from various devices | Using a corporate laptop to access Nimera Multibroker | Time management / data loss prevention software logging employee activity and transferred data, including entered credentials | An employee with access to the logged data (e.g., a corporate security officer) uses the logged credentials to access the account and withdraw assets |
| 2 | No PIN / Touch ID required to access an Android phone | Device lost or stolen | Browser history exposing the use of Nimera Multibroker, plus a configured e-mail client that receives Nimera service/confirmation messages | The attacker requests a password reset and steals the account |
| 3 | Negligence | An attacker contacts the user on behalf of the Nimera support team and provides a link to follow | The link leads to a clone of the Nimera Multibroker web site, which goes unnoticed by the user | The attacker collects the credentials entered when the user attempts to access the account, and then steals the account |
Countermeasures
Address the two extreme points of the Vulnerability - Security threat - Attack chain:
- Vulnerability, and
- Attack.
Security threats are derived from vulnerabilities and are utilized in attacks; they are the transitional element of the chain. Countermeasures, in their turn, are measures aimed at reducing the probability of an attack or the impact of a threat, as well as at minimizing the impact of an attack that has already happened. Therefore, they address vulnerabilities and attacks, but not the security threats themselves.
In terms of countermeasures, there are two actors:
1. Nimera
An important aspect of the Nimera ecosystem is its sophisticated security policy, designed to prevent scenarios that may lead to user accounts and assets being compromised or stolen. While the countermeasures implemented and executed by Nimera are not the subject of this article and will not be explained further, the following key features of the security policy should be considered:
- The security policy is aimed at protecting personal data and assets;
- Autodetection of untypical behaviors, and automatic suspension of corresponding operations;
- Security officers to investigate security issues and mitigate threats.
2. Users themselves
Users themselves have to apply security measures to protect the following objects against unauthorized or breached access, as well as against loss or destruction:
- Nimera accounts, as well as their associated accounts (e.g., an e-mail, or a Google Authenticator account);
- Devices used to access Nimera products and services (e.g., a phone, a laptop);
- Tools (e.g., a QR code used to generate codes with the Google Authenticator app).
Proactive countermeasures
Proactive countermeasures are aimed at building a defense against future attacks to prevent damage; they address vulnerabilities. The tables below summarize key recommendations, grouped by the objects to be protected:
Accounts / identity
| # | COUNTERMEASURE | VULNERABILITY TYPE | COMMENT |
|---|---|---|---|
| 1 | Never share passwords with anyone, or reveal them otherwise | Human: negligence | May be exploited in phishing, pretexting, reverse social engineering, or other social engineering scenarios. Nimera team members never ask for passwords |
| 2 | Avoid using the same password for various accounts and systems, no matter how strong you believe it to be | Human: underestimation of risks | A password can be guessed or cracked, so the more accounts share the same password, the higher the risk. It is recommended to use a password generator for complexity |
| 3 | Enable Two-Factor Authentication (2FA) for your account to bolster its security | Technological: complexity | Make sure to back up the data that allows you to recover the corresponding 2FA account. Disabling 2FA from our end is possible, but the procedure is time consuming, requires a security check, and may result in temporary suspension of access to the account 2FA is disabled for, as well as of related transactions |
| 4 | Limit the amount of personal data and credentials you store on cloud services, as they may be hacked or suffer a data leak as well | Technological: consumerization | The more third-party services you use to store data, the higher the risk of losing it. Outsourcing your security policy to the sole discretion of a cloud service provider is never a good idea. It is recommended to have extra layers, such as changing passwords on a regular basis |
| 5 | Never reveal any personal information, or send any images or details of your personal documents or payment methods, without encrypting the data or making sure the communication channel is secure enough | Human: security ignorance; Technological: consumerization | Nimera team members always explain the purpose of, and the security measures taken to protect, your sensitive information in any applicable scenario |
| 6 | Never follow suspicious links claiming to be associated with Nimera that promise rewards for entering personal information or account details in any form. Also, pay close attention to e-mails claiming to be associated with Nimera, even ones ending in @nimera.io, if you have any doubts about their origin*. | Human: underestimation of risks | Be careful when clicking on links, and make sure to double-check the domain name. Never enter your personal information and/or account details without reason. Pay close attention to e-mails claiming to be associated with Nimera, and never open them before contacting customer service if you have any doubts about their origin. Genuine Nimera customer service messages come from the @nimera.io domain; any message arriving from a different address that merely contains @nimera.io should be considered outside the normal scope of operation and double-checked. If in doubt, contact Nimera customer service via the standard procedure. Never provide sensitive data in reply to an e-mail claiming to originate from Nimera customer service unless you have previously raised a ticket via the Help page widget in the right corner, or contacted a customer service representative via Discord. Always check the links included in any suspicious e-mail by hovering your mouse cursor over the link and checking the address that appears in the lower left corner of the browser window (in Google Chrome). |
| 7 | Avoid using untrusted VPN and proxy services when accessing secure data such as your Nimera account. Traffic via a VPN or proxy can be intercepted by malicious parties | Technological: consumerization | If you have to use a VPN or a proxy, make sure you can trust the service provider and that a firewall is enabled on your device |
| 8 | Avoid accessing your Nimera accounts on unprotected Wi-Fi networks (e.g., free public networks in cafes). If you use Wi-Fi at home, ensure that the network is secured by a password. | Technological: complexity | Unencrypted data can be easily intercepted on public Wi-Fi networks |
*For example, you may receive a message from an address such as [email protected] which contains a prompt to action such as following a link to "secure" your account or claim some kind of reward.
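The two checks from row 6 above (the real sender address must be exactly @nimera.io, and a link's visible text must be compared with where it actually points) can be automated. The following is an added example, not code from the article or from Nimera; the sample messages are constructed, and treating subdomains of nimera.io as acceptable link targets is an assumption of the example.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "nimera.io"  # the article's rule: genuine support mail is @nimera.io

def sender_domain_is_trusted(from_header: str) -> bool:
    """True only if the real address (not the display name) is @nimera.io."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Exact match only: "nimera.io.example.com" merely contains the string.
    return domain == TRUSTED_DOMAIN

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: what a hover check compares."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body: str) -> list:
    """(visible text, href) for every link whose host is not nimera.io or a
    subdomain of it (allowing subdomains is an assumption, not the article's rule)."""
    collector = _LinkCollector()
    collector.feed(html_body)
    flagged = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
            flagged.append((text, href))
    return flagged

# Constructed sample messages (not real Nimera mail). The spoofed sender puts a
# plausible address in the display name while the real address is elsewhere.
FROM_GENUINE = "Nimera Support <support@nimera.io>"
FROM_SPOOFED = '"support@nimera.io" <help@nimera.io.example.com>'
BODY = ('<p>Please <a href="https://nimera.io.example.com/secure">secure your account'
        '</a>, or read the FAQ at <a href="https://nimera.io/help">nimera.io/help</a>.</p>')
```

A mail client shows the display name prominently, which is why the check parses out the address part before comparing the domain.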
Devices in use
| # | RECOMMENDATION | VULNERABILITY TYPE | COMMENT |
|---|---|---|---|
| 1 | Enable as many security layers for accessing your devices as possible, including PIN codes, Touch ID, Face ID, etc. | Technological: consumerization | Not having to enter a code or present a fingerprint to access a device is much easier, but it is recommended to make it harder for an attacker. Device loss combined with a lack of protection provides full access to one's accounts |
| 2 | Avoid leaving your device unattended (e.g., in public places) | Human: negligence | Growing risk of device loss |
| 3 | Minimize the number of devices used to access Nimera products and services | Technological: complexity | The more devices in use, the harder it is to maintain security |
| 4 | Avoid using devices located in public places, at work, or in other uncontrolled environments to access Nimera products and services. | Technological: complexity | Devices not administered by you may have backdoors (e.g., a time management system on a corporate workstation) |
| 5 | Avoid using suspicious browser extensions and apps downloaded from untrusted sources. They may gather information from your system, infect it, or run various scripts | Human: underestimation of risks; Technological: consumerization | Two-click installations that make life easier have their downsides, especially when it comes to browser extensions. Be careful when installing browser extensions and mobile apps for the first time. Make sure you trust the source. |
| 6 | Use protection software such as anti-virus/anti-malware and keep it up to date | Technological: complexity | Updated and properly working protection software can effectively detect the newest viruses, trojans and other malware/spyware. |
| 7 | Keep your browser, applications and operating system/mobile firmware updated | Technological: complexity | Outdated software and firmware is an open door for malware and spyware that can infect your device |
| 8 | Pay close attention to protection software warnings and notifications regarding websites | Human: negligence | Ignoring protection software warnings is unacceptable in terms of security |
| 9 | Pay attention to the telltale signs that your device has been infected. | Human: negligence | If your device starts to behave in an unusual and unstable way, immediately scan it for viruses and malware |
| 10 | Use a password manager | Technological: complexity | Keeps your passwords, PIN codes, and other login information from being compromised by hardware or software keyloggers |
Tools
| # | RECOMMENDATION | VULNERABILITY TYPE | COMMENT |
|---|---|---|---|
| 1 | Back up any data that can be used to recover the basic accounts associated with your Nimera accounts, such as QR codes, passwords, etc. | Technological: complexity | E.g., associated e-mail or Google Authenticator accounts, backup QR codes, etc. There are a lot of interdependent tools and services involved in accessing assets held in Nimera accounts. Make sure you have minimized the risk of losing access to them, since this may result in an inability to access the tools required to sign in and manage Nimera accounts and their assets |
| 2 | Back up your devices | Technological: complexity | God only knows what happens next: ransomware encrypting your device, a hardware failure, or something else. Make sure you can roll back at any moment to recover data and access. |
Reactive countermeasures
Taken in scenarios where an attack has already happened, or where the risk of an attack has grown significantly (e.g., loss of a device used to access Nimera products and services), and the damage (in full or to a certain extent) has already been done. Reactive countermeasures are aimed at minimizing the damage.
There are three key points to be considered when designing and taking reactive countermeasures:
- There is no guarantee that the damage already done can be completely mitigated;
- In most cases, users are unable to properly execute reactive countermeasures on their own;
- Time is of the essence.
Therefore, securing one's account after an attack often requires timely and active cooperation between the user and the Nimera team. The table below summarizes a number of sample scenarios:
| # | SCENARIO | COUNTERMEASURE | DRILL | COMMENT |
|---|---|---|---|---|
| 1 | Nimera account stolen | | | You might be asked to provide an ID. |
| 2 | | | | Time is one of the most important factors in this scenario. The more time passes between the loss of the device / account and contacting the Nimera team, the more extensive the potential damage may be. |
| 3 | An unprotected phone (no PIN code, Touch ID or Face ID required to access the device) used to access Nimera products and services is lost / stolen | | | One of the most dangerous scenarios, as the attacker has access to everything needed to manage Nimera accounts. |
| 4 | Control over the device used to access the Nimera account is lost due to a virus infection / ransomware lock. | | | This scenario allows the user to prevent the actual loss of the account if they act quickly to secure it. It is also imperative to ensure that the account is accessed from a 100% virus-free device. |
| 5 | The user's credentials are stored on a cloud service which suffers a data leak. | | | As with the previous scenarios, the extent to which the damage caused by an attack can be mitigated depends entirely on the speed with which the user acts. It is also advisable to store sensitive data in offline repositories to ensure its security. |