Two companies founded on security and privacy are partnering to make online payments quicker and safer. Password manager 1Password and virtual card platform Privacy.com announced an API integration that lets users create virtual cards in their browser quickly and safely when they need to make a payment.
The FTC reports that credit card fraud is by far the most common type of identity theft, occurring in 41.8% of all identity theft reports. According to Javelin Strategy & Research, which advises card issuers on security, banks, merchants and cardholders lost a combined $16.9 billion in 2019 due to credit and debit card fraud.
Privacy.com’s virtual cards mean users never need to share their credit or debit card information online, helping to protect both their money and their identity. Starting today, users can create, use and save Privacy Cards directly within their 1Password extension whenever they’re needed.
All virtual cards created in 1Password will have the same security benefits as other Privacy Cards – users can set monthly or annual spend limits, create single-use or merchant locked cards, and pause or unpause cards whenever they want.
“Partnering with Privacy.com is a no-brainer for 1Password,” said 1Password CEO Jeff Shiner. “We share a total commitment to online safety and privacy, and our goals couldn’t be more aligned. These are brand new features both for password managers and payment services, and I know both teams are excited to be bringing these new capabilities to our customers.
“What I’m happiest about is that this helps everyone, from our family customers right up to the largest enterprises. With the Privacy.com integration for 1Password, you can make payments online with more safety and privacy, whoever you are.”
“It’s the first time users will be able to generate virtual cards directly within their password manager, cutting down on the number of steps needed to protect their payment credentials,” said Privacy CEO Bo Jiang. “This simple and seamless integration demonstrates the breadth and power of both of our APIs.”
User benefits of 1Password’s partnership with Privacy.com
- Easily create new Privacy.com virtual cards. When users are asked to enter a card number on a vendor’s site, 1Password will give the option to create and name a virtual card instead.
- Set spending limits. When creating the card, users can set spending caps for a one-off payment, monthly or annual limits, or a total amount. In addition to enterprises capping expenses, consumers can, for example, create a “Spotify” card for monthly subscription payments or an “Amazon” card with a spending ceiling.
- Unique cards for each merchant. Cards can only be used at a single site or service, so if the card details are ever exposed in a data breach, they can’t be used elsewhere.
- Save card details in 1Password. When creating a card, users will have the option to save it in 1Password. Then, when it’s time to enter payment details, 1Password will show users any cards associated with that particular website. It’s also a quick and easy way to grab a CVV number when needed.
- Enterprise grade. Combined, 1Password’s enterprise password manager (EPM) and Privacy.com now give enterprises greater financial safety and control.
By limiting cards to vendors and setting spending limits on those cards, users are better protected from online fraud, data breaches, overcharges and subscription scams. If the card details were ever exposed in a website data breach, the card would be instantly blocked if used anywhere else.
Meanwhile, enterprises benefit from virtual cards for a range of tasks, from managing and tracking vendor transactions to setting spending limits on employee expense accounts.
The service and integration will initially be available in the US. To get started, users can set up the integration from their Privacy.com settings. It’s available right away in 1Password’s browser app, 1Password X, with support in the 1Password Safari extension coming soon.
91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway. IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience.
To select a suitable password management solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Simran Anand, Head of B2B Growth, Dashlane
An organization’s security chain is only as strong as its weakest link – so selecting a password manager should be a top priority among IT leaders. While most look to the obvious: security (high grade encryption, 2FA, etc.), support, and price, it’s critical to also consider the end-user experience. Why? Because user adoption remains by far IT’s biggest challenge. Only 17 percent of IT leaders incorporate the end-UX when evaluating password management tools.
It’s not surprising, then, that those who have deployed a password manager in their company report only 23 percent adoption by employees. The end-UX has to be a priority for IT leaders who aim to guarantee secure processes for their companies.
Password management is too important a link in the security chain to be compromised by a lack of adoption (and simply telling employees to follow good password practices isn’t enough to ensure it actually happens). For organizations to leverage the benefits of next-generation password security, they need to ensure their password management solution is easy to use – and subsequently adopted by all employees.
Gerald Beuchelt, CISO, LogMeIn
As the world continues to navigate a long-term future of remote work, cybercriminals will continue to target users with poor security behaviors, given the increased time spent online due to COVID-19. Although organizations and people understand that passwords play a huge role in one’s overall security, many continue to neglect best password practices. For this reason, businesses should implement a password management solution.
It is essential to look for a password management solution that:
- Monitors poor password hygiene and provides visibility to the improvements that could be made to encourage better password management.
- Standardizes and enforces policies across the organization to support proper password protection.
- Provides a secure password management portal for employees to access all account passwords conveniently.
- Reports IT insights to provide a detailed security report of potential threats.
- Equips IT to audit the access controls users have with the ability to change permissions and encourage the use of new passwords.
- Integrates with previous and existing infrastructure to automate and accelerate workflows.
- Oversees when users share accounts to maintain a sense of security and accountability.
Using a password management solution that is effective is crucial to protecting business information. Finding the right solution will not only help to improve employee password behaviors but also increase your organization’s overall online security.
Michael Crandell, CEO, Bitwarden
Employees, like many others, face the daily challenge of remembering passwords to securely work online. A password manager simplifies generating, storing, and sharing unique and complex passwords – a must-have for security.
There are a number of reputable password managers out there. Businesses should prioritize those that work cross-platform and offer affordable plans. They should consider if the solution can be deployed in the cloud or on-premises. A self-hosting option is often preferred by some organizations for security and internal compliance reasons.
Password managers need to be easy to use for every level of user – from beginner to advanced. Any employee should be able to get up and running in minutes on the devices they use.
As of late, many businesses have shifted to a remote work model, which has highlighted the importance of online collaboration and the need to share work resources online. With this in mind, businesses should prioritize options that provide a secure way to share passwords across teams. Doing so keeps everyone’s access secure even when they’re spread out across many locations.
Finally, look for password managers built around an open source approach. Being open source means the source code can be vetted by experienced developers and security researchers who can identify potential security issues, and even contribute to resolving them.
Matt Davey, COO, 1Password
65% of people reuse passwords for some or all of their accounts. Often, this is because they don’t have the right tools to easily create and use strong passwords, which is why you need a password manager.
Opt for a password manager that gives you oversight over the things that matter most to your business: from who’s signed in from where, who last accessed certain items, or which email addresses on your domain have been included in a breach.
To keep the admin burden low, look for a password manager that allows you to manage access by groups, delegate admin powers, and manage users at scale. Depending on the structure of your business, it can be useful to grant access to information by project, location, or team.
You’ll also want to think about how a password manager will fit with your existing IAM/security stack. Some password managers integrate with identity providers, streamlining provisioning and administration.
Above all, if you want your employees to adopt your password manager of choice, make sure it’s easy to use: a password manager will only keep you secure if your employees actually use it.
14% of IT workers are consumed with Identity and Access Management (IAM), spending at least an hour per day on routine IAM tasks, according to 1Password.
IAM continues to be a significant productivity bog for IT and employees alike, with 57% of IT workers resetting employee passwords up to five times per week, and 15% doing so at least 21 times per week.
Shadow IT issues
IAM is often used to detect shadow IT, and 1Password’s survey revealed that it’s largely successful. Four in five workers report always following their company’s IT policy, meaning that just 20% of workers are driving all shadow IT activity in the enterprise. These employees don’t act out of malice but rather a drive to get more done, with 49% citing productivity as their top reason for circumventing IT’s rules.
“The shadow IT picture is more complicated than many think,” said Jeff Shiner, CEO, 1Password. “Most of us follow the rules, but a small group of employees trying to get more done circumvent policies and create openings for credential attacks. They’re sometimes enabled by IT workers who empathize with their pursuit of productivity.”
Ignoring the IT policy
Employees who break their company’s IT policy tend to be:
- Speed demons: They’re nearly twice as likely to say convenience is more important than security—and almost 50% more likely to say strict password requirements aren’t worth the hassle.
- Pessimistic about IT capabilities: Employees who break IT policies are nearly twice as likely to say it’s unrealistic for companies to be aware of and manage all apps and devices used by employees at work, and say the IT department is more of a hindrance than a help.
- Millennials and Gen Z: Nearly three times as many workers who are 18-39 say they do not always follow IT policies, compared to those ages 56 and up.
Lack of tools amid the relentless quest for productivity
IT workers cited lack of suitable technology resources and concern for employee effectiveness as the reason nearly one in three IT workers are not fully enforcing security policies.
Twenty-five percent of IT workers say they don’t enforce security policies universally and 4% don’t enforce those policies at all, for reasons ranging from the hassle involved in managing policies to concerns over workforce productivity.
Thirty-eight percent of IT workers who do not strictly enforce security policies said their organization’s method for monitoring is not robust, while 29% agreed “it’s just too hard and time consuming to track and enforce” and 28% said “our employees get more done if we just let them manage their own software.”
One in three IT workers say that strict password requirements at work aren’t worth the hassle.
The usage of enterprise password managers
89% of IT departments using a password manager say it’s had a measurable impact on security at their company.
IT departments using EPMs report that they save time and frustration for employees (57%), reduce time for IT departments (45%), enhance productivity (37%), reduce breaches/attacks (26%) and create happier employees (26%).
1Password is launching a first-of-its-kind domain breach report. Now, companies using 1Password’s enterprise password manager can swiftly identify compromised accounts and take action to protect the enterprise by alerting users to create new secure passwords generated via 1Password.
The domain breach report strengthens 1Password’s market-leading enterprise password management offering, deepening its value as the foundational layer of the identity and access management stack.
IT administrators enrolled in 1Password Business and 1Password Teams can quickly create a domain breach report which checks all company email addresses against a list of nearly 10 billion compromised accounts provided by HaveIBeenPwned.com.
The report identifies all company email addresses which have been caught in data breaches and provides details about each breach so that IT can take corrective action. Administrators can notify employees and direct them to create new secure passwords in affected accounts.
“Our domain breach report is designed to help IT better support every user in the enterprise,” said Matt Davey, chief operating officer, 1Password. “Rather than forcing employees and IT alike to go through frustrating blunt-force security processes like company-wide automated password resets, our partnership means IT can intercede surgically, reaching out directly to affected employees when they know there’s a real threat. This launch supports our mission to help IT departments in the never-ending challenge to protect the enterprise against credential-stuffing attacks and promote healthy password habits, all while helping workers to get more done.”
A 1Password survey of 2,100 workers found that one-third of respondents reuse memorable passwords for new accounts and nearly half use a pattern of similar passwords. Password reuse enables credential stuffing, whereby attackers target multiple accounts with exposed email addresses and passwords, leaving companies vulnerable to breaches. 1Password makes it easy to provide unique secure passwords for all accounts in the enterprise, limiting exposure in the event of a breach.
“The rate and scale of corporate data breaches has been increasing dramatically over recent years,” said Troy Hunt, founder of HaveIBeenPwned.com. “A dedicated password manager like 1Password not only provides essential protection against the impact of a data breach, but also makes passwords more user friendly than ever.”
Security experts recommend using a complex, random and unique password for every online account, but remembering them all would be a challenging task. That’s where password managers come in handy.
Encrypted vaults are accessed by a single master password or PIN, and they store and autofill credentials for the user. However, researchers at the University of York have shown that some commercial password managers (depending on the version) may not be a watertight way to ensure cybersecurity.
After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.
What is the weakness?
The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.
Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, said: “Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”
“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app’s purported package name.”
“I am not aware of the different ways a password manager could properly identify an app so not to fall victim to this kind of attack. But it does remind me of concerns we’ve had a long time about alternative keyboard apps getting access to anything you type on your phone or tablet,” Per Thorsheim, founder of PasswordsCon, told Help Net Security.
“The risk presented with autofill on compromised websites pertains only to the site’s credentials, not the user’s entire vault. It is always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further,” a LastPass spokesperson told us via email.
“While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any “fake apps” being filled/accepted.”
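To make the matching weakness concrete, here is an added illustration (not code from the study, 1Password or LastPass) of an autofill service deciding which saved credential to offer a requesting app. The app identity fields are a constructed stand-in for what a platform exposes about an installed app (its declared package name plus a digest of the certificate that signed it), and the "ask the user when the app is unknown" fallback mirrors the vendor response above.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List

# Added example. AppIdentity is an assumed model of what the platform reports
# about the app requesting a fill; none of this is any vendor's real code.


@dataclass(frozen=True)
class AppIdentity:
    package_name: str   # name the app declares for itself (attacker-chosen)
    signer_sha256: str  # hex SHA-256 of the certificate that signed the install


@dataclass(frozen=True)
class VaultEntry:
    package_name: str
    signer_sha256: str  # recorded when the credential was first saved
    username: str


def cert_digest(cert_der: bytes) -> str:
    """Fingerprint a (constructed) DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def weak_match(entry: VaultEntry, requester: AppIdentity) -> bool:
    """The weak criterion from the study: the package name alone decides."""
    return entry.package_name == requester.package_name


def strict_match(entry: VaultEntry, requester: AppIdentity) -> bool:
    """Hardened criterion: same package name AND same signing certificate.

    A rogue app can pick any package name, but it cannot be signed with the
    genuine developer's private key, so its certificate digest differs.
    """
    return (entry.package_name == requester.package_name
            and hmac.compare_digest(entry.signer_sha256, requester.signer_sha256))


def suggest(vault: List[VaultEntry], requester: AppIdentity,
            matcher: Callable[[VaultEntry, AppIdentity], bool]) -> List[str]:
    """Return the usernames the autofill prompt would offer to `requester`."""
    return [e.username for e in vault if matcher(e, requester)]


def needs_explicit_approval(vault: List[VaultEntry], requester: AppIdentity) -> bool:
    """No entry is bound to this exact app: ask the user instead of filling."""
    return not any(strict_match(e, requester) for e in vault)


# Constructed sample data: a genuine mail app and a look-alike that reuses
# its package name but is necessarily signed with a different key.
GENUINE_CERT = b"constructed DER bytes of the genuine developer certificate"
ROGUE_CERT = b"constructed DER bytes of an attacker-controlled certificate"
GENUINE_APP = AppIdentity("com.example.mail", cert_digest(GENUINE_CERT))
ROGUE_APP = AppIdentity("com.example.mail", cert_digest(ROGUE_CERT))
VAULT = [VaultEntry("com.example.mail", cert_digest(GENUINE_CERT), "alice@example.com")]

if __name__ == "__main__":
    print("weak, rogue app  :", suggest(VAULT, ROGUE_APP, weak_match))      # leaks alice
    print("strict, rogue app:", suggest(VAULT, ROGUE_APP, strict_match))    # []
    print("strict, genuine  :", suggest(VAULT, GENUINE_APP, strict_match))  # alice
    print("prompt user?     :", needs_explicit_approval(VAULT, ROGUE_APP))  # True
```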
The researchers also discovered some password managers did not have a limit on the number of times a master PIN or password could be entered. This means that if hackers had access to an individual’s device they could launch a “brute force” attack, guessing a four-digit PIN in around 2.5 hours.
The researchers also drew up a list of vulnerabilities identified in a previous study and tested whether they had been resolved. They found that while the most serious of these issues had been fixed, many had not been addressed.
Some issues have been fixed long ago
The researchers disclosed these vulnerabilities to the companies developing those password managers.
Lead author of the study, Michael Carr, said: “New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority. More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and usable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”
Commenting on this research for Help Net Security, Jeffrey Goldberg, Chief Defender Against the Dark Arts at 1Password, said: “Academic research of this nature can be misread by the public. The versions of 1Password that were examined in that study were from June and July 2017. As is the convention for such research, the researchers talked to us before making their findings public and gave us the opportunity to fix things that needed to be fixed. The research, and publication of it now, does have real value both to developers of password managers and for future examination of password managers, but given its historical nature, it is not a very useful guide to the general public in assessing the current state of password manager security.”
63% of enterprise professionals have created at least one account without their IT department being aware of it, and two-thirds of those have created two or more, the results of a recent 1Password survey have revealed.
Even more worryingly, only 2.6% of these 63% use a unique password when they create a new shadow IT account at work and just 13% use a password generator – the rest re-use a memorable password or use a pattern of similar passwords.
The danger of shadow IT and weak passwords
As we wait for a more secure authentication solution to find its way into mainstream usage and achieve widespread acceptance, we have to find a way to minimize the risks that come with password use.
For enterprises, one of the risks is tied to shadow IT: the IT systems/solutions used by its employees without their use being authorized and supported by the IT department.
“Say Carlos [in marketing] populates Airtable with customer data for his email campaigns, and Anita [in legal] checks sensitive legal documents in Grammarly. Without thinking about it, they’re sharing a lot of important data with external companies that IT doesn’t even know about,” 1Password CEO Jeff Shiner explained.
“If one of these services suffers a breach, the company won’t know it affects them, which leaves them powerless to secure their data after the event. It also means they’ll be unable to disclose it to their customers. This could leave any company facing costly fines and a huge loss of trust in its operations.”
Individual accounts could also be compromised by attackers if they are secured by weak and/or re-used passwords, or if the employee shared the password with a colleague in an insecure manner – as most who have shared passwords did.
Finally, former employees might retain access to their shadow IT accounts and their contents after they leave the organization.
“At worst, this company data could be shared with a competitor; at best, it’s left dormant and hidden, but it still puts the company at risk if the service is breached,” Shiner noted.
The pragmatic solution to the shadow IT problem is not banning it, but finding a way to bring it all back under the IT department’s control, he believes.
Promoting and encouraging the use of a password manager for creating strong, unique passwords for all accounts, storing them and sharing them securely can help with the unseen password problem.