Duo Security Presents

A Modern Guide to
Retail Data Risks
Avoiding Catastrophic Data Breaches
in the Retail Industry
Contents

1. Introduction

2. The New Risks to Retail

3. The Business Case Written by Thu Pham

Designed by Chelsea Lewis
4. PCI DSS Compliance Produced by Peter Baker
Presented by Duo Security
5. Two-Factor Authentication
©2014 Duo Security, Inc.
6. Success Stories
First ePub Edition: November 2014
ISBN: 978-0-9862184-1-5 (ePub)
7. Conclusion
First PDF Edition: November 2014
8. Resources ISBN: 978-0-9862184-0-8 (PDF)
 There’s a lot to lose.

With an annual U.S. GDP totalling $2.5

2,500,000,000,000
trillion, the retail industry is comprised of
more than 3.6 million retail establishments.
The industry also ranks as the top employer
in the nation at 19% of total US jobs,
$
outpacing both healthcare (13%) and
manufacturing (8%).1 GDP of the U.S. Retail Industry
A recent string of retail breaches have
placed media and consumer focus on the
security practices of retailers and those that

$ 18,000,000,000
support the industry. And rightly so – U.S.
credit card fraud losses totaled nearly $18
billion last year, according to Javelin Strategy
& Research.2
As the nation’s largest employing industry,
2013 Credit Card Fraud Losses
remote attacks compromising the security
of retail organizations are not to be taken
lightly - they could significantly affect

14,400,000
the nation’s economy and workforce, as
more and more attackers attempt to steal
financial information, sell data dumps and
make a profit off of fraud.
Total Jobs in U.S. in Retail

1
Retail’s Facts and Stats; National Retail Federation; 2014
2
Supervalu Reports Data Breach; Wall Street Journal; August 15, 2014

1 2
 A few high-profile breaches have
also questioned the security
We’ll also discuss how
traditional security solutions
There were 62%
practices of retailers and those
that support the industry.
can no longer effectively
protect us the way they once
more breaches in
Starting with Target’s massive
40 million credit card numbers
did, and how a modern two-
factor authentication solution
2013 than in 2012,
breach, several retailers followed
subsequently, including Neiman
can be the answer to protecting
the new IT model. Concluding
and over 553
Marcus, Michaels, Sally Beauty,
P.F. Chang’s and more.
with several two-factor
authentication case studies,
million identities
Affecting millions of consumers
each online retail organization’s
story includes the business
stolen, up from
worldwide, even big-name
retailers haven’t been able to
drivers behind the adoption
of the technology and their
93 million in 2012,
defend against recent attacks.
The prevalence of breaches
deployment experience.
an increase of
calls for stronger, more effective Ideal for security, compliance
security measures in a rapidly and risk management officers, more than 594%.
evolving IT environment. IT administrators and other
professionals concerned with
In this guide, we’ll explore new
information security, this guide
risks presented by cloud, mobile
is for IT decision-makers that
and Bring Your Own Device
need to implement strong
(BYOD), as well as the business
authentication security, as
and compliance drivers for
well as those evaluating
strengthening authentication
security. The retail industry has
two-factor authentication 2013 2014
solutions for organizations
their own particular risk profile,
in the retail industry.
as well as a slew of new threats
and threat actors. = 10 million identities stolen

3 4
 Chapter 2

The New Risks to Retail:

Bring Your Own Device
& Cloud Services
 Antivirus software catches just 45% of cyberattacks, as
estimated by Symantec’s VP for Information Security Brian
Dye. Ineffective technology is reflected in the numbers, too -
according to The Wall Street Journal,3 Symantec’s earnings are
forecasted to be down about 5 percent from the previous year,

In Too Deep while revenue has fallen in each of the past two quarters.
This is just one example of how ineffectual security tools

with Defense-
are quickly becoming outdated and unprofitable in the
rapidly changing IT landscape. Consumer-driven technology
has changed the IT industry for good, introducing multiple

in-Depth
unsecured and unstandardized personal devices into the
workplace.
This wave of BYOD has also emerged as a result of the
Defense-in-depth is the concept of building pervasiveness of personal mobile devices, making it both
layers of different technology solutions cost-effective and convenient to leverage one device for both
to secure your IT infrastructure. But as personal and work purposes.
the IT model changes to a perimeterless
Enterprises now need to deal with the security risks those
environment, with data now located both in
devices introduce into their environments, as well as find a way
the cloud and on-premises, older security
to centrally manage said devices in order to strengthen their
solutions are falling by the wayside.
security profiles.

3
Symantec Develops New Attack on Cyberhacking; The Wall Street Journal; May 4, 2014

6 7
 As a result, data and applications no longer exist only on-
How to Protect Cloud Data premises. That also means cloud-based systems are most
likely housing sensitive data, whether that’s proprietary
with Strong Authentication business information, customer financial data, protected health
information, etc.
Two increasingly commonplace conditions in the workplace
model require a solution that makes corporate networks and Consequently, remote access to these systems via web-based
resources available whenever, wherever. logins is an easy and extremely valuable target for attackers
targeting internal company networks. As described in the Cloud
Security Alliance’s document, Top Threats to Cloud Computing,4
the threat of account or service hijacking ranks high for
organizations that use cloud, or web-based applications.
Account or service hijacking is not new. Attack methods such
Employees often work Large enterprises are
as phishing, fraud, and exploitation of software vulnerabilities
odd hours, remotely, while employing armies of
still achieve results. Credentials and passwords are often reused,
traveling – often from vendors and subcontractors
which amplifies the impact of such attacks.
untrusted access points as outsourcing becomes
(ie. public Wifi networks). more cost-effective. Cloud solutions add a new threat to the landscape. If an attacker
gains access to your credentials, they can eavesdrop on your
activities and transactions, manipulate data, return falsified
Cloud-based, or web-based services can provide affordable and information, and redirect your clients to illegitimate sites. Your
convenient remote access to these corporate resources; also account or service instances may become a new base for
known in the industry as software as a service (SaaS). Common the attacker. From here, they may leverage the power of your
examples of SaaS include Google Apps, DropBox, Salesforce and reputation to launch subsequent attacks.
Box.
In remediation, the Cloud Security Alliance recommends that
SaaS has become popular as it is a more cost-effective way to organizations leverage effective two-factor authentication
outsource hardware and software hosting and maintenance to techniques where possible as well as prohibit the sharing of
providers, which reduces the need to hire an in-house team of account credentials between users and services.
staff to support the same services.
4
Top Threats to Cloud Computing V1.0 (PDF); Cloud Security Alliance; March 2010

8 9
 Point of Sale Intrusions
Certain threats are specific to Getting access to the devices
the retail industry, including doesn’t require sophisticated
attacks against POS systems, hacking techniques, as

Modern
particularly POS remote devices are typically publicly
access software that allows accessible to the Internet
users to remotely access with no password in place,

Threats to the
and manage POS systems. or they’re protected by weak
Other threats could affect any or default passwords.
industry, such as the exploit of
Verizon’s DBIR reports that 38

Retail Industry
default or weak passwords.
percent of hacking varieties
As the 2014 Verizon Data Breach used in POS intrusions exploited
Investigations Report (DBIR) stolen credentials, claiming
Within the retail industry, threats to report details,5 POS intrusions that many attacks against
cardholder data and corporate networks start with the compromise of a environments with retail
are abound, with third-parties, vendors, POS device. After initial entry, transactions (food services and
cloud applications and other points of attackers can install malware retail industries) were the result
access that open up companies to a to collect magnetic strip data of “truly awful passwords.”
potential breach. from credit and debit cards
and then transmit the data
back to their own servers.
5
2014 Verizon Data Breach Investigations Report; Verizon; 2014

10 11
 Top 3 POS Hacking Methods
When it came to hacking, the top three BRUTE FORCE 53%
methods included brute force (53 percent),
the use of stolen credentials (38 percent) STOLEN CREDENTIALS 38%
and offline cracking (9 percent).
OFFLINE CRACKING 9%
In one example, attackers used stolen POS
vendor credentials to access the internal
network of their client. After installing
malware, they transmitted stolen data
offsite. In another case, a single breached
POS vendor was using the same password
for many different organizations they
managed, resulting in a default password
that could be used against their entire
customer base.

12 13
 POS Software Exploits POS Software Malware
Another scenario targeted POS running RDPs (Remote Desktop An alert from the US-CERT wireless networks that
remote access software used by Protocol). The RDPs provided a (United States Computer include a POS machine
a car wash company, according backdoor for hackers, allowing Emergency Readiness Team)9 and physical access
to KrebsonSecurity.com.6 them to crack passwords, details how certain types of (unauthorized or misuse)
Attackers were able to exploit install keyloggers, and steal malware targeting POS software are all also candidates for
a set of default credentials customer credit card data may use a variety of methods to infection.
to get remote access to their passing through POS systems.7 access POS systems:
The US-CERT also recommends
POS software, allowing them
The attackers made away with Researchers surmise that updating POS software
to steal credit card numbers.
the credit card data of 80,000 Dexter [a type of POS malware] applications, a basic when
The breached car wash
Subway customers, effectively and some of its variants could it comes to best security
companies were also running
hacking 100 Subway sandwich be delivered to the POS systems practices:
older, unpatched versions of
shops and other retailers. They via phishing emails or the
the software that left them Ensure that POS software
are linked to more than $10 malicious actors could be taking
susceptible to security threats. applications are using the
million in fraud losses, with $3 advantage of default credentials
latest updated software
In 2011, the Subway franchise million attributed to Subway.8 to access the systems remotely,
applications and software
was hacked via remote desktop both of which are common
application patches. POS
software that was installed infection vectors.
systems, in the same way as
on computers connected to
computers, are vulnerable
POS devices. The attackers Network and host-based
to malware attacks when
conducted a port scan of blocks vulnerabilities, such as
required updates are not
of IP addresses available on weak credentials accessible
downloaded and installed on
the Internet to detect devices over Remote Desktop, open
a timely basis.

6
Card Wash: Card Breaches at Car Washes; KrebsonSecurity.com; June 23, 2014
7
How Hackers Gave Subway a $3 Million Lesson in Point-of-Sale Security; arstechnica.com; December 21, 2011 9
Alert (TA14-002A): Malware Targeting Point of Sale Systems; U.S. Dept. of Homeland Security; January 2, 2014
8
Breach Exposes POS Vulnerabilities; BankInfoSecurity.com; September 19, 2012

14 15
 Another US-CERT details a privileged accounts, they were recommends defining complex
different type of retail malware able to install POS malware and passwords parameters,
that targets remote POS steal consumer payment data.10 requiring two-factor
software, specifically, called authentication for remote
This type of malware has
“Backoff.” They name certain access, limiting administrative
advanced capabilities, including
publicly-available remote privileges, requiring two-factor
the ability to reinstall itself if
desktop solutions as primary authentication when accessing
it detects it isn’t running any
targets, including: payment processing networks
longer on the POS systems (via
(even if a virtual private network
`` Microsoft’s Remote Desktop the injection of a malicious stub
(VPN) is used), and more.11
into explorer.exe).
`` Apple Remote Desktop
With counts of more than
It can also log your keystrokes
`` Chrome Remote Desktop 1,000 retail businesses affected
(effectively stealing passwords);
by this malware, the United
`` Splashtop scrape memory for track
States Secret Service released
data (the PINs (personal
`` Pulseway an official advisory for retail
identification number),
organizations to check with
`` LogMeIn expiration date, and other info
their managed service providers
on credit/debit cards); and send
and POS system vendor to
The alert describes how once requests between a designated
assess if they were vulnerable
these applications are located, command and control server
or compromised.12
remote attackers attempt to and the breached system.
brute-force the login feature Find out more in U.S. Gov
When it comes to hardening
of the solutions. Once they Recommends 2FA for POS Remote
remote desktop access
gain access to administrator or Access Security.
defenses, the US-CERT

10
US-CERT Alert (TA14-212A): Backoff Point-of-Sale Malware; U.S. Dept. of Homeland Security; July 31, 2014
11
US-CERT Alert (TA14-212A): Backoff Point-of-Sale Malware; U.S. Dept. of Homeland Security; July 31, 2014 12
 Backoff Malware: Infection Assessment; U.S. Secret Service; August 22, 2014

16 17
 It All Starts with a Phish
While many remote access attacks may According to Mandiant’s 2014 Threat
involve scanning for open ports and access Report, most phishing emails were sent,
to remote software, many other attacks unsurprisingly, during weekdays, with a
start with a simple, low-tech phishing email spike on Wednesdays. The report also
attempt to harvest employee credentials. found that 44 percent of those observed
phishing emails were IT-related, meaning
A phishing email may attempt to
they attempted to impersonate the IT
impersonate a member of the retail

44
team of the target company in order to
organization’s IT, C-level or managerial
get employees to click on malicious links
%
teams, and could ask employees to log
or download malware attachments, as
into their network accounts, or to click on
mentioned earlier.13
malicious links/attachments.
Find out more about phishing emails and
Convincing emails can also involve spoofed
spoofed websites in Protect Against Google of phishing emails
websites, that is, websites designed to look
Phishing Emails. impersonated the
like credible login prompts, but are really
IT team of the
linked to attacker databases that steal user
target company
IDs and passwords.

13
MTrends: Beyond the Breach 2014 Threat Report (PDF); Mandiant; 2014

18 19
 Third-Party & Vendor Security
Large companies often use Target’s vendors, as well as only as secure as their vendors provider to store, process, or
third-parties and vendors for their applications and portals and third-parties that have transmit cardholder data on their
critical business functions, such used to submit work orders.15 access to their networks. behalf, or to manage components
as payroll or HR. In the case With a little research, anyone Vetting the security practices such as routers, firewalls,
of Target’s breach, attackers can figure out who to target and access privileges of databases, physical security, and/
exploited the credentials of with phishing emails in order third-parties should be a key or servers. If so, there may be
a heating, ventilation and to steal credentials and gain step before contracting with an impact on the security of the
air conditioning (HVAC) access to corporate networks. them, particularly in order to cardholder data environment.16
company that gave them Attackers often target smaller meet PCI DSS compliance:
According to the guidelines,
access to Target’s electronic service providers to get into
a retail industry service
billing, contract submission large corporations, since For service providers required
provider must undergo
and project management small companies typically lack to undergo an annual onsite
either an independent PCI
online software, according to the resources and security assessment, compliance
DSS audit and show proof
their released statement.14 knowledge to keep them out. validation must be performed
of it, or they must concede
on all system components in the
KrebsonSecurity.com describes While a corporate retail to an audit when their client
cardholder data environment.
how easy it is, via a simple organization may be secure undergoes a PCI DSS audit.
A service provider or merchant
Google search, to find a list of within their own walls, they’re
may use a third-party service
14
Statement on Target Data Breach (PDF); Fazio Mechanical; February 2014 16
P ayment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PDF); PCI
15
Email Attack on Vendor Set Up Breach at Target; KrebsonSecurity.com; February 12, 2014 Security Standards Council; Version 3.0; November 2013

20 21
 Cloud Services Law Firms
If your company outsources these accounts even more The consequences can be Another type of vendor that
your data storage and/or valuable to potential attackers. severe - in June, after an needs to be vetted carefully
processing to a third-party attacker gained access to for security are law firms as
And, if those credentials are
cloud vendor, it’s imperative to hosting company Code they deal with many different
stolen or exploited, it can be
take extra precautions when Space’s Amazon EC2 (cloud) types of sensitive data for retail
very difficult to get account
it comes to authentication environment, they wreaked clients.
control back. While ‘cloud
security. Using infrastructure havoc. Deleting backups,
security’ can mean many As The New York Times Dealbook
as a service (IaaS) cloud machine configurations and
different things, guarding reported,17 big corporate
providers can offload the offsite backups effectively
the front door is an integral clients are demanding that law
management and hosting shut the company’s doors.
first step to protecting firms take data security more
of your IT infrastructure,
data, networks, resources The costs to recover proved seriously to guard against online
but in this scenario, security
and other company assets too much for the company, breaches to sensitive data,
becomes more important
located in the cloud. as they stated the cost of including clients in the financial,
than ever as your company
resolving the issue as well banking and government
assets move offsite. As mentioned earlier, auditing
as the cost of refunding sectors.
your cloud hosting provider is
A cloud hosting provider’s customers would put them in an
one way to ensure their security The FBI has also voiced
services also often include “irreversible” financial position.
practices are sound. Enabling concerns over law firm security,
a management dashboard
two-factor authentication on Implementing two-factor citing the potential for state-
allowing an organization to
administrative cloud account authentication may have sponsored cyber espionage
manage their cloud services
logins can also strengthen prevented the initial account as a reason, which could
(typically for administrators).
account security; making it takeover in this situation. allow foreign states to spy
This means the username
difficult for attackers to access Find out more about multi- on American corporations or
and password to your cloud’s
your accounts remotely without factor authentication with government agencies.
administrative dashboard or
both knowing your password AWS, and how to enable
accounts are the master keys
and having possession of two-factor authentication for
to your entire IT infrastructure,
your personal device. your third-party accounts. Law Firms Are Pressed on Security for Data; The New
17

making the entry points to York Times Dealbook; March 26, 2014

22 23
 Chapter 3

The Business Case

24 25
 SOURCE: Ponemon Institute’s 2014 Cost of a Data Breach Study

$3.5m
Average cost of a data breach

$145
Average cost per stolen record

The Rising
Costs of a
Data Breach
The primary business driver to invest
in authentication security includes the
expensive fallout of a data breach - the
costs after a data breach are rising year Up Up

9 %
15 %
over year.

from 2013 from 2013

26 27
 According to the Ponemon Institute’s 2014 Cost of a
Data Breach Study: Global Analysis,18 the average total
$961m
cost of a data breach increased 15 percent to $3.5
million. Additionally, the average cost paid per lost
or stolen record containing sensitive and confidential
42 %
information has increased more than 9 percent from
$136 in 2013 to $145 in 2014. Costs of data breaches
include many other unforeseen expenses, such as legal
fees, government fines, subsequent lawsuits and more.

$520m
In the case of Target’s 40 million credit card breach,
negative press can have a very adverse effect on
profits. With a highly publicized data breach breaking
just before the holidays, the company’s profits fell
46 percent in the fourth quarter of last year, down to
$520 million in the fourth quarter, while earnings were
$961 million the same quarter a year before (2012).
Earnings per share also fell from $1.47 to 81 cents,
according to The NYTimes.com.19

2013 Pre-Breach 2014 Post-Breach

18
19
2014 Cost of a Data Breach Study: Global Analysis (PDF); Ponemon Institute
Data Breach Hurts Profit at Target; The New York Times; February 26, 2014
Target’s Q4 Profits
28 29
 An attacker gained access to their Amazon
EC2 environment and deleted backups,
machine configurations and offsite
backups, effectively shutting the company’s
doors. The costs to recover proved too
much for the company:

Code Spaces will not be able to operate beyond

this point, the cost of resolving this issue to date
Worst Case Scenario: and the expected cost of refunding customers who

Going Under
CLOSED
have been left without the service they paid for will
put Code Spaces in a [sic] irreversible position both
In other cases, just one bad breach can financially and in terms of on going [sic] credibility.
lead to closed doors - even though they
aren’t a retailer, Code Spaces was a
Subversion (SVN) and Git hosting provider
that had their IT infrastructure destroyed
beyond repair,20 a cautionary tale for any
Allocating budget for the most effective
company using cloud-based resources.
security technology can prevent a disaster
of this magnitude, and is far less expensive
and messy than dealing with the aftermath
of a data breach.
20
Hacker Puts Hosting Service Code Spaces Out of Business; Threatpost.com;
June 18, 2014
30 31
 More Than Just Profits:
The Indirect
Consequences
By compromising a few employee login credentials, attackers
were able to access eBay’s corporate network, according to a
statement they released.22 According to an article from eWeek.

of a Breach
com, notifying users to reset their passwords after the breach
resulted in lower user activity on their site.
While 85 percent of the affected users eventually reset their
In May 2014, eBay Inc. notified users of a breach that affected passwords, an unknown percentage haven’t returned to previous
a 145 million user database of encrypted passwords and other activity levels on their website. eBay’s CEO cited their targeted
information, including customer names, email addresses, physical marketing efforts in an attempt to re-engage users, but it’s
addresses, phone numbers and birthdates.21 clear that a data breach has a deeper impact on the trust that
individuals have in an online business.

21
eBay Hacked, Bleeds Data And Why You Need To Act; Forbes; May 21, 2014 22
eBay Inc. To Ask eBay Users To Change Passwords; eBayInc.com; May 21, 2014
32 33
 “…be extra wary of phishing emails that Despite the fact that financial data wasn’t
stolen in this particular case, the bad press
spoof eBay and PayPal and ask you to alone can be enough to impact a business
of eBay’s size. According to eBay’s CFO, a
decline in eBay’s operating margin could
click on some link or download some be attributed to expenses related to the
breach, as well as their new focus on
security tool; attackers are likely to spending to “increase the vibrancy of the
site.” That decrease was 24.4 percent non-
GAAP (Generally Accepted Accounting
capitalize on this incident to spread Principles) operating margin.23
This demonstrates that remediation
malware and to hijack accounts.” costs can also include scrambling to save
face after a breach, as well as extensive
rebranding efforts that may or may not
effectively restore user activity or traffic to
company websites, let alone user trust in
— KrebsOnSecurity.com their brand.
eBay Urges Password Changes After Breach

23
The Real Cost of the eBay Breach; eWeek.com; July 17, 2014
34 35
 After a breach, the common threats of phishing attacks, fraud
Phishing, Fraud & Lawsuits: attempts and class-action lawsuits hang heavy over a victim
company. Even if no financial data was stolen in the initial attack,

Life After a Breach personal information can be sold to criminals who use it for
phishing attacks or identity theft.

Phishing Attacks
One example of a seemingly legitimate phishing email could be
one pretending to be from the victim company, asking affected
users to log in and change their passwords, allowing attackers to
steal credentials and get full access to user accounts.
With particular insider knowledge of the company, an attacker
can also sprinkle credible information throughout the emails in
order to make them appear more legitimate and increase the
chances of an employee clicking through or opening a malicious
attachment. Armed with that kind of knowledge, it’s more likely
that a company breached once can be breached again.

36 37
 18,600
In the Internet Threat Trends
Report 2014 by CYREN, a 73
percent increase in PayPal-
related URLs and website
phishing attacks was seen
in the first quarter of this
year.24 The report also found
that 18,600 PayPal-related
phishing websites were found
within a two-week span, which
outranked the 2,261 Apple-
related phishing sites in the
same timeframe.
eBay’s breach in May of this
2,261
year (see More Than Just
Profits: Indirect Consequences 1,720
of a Breach) reportedly did not
expose the personal or financial
information of PayPal users. 830
However, eBay does own PayPal
and uses their services for
their online store - prompting
some in infosec to warn against
potential phishing emails that
may spoof either company.

24
Internet Threat Trends Report 2014 (PDF); CYREN;
April 2014
Phishing Websites
38 39
 Fraud Lawsuits
In another case, the POS restaurants. At one location, Lawsuits are also very common even though they knew that
systems of certain Marriott both the property management after a major data breach. hashing was more secure and
hotels managed by the system used to process card eBay was recently reported to preferred by security experts.
independent hotel management information and their POS be facing a class-action suit
They also contend that eBay
company, White Lodging system were affected.25 in a U.S. federal court over
failed to notify affected users
Services Corporation were their breach, filed by Collin
Subsequently, Marriott released on a timely basis — even
infected with malware, affecting Green on behalf of himself
a statement in February to though they had knowledge
the credit cardholder data and others affected.27
warn their customers of rising of the breach in February
of customers that used their
incidences of fraud linked to the After suffering from identity 2014, they didn’t notify users
cards at hotel gift shops and
management company breach: theft directly related to the until the end of May 2014.
breach, they sought to cover
the damages from the improper
disclosure of their personal
information, including time
One of our franchise management companies has spent and out-of-pocket identity
theft mitigation expenses.
experienced unusual fraud patterns in connection
The lawsuit claimed eBay
with its systems that process credit card transactions
didn’t encrypt most of the
at a number of hotels across a range of brands, stolen information, including
customer names, email
including some Marriott-branded hotels.26
addresses, birthdates and more.
They also contested that eBay
did not use the most secure
form of encryption (hashing),

25
Additional Information About the Press Release Dated February 3, 2014; White Lodging, February 2014
26
 Marriott’s Response to White Lodging Data Breach; Marriott.com; February 1, 2014 27
Collin Green vs. eBay, Inc. (PDF); U.S. District Court for the Eastern District of Louisiana; July 23, 2014
40 41
 Part of the problem with breach notification in the retail industry So, breached retail organizations
is the fact that PCI DSS compliance doesn’t dictate a required are only responsible for
timeline for notifying users/consumers. They only go as far to notifying payment brands (at a
recommend that in standard 12.10.1 to: minimum). The only other way
they would be required to notify
consumers is by per-state laws,
such as the California Bill 1386,
Create the incident response plan to which requires the notification
of affected consumers in the
be implemented in the event of system
event of an actual or suspected
breach. Ensure the plan addresses the compromise for any business
with California residents in their
following, at a minimum:
database.
•Roles, responsibilities, and
Simply satisfying PCI DSS
communication and contact strategies compliance requirements isn’t
the best way to implement
in the event of a compromise including
security, but it’s a good start
notification of the payment brands, at a to familiarize yourself with the
standards in order to determine
minimum28
just how high the bar is set for
retail organizations.

28
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PDF); PCI
Security Standards Council; Version 3.0; November 2013
42 43
 Chapter 4

PCI DSS Compliance

A main driver for most retail organizations that If you store, process, transmit or accept credit
deal with credit cardholder data, specifically, online cardholder payments, or if you support the retail
transactions, is the framework of PCI DSS (Payment industry in any way, you may fall within scope of the
Card Industry Data Security Standard) compliance29 PCI DSS guidelines. That includes any software as a
that dictates data security guidelines for corporate service (SaaS) company that may provide ecommerce
networks and point of sale systems. software applications to the retail industry.

29
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (PDF); PCI Security Standards Council; Version 3.0; November 2013
 Retail organizations and vendors that deal with customer payment information
must abide by the 12 very specific technical standards outlined by PCI
DSS regulations designed to protect customer data, including:

Build & Maintain a Secure 1. Install and maintain a firewall configuration to protect
Network & Systems cardholder data
2. Do not use vendor-supplied defaults for system passwords
and other security parameters

Protect Cardholder Data 3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public
networks

Maintain a Vulnerability 5. Protect all systems against malware and regularly update anti-
Along with the Management Program virus software or programs
standards are 6. Develop and maintain secure systems and applications
testing procedures,
intended for the Implement Strong 7. Restrict access to cardholder data by business need-to-know
security and IT Access Control Measures 8. Identify and authenticate access to system components
teams of retail 9. Restrict physical access to cardholder data
organizations to
follow, as well as for Regularly Monitor & Test Networks 10. Track and monitor all access to network resources and
auditors to assess cardholder data
an organization’s 11. Regularly test security systems and processes
level of compliance.
Maintain an Information 12. Maintain a policy that addresses information security for all
Security Policy personnel

46 47
 More specifically, PCI DSS requirement 8.3 mandates:
Incorporate two-factor authentication for remote network
access originating from outside the network by personnel
(including users and administrators) and all third parties,
(including vendor access for support or maintenance).
Note: Two-factor authentication requires that two of the three
authentication methods (see Requirement 8.2 for descriptions
of authentication methods) be used for authentication.

PCI DSS Using one factor twice (for example, using two separate
passwords) is not considered two-factor authentication.

Standards
Examples of two-factor technologies include remote
authentication and dial-in service (RADIUS) with
tokens; terminal access controller access control
system (TACACS) with tokens; and other technologies
The PCI DSS requirement 8.0 mandates
that facilitate two-factor authentication.
that retail organizations identify and
authenticate access to system components, The testing procedures include:
meaning individuals are assigned a unique
8.3.a - Examine system configurations for remote access servers
user identification and password, with
and systems to verify two-factor authentication is required for:
a strong password policy in place.
• All remote access by personnel
The authentication standards hold
true for all accounts within the retail • All third-party/vendor remote access (including
organization, including point of sale, access to applications and system components
administrative, and any accounts for support or maintenance purposes).
used to view/access cardholder data.
8.3.b - Observe a sample of personnel (for example, users and
This includes vendor and third-party
administrators) connecting remotely to the network and verify
accounts for support or maintenance.
that at least two of the three authentication methods are used.
48 49
 Third-Party Remote
Access Security
Third-party remote access security This includes any employees that may
is especially important for larger be connecting remotely with VPNs.
enterprises that may have a more Ensuring two-factor authentication is
complex business network comprised enabled can prevent remote attackers
of different vendors for many different from impersonating and exploiting
roles and responsibilities within their stolen employee credentials (which
company, such as payroll or HR. can be easily obtained via social
engineering that targets certain
Keeping an inventory of vendors
employees, particularly, ones with
and their access privileges gives you
administrative access and privileges).
insight into who has access to credit
cardholder systems and environments, For more on PCI DSS, two-factor
and can be valuable in the case of authentication and the differences
a breach or security incident. between versions 3.0 and 2.0, read PCI
DSS 3.0 and Two-Factor Authentication.
50 51
 Solutions for With this in mind, a new an attempt to mitigate risks.

Authentication wave of security providers

are moving forward with the
philosophy that a breach is
Some include solutions that
scan networks searching
for malicious code. Another

Security inevitable; almost embracing

the fact that hackers will
exploit weak authentication
goes as far as placing fake
data within firewalls to
distract hackers searching
Remote access to POS systems via at some point. Given that for the real thing, as The
logins is an easy but valuable target for fact, the starting point Wall Street Journal reports.30
attackers attempting to access internal for their new technology Other services include
company networks. Stealing credentials begins within the network, entire teams of investigative
can be as simple as launching a social after an initial breach. security detectives to conduct
engineering or phishing email attack, forensics after a breach.
New tools on the market
and exploiting those credentials can give
take very different angles in
attackers full access to company assets.
 Symantec Develops New Attack on Cyberhacking; The Wall Street Journal; May 4, 2014
30

52 53
 Other tools aim to strengthen your security profile a few
steps ahead by stopping a breach before it happens, instead
of detecting it in real-time or mitigating after the fact. One
security strategy is to implement one effective security solution
instead of several that can only help you after being breached.
When it comes to effectiveness, the right solution should

76
be engineered to guard against the most varied attacks.
% In this new era of IT, the security of users, devices and
access become more important than ever, with the need
for always-available data and networks also opening up
retail organizations to potential external attacks.
As the 2013 Verizon Breach Report found, 76 percent of network
intrusions exploited weak or stolen credentials,31 putting
of network intrusions passwords and authentication security in the limelight. It’s
exploited weak or no longer enough to rely solely on users and the ability for
passwords to supply a sufficient amount of security. It’s
stolen passwords time to take the emphasis off of passwords and redirect it
to reliable authentication technology that actually works.
That’s where tools like two-factor authentication come into the
picture. By implementing a solution that relies on more than
just your username and password as the keys to your network,
security starts sooner. Protecting data no matter where it lives,
whether in the cloud or on-premises, ensures a balance between
always-available data and the need for secure and limited access.

 2013 Verizon Breach Investigations Report (PDF); Verizon; 2013

31

54 55
 Chapter 5

The Two-Factor
Authentication Solution
Two-factor authentication requires two • Something you know: a unique username
different methods of verifying your identity and password
when logging into an account to provide a
• Something you have: a smartphone
second layer of protection. The two factors
with an app to approve authentication
may include:
requests

56 57
 Two-Factor
Authentication
Devices Smartphone passcode
With the help of a mobile app, a one-time
Depending on the software used for passcode is generated that you can type
authentication, you may have these methods into a prompt to complete authentication.
as a choice of your second factor:

Push authentication Token

ï
ïï
With the help of a mobile app, login Through the use of a traditional

ïï
and transaction details are sent to your hardware token or modern U2F device,
smartphone. Users choose either ‘Approve’ a one-time password is generated
to complete authentication or ‘Deny’ to to complete authentication.
report a fraudulent authentication attempt.

Text message Phone call

Login passcodes are sent via text Answer a phone call and
message. Enter this passcode online press a key to authenticate.
to authenticate the second factor.

58 59
 How do
I Protect Other recommended controls to protect

Against against POS intrusions include:

Segment the POS environment

Point-of-Sale from the corporate network

Conduct only POS-related

Intrusions? activities on POS systems

Restrict remote access to POS systems

by your third-party management vendor
After analyzing the data, the 2014
Verizon DBIR singled out two-factor
Enforce password policies (make sure
authentication as one of the top
passwords used aren’t defaults)
recommended controls to securely
authenticate third-party and internal
Monitor network traffic to and
users for larger franchise companies.
from the POS network
60 61
 Protection for Remote Users
Main Office

Two-factor authentication is an
optimal security measure to protect
against online fraud and unauthorized
access for clients that connect to their
networks from a remote location.
Most organizations use a VPN (Virtual
Private Network) that allows their
users to securely connect and access
INTERNET
corporate networks, resources and
assets remotely, ideal for employees
that need to work while travelling or at
odd hours, or from home. This secure
connection is typically protected by
a unique username and password.

Regional Regional Remote

Office Office users

62 63
 username

••••••••••
?

Enter username and Use your phone to Securely logged in

password as usual verify your identity

But with that convenience the VPN connection. Simple your physical device to log in. credentials. Find out more in
comes the security threat of authentication methods based Two-Factor Authentication for
Combining two-factor
a stolen password that could on static passwords are subject VPNs.
authentication with your VPNs
be exploited for unauthorized to password “cracking” attacks,
is ideal for any organization With a cloud-based two-factor
access. Cisco referenced “user- eavesdropping, or even social
concerned with keeping remote solution, set up doesn’t require
credential-related risks” as one engineering attacks. Two-
access to intellectual property any hardware or software
of the general security risks factor authentication, which
and sensitive data secure, installation or management.
when it comes to SSL VPNs, consists of something you know
especially anyone in the retail Find out how easy configuration
and recommends two-factor and something you have, is
industry that must secure credit can be by reviewing the
authentication as a way to a minimum requirement for
cardholder data. documentation on how to set
provide secure remote access: providing secure remote access
up two-factor authentication
to the corporate network.33 Integrating two-factor
VPN security is only as strong with Juniper SSL VPN. Or,
authentication with your VPNs
as the methods used to Two-factor authentication can find out how to integrate two-
and remote logins can help
authenticate the users (and the prevent a remote attack by factor with other VPN types in
protect against phishing attacks
devices) at the remote end of requiring an attacker to have Documentation.
and the exploitation of stolen
33
SSL VPN Security; Cisco
64 65
 Protecting Your Cloud Services
Protecting your web-based applications
requires an easy-to-integrate, modern
two-factor authentication solution that
can be deployed quickly and scaled as GOOGLE APPS BOX
needed for your retail organization.
Larger retail enterprises may use
popular cloud applications such as
Salesforce, Office 365, Google Apps or
Box. A good two-factor authentication
solution should support enterprise-
level cloud apps while providing easy
user and administrative management.
Find out more in Two-Factor
Authentication for Cloud Apps. SALESFORCE OFFICE 365

66 67
 Modern vs Traditional
Two-Factor Traditional Two-Factor
Authentication Authentication
Older, legacy two-factor authentication solutions Traditional two-factor authentication solutions
often require hardware and can be difficult to manage. required hardware tokens, also known as key fobs or
With the rapidly changing IT landscape, two-factor cards, that users would carry with them in order to
authentication methods need to adapt in order to authenticate as their second factor. The tokens would
survive - if a security solution isn’t easy to implement, generate one-time passwords that the user would
manage and use, security will never be fully effective. subsequently have to type into a prompt to get access
to their accounts.
Hardware tokens can, however, be very costly to
purchase upfront, distribute, track and replace when
they break. They aren’t always secure by design, either.
68 69
 In the case of RSA’s breach in 2011, an advanced An APT in 2011 cost RSA

66,000,000
persistent threat (APT) prompted the company to

$
replace millions of SecurID tokens, resulting in $66
million in remediation costs due to the compromise
of information related to their two-factor solution, as
reported by DarkReading.com.34
Attacks against defense contractors used stolen
RSA token information, including Lockheed Martin.35
Naturally, the incentive to replace tokens and
or roughly the equivalent of

1,320,000
strengthen their defenses was strong, as it was
motivated by the need to protect sensitive information
such as military secrets and intellectual property.

SecurID tokens

-FAIL-
FAIL
34
RSA SecurID Breach Cost $66 Million; DarkReading.com; July 28, 2011
35
Security Firm Offers to Replace Tokens After Attack; The New York Times; June 6, 2011

70 71
 Modern Two-Factor Managing and securing access these days requires
better security, not just more solutions. With a new
Authentication IT model comprised of cloud, mobile and BYOD; a
smarter, leaner and more effective security solution
is a necessity. When it comes to comparing modern
While tokens aren’t always secure, and they can be
two-factor authentication solutions, ask the following
difficult to use, a modern two-factor solution is what
questions:
most organizations need to stay lean and secure.
A solution designed with users in mind lets them How Secure Is Your Solution?
authenticate easily via mobile apps and push
Two-factor authentication solutions (hardware
authentication, letting them use methods they’re
tokens or SMS passcodes) that rely solely on the
already familiar with, and a tool they already carry with
effectiveness of one-time passwords (OTP) may leave
them - their smartphones.
logins vulnerable to a Man-in-the-Browser attack
when paired with the use of malicious code (a Trojan).

72 73
 How does it work? Is It Easy to Implement and Deploy?
An attacker might attempt to infect a user’s computer When looking for a two-factor solution, take into
with malicious code by sending a phishing email to the account how easy it is to set up and deploy the
victim. When the victim clicks on a link or opens the solution - buying and managing hardware tokens as an
malicious attachment, the code infects their device administrator can quickly become a headache, as well
and resides in their web browser. as very costly to replace if they’re lost or broken.
If a user attempts to log into a certain website, the Check to see if your provider offers thorough
malware can track the credentials used to login for documentation or a guide to setting up two-factor
primary authentication. It can also gain access to an authentication with your particular platform,
account that uses a one-time password for secondary application or device. Also, check to see if they offer
authentication. APIs that allow you to easily integrate their two-
factor authentication solution into your custom-built
Using an out-of-band authentication method designed
environments.
to protect against man-in-the-browser attacks, as well
as other credential theft attacks can bring down the
success rate of OTP/SMS bypass attacks.
Instead of using a one-time password or pin, modern
two-factor solutions allow you to authenticate via push
notifications on your smartphone. The design of the
security solution and authentication method matters
- your users’ phones and your modern two-factor
provider’s servers should be set up to validate each
other to prevent network-level attacks against the
authentication process.

74 75
 Is It Easy, Convenient and Does It Provide Adequate
Flexible For Your Users? Controls For Your Admins?
A versatile two-factor authentication solution gives With a centralized management dashboard,
your users many different authentication options to fit administrators should be able to easily provision,
their different needs in any given scenario, including manage and maintain a large number of users and
ones in which they may not have cell service or an devices.
Internet connection.
Some of the controls an administrator might be
In addition to usability, check to see if your solution interested may include:
comes with a self-service portal that lets users
• Add, edit and delete users
manage their own devices, enroll and remove devices,
reactivate mobile services, etc. This puts less strain • Manage authentication methods available to your
on administrators, reducing the amount of help desk users
tickets related to your two-factor authentication
• Control lockout and fraud options
solution.
• Manage trusted devices and networks
• Access telephony, administrator and user logs

76 77
 What Is the Total Cost of Ownership? Is it Cloud-based?
The total cost of ownership can include the upfront, A cloud-based two-factor authentication solution can
implementation, support and operational costs offload the IT infrastructure of virtual servers needed
over time. A modern two-factor solution cuts down to host the solution, saving you the hassle of managing
on capital and personnel costs by eliminating the authentication servers.
hardware and software costs to buy, install and
With a pricing model based on per-user payments,
manage.
it’s often more cost-effective than a multi-year,
That includes these types of costs: subscription-based contract that legacy two-factor
providers may require.generated that you can type into
• Authentication devices for each of your users
a prompt to complete authentication.
• Authentication servers and backups
• Maintenance and support for software and
customers
• Replacement and redeployment of lost or damaged
devices
• Implementation costs, if additional products are
required

78 79
 Chapter 6

Success Stories
For a few major online retailers, a modern, Find out how these companies dealt with
cloud-based two-factor authentication certain security challenges, why they chose
solution can secure internal employees two-factor authentication and more about
that need always-available remote their technical deployment experience in
access to their company’s network. these real-life company case studies.

80 81
 “It was more like building
a relationship instead
of just buying or being
sold on a product.
It’s very apparent that security is a prevalent

A PCI DSS &

concern for Dug; which is very good when
you’re running a security company.”

Juniper SSL VPN — Tristan Hammond

Case Study IT Infrastructure Manager, Threadless

Founded in 2000, Chicago-based Threadless is

a crowd-sourced e-commerce art and apparel
company with nearly one million users.

82 83
 PCI DSS COMPLIANCE & SECURITY TRUST, CONFIDENCE, USABILITY &
CONCERNS COST-EFFECTIVENESS
Tristan found Duo Security’s solution on
They needed to meet PCI DSS compliance in
recommendation from his developer friend, the former
order to securely process online orders - and after
CTO of Obama for America, Harper Reed. Attracted
undergoing a security audit, they were told they
by Duo Security’s ease of use and simplicity for both
needed to implement two-factor authentication
users and administrators, Threadless was also drawn
to protect the personal, financial and transaction
by the company’s cost-effective per-user payment
data of their customers, according to their IT
model. In addition, Tristan cited confidence and trust
Infrastructure Manager, Tristan Hammond.
as another deciding factor after great communication
with Duo Security’s CEO and co-founder, Dug Song.
SEEKING AN RSA ALTERNATIVE
While Threadless was using RSA’s two-factor TWO-FACTOR AUTHENTICATION FOR
authentication solution, their internal employees JUNIPER SSL VPN
were experiencing many authentication errors while
With two-factor authentication, employees can work
using their mobile app. Their customer service
remotely while still accessing local assets on the
also provided no relief - Tristan was unable to get
Threadless network via their Juniper SSL VPN (find
an answer to their authentication failures after
out how to easily integrate two-factor with Juniper).
spending hours with RSA’s customer service.

84 85
 The different teams at methods include everything
Threadless each use Duo’s two- from SMS passcodes to phone
factor solution to safeguard callbacks to Duo’s out-of-band
different types of sensitive authentication method, push
information, including: notifications via Duo’s secure
• Engineers and developers use
mobile application. “I haven’t gotten a single
two-factor to protect access
to their AWS (Amazon Web EASY TESTING &
complaint about it.
Services) infrastructure, DEPLOYMENT If no one’s talking about it, that’s a
including databases housing
Testing was easy with their
customer information
VMware setup. They easily lit
good thing — nothing’s broken. Our
• Finance use the solution to up a couple of virtual boxes and overall experience with Duo has
protect access to financial used another VPN appliance
documentation stored locally for internal testing, which let
been extremely easy— that’s not
and in the cloud them try out Duo’s two-factor something that always happens
without altering their current
• Product and creative teams
environment.
in the technology world…
use it to protect raw photo
assets Switching over was also
incredibly simple. “I changed
I would definitely
USER SELF- a few IP addresses and
hostnames, and we were
recommend it.”
ENROLLMENT done,” said Tristan. They rolled
Threadless employees used out the solution after testing
Duo’s self-enrollment feature it with a few users from each
to choose their preferred department first — after that,
authentication method after there was silence.
signing up. The different — Tristan Hammond
IT Infrastructure Manager, Threadless
86 87
 “This is the brilliance of
Duo — most people spend
so little time interacting
with it, as it’s so quick and
simple, that they barely
know they’re using it.”
An API & SSH
Case Study — Ben Hughes
Network Security Manager, Etsy
As a global online marketplace, specializing in
handmade and vintage goods, Etsy is determined
to redefine commerce by establishing a platform
for users to sell, buy and rate artists’ work.

88 89
 SECURITY:
INSTILLING USER
FRICTIONLESS,
CONVENIENT “Slickness of the
TRUST & INTEGRITY AUTHENTICATION application and the
Being an online marketplace, Etsy chose Duo Security
Etsy can only keep users safe for the convenience of their enrollment process are
if they keep their organization solution that allows you to use
safe first. To build trust smartphones for authentication the two things that
and integrity within their instead of an expensive,
community, they looked to two- unreliable and clunky token. leapt out at me. The
factor authentication. Etsy’s
Network Security Manager
Duo Security’s free mobile app
enables users to quickly and
latest iOS 7 application
Ben Hughes cites single-factor
authentication as the weak
easily authenticate via push
notification.
is beautiful and even
link in the chain as attackers
become increasingly more easier to use than
advanced in their methods.
before.”

— Ben Hughes
Network Security Manager, Etsy
90 91
 Chapter 7

Conclusion
The changing IT landscape to protect consumers from is more important than ever. However, traditional two-factor
requires better and more theft of their personal and One way to strengthen your authentication solutions used to
effective security solutions, financial information, while authentication security profile is be expensive and hard to deploy
ones that can prevent a meeting industry compliance with two-factor authentication. and use - making security
breach from happening requirements and modern Two-factor authentication harder for users to adopt.
instead of waiting to security best practices. is also required by PCI DSS The answer is to seek out a
remediate after the fact. (Payment Card Industry Data modern two-factor solution that
But the risks introduced by
Security Standard) to protect leverages the many advantages
Retail organizations in new points of access, including
remote access to networks with of cloud-hosted applications
particular need to guard the increased use of cloud
cardholder data. to give your retail organization
against remote attacks on their resources and BYOD, means
a convenient and easy way
POS environments in effort that authentication security
to implement security.
 Chapter 8

Resources
 Payment Card Industry (PCI) Data Security Standard: Requirements
and Security Assessment Procedures, Version 3.0 (PDF)
This is the official document outlining every standard, testing procedure
and guidelines for securing an environment with credit cardholder data.
Payment Card Industry (PCI) Payment Application Data Security
Standard: Requirements and Security Assessment Procedures,
Version 3.0 (PDF)
This is the official document that defines the security requirements and
assessment procedures for software vendors of payment applications.
PCI DSS Glossary of Terms
Get the definitions of commonly used terms, abbreviations and acronyms
used in the PCI DSS compliance guidelines.

Additional
Official List of Qualified Security Assessors
Need to get PCI DSS audited to prove your company’s compliance? Check
out this list of QSAs that have been approved by the PCI DSS Security

Resources
Standards Council.
Official List of Validated Payment Applications
Need to find a secure payment application for your retail business? Check
For those in the retail industry looking
out this list of validated payment applications that been audited to comply
for a primer in PCI DSS compliance
with the PA-DSS standards.
and information security guidelines to
protect against a remote attack, check Free Webinar: Preparing Your Organization for PCI 3.0 with Cloud-
out the following list of resources: Based 2FA
Learn more about how cloud-based 2FA can help you prepare your
organization to meet the latest PCI DSS compliance guidelines, version 3.0,
as well as the changes from version 2.0.

96 97
 What should I look for in a
two-factor authentication solution?

Cloud-based two-factor Easy integration, lots of Fast and easy Variety of

authentication documentation user provisioning authentication methods
This means no hardware or A modern, cloud-based two- For large deployments with SMS passcodes, phone
software to install on-premises, factor authentication solution thousands of users, your callbacks, passcodes
and no server to set up. That should make it easy for two-factor authentication generated via mobile apps,
equals less time and money administrators to integrate solution should support the even hardware tokens make
spent setting up, and more time two-factor into their existing ability to provision using it easy for users in different
for administrators to spend on application workflow. Check methods like Active Directory scenarios to authenticate,
other tasks - better for your to see if they offer extensive synchronization and bulk including on or offline, or with
organization’s bottom line. documentation for your user imports via .CSV files. or without phone service.
integrations, and how easily
Smaller deployments can
it can be done before you
take advantage of self-
sign the contract so you
enrollment to allow users to
don’t run into unexpected
sign themselves up, lightening
integration issues later.
the load for administrators.

98 99
 Secure, Advanced Try before Would you like more
out-of-band administrative you buy information?
authentication dashboard Ask your two-factor Download our free Two-Factor
Of course, using an out-of- A comprehensive two-factor authentication vendor if they’ll Authentication Evaluation
band method, like generating authentication solution let you try out their solution Guide for a more in-depth
push notifications via a mobile should come with an on an individual-basis or small analysis of what to look
app is one of the most secure administrative interface that deployment scale before you for in a modern two-factor
methods, as it eliminates gives you complete visibility decide to invest and deploy to authentication solution.
the threat of a potential into your security solution - your entire organization. That
OTP (one-time password) allowing you to create new way, you can determine if you
bypass. Plus, it uses your integrations; manage users, run into any major integration
personal phone, not an extra groups and trusted devices; or usability issues, and you can
token, making it easier to and have access to APIs. know what to expect when it
remember and harder to lose. comes to mass deployment.
Account recovery should
also be included in the
admin interface in the event
a user loses their device.
100 101
 About Duo Security
Duo Security provides cloud-based two-factor authentication to more
than 5,000 organizations worldwide. In as little as fifteen minutes, Duo’s
innovative and easy-to-use technology can be deployed to protect users,
data, and applications from breaches, credential theft, and account
takeover. Try it for free at www.duosecurity.com.
If you have questions or would like a demo walkthrough of how to
use Duo’s two-factor authentication solution, contact one of our Duo
representatives today!
617 Detroit St.
Ann Arbor, MI 48104
+1 (734) 330-2673

102 103