Reinforcing protection for customer accounts
Since January 2017, the Security team at OVH have been trying out new methods to secure customer accounts, and detect any attempts to compromise their security. After a year of research and development, we have started rolling out a new algorithm. We would now like to explain what we have set up.
When you log in to the OVH Control Panel, you may have already received an email containing a code that you must enter in order to confirm your login request. If so, then congratulations! You are one of the first set of customers to see our new algorithm, which helps prevent your account being compromised. Since January 2017, we have worked hard to set up additional security measures on our customers’ accounts, on top of the measures that are already in place.
Why has this new algorithm been set up?
It’s always a difficult situation when a malicious party manages to take control of a customer’s personal account. Of course, it’s hard for the customer, whose business may be harmed directly, but it’s also hard for the Customer Advocates, who must find out who the hacker is really working for. Luckily, these are exceptionally rare scenarios. These days, data leaks that reveal user account passwords are becoming a more frequent issue for large companies, and 60% of the population admit that they still use the same password for all of their accounts. We want to prevent any potential threats, and maximize security for our solutions.
How does it work, from a practical point of view?
When you log in to your OVH Control Panel, our algorithm will try to determine whether your method of doing so matches your usual habits (e.g. which web browser you are using). If nothing is out of the ordinary, then you will not see anything different. If, however, our algorithm detects anything unusual about your login, or if you have not logged in for a while, you will then be asked to enter a code sent to you via email. This two-factor authentication mechanism is triggered in order to prove that you are indeed the account holder.
At the same time, you are sent an email with a confidential code, which you use to confirm your login request. The code remains valid for a limited time period, and it must stay confidential, since it is the only way you can prove your identity when two-factor authentication is triggered. This email also acts as an alert, because if you receive it and are not trying to log in to your OVH Control Panel, it means for certain that a third party knows your password. If this happens, we strongly advise changing your password immediately.
How effective the new algorithm is
We have noticed that customers with two-factor authentication enabled have never experienced issues involving their accounts being compromised. The best practices to ensure high security are based on the following four factors: “what I know” (e.g. a password), “what I have” (e.g. a smartphone), “what I do” (standard habits), and “who I am” (biometrics). Even if a third party manages to obtain your password (“what I know”), with two-factor authentication they would need to prove their identity at a second stage, which would require something that only you own as the real account holder (“what I have”).
Based on this observation, we have worked hard to offer an equivalent level of security for accounts that do not have two-factor authentication enabled, whilst also respecting the account holder’s choice to keep it disabled.
The aim was to only request two-factor authentication if there is reason to doubt that the login attempt is really from the account holder. The challenge was to find ways of determining whether login requests are legitimate. After gathering a few statistics, we noticed that our customers showed certain habits when they log in to their personal accounts, like always logging in from the same computer, for example. The solution was then fully designed to identify unusual behaviour during login attempts. This is what we have implemented, with a small dose of machine learning which was designed and set up by our Security team.
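To make the login flow described above concrete, here is an added illustration (not OVH's code; thresholds, the fingerprint tuple and the 10-minute code validity are assumptions) of a minimal risk-based step-up: a login from an unseen browser/OS combination or after a long idle period triggers a time-limited, single-use email code, while a routine login passes silently.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed policy values (assumptions, not OVH's real parameters).
INACTIVITY_SECONDS = 90 * 24 * 3600   # "not logged in for a while"
CODE_TTL_SECONDS = 10 * 60            # how long the emailed code stays valid

Fingerprint = Tuple[str, str]         # e.g. (browser, operating system)

@dataclass
class Account:
    known_fingerprints: set = field(default_factory=set)  # contexts seen on past successful logins
    last_login: Optional[float] = None
    pending_code: Optional[str] = None
    code_expires: float = 0.0

def needs_step_up(acct: Account, fp: Fingerprint, now: float) -> bool:
    """Challenge when the context is new, history is empty, or the account has been idle."""
    if fp not in acct.known_fingerprints:
        return True
    return acct.last_login is None or now - acct.last_login > INACTIVITY_SECONDS

def issue_code(acct: Account, now: float) -> str:
    """Create a 6-digit code from a CSPRNG; the caller would email it to the account holder."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    acct.code_expires = now + CODE_TTL_SECONDS
    return acct.pending_code

def verify_code(acct: Account, submitted: str, now: float) -> bool:
    """Constant-time comparison; the code is consumed on any attempt and rejected once expired."""
    expected, acct.pending_code = acct.pending_code, None   # single use, success or not
    if expected is None or now > acct.code_expires:
        return False
    return hmac.compare_digest(expected, submitted)

def login(acct: Account, fp: Fingerprint, now: float, code: Optional[str] = None) -> str:
    """Return 'ok', 'challenge' (a code was issued, retry with it) or 'denied'."""
    if code is not None:
        if not verify_code(acct, code, now):
            return "denied"
    elif needs_step_up(acct, fp, now):
        issue_code(acct, now)
        return "challenge"
    acct.known_fingerprints.add(fp)   # a confirmed login teaches the habit
    acct.last_login = now
    return "ok"
```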
An algorithm can never replace your own vigilance
Security is everyone’s responsibility. Even if we deploy new security mechanisms, it is also vital that you take the right precautions to ensure that your customer account is secure. We recommend setting a different password for every platform you use, and using a password manager (e.g. KeePass, LastPass, 1Password), which will store all of your passwords for you.
But the best way of stopping your account from being compromised is to enable two-factor authentication. Its efficiency has been proven, and it is very simple to enable: simply log in to your account, go to the ‘My Account’ section, then ‘Security’.
This algorithm was launched along with U2F, which we have offered since October 2017. It is just the start of a much larger-scale project designed to give you even more flexibility and security when you log in to the OVH Control Panel. My colleague Thomas Soete will tell you more about this in the next blog post! To find out more about data leaks, I recommend reading an article by Troy Hunt, an Australian web security expert known for raising awareness on personal data protection, and founder of the website Have I Been Pwned.