Thursday, February 27, 2020

"Hi, This is Google."

One-Time Passwords are the go-to solution for second factor authentication, and while they come in different variations, they all essentially do the same thing – prove “what you have”. The different variations include SMS based OTPs, hardware-based tokens and soft tokens that utilize an existing piece of hardware, such as a smartphone.

Two-factor authentication is typically required and enforced by regulatory bodies, when dealing with financial transactions or with extremely sensitive data. PSD2 for instance, is a regulation meant to promote competition in the European banking industry by requiring financial service providers to open their APIs to “regulated 3rd parties”. These regulated 3rd parties are required to enforce two-factor authentication when providing access to their end users, when accessing their financial information.

Each of the different variations of the OTP has its own pros and cons, but they all share one commonality – they require you, the consumer, to carry something. From a security point of view, should the item fall into the wrong hands, this paves the way to account takeover by a malicious party.

The image below shows a quite original crook, using chopsticks to pickpocket unsuspecting victims.

The Good
Let’s start with the user experience – OTPs remove the need to memorize passwords, although they are typically coupled with another “memory-based” factor such as username and password. OTPs also provide relatively good protection vs. replay attacks, since the one-time code or token can only be used within a limited time span, unlike passwords which are static and in the best case, are replaced every 2-3 months.

Perhaps the biggest advantage of SMS based OTPs is that they work on any device, and believe or not, some populations still use just “phones” as oppose to smartphones.

Fun Fact: Some Jewish Orthodox populations actually require a “Kosher” stamp on phones that they use. For some Jewish communities, “smartphones” in general are not considered Kosher, therefore they are required to non-smartphones, which can only use SMS to deliver the OTP.

The Bad
The downside is that the user needs to carry something physical – a device with the relevant SIM card, a token, or a registered device with a soft token.

A true story – someone once shared with me that they were abroad and had to access their bank account to do an urgent transaction. Surprise-surprise, they forgot their password and had to go through the tedious “recovery” process. However, since they were abroad, they could not receive SMSs (some banks restrict sending SMSs if the person is in a foreign country, for security reasons) and could not recover their password. In order to change their registered number to the temporary local number, they needed their password. Quite the conundrum. Eventually they had to call the helpdesk and waste precious time.

Aside from the usability limitations, SMS OTPs suffer from an inherent security flaw – the SS7 protocol used to send SMS has been declared by NIST and other standardization bodies to be insecure and unfit to be used for 2FA. In this case, hard tokens fare better from the security perspective, but who wants to carry a token with them at all times?

Social engineering is another phenomenon that has been the root cause for widespread fraud in the financial industry. It usually goes something like this: Hackers pull up a phony web site that is used to amass username, passwords and other personal details from unsuspecting individuals. The malicious actor then uses the credentials in an attempt to gain access to the targeted accounts. Once prompted with the 2-factor authentication request, they place a specifically timed call to the targeted user and impersonate as one of the bank’s employees, usually claiming they need to check something with the system and ask for the OTP that was just sent to the user. People are compliant by nature and most users would gladly hand over their OTP on a silver platter, allowing the hacker to circumvent the 2FA and gain access to their account.

This attack has several variations, including sending an SMS stating that someone attempted to access the account from an unknown location and in order to properly secure the account, the user should reply with the code that they will soon receive. After sending this message to the victim, the hacker inputs the credentials and is prompted with the 2FA, that is bypassed using the OTP they just received.

Another real-life example I came across - one of my acquaintances was robbed. The thief snuck in, in the middle of the night and grabbed the victim's bag with all the personal belongings including smartphone, credit cards and ID documents. Using the credit card PIN recovery feature via SMS, the crooks managed to withdraw thousands of dollars from the victim's bank account. Now you may be thinking, “I lock my phone, so I’m good”. Well, the devil is in the details – in this particular case the SMSs were actually visible, even when the phone was locked. This is to allow for quick viewing of incoming messages, but a terrible idea from a security perspective.

So, what can you do? First of all, change your smartphone’s settings, so that SMS cannot be viewed when the device is locked. Secondly, make sure you follow best practices in regard to "phishy" websites and social engineering via phone calls, as well as training your staff accordingly.

The Ugly
Exploiting SS7 vulnerabilities is frighteningly simple, just check out this short YouTube video that demonstrates how easily it can be done:
In 2011, an attack was conducted on RSA’s servers that supposedly exposed information that could enable malicious actors to circumvent RSA's token mechanism. Read about it here:

Several months back, a group of Chinese hackers launched an attack targeting government entities and managed service providers, using a combination of web server vulnerability exploitation and lateral movement techniques. But the more interesting part of the attack, was related to the way they managed to generate valid RSA software tokens.
Read more about this attack here:

How can Verifyoo help you?
First and foremost, Verifyoo DrawID incorporates two factors in a single solution: The possession factor (device) and the inherent factor (user behavior). Therefore, replacing SMS OTPs or tokens with DrawID can immediately ramp up the security posture and fraud resilience. Secondly, Verifyoo utilizes the push notification infrastructure to initiate the 2FA process, which is much more secure compared to the SS7 protocol. Lastly, using an existing infrastructure without SMSs, means that organizations can cut down costs associated with sending out masses of SMSs, that in some cases are received in a delay or not received at all when the cellular reception is unstable.

For more information visit:
To schedule a demo:

No comments:

Post a Comment