Two-factor
authentication is typically required and enforced by regulatory bodies, when
dealing with financial transactions or with extremely sensitive data. PSD2 for
instance, is a regulation meant to promote competition in the European banking
industry by requiring financial service providers to open their APIs to
“regulated 3rd parties”. These regulated 3rd parties are
required to enforce two-factor authentication when providing access to their
end users, when accessing their financial information.
Each
of the different variations of the OTP has its own pros and cons, but they
all share one commonality – they require you, the consumer, to carry something. From a security point of view, should the item fall into the wrong
hands, this paves the way to account takeover by a malicious party.
The
image below shows a quite original crook, using chopsticks to pickpocket
unsuspecting victims.
The
Good
Let’s
start with the user experience – OTPs remove the need to memorize passwords,
although they are typically coupled with another “memory-based” factor such as username
and password. OTPs also provide relatively good protection vs. replay attacks,
since the one-time code or token can only be used within a limited time span,
unlike passwords which are static and in the best case, are replaced every 2-3
months.
Perhaps
the biggest advantage of SMS based OTPs is that they work on any device, and
believe or not, some populations still use just “phones” as oppose to
smartphones.
Fun
Fact: Some Jewish Orthodox populations actually require a “Kosher” stamp on
phones that they use. For some Jewish communities, “smartphones” in general are
not considered Kosher, therefore they are required to non-smartphones, which
can only use SMS to deliver the OTP.
The
Bad
The
downside is that the user needs to carry something physical – a device with the
relevant SIM card, a token, or a registered device with a soft token.
A
true story – someone once shared with me that they were abroad and had to
access their bank account to do an urgent transaction. Surprise-surprise, they
forgot their password and had to go through the tedious “recovery” process.
However, since they were abroad, they could not receive SMSs (some banks
restrict sending SMSs if the person is in a foreign country, for security reasons)
and could not recover their password. In order to change their registered
number to the temporary local number, they needed their password. Quite the conundrum.
Eventually they had to call the helpdesk and waste precious time.
Aside
from the usability limitations, SMS OTPs suffer from an inherent security flaw
– the SS7 protocol used to send SMS has been declared by NIST and other
standardization bodies to be insecure and unfit to be used for 2FA. In this
case, hard tokens fare better from the security perspective, but who wants to
carry a token with them at all times?
Social
engineering is another phenomenon that has been the root cause for widespread
fraud in the financial industry. It usually goes something like this: Hackers
pull up a phony web site that is used to amass username, passwords and other
personal details from unsuspecting individuals. The malicious actor then uses
the credentials in an attempt to gain access to the targeted accounts. Once
prompted with the 2-factor authentication request, they place a specifically timed
call to the targeted user and impersonate as one of the bank’s employees,
usually claiming they need to check something with the system and ask for the OTP
that was just sent to the user. People are compliant by nature and most users
would gladly hand over their OTP on a silver platter, allowing the hacker to
circumvent the 2FA and gain access to their account.
This
attack has several variations, including sending an SMS stating that
someone attempted to access the account from an unknown location and in order
to properly secure the account, the user should reply with the code that they
will soon receive. After sending this message to the victim, the hacker inputs
the credentials and is prompted with the 2FA, that is bypassed using the OTP they just received.
Another
real-life example I came across - one of my acquaintances was robbed. The thief
snuck in, in the middle of the night and grabbed the victim's bag with all the personal
belongings including smartphone, credit cards and ID documents. Using the
credit card PIN recovery feature via SMS, the crooks managed to
withdraw thousands of dollars from the victim's bank account. Now you may be thinking, “I
lock my phone, so I’m good”. Well, the devil is in the details – in this
particular case the SMSs were actually visible, even when the phone was locked.
This is to allow for quick viewing of incoming messages, but a terrible idea
from a security perspective.
So,
what can you do? First of all, change your smartphone’s settings, so that SMS
cannot be viewed when the device is locked. Secondly, make sure you follow best
practices in regard to "phishy" websites and social engineering via phone
calls, as well as training your staff accordingly.
The
Ugly
Exploiting SS7 vulnerabilities is frighteningly simple, just check out this short YouTube video that demonstrates how easily it can be done: https://youtu.be/fDJ-88e_06A.
In
2011, an attack was conducted on RSA’s servers that supposedly exposed
information that could enable malicious actors to circumvent RSA's token
mechanism. Read about it here: https://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
Several
months back, a group of Chinese hackers launched an attack targeting government
entities and managed service providers, using a combination of web server
vulnerability exploitation and lateral movement techniques. But the more
interesting part of the attack, was related to the way they managed to generate
valid RSA software tokens.
Read more about this attack here: https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
Read more about this attack here: https://www.zdnet.com/article/chinese-hacker-group-caught-bypassing-2fa/
How
can Verifyoo help you?
First
and foremost, Verifyoo DrawID incorporates two factors in a single solution:
The possession factor (device) and the inherent factor (user behavior).
Therefore, replacing SMS OTPs or tokens with DrawID can immediately ramp up the
security posture and fraud resilience. Secondly, Verifyoo utilizes the push
notification infrastructure to initiate the 2FA process, which is much more
secure compared to the SS7 protocol. Lastly, using an existing infrastructure
without SMSs, means that organizations can cut down costs associated with
sending out masses of SMSs, that in some cases are received in a delay or not
received at all when the cellular reception is unstable.
For more information visit: https://www.verifyoo.com
To schedule a demo: https://www.verifyoo.com/Verifyoo/#contact-section
No comments:
Post a Comment