Some of the best online security features aren’t so secure anymore: Online “secrets” erode Multi-Factor Authentication efforts
Many of today’s secure online transactions require one of those nostalgic secret answers: Your high school mascot, favorite color, first pet’s name. Those security tokens are “known secrets” that both the user and the authenticator must know for a transaction to be completed. But today’s digital world — i.e. social media — means those secrets often aren’t all that secret.
The danger goes deeper, though. In recent months, we’ve seen how “known secrets” also can be used to compromise SMS or text messaging-based Multi-Factor Authentication through cellular cloning/porting attacks. Once compromised, these secrets no longer are secure and can be used to harm consumers. Public incidents such as the Equifax breach highlight the challenges related to knowledge-based transactions, as well as how vital protecting non-public information is to daily commerce.
Attackers know there’s a high likelihood of compromising your access controls if they utilize a password you’ve used for another site. The dark web offers several compromised account databases for sale. For as little as $28.24, you can purchase information for half a million compromised Gmail accounts, including passwords. Attackers not only use these passwords to gain access to other sites and systems where you’ve used the same password, they also try to steal gift cards and other goods and services. This practice is known as Credential Stuffing, and involves hackers using databases full of stolen passwords and automatically trying the email address and password combinations on multiple websites in attempts to buy goods or services from online retailers such as Amazon.
These attacks are so commonplace that the National Institute of Standards and Technology (NIST) recently announced new password complexity recommendations targeted at reducing their frequency and impact. Passwords and knowledge-based authenticators are so weak that NIST recommends using Multi-Factor Authentication (basically requiring two credentials, such as logging onto a website that then texts your phone a numeric passcode that you must enter quickly to access the site). But in the draft report, NIST indicates that text messages often aren’t a safe second authentication method in today’s world.
The reason: There’s been an increase in attacks focused on compromising the cellphone to gain access to the user’s Multi-Factor token. Attackers can use several methods: the first goes by several names, including port scamming, SIM swapping, or cloning. This attack continues to be on the rise and simply relies on the attacker being able to convince a cellphone provider employee to port your number to their phone. This enables them to use your password, then trigger the SMS multi-factor token to your phone. Once in, they can register their own authenticator token to maintain access and continue their attack.
Cellphone companies have attempted to address this by having subscribers set “passwords” or “PINs” to prevent changes to the account. However, in practice, many employees still give extremely broad hints to subscribers who are looking to port a number or get a new phone. These knowledge-based secrets are easily guessed and are easy enough to use to circumvent your company’s Multi-Factor Authentication solution.
Another attack method recently mentioned in an article on Vice news focuses on the use of a Sakari business marketing platform. For a small fee, this platform lets an attacker reroute a target’s text messages, while leaving the phone functioning normally on its cell network. These attacks are on the rise, so much so that Microsoft last November published an article urging companies to stop using SMS authentication altogether and move to application-based authentication and physical security keys.
Password-based attacks will continue to torment companies, and Multi-Factor Authentication provides the best protection. However, not all Multi-Factor Authentication is created equal. Just because it’s bundled with your solution does not make it the most secure or cost-effective option available. Biometrics, physical tokens, and one-time application approvals are the most secure forms of Multi-Factor Authentication on the market today. In terms of ease of use and cost to deploy, biometrics lead the pack.