Two-factor, or multi-factor, authentication has become the standard for authentication and is now used globally for access to secure networks, banking accounts, email, and even Amazon. The idea of multi-factor authentication is easy to understand and execute and is fundamentally sound. A user logs on to a web site or VPN and enters their user name and password. Once that is done they are required to enter a secondary code that is typically valid for one-time use only. Traditionally this code came from a hardware token (a small USB-drive-sized device that displays a new number every 30 to 60 seconds; the numbers look random but are derived from a secret stored in the token and the current time), however technology has advanced to the point that the one-time password can also be sent to the user via SMS or generated by an app on a mobile device. Once this secondary code has been entered the user is granted access to their account or network of choice.
Another trend has been self-service password resets. This tool has enabled users to change and recover their passwords without the assistance of IT departments, 24 hours a day. In most cases a user pre-enrols by providing secondary information that is unique to them and hard for others to discover, such as the make and model of their first car, their maternal grandmother’s maiden name, or the name of their first pet. In many cases at least four questions are asked at set-up, and a random subset is later presented when the user needs to reset a password. Over the past few years vendors have also implemented SMS password resets, as these are typically more convenient for the end user since they do not require remembering multiple challenge-and-response questions.
These technologies and approaches have substantially increased security over requiring a single user name and password alone; however, in some cases the implementation has become flawed over the years. The cardinal rule of IT security is to never weaken security for the sake of end-user convenience. Unfortunately, although we increase the security footprint by implementing these technologies, we weaken their effectiveness by bolting on “convenience measures” such as SMS messaging.
In the “real world” a police officer simply being on patrol deters the large majority of crimes that might otherwise take place, but some crimes will happen regardless of the security present. IT security is no different: most opportunistic attackers will walk away when they run into multi-factor authentication, but a determined minority will see their mission through.
There are 2.1 billion smartphones in use globally, of which 207.1 million are in the United States, making SMS messaging a convenient method for secondary authentication and identification. It also means there are 207.1 million US phone numbers whose text messages are only as safe as the carrier’s account-change process. Although most attackers prefer automated processes that can exploit millions of devices at once, it is important to point out that targeted attacks such as the one described below, although simple to execute, do require manual effort.
The attack is simple:
- The target is identified. Most targets tend to be C-level executives at small businesses (under a few hundred users), as these businesses tend to have gaps in security and processes.
- Identify the email system being used. A domain’s MX records are public and reveal its mail provider, and online tools such as https://mxtoolbox.com/SuperTool.aspx make the lookup trivial.
- Review the target’s public DNS records. Most companies with remote access make the host easy to find by using names such as remote.xxx.com or vpn.xxx.com.
- Send an email to the target that will elicit a response, even if only an out-of-office reply. The information the attacker wants is the mobile number associated with the account, and many people now include their mobile number in their email signature. If that fails, the attacker falls back on old-fashioned research via Google, LinkedIn, or the Wayback Machine (https://archive.org/web/).
Once the attacker has the necessary information it is time for the attack itself, which is fairly simple at a high level. First, the attacker ports the target’s phone number to a different provider. Because phone numbers are portable, they can be moved to any one of a great many providers; the keys are timing and the ability to receive text messages. Carriers require only basic account information, which is easily obtained, to move a number from one service to another. Keep in mind that the target still has their handset in hand and will notice once it loses service (this is why timing is critical), so the attacker has only a small window of opportunity (in most cases 12 hours) to complete their objective, which is one reason so many of these attacks are run from overseas.
Once the attacker controls the phone number, they refer back to the information gathered earlier. They start by resetting the corporate email password and, if they are lucky, the reset code is delivered by SMS. Figuring out the user name is simple as, in most cases, it is the target’s email address. Once the attacker has access to the email account, everything else is a matter of data mining, and unfortunately users often mix business and personal email together (this is especially true of C-level executives), which means that sensitive information such as personal bank accounts may now also be within the attacker’s reach.
As with everything else, risk versus reward must be weighed, and a risk assessment is fundamental to this process. The benefits of implementing strong security measures should be considered against the likelihood that an organization or individual will be attacked, and against the damage a successful attack could do. Generally, a targeted, manual attack requires effort, and self-service resets backed by a second factor remain far safer than a single password with no other measure in place.
However, by taking just a few simple measures you can all but eliminate this particular attack.
- Limit the number of people who can manage the company’s mobile phone accounts. These are the people who can make changes to the accounts, such as porting a number from one carrier to another. In many cases the employee assigned to a given number can make changes to the account themselves (whether the company realizes it or not). Those privileges should be removed immediately and granted only to members of the IT department.
- Changes to the account should require the account password as well as a call back to the company’s primary phone number, so that the request can be verbally confirmed or denied by someone with the appropriate authority.
These two steps stop a number being ported out without the company’s knowledge.
- Require users to use an authenticator app rather than SMS messaging. This eliminates a large share of the risk: the app’s secret lives on the handset, not with the phone number, so even if the number is moved to a different carrier the attacker gains nothing from the apps on that device. Make sure the account recovery path does not quietly fall back to SMS, or the gain is lost.
- Install a mobile device management (MDM) tool for greater control of, and insight into, the endpoints. Think ahead: when a device is lost or compromised, the ability to remotely wipe all data from it is critical.
These steps strengthen your two-factor authentication and bring it back in line with the original principle of granting access via something you know (the password) and something you have (the unique token).
- Eliminate SMS password resets altogether.
- Avoid challenge questions whose answers are a matter of public record, e.g. mother’s maiden name, place of birth, or date and location of marriage. All of this is easily obtained from www.ancestry.com and other public search services. Questions should reference things only the user would know, such as the name of their first pet or where they went on their first date.
- Use technology to monitor the geography of sign-ins and connections. Microsoft offers a suite (Enterprise Mobility + Security) that does just that, as well as MDM and password resets. This allows your organization to recognize when changes to an account or device are being made from across the globe, or even just from the other side of the state.
- Monitor user names and passwords to ensure they have not been compromised.
Simple yet effective.
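The geographic monitoring recommended above usually boils down to two checks that are easy to run over sign-in logs yourself. The following is an added example, not code from the article or from Microsoft’s product, of both: an impossible-travel check (consecutive sign-ins by one user whose implied speed no airliner could match) and a new-location check for sensitive actions such as a password reset or a change of MFA phone number. The events, coordinates, baseline locations and the 900 km/h and 50 km thresholds are all constructed for the demo; the IP-to-city step is assumed to have happened upstream.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Actions where a sign-in from an unfamiliar place deserves a closer look.
SENSITIVE_ACTIONS = {"password_reset", "mfa_phone_change"}


@dataclass
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float
    action: str


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample sign-in telemetry (not real log data). Coordinates are
# approximate city centres.
EVENTS: List[SignIn] = [
    SignIn("alice", _utc(2016, 11, 21, 8, 0),   "Chicago",     41.8781, -87.6298, "login"),
    SignIn("alice", _utc(2016, 11, 21, 8, 45),  "Lagos",        6.5244,   3.3792, "password_reset"),
    SignIn("bob",   _utc(2016, 11, 21, 9, 0),   "Chicago",     41.8781, -87.6298, "login"),
    SignIn("bob",   _utc(2016, 11, 21, 12, 30), "Springfield", 39.7817, -89.6501, "login"),
    SignIn("carol", _utc(2016, 11, 21, 10, 0),  "Chicago",     41.8781, -87.6298, "login"),
    SignIn("carol", _utc(2016, 11, 21, 10, 10), "Springfield", 39.7817, -89.6501, "mfa_phone_change"),
]

# Constructed per-user baseline of places each user normally signs in from.
KNOWN_LOCATIONS: Dict[str, Set[str]] = {
    "alice": {"Chicago"},
    "bob": {"Chicago", "Springfield"},
    "carol": {"Chicago"},
}


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def review_events(events, known_locations, max_kmh=900.0, min_km=50.0):
    """Two checks over a stream of sign-ins:
    - impossible travel: consecutive sign-ins by one user whose implied speed
      exceeds max_kmh, ignoring hops shorter than min_km so that IP
      geolocation jitter inside one metro area does not alert;
    - new location: a sensitive action from a city not in the user's baseline.
    Returns a list of alert dicts (user, kind, detail)."""
    alerts = []
    last: Dict[str, SignIn] = {}
    for e in sorted(events, key=lambda x: x.when):
        prev = last.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.when - prev.when).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if km >= min_km and speed > max_kmh:
                alerts.append({
                    "user": e.user, "kind": "impossible_travel",
                    "detail": f"{prev.city} -> {e.city}: {km:.0f} km in "
                              f"{hours * 60:.0f} min ({speed:.0f} km/h)",
                })
        if e.action in SENSITIVE_ACTIONS and e.city not in known_locations.get(e.user, set()):
            alerts.append({"user": e.user, "kind": "new_location",
                           "detail": f"{e.action} from {e.city}"})
        last[e.user] = e
    return alerts


if __name__ == "__main__":
    for a in review_events(EVENTS, KNOWN_LOCATIONS):
        print(f"{a['user']:6} {a['kind']:18} {a['detail']}")
```

In the sample, alice’s password reset from Lagos 45 minutes after a Chicago login trips both checks, bob’s unhurried trip down the interstate trips neither, and carol’s MFA phone change from Springfield ten minutes after a Chicago login is caught even though it never left the state, which is exactly the “other side of the state” case.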
- Users should keep personal and business interests, accounts and so on separate at all times. If they use their business email for their online banking and the corporate email is compromised, they are at even greater risk.
- Users should not use the same password for business accounts as for personal accounts.
- Have users routinely check whether public services they use have been breached by visiting https://haveibeenpwned.com/.
- Educate your users; it is the simplest and most effective way to avoid potential security breaches. Take the social approach to education: https://secureshell.info/2016/11/16/information-technology-should-embrace-marketing/
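Checking whether a password has already been compromised, as recommended above, does not have to mean sending the password anywhere. Here is an added example (not code from the article or from Have I Been Pwned) of the k-anonymity scheme the Pwned Passwords range endpoint uses: only the first five hex characters of the password’s SHA-1 leave the machine, the service returns every hash suffix it knows under that prefix with a count, and the match is made locally. The endpoint URL and the `SUFFIX:COUNT` line format are the real ones; the sample response embedded below is constructed for offline use (the first suffix is the genuine tail of the SHA-1 of “password”, the other lines and all counts are made up).

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords data set uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix is ever sent; the
    remaining 35 characters are matched on this machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """The range endpoint returns one 'SUFFIX:COUNT' line per known hash."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Live fetcher against the real service; not used by the offline demo."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus; 0 means not found.
    The fetcher is injected so the check can run against a live or canned source."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the server's reply to GET .../range/5BAA6.
# Second line is the genuine SHA-1 tail of "password"; the other two
# suffixes and every count are invented for the demo.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "00112233445566778899AABBCCDDEEFF001:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FFEEDDCCBBAA99887766554433221100FFE:17",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher serving the constructed sample above."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3-not-in-sample"]:
        n = breach_count(pw, fetch_range_offline)
        verdict = f"seen {n} times, reject" if n else "not in sample corpus"
        print(f"{pw!r}: {verdict}")
```

Wire `breach_count` into the password-change and enrolment flows with `fetch_range_online` as the fetcher, and reject anything with a non-zero count; because the server only ever sees a five-character prefix shared by hundreds of unrelated hashes, the check can be run against every new password without disclosing it.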