💾 Archived View for gmi.noulin.net › mobileNews › 6499.gmi captured on 2024-05-10 at 12:10:16. Gemini links have been rewritten to link to archived content
2017-11-28 13:21:36
Sridhar Muppidi
November 27, 2017
We all know the basics of cybercrime, such as phishing emails with malicious links or attachments, or phone calls from fake help desks seeking to take over your computer.
But schemes in the cyber world continue to get more sophisticated. One of the latest scams has hackers taking over victims' phone numbers to drain cryptocurrency holdings such as Bitcoin. How? Hackers have identified a weakness in the way we use our phones to prove our identity, both to mobile carriers and to online accounts, and they're exploiting it to steal whatever they can get their hands on. It all comes back to SMS-based two-factor authentication, or 2FA.
If you've enabled 2FA on Twitter, Facebook, or Google, you've probably received a one-time password through an SMS text message when logging in or making changes to the account. Many online cryptocurrency wallets and services also use SMS text messages as a second form of authentication, in addition to the password you use to access your account. In the recent mobile phone hijackings, what's being attacked is the assumption that only you can receive messages sent to your phone number.
The end goal is to get the victim's phone number moved, through a SIM swap or a port-out request at the carrier, onto a SIM card or burner phone that the attacker controls and that isn't traceable back to them. Once the attacker receives the SMS texts intended for the target, they can use the handy "Forgot Password?" link on different login pages and pass the SMS verification step while impersonating the victim; the second factor has become the only factor.
One-time passwords, whether delivered through SMS or email, are often the first form of 2FA that companies adopt to improve their security. Although mobile attacks have been a growing threat to it, the method has still been considered a net improvement over a password alone. In the recent cryptocurrency thefts, however, SMS authentication arguably became more of an attack vector than a security measure: a phone number is an identifier the carrier can reassign, not a secret the user holds.
So, how do we defend our information against this latest method and against broader authentication fraud? Wouldn't it make more sense if we could make the authentication process more intelligent and aware of risk? One way forward is to use push notifications to tie your identity to a key held on the device itself rather than to your phone number, which a carrier can reassign. Authentication applications are a good place to start for this type of functionality (Disclosure: IBM Verify, offered by my company, is one of these).
While push notifications are a fix for this specific issue, the bigger solution for businesses is to better understand every authentication point in their security environment. Enterprises and SMBs should consider using identity and access management solutions to govern access to resources and applications, whether in the cloud, on premises, or in a hybrid cloud. Modern solutions handle onboarding and offboarding users, access certifications, and separation of duties to help organizations maintain compliance with regulations such as GDPR and PSD2.
Companies that take a hard look at their risk factors typically land on the strongest practical solution: multifactor authentication. Most larger financial institutions have adopted this layered approach to authenticate identities at various points throughout the user experience. For instance, the user will provide a PIN, password, or fingerprint to log in to a mobile banking app, and if the system detects any additional risk factors, other forms of authentication may be required. If the user's mobile device reports that it is at a location outside of the user's normal travel patterns, for example, the system might flag the session for potential fraud and push the next challenge to the user, to ensure they are who they claim to be.
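To make the device-bound idea concrete, here is a simulated push-style login approval, added as an example for this article; it is not IBM Verify or any vendor's code. A key is generated on the device at enrollment and never leaves it, the server challenges the device with a nonce plus a description of what is being approved, and the device answers with a MAC over both. An HMAC with a shared secret stands in for the asymmetric signature a real authenticator would use; the account names, IP address, and TTL are constructed for the demo. The phone number appears nowhere, so an attacker who has SIM-swapped the victim's number has nothing to sign with.

```python
"""Device-bound login approval (push-style), standard library only.

Added example, not IBM Verify or any vendor code. Shared-secret HMAC stands in
for the device's asymmetric key; all names and values are constructed.
"""
import hashlib
import hmac
import secrets
import time


def approval_mac(device_key: bytes, nonce: str, context: str) -> str:
    """MAC over the challenge nonce and the exact action the user approved."""
    msg = f"{nonce}|{context}|approve".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Device:
    """Authenticator app: the key is generated on the device at enrollment."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def approve(self, nonce: str, context: str) -> str:
        # A real app shows `context` to the user and only signs if they tap Approve.
        return approval_mac(self.key, nonce, context)


class Server:
    def __init__(self):
        self.device_keys = {}   # account -> enrolled device key (no phone number anywhere)
        self.pending = {}       # challenge id -> (account, nonce, context, expiry)

    def enroll(self, account: str, device: Device) -> None:
        self.device_keys[account] = device.key

    def start_login(self, account: str, context: str, now: float, ttl: float = 60.0):
        cid, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[cid] = (account, nonce, context, now + ttl)
        return cid, nonce

    def verify(self, cid: str, response: str, now: float) -> bool:
        entry = self.pending.pop(cid, None)   # single use: a replayed approval finds nothing
        if entry is None:
            return False
        account, nonce, context, expiry = entry
        key = self.device_keys.get(account)
        if key is None or now > expiry:
            return False
        return hmac.compare_digest(approval_mac(key, nonce, context), response)


def demo() -> dict:
    """Runs the flow for the enrolled device and for an attacker holding the SIM."""
    server, alice_phone, attacker_phone = Server(), Device(), Device()
    server.enroll("alice", alice_phone)
    context = "login to wallet from 203.0.113.7"   # constructed example address
    now = time.time()

    cid, nonce = server.start_login("alice", context, now)
    legit = server.verify(cid, alice_phone.approve(nonce, context), now + 5)
    replay = server.verify(cid, alice_phone.approve(nonce, context), now + 6)

    cid, nonce = server.start_login("alice", context, now)   # attacker has the number, not the key
    sim_swap = server.verify(cid, attacker_phone.approve(nonce, context), now + 5)

    cid, nonce = server.start_login("alice", context, now)   # approval arrives after the TTL
    stale = server.verify(cid, alice_phone.approve(nonce, context), now + 120)

    cid, nonce = server.start_login("alice", context, now)   # approval bound to a different action
    wrong_context = server.verify(cid, alice_phone.approve(nonce, "transfer 5 BTC"), now + 5)

    return {"legit": legit, "replay": replay, "sim_swap": sim_swap,
            "stale": stale, "wrong_context": wrong_context}
```

Binding the context into the MAC matters as much as the key: a "Forgot Password?" request triggered by the attacker produces a prompt on the real device describing an action the owner did not start, which they can deny, and an approval captured for one action cannot be spliced onto another.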
The other security layer now being deployed to authenticate identities is behavioral analytics, which is used to complement multifactor authentication. This allows security teams to dial the required security up or down, depending not only on the value of the data or transaction but also on the security risks presented throughout the entire session. In situations where risk is determined to be low and user experience is paramount, additional authentication factors can be suppressed if no abnormal activity is detected, lowering the barrier of completing a transaction.
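The two paragraphs above describe a risk engine: score the session from location, device, transaction value, and behavioural signals, then suppress, require, or refuse the extra factor accordingly. The following is an added illustration of that decision logic, not IBM's product code; the weights, thresholds, user profile, and sessions are all constructed, and a real deployment would tune them from its own fraud data.

```python
"""Risk-based step-up authentication decision, standard library only.

Added example, not any vendor's engine. Weights, thresholds, the profile and the
sample sessions are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """What the system has learned about one user's normal behaviour."""
    usual_countries: frozenset
    known_devices: frozenset
    typical_amount: float


@dataclass(frozen=True)
class Session:
    """Signals gathered during one session (constructed)."""
    country: str
    device_id: str
    amount: float
    failed_logins: int
    behaviour_anomaly: bool   # set by behavioural analytics (typing, navigation, timing)


# Assumed weights and thresholds; tune from your own fraud data.
WEIGHTS = {
    "unusual_location": 30,
    "unknown_device": 25,
    "high_value": 20,
    "failed_logins": 20,
    "behaviour_anomaly": 30,
}
STEP_UP_AT, DENY_AT = 20, 60


def risk_score(profile: Profile, session: Session):
    """Returns (score, reasons) so a decision can be explained to the fraud team."""
    reasons = []
    if session.country not in profile.usual_countries:
        reasons.append("unusual_location")
    if session.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if session.amount > 3 * profile.typical_amount:
        reasons.append("high_value")
    if session.failed_logins >= 3:
        reasons.append("failed_logins")
    if session.behaviour_anomaly:
        reasons.append("behaviour_anomaly")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: Profile, session: Session) -> dict:
    score, reasons = risk_score(profile, session)
    if score >= DENY_AT:
        action = "deny"        # refuse and route to fraud review
    elif score >= STEP_UP_AT:
        action = "step_up"     # push an approval to the enrolled device, never SMS
    else:
        action = "allow"       # low risk: suppress the extra factor for a smoother session
    return {"score": score, "action": action, "reasons": reasons}


# Constructed profile and sessions for a user who normally banks from GB on one device.
PROFILE = Profile(frozenset({"GB"}), frozenset({"dev-a1"}), typical_amount=100.0)
SESSIONS = [
    Session("GB", "dev-a1", 40.0, 0, False),     # routine: allow
    Session("ES", "dev-a1", 60.0, 0, False),     # abroad on the known device: step up
    Session("ES", "dev-zz", 2500.0, 0, False),   # new device, new country, big transfer: deny
    Session("GB", "dev-a1", 900.0, 0, True),     # familiar setup but behaviour looks wrong: step up
    Session("GB", "dev-a1", 50.0, 4, False),     # repeated password failures: step up
]


def run_samples() -> list:
    return [decide(PROFILE, s) for s in SESSIONS]


if __name__ == "__main__":
    for s, d in zip(SESSIONS, run_samples()):
        print(f"{s.country} {s.device_id} {s.amount:>7.2f} -> {d['action']:8} score={d['score']} {d['reasons']}")
```

The step-up action should itself be a device-bound challenge rather than an SMS code; otherwise the engine correctly spots the suspicious session and then hands the decision to the very channel the phone hijacker controls.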
All of these mobile security improvements point to using the device itself for authentication, and not an easily transferable phone number or a message that can be intercepted by mobile malware. Every layer of defense counts, but as shown by these phone hijacking cases, authentication measures only work if they're not the weak link. The big picture here is that no single method of authentication will always be suited for every situation. Sooner rather than later, companies should adopt a risk-based approach that uses multifactor authentication, taking into account location, behavioral analytics, and numerous other indicators of identity.
Sridhar Muppidi is an IBM Distinguished Engineer and Chief Technology Officer for Identity & Access Management Solutions in IBM Security Systems. In this role, Sridhar drives IAM technical strategy, architecture, and solutions, including mobile security and cloud security. He is a technical leader with about 20 years' experience in security, software product development, and security solutions architecture for a number of industry verticals.