2017-11-28 13:21:36
Sridhar Muppidi
November 27, 2017
We all know the basics of cybercrime, such as phishing emails with malicious
links or attachments, or phone calls from fake help desks seeking to take over
your computer.
But schemes in the cyber world continue to get more sophisticated. One of the
latest scams has hackers taking over phone numbers to drain accounts holding
cryptocurrency such as Bitcoin. How? Hackers have identified a weakness in the
way we use our phones to prove our identities, both to mobile service providers
and to online accounts, and they're exploiting it to steal whatever they can
get their hands on. It all goes back to two-factor authentication, or 2FA.
If you've enabled 2FA on Twitter, Facebook, or Google, you've probably received
a one-time password by SMS text message when logging in or making changes to
the account. Many online cryptocurrency wallets and services also use SMS text
messages as a second form of authentication, in addition to the password you
use to access your account. In the recent mobile phone hijackings, what's being
attacked is not the phone itself but your phone number as a communication
channel.
The end goal is to get an individual's phone number ported over to a burner
phone or SIM card that isn't traceable back to the attacker, typically by
convincing the carrier's customer support that the caller is the subscriber.
Once the attacker can receive the SMS texts intended for the target, they can
use the handy "Forgot password?" link on different login pages and pass the
identity check by impersonating the victim. From the victim's side, the first
symptom is usually that their own phone abruptly loses service, by which point
the password resets may already be under way.
One-time passwords, whether delivered by SMS or email, are often the first form
of 2FA that companies adopt to improve their security. Although attacks on the
mobile channel have been a growing threat, the method has still been considered
a net benefit. In the recent cryptocurrency thefts, however, SMS authentication
became more of an attack vector than a security measure: the code that was
supposed to prove the account owner's identity was delivered straight to the
attacker. The weakness is not limited to porting, either; NIST's 2017 digital
identity guidelines (SP 800-63B) already classify SMS and voice as restricted
authenticators because the channel can be hijacked or intercepted.
So, how do we defend our information against this latest method and broader
authentication fraud? Wouldn't it make more sense if we could make the
authentication process more intelligent and aware of risk? One way forward is
to use push notifications to tie your identity to a device rather than to your
phone number: the authenticator app holds a secret generated on the device at
enrollment, and each login is approved by that device answering a fresh
challenge, not by whoever happens to receive a text. Porting the number moves
the texts; it does not move the secret. Authentication applications are a good
place to start for this type of functionality (Disclosure: IBM Verify, offered
by my company, is one of these). One caveat: the account's recovery and
re-enrollment flows must not fall back to SMS, or the "Forgot password?" link
remains the weak link.
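As an added illustration (not code from the original post, from IBM Verify, or from any product), the following Python models both flows end to end against a toy carrier: an SMS one-time-password reset that is bound only to the phone number, and a device-bound challenge-response factor in the style of an authenticator app. The carrier, the phone number, the user name and the HMAC-based challenge are all constructed assumptions; real push authenticators usually use an asymmetric key held in the device's secure hardware, but the property demonstrated is the same: the port moves the texts, not the secret.

```python
# Added example (not from the original post): why a device-bound second factor
# survives a phone-number port while an SMS one-time password does not.
# Stdlib only; the carrier, handsets and services are toy models (assumptions).
import hashlib
import hmac
import secrets

class Carrier:
    """Toy mobile carrier: maps each phone number to the handset it currently
    routes to. A successful social-engineering call is modelled as a port()."""
    def __init__(self):
        self.routing = {}  # phone number -> handset id

    def port(self, number, handset):
        self.routing[number] = handset

    def deliver_sms(self, number, text, inboxes):
        inboxes.setdefault(self.routing[number], []).append(text)

class SmsOtpService:
    """Server side of an SMS 'Forgot password?' flow. The challenge is bound
    only to the number on file, so whoever receives SMS for it passes."""
    def __init__(self, carrier):
        self.carrier = carrier
        self.users = {}    # username -> phone number
        self.pending = {}  # username -> outstanding OTP

    def enroll(self, username, number):
        self.users[username] = number

    def start_reset(self, username, inboxes):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = otp
        self.carrier.deliver_sms(self.users[username], f"Your code: {otp}", inboxes)

    def finish_reset(self, username, otp):
        return hmac.compare_digest(self.pending.pop(username, ""), otp)

class DeviceBoundService:
    """Server side of a push/challenge-response factor. At enrollment the device
    gets a secret that never leaves it; each login is a fresh nonce the device
    must MAC. Porting the number gives the attacker no secret."""
    def __init__(self):
        self.devices = {}  # username -> enrolled device secret
        self.pending = {}  # username -> outstanding nonce

    def enroll(self, username):
        secret = secrets.token_bytes(32)
        self.devices[username] = secret
        return secret  # handed only to the enrolling device

    def start_login(self, username):
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce  # pushed to the registered device

    def finish_login(self, username, response):
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        expected = hmac.new(self.devices[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def device_respond(secret, nonce):
    """What the authenticator app on the enrolled device computes."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def simulate_port_attack():
    """Returns (sms_reset_ok, attacker_device_login_ok, victim_device_login_ok)
    after the victim's number has been ported to the attacker's burner."""
    carrier = Carrier()
    carrier.port("+15555550100", "victim-handset")  # constructed sample number
    sms = SmsOtpService(carrier)
    sms.enroll("alice", "+15555550100")
    push = DeviceBoundService()
    alice_secret = push.enroll("alice")  # lives only on the victim's handset
    # The attacker talks the carrier into moving the number to a burner.
    carrier.port("+15555550100", "attacker-burner")
    inboxes = {}
    # SMS path: the code lands in the attacker's inbox and the reset passes.
    sms.start_reset("alice", inboxes)
    stolen_code = inboxes["attacker-burner"][-1].split()[-1]
    sms_ok = sms.finish_reset("alice", stolen_code)
    # Device-bound path: no device secret, so a forged MAC is rejected.
    nonce = push.start_login("alice")
    forged = hmac.new(b"guess", nonce, hashlib.sha256).digest()
    attacker_ok = push.finish_login("alice", forged)
    # The legitimate device still answers correctly for Alice.
    nonce = push.start_login("alice")
    victim_ok = push.finish_login("alice", device_respond(alice_secret, nonce))
    return sms_ok, attacker_ok, victim_ok
```

Run `simulate_port_attack()` and the SMS reset succeeds for the attacker while the device-bound login fails for them and still works for the victim. The one-shot nonce in `finish_login` also matters: a push approval that could be replayed would reintroduce exactly the interception problem the text describes.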
While push notifications are a fix for this specific issue, the bigger solution
for businesses is to understand every authentication point in their security
environment, including the account recovery and help desk paths that attackers
actually target. Enterprises and SMBs should consider identity and access
management solutions to govern access to resources and applications, whether in
the cloud, on premises, or in a hybrid cloud. Modern solutions handle
onboarding and offboarding users, access certifications, and separation of
duties to help organizations maintain compliance with regulations such as GDPR
and PSD2.
Companies that take a hard look at their risk factors typically land on the
strongest practical solution: multifactor authentication. Most larger financial
institutions have adopted this layered approach to authenticate identities at
various points throughout the user experience. For instance, the user provides
a PIN, password, or fingerprint to log in to a mobile banking app, and if the
system detects additional risk factors, other forms of authentication may be
required. If the user's mobile device reports a location outside of the user's
normal travel patterns, for example, the system might flag the session for
potential fraud and push the next challenge to the user to ensure they are who
they claim to be.
The other security layer now being deployed to authenticate identities is
behavioral analytics, which complements multifactor authentication. It allows
security teams to dial the required assurance up or down depending not only on
the value of the data or transaction but also on the risk signals observed
throughout the entire session. Where risk is determined to be low and user
experience is paramount, additional authentication factors can be suppressed
as long as no abnormal activity is detected, lowering the barrier to completing
a transaction. The check a practitioner should insist on is that this
suppression is bounded: a high-value action or a never-seen device must always
be able to force a step-up, however clean the rest of the session looks.
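To make the step-up logic of the last two paragraphs concrete, here is an added Python example (not from the original post or from any IBM product) of a small risk-based policy: it scores a session from a few signals, applies an impossible-travel check to the location signal, suppresses extra factors when the score is low, and requires a push approval or a flagged step-up as the score rises. The signal names, weights, thresholds and the 900 km/h travel ceiling are assumptions chosen for illustration.

```python
# Added example (not from the original post): a toy risk-based step-up policy
# of the kind described above. The signal names, weights and thresholds are
# assumptions chosen for illustration, not any product's actual rules.
import math
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    device_known: bool             # device previously enrolled for this user
    distance_km_from_usual: float  # distance from the user's usual locations
    hours_since_last_seen: float   # time since the last session from "usual"
    transaction_value: float       # value of the action being attempted
    behavior_similarity: float     # 0..1 match against the behavioral profile

@dataclass
class Decision:
    score: float
    required_factors: list = field(default_factory=list)  # beyond the primary
    flagged_for_fraud: bool = False

def impossible_travel(distance_km, hours):
    """True when the new location could not have been reached by ordinary
    travel since the last sighting. 900 km/h is an assumed airliner speed."""
    if hours <= 0:
        return distance_km > 0
    return distance_km / hours > 900

def risk_score(s):
    """Additive risk score clamped to [0, 100]; the weights are illustrative."""
    score = 0.0
    if not s.device_known:
        score += 40
    if impossible_travel(s.distance_km_from_usual, s.hours_since_last_seen):
        score += 50
    elif s.distance_km_from_usual > 200:
        score += 20
    # Transaction value scales risk logarithmically: a large transfer raises
    # the bar without making every small payment painful.
    score += 10 * math.log10(1 + s.transaction_value / 100)
    # Low behavioral similarity (typing cadence, swipe patterns) adds risk.
    score += 30 * (1 - s.behavior_similarity)
    return min(100.0, score)

def decide(s):
    """Map a session's risk to the extra factors the user must present.
    Low risk: no extra challenge (factors suppressed for a smooth experience).
    Medium risk: one device-bound push approval.
    High risk: push approval plus a knowledge factor, and the session is flagged."""
    d = Decision(score=risk_score(s))
    if d.score < 25:
        return d
    if d.score < 60:
        d.required_factors = ["push_approval"]
        return d
    d.required_factors = ["push_approval", "security_question"]
    d.flagged_for_fraud = True
    return d
```

A known device paying a small amount from its usual area scores in the single digits and gets no extra challenge; the same device 300 km away moving a few hundred crosses the medium band and gets a push approval; an unknown device that has "travelled" 5,000 km in two hours to move a large sum saturates the score and is flagged. Note that the unknown-device weight alone already clears the low-risk band, which is what keeps the suppression bounded.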
All of these mobile security improvements point to using the device itself for
authentication, not an easily transferable phone number or a message that can
be intercepted by mobile malware. Every layer of defense counts, but as the
phone hijacking cases show, authentication measures only work if they're not
the weak link. The big picture is that no single method of authentication will
be suited to every situation. Sooner rather than later, companies should adopt
a risk-based approach that uses multifactor authentication, taking into account
location, behavior analytics, and numerous other indicators of identity.
Sridhar Muppidi is an IBM Distinguished Engineer and Chief Technology Officer
for Identity & Access Management Solutions in IBM Security Systems. In this
role, Sridhar drives IAM technical strategy, architecture, and solutions,
including mobile security and cloud security. He is a technical leader with
about 20 years' experience in security, software product development, and
security solutions architecture for a number of industry verticals.