Companies Need More Than Two-Factor Authentication to Keep Users Safe

2017-11-28 13:21:36

Sridhar Muppidi

November 27, 2017

We all know the basics of cybercrime, such as phishing emails with malicious links or attachments, or phone calls from fake help desks seeking to take over your computer.

But schemes in the cyber world continue to get more sophisticated. One of the latest scams has hackers stealing phone numbers to drain cryptocurrency accounts such as Bitcoin. How? Hackers have identified a weakness in the way we use our phones to authenticate our identities to mobile service providers, as well as to online accounts. They're exploiting this weakness to steal whatever they can get their hands on. And it all goes back to two-factor authentication, or 2FA.

If you've enabled 2FA on Twitter, Facebook, or Google, you've probably received a one-time password, through SMS text message, for logging in or making changes to the account. Many online cryptocurrency wallets and services also use SMS text messages as a second form of authentication, in addition to the password you use to access your account. With the recent mobile phone hijackings, what's being attacked is your phone number as a method of communication.

The end goal here is to get an individual's phone number ported over to a burner phone or SIM card that isn't traceable back to the attacker. Once the attacker can receive SMS texts intended for their target, they can use the handy "Forgot Password?" link on different login pages and verify their identity by impersonating the victim.

One-time passwords, whether delivered through SMS or email, are often the first form of 2FA that companies adopt to improve their security measures. Although mobile attacks have been a growing threat to it, this method has still been considered beneficial. In the recent cryptocurrency thefts, however, it could be argued that SMS authentication became more of an attack vector than a security measure.

So, how do we defend our information against this latest method and broader authentication fraud? Wouldn't it make more sense if we could make the authentication process more intelligent and aware of risk? One way forward is to use push notifications to tie your identity to a device rather than to your phone number. Authentication applications are a good place to start for this type of functionality (Disclosure: IBM Verify, offered by my company, is one of these).

While push notifications are a fix for this specific issue, the bigger solution for businesses is to better understand every authentication point in their security environment. Enterprises and SMBs should consider using identity and access management solutions to govern access to resources and applications, whether in the cloud, on premises, or in a hybrid cloud. Modern solutions handle onboarding and offboarding users, access certifications, and separation of duties to help organizations maintain compliance with regulations such as GDPR and PSD2.

Companies that take a hard look at their risk factors typically land on the strongest possible solution: multifactor authentication. Most larger financial institutions have adopted this layered approach to authenticate identities at various points throughout the user experience. For instance, the user will provide a PIN, password, or fingerprint to log in to a mobile banking app, and if the system detects any additional risk factors, other forms of authentication may be required. If the user's mobile device reports that it is at a location outside of the user's normal travel patterns, for example, the system might flag the session for potential fraud and push the next challenge to the user, to ensure they are who they claim to be.

The other security layer now being deployed to authenticate identities is behavioral analytics, which is used to complement multifactor authentication. This allows security teams to dial the required security up or down, depending not only on the value of the data or transaction but also on the security risks presented throughout the entire session. In situations where risk is determined to be low and user experience is paramount, additional authentication factors can be suppressed if no abnormal activity is detected, lowering the barrier to completing a transaction.
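To make the risk-based step-up described in the last two paragraphs concrete, here is an added example (not code from the article or from IBM Verify) of a small policy engine: it scores a session on device enrollment, distance from the user's usual locations, transaction value and a behavioral-anomaly figure, suppresses extra factors when risk is low, and otherwise demands a device-bound challenge, never a phone-number-bound SMS code. The signal names, weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

# Step-up factors this hypothetical policy is willing to issue. SMS and email
# one-time codes are deliberately absent: they bind to a portable phone number
# or mailbox, not to a device the user actually holds.
DEVICE_BOUND_FACTORS = ("device_push", "authenticator_totp")


@dataclass(frozen=True)
class SessionSignals:
    """Constructed risk signals; a real deployment derives these from telemetry."""
    primary_factor_ok: bool        # PIN, password or fingerprint already verified
    device_enrolled: bool          # this device is registered for push approval
    km_from_usual_locations: float # distance from the user's normal travel pattern
    transaction_value: float       # value of the action being authorized
    behavior_anomaly: float        # 0.0 normal .. 1.0 highly abnormal (analytics)


def risk_score(s: SessionSignals) -> int:
    """Combine the signals into a 0-100 score; weights are illustrative only."""
    score = 0
    if not s.device_enrolled:
        score += 30
    if s.km_from_usual_locations > 500:
        score += 25
    if s.transaction_value >= 1000:
        score += 20
    score += round(40 * max(0.0, min(1.0, s.behavior_anomaly)))
    return min(score, 100)


def decide(s: SessionSignals) -> dict:
    """Return whether to allow now, which factors are still required, and
    whether to flag the session for fraud review."""
    if not s.primary_factor_ok:
        return {"allow": False, "required": ["primary"], "flag_fraud": False}
    score = risk_score(s)
    if score < 30:
        # Low risk: suppress extra factors so the transaction completes smoothly.
        return {"allow": True, "required": [], "flag_fraud": False}
    # Prefer push to the enrolled device; otherwise fall back to a code from a
    # previously enrolled authenticator app. Both are device-bound, neither is SMS.
    step_up = "device_push" if s.device_enrolled else "authenticator_totp"
    if score < 60:
        return {"allow": False, "required": [step_up], "flag_fraud": False}
    # High risk: require the device-bound challenge and flag for fraud review.
    return {"allow": False, "required": [step_up], "flag_fraud": True}
```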

All of these mobile security improvements point to using the device itself for authentication, and not an easily transferable phone number or a message that can be intercepted by mobile malware. Every layer of defense counts, but as shown by these phone hijacking cases, authentication measures only work if they're not the weak link. The big picture here is that no single method of authentication will always be suited for every situation. Sooner rather than later, companies should adopt a risk-based approach that uses multifactor authentication, taking into account location, behavioral analytics, and numerous other indicators of identity.

Sridhar Muppidi is an IBM Distinguished Engineer and Chief Technology Officer for Identity & Access Management Solutions in IBM Security Systems. In this role, Sridhar drives IAM technical strategy, architecture, and solutions, including mobile security and cloud security. He is a technical leader with about 20 years' experience in security, software product development, and security solutions architecture for a number of industry verticals.