The title of this post seems to be lost on some who are responsible for security architecture. One of my reflections on this past summer is that not everyone is aware of the difference between weaker and stronger forms of multifactor authentication.
You have likely read about multifactor authentication, have used it with your social networking websites, or maybe you have used a form of multifactor authentication in a corporate environment. This is all very good news. The bell has tolled for single-factor username-and-password schemes and people are starting to realize that this old stalwart of authentication needs to be retired as soon as possible.
Keylogging, man-in-the-middle attacks and social engineering techniques leveraged by cunning identity thieves are in the news every day. The time has come for multifactor authentication.
Why? It makes the job of a malicious hacker more difficult. As with all attacks, malicious hackers are looking for ways to steal your identity. Nobody in the cybersecurity business is getting fired right now for suggesting that multifactor authentication should be used in their enterprise. It’s a good idea that has reached the executive ranks.
But without understanding the offensive side of the security equation, there are some in the defensive side of cybersecurity who have forgotten that not all multifactor authentication techniques are equal.
Simply, it’s smart to choose a multifactor authentication that matches the risks.
This summer I spoke to security architects in large enterprises in both North America and Europe and their job was to protect one of three things: money, privacy or critical infrastructure. Some of these professionals were planning to employ SMS-based multifactor authentication. This is where users log in to a website and are challenged to enter a code that is sent to their mobile devices via text message (SMS).
SMS-based multifactor authentication is better than single-factor username-and-password authentication. These professionals had every reason to be glad to be working on these projects. But I challenged some of them to explain to me why they did not choose a stronger form of multifactor authentication.
“What’s wrong with SMS?” they asked. What bothered me was not that they were employing SMS, but that they did not know the weaknesses.
Zitmo and Eurograbber are perfect examples of the weaknesses of SMS. Do a search on these terms and you’ll find that millions of dollars have been stolen because of SMS redirection malware.
In addition, I witnessed a demonstration at the Def Con 21 conference in Las Vegas this year where SMS messages were being intercepted — by a Femtocell device hacked by ethical researchers — and projected onto a screen. This was a friendly environment and nobody was hurt, but it laid bare the weakness of non-encrypted messages like SMS.
There are other forms of multifactor authentication that are much stronger than SMS, and even easier for the end-user. An example includes innovative virtual smart credentials embedded onto mobile devices. The chain of communication is encrypted, and doesn’t require the user to type a code. It’s not often that better security can also mean a better user experience.
Your money and privacy are important to you. Before you log in to a bank, conduct a transaction with your government, or turn on a pump at a critical infrastructure plant, you should consider that there are malicious individuals or groups out there who strive to obtain your identity for illegal gain. Making it more difficult for the bad guy means choosing a method of authentication that does not easily give away your identity.
SMS multifactor authentication is a step above username-and-password solutions, but if what you are protecting is important to you, there are stronger methods.