Hacking two-factor authentication – an old problem in need of a new solution
I recently had the opportunity to be a panelist on an Access Granted Webinar entitled, “Anatomy of a Breach,” in which Savanture’s Doug Howard and I analyzed five recent, high-profile security breaches. The breaches that we dissected were the recent breaches that impacted Anthem, JPMorgan Chase, Starbucks, DropBox and the Office of Personnel Management, looking at how the breach occurred, what was compromised and what could have been done to mitigate the damage done in each situation.
Although these five breaches all originated from separate industries – healthcare, financial services, retail, cloud services and government, respectively – Doug and I found something in common across all of them. Each of the individual breaches involved compromised credentials at some level.
In some cases (Starbucks, DropBox), the stolen credentials belonged to customers and users, many of whom were reusing passwords that may have been compromised elsewhere. In other cases (OPM, Anthem, JPMorgan Chase), the credentials were those of employees or those needed to access servers. Regardless, credentials that didn’t belong to them were utilized by bad actors. These bad actors took advantage of the access those credentials gave them to steal money or steal important, sensitive PII.
One of the actions that Doug and I suggested that could help avoid these types of attacks was implementing multifactor authentication, which requires more than a simple log-in and password as credentials. In each of the cases above, multifactor authentication could have gone a long way to better protecting accounts and mitigating the risk.
But can just any multifactor authentication solution effectively protect these networks? Not necessarily. Security expert and frequent security blogger Bruce Schneier identified, on his Schneier on Security blog, two attacks that defeat simple two-factor authentication:
Here are two new active attacks we’re starting to see:
Man-in-the-Middle attack – An attacker puts up a fake bank website and entices the user to that website. The user types in his password, and the attacker in turn uses it to access the bank’s real website. Done right, the user will never realize that he isn’t at the bank’s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time.
Trojan attack – The attacker gets a Trojan installed on the user’s computer. When the user logs into his bank’s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants. (Read Bruce’s full post here.)
Bruce is right. And what’s more astonishing is WHEN Bruce was right. He authored this in March of 2005 – more than a decade ago. So what’s changed since then? Two-factor authentication has been required and rolled out across many financial services companies, but with little success.
According to Bruce, what have been successful are systems put in place by banks and other institutions that analyze activity and determine intent based on what individuals do once they’re logged in. Here is an excerpt from what Bruce wrote in a different article:
Despite the FFIEC guidance about authentication, the emerging technologies that actually seem to hold the most promise for protecting the funds in consumer banking accounts aren’t authentication systems at all. They’re back-end systems that monitor for suspicious behavior. (Read Bruce’s full post here.)
This goes hand-in-hand with what I’ve said in previous articles on Access Granted. Ultimately, single-factor and even multifactor authentication isn’t enough to protect accounts. What’s necessary is the ability to gauge more than a user’s identity. We must also determine things like their location and intent to ensure that their access to accounts isn’t malicious. In simplest terms, we need not only good authentication, but also verification of the authenticity of the action.
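To make the "back-end systems that monitor for suspicious behavior" idea concrete, here is an added example of a toy post-login risk scorer. It is not code from the original post or from Authomate; the event fields, thresholds, risk weights and the sample history are all constructed for illustration. It combines the signals the article names (location, device, and what the user actually does once logged in) into a score that drives an allow / step-up / block decision.

```python
"""Added example: a toy back-end risk scorer for post-login activity.
Not code from the original post or from Authomate; every threshold,
event field and sample event below is constructed for illustration."""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from statistics import mean


@dataclass
class Event:
    user: str
    ts: float          # seconds since epoch (constructed values)
    lat: float
    lon: float
    device_id: str
    action: str        # "login" or "transfer"
    amount: float = 0.0
    payee: str = ""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def score_event(history, ev, max_kmh=900.0):
    """Return (score, reasons) for ev given the user's prior events.

    Scoring is additive over independent signals; the weights and
    thresholds are assumptions for this example, not values from the post."""
    score = 0
    reasons = []
    prior = [h for h in history if h.user == ev.user]
    if not prior:
        return 0, ["no history"]  # first sight: nothing to compare against
    last = prior[-1]
    # 1. Impossible travel: implied speed between consecutive events.
    hours = (ev.ts - last.ts) / 3600.0
    dist = haversine_km(last.lat, last.lon, ev.lat, ev.lon)
    if hours > 0 and dist / hours > max_kmh:
        score += 50
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
    # 2. Device never seen for this user before.
    if ev.device_id not in {h.device_id for h in prior}:
        score += 20
        reasons.append(f"new device {ev.device_id}")
    if ev.action == "transfer":
        transfers = [h for h in prior if h.action == "transfer"]
        # 3. Payee never paid before.
        if ev.payee and ev.payee not in {h.payee for h in transfers}:
            score += 15
            reasons.append(f"new payee {ev.payee}")
        # 4. Amount far above the user's historical average transfer.
        if transfers:
            avg = mean(h.amount for h in transfers)
            if ev.amount > 5 * avg:
                score += 25
                reasons.append(f"amount {ev.amount:.2f} > 5x avg {avg:.2f}")
        # 5. Burst of transfers within the last 10 minutes.
        recent = [h for h in transfers if ev.ts - h.ts < 600]
        if len(recent) >= 3:
            score += 20
            reasons.append(f"{len(recent)} transfers in 10 min")
    return score, reasons


def decide(score):
    """Map a score to an action: allow, step-up (out-of-band confirm), or block."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"
    return "allow"


# Constructed history for user "alice": one device, one city, small routine transfers.
HISTORY = [
    Event("alice", 1_000_000, 51.5, -0.12, "dev-A", "login"),
    Event("alice", 1_000_060, 51.5, -0.12, "dev-A", "transfer", 40.0, "landlord"),
    Event("alice", 1_086_400, 51.5, -0.12, "dev-A", "login"),
    Event("alice", 1_086_500, 51.5, -0.12, "dev-A", "transfer", 60.0, "utility"),
]

# Constructed suspicious event: 30 minutes after the last event, from coordinates
# thousands of km away, on an unseen device, a large transfer to a new payee.
SUSPECT = Event("alice", 1_088_300, 40.7, -74.0, "dev-Z", "transfer", 2500.0, "mule-acct")
# Constructed benign event: a day later, same device, same city, usual payee and amount.
BENIGN = Event("alice", 1_172_900, 51.5, -0.12, "dev-A", "transfer", 45.0, "landlord")

if __name__ == "__main__":
    for ev in (BENIGN, SUSPECT):
        s, why = score_event(HISTORY, ev)
        print(ev.payee, s, decide(s), why)
```

The point of the step-up tier is that the behavioural score decides when a second, out-of-band confirmation is worth asking for, rather than challenging every login; a real deployment would tune the weights against labelled fraud data and keep the device and payee sets in a store rather than recomputing them per event.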
Also, to combat attacks – such as man-in-the-middle attacks – a simple in-band authentication process is not enough. The authentication of the individual needs to be done out-of-band, where bad actors utilizing key-loggers, malware and other attacks can’t gain access to credentials. Unfortunately, even out-of-band authentication is no longer completely secure.
In 2013, RSA’s Anti-Fraud Command Center identified a Trojan called Bugat that had been updated to hijack out-of-band authentication codes sent to bank customers via text message. This new tweak to an old piece of malware can render out-of-band authentication ineffective on its own, making it all the more essential that security solutions both authenticate the individual’s credentials and gauge the authenticity of their actions.
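One standard way to "gauge the authenticity of the action" rather than only the person is to bind the out-of-band confirmation code to the specific transaction it approves, so that a code captured for one transaction is useless for another. The example below is added here for illustration and is not Authomate’s or any bank’s protocol; the key, the message layout and the transactions are constructed. The code is an HMAC over the account, payee, amount and a single-use nonce; the server recomputes it against the transaction actually being submitted, so a substituted payee or amount fails verification even if the code itself was relayed correctly.

```python
"""Added example: binding an out-of-band confirmation code to the transaction
it approves. Illustration only, not code from the post or from Authomate;
the key, message encoding and sample transactions are constructed."""
import hashlib
import hmac
import secrets

# Constructed per-user secret; a real system would keep this in an HSM or KMS.
KEY = b"constructed-per-user-secret-key-32b"


def tx_message(account, payee, amount_cents, nonce):
    """Canonical, unambiguous encoding of exactly what is being approved."""
    return f"{account}|{payee}|{amount_cents}|{nonce}".encode()


def code_for(account, payee, amount_cents, nonce, digits=6):
    """Truncate an HMAC-SHA256 over the transaction to a short numeric code."""
    mac = hmac.new(KEY, tx_message(account, payee, amount_cents, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % (10 ** digits):0{digits}d}"


def issue_code(account, payee, amount_cents, digits=6):
    """Server side: create a single-use nonce and a code bound to this transaction.
    The code, together with a human-readable summary of payee and amount,
    is what is sent out of band so the user can compare it with what they intended."""
    nonce = secrets.token_hex(8)
    return nonce, code_for(account, payee, amount_cents, nonce, digits)


def verify_code(account, payee, amount_cents, nonce, code, digits=6):
    """Server side: recompute for the transaction actually being submitted and
    compare in constant time. A real system would also mark the nonce consumed."""
    expected = code_for(account, payee, amount_cents, nonce, digits)
    return hmac.compare_digest(expected, code)


def demo():
    """Constructed scenario: a code issued for the user's intended transfer is
    valid for that transfer and invalid when the payee or amount differs."""
    nonce, code = issue_code("acct-123", "landlord", 4000)
    ok_legit = verify_code("acct-123", "landlord", 4000, nonce, code)
    ok_other_payee = verify_code("acct-123", "mule-acct", 4000, nonce, code)
    ok_other_amount = verify_code("acct-123", "landlord", 250000, nonce, code)
    return ok_legit, ok_other_payee, ok_other_amount


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The out-of-band message must show the payee and amount next to the code, since the binding only helps if the user can notice that the summary differs from what they typed; that comparison is what a relayed or hijacked session cannot forge without a different code.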
Credential theft remains a problem – much like it was a decade ago when Bruce first discussed it. Surprisingly, we haven’t learned our lesson yet. Companies continue to utilize single-factor authentication when even two-factor authentication has proven to be insecure. And those that are utilizing two-factor or multifactor authentication aren’t looking to gauge the intent of their users. Without understanding what credentialed users are doing on their accounts, gauging their intent and bringing the authentication process out-of-band, we can’t truly ensure that the person logging in is who they say they are.
To learn more about Authomate’s completely out-of-band authentication solutions that can gauge a user’s intent, location and authenticity, go to www.authomate.com, or listen to this recent podcast featuring Jeff Schmidt.