This is your Shared Security Weekly Blaze for March 4th 2019 with your host, Tom Eston. In this week’s episode: Multi-factor authentication to protect your credentials, and new attacks on 4G and 5G mobile networks.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Almost every day we hear about a new data breach or leak of personal data. In a lot of these stories, compromised credentials are used in what is known as a ‘credential stuffing’ attack in which stolen credentials, from large databases of past data breaches, are used to gain access to many different types of popular applications and services. Just last week, one of those services was Intuit’s TurboTax application which right now, because of tax season in the US, is extremely popular. Victims of this particular attack had their information like social security numbers, address, date of birth, driver’s license number, previous tax returns and other personal data compromised. That’s enough data for someone’s identity to be stolen!
But even if we take the right precautions to use unique and complex passwords, many of us can still fall victim to a phishing or other social engineering attack where we may be convinced to give away our user credentials. In fact, in last week’s show I discussed a very realistic Facebook social login phishing campaign which looks so real that even cybersecurity professionals could fall for it.
So what can you do to help better protect your user credentials? The answer is multi-factor authentication and you should always enable it if the apps and services you are using support it. Here to discuss what multi-factor authentication is and how it’s different than other forms of authentication is Ian Paterson, CEO of identity assurance company, Plurilock.
Ian Paterson: Historically, authentication is based around what you know, which would be something like a password or a PIN number for your debit card; what you have, so that would be something like the debit card itself or maybe an RSA token; and something that you are, and that would be something like your fingerprint for touch ID or maybe your face for using facial recognition. And multi-factor authentication is when you have two or more of those factors. So you’re mixing and matching something that you know, something that you have, and something that you are.
Ian Paterson: Traditional authentication is generally something that you know, and that would be passwords. And what the world has learned over the last five to 10 years, is that passwords, something that you know, are really a terrible way of protecting stuff. I would say ironically, but not ironically, I got a note in my inbox earlier this week from Have I Been Pwned, saying, “Congratulations. You have been subject to a data breach.” And the reality is if you’ve been around online for any amount of time, probably you’ve had your credentials breached. And I usually talk about, there’s two people in the world, people who know that they’ve been part of a data breach and people who don’t know. And that’s basically it. So, coming back to your question. So MFA is designed to mitigate some of the problems around traditional authentication, i.e., passwords and we’re starting to see more of… More consumer options, certainly, around being able to use MFA or two factors, so two-factor authentication and multi-factor authentication, we’re starting to see more of those options being available to consumers.
Tom Eston: So, what are some of the issues that you’re seeing with the way that companies and applications and everyone is using multi-factor authentication right now?
Ian Paterson: I think that there are some good ways of doing multi-factor authentication and there are some not good ways of doing multi-factor authentication. So some examples of maybe good attempts, but attempts that come up short, would be using two forms of something that you know.
Ian Paterson: A lot of banks actually are still stuck with this. Where you’ll have a login and password and then if you get through the login and password, then they’ll ask you a security question. So it’s not actually multi-factor, they call it two-step verification in a lot of cases, which kinda sounds like two-factor authentication, but you’re still using two shared secrets, two something that you knows, in order to authenticate you as a person. And it’s a little bit better than just a password on its own, but not by much. And certainly it doesn’t meet a lot of the regulatory requirements around strong authentication. So we’re seeing that organizations are recognizing that this is not an ideal way of doing it and they’re moving away from it. But certainly… I still have some personal accounts just with organizations that I use and I’m still asked for a login, password, and a security question and it drives me nuts.
Tom Eston: Why should apps and services move away from offering SMS text-based multi-factor authentication?
Ian Paterson: What we’ve seen over the last couple of years is that SMS as a form of MFA, multi-factor authentication, is really insecure. So the Reddit hack a year or two ago, was they were able to get in because SMS was used as a form of multi-factor authentication and the attackers were able to usurp that and get access. And so, there are better ways of doing MFA. There are not so good ways of doing MFA. The security questions, SMS are definitely in that not great camp. Hardware is a great option as long as users are willing to go through the hassle of using it.
Tom Eston: Here’s Ian’s take on what the future of multi-factor authentication might look like.
Ian Paterson: So, Plurilock is looking at human behavior and using that as a form of biometrics. So we look at how you type, how you move a mouse, on mobile phones, how you walk or how you sit, which is gait analysis, and we use that as a form of invisible second-factor authentication, on top of your standard login and password. So if you consider that there can be a spectrum of really, really secure and really inconvenient on one end and on the other end of the spectrum would be really, really convenient but unbelievably insecure. There’s different solutions that you can plot on that spectrum.
Ian Paterson: And hardware is usually really, really secure. As a general rule, if you’re using hardware tokens or if you have a YubiKey, for instance. Like those are great solutions. The challenge is you actually want to roll out multi-factor authentication to more places than you can realistically expect users to do MFA. And so what happens is, and we’ve seen this with some of our customers and other organizations that we work with, they’ll purchase an MFA solution, they’ll integrate it in one or two points and then the rest of the interaction with users is left unprotected because they can’t get over the pushback from their end users to say, “Look, you can’t really expect to slow me down for five seconds, eight times a day, just so that I can log in securely.”
Ian Paterson: And so what we do is we come in and say, “Look in some cases, use hardware.” If you’re wiring $10 million, I would suggest that you probably want hardware in there to make sure that it’s the right person. But if it’s a… If it’s a manager who’s approving a small change or if it’s a lower risk transaction, is there a way that we can balance that convenience and security aspect? And so what we do is we look at your login and password, which you’re already, for the most part, doing today, we look at how you type in your login and password as a form of behavioral biometrics, and then we also use things like your location.
Ian Paterson: So have we seen you log in from the same location in the past. Rather than geo-fencing, we’ll actually do things like the impossible travel problem. So we’ll look at your last known good login, we’ll compute the time that it would have taken you to travel from point A to point B, where you’re currently logging in from, and say that if it’s physically impossible for you to travel from point A to point B, probably there’s something suspicious, right? So it’s all about flexibility. We don’t pre-configure very much, but we’re really looking at risk factors to know whether we need to pause the authentication and ask you for the hardware that you already have or just let you through.
Tom Eston: What about privacy and mass surveillance concerns with biometric-based multi-factor authentication?
Ian Paterson: So, personal privacy and biometrics is a hot topic. I think where we’re seeing those is that there’s more consumer demand and acceptance for forms of biometrics. And I think you only need to look at what Samsung and Apple are doing, and actually Microsoft Surface is for that matter, as well, where they’re trying to balance the use of biometrics, like your thumb print or facial recognition, with the convenience that that offers.
Ian Paterson: Now, the other angle to this, is that biometrics are not foolproof, in the same way that passwords are not foolproof. There’s no silver bullet here anywhere. But biometrics can be a useful tool when you’re talking about defense in depth. And what we’re seeing is that consumers are interacting with those technologies more and so as a result have a greater acceptance for how they can be used and how they can benefit them.
Ian Paterson: The challenge really when you come down to consumer adoption is what’s in it for them. And if you just have a ubiquitous surveillance system for your business, there’s not really a benefit for consumers, they’re just being tracked and there’s no… There’s nothing in it for them. But if you were to say, look, rather than fumbling around for your keys, trying to find that frustrating token with that six-digit rotating password that is gonna change in 30 seconds and it actually shows you the bars count down, which just produces anxiety, you have to get it right and then you get it wrong and then you have to wait for the next one. The whole thing is just a terrible user experience. And then if you give them the choice to say, “Look, you can do that or you can swipe your thumb print,” suddenly it’s a different conversation. It’s not just about ubiquitous surveillance, it’s around, “Well, there’s a trade-off here being made and well, actually, I kinda benefit from this.” And when you have that conversation, it’s just much, much more geared towards informed consent and around the value that the users get.
Tom Eston: That was Ian Paterson from Plurilock.
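The risk-based step-up Ian describes (compare the current login against the last known good login, work out how fast the user would have had to travel, and only ask for the hardware factor when that trip is physically impossible) written out as an added illustration. This is not Plurilock’s code: the `Login` record, the speed threshold, the distance floor that absorbs IP-geolocation jitter, and the sample logins are all constructed assumptions.

```python
"""Impossible-travel check feeding a step-up decision (added example, not Plurilock's code).

Assumptions (constructed for illustration):
- each login event carries a timezone-aware UTC timestamp and a lat/lon
  already resolved from the source address by some geolocation step
- MAX_PLAUSIBLE_KMH is roughly commercial-flight speed
- MIN_DISTANCE_KM hides the jitter of IP geolocation inside one metro area
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: anything faster is "impossible travel"
MIN_DISTANCE_KM = 50.0      # assumption: below this, treat as the same place


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime  # timezone-aware UTC
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to get from prev to cur.

    Returns 0.0 when the two points are effectively the same place, and
    infinity when the distance is real but the time delta is zero or
    negative (clock skew or out-of-order events), which we treat as
    impossible rather than silently allowing.
    """
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist < MIN_DISTANCE_KM:
        return 0.0
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")
    return dist / hours


def decide(prev: Optional[Login], cur: Login) -> str:
    """Return 'allow' or 'step_up' (pause and ask for the hardware factor)."""
    if prev is None:
        return "step_up"  # no last known good login to compare against
    if required_speed_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        return "step_up"
    return "allow"


def _utc(y: int, m: int, d: int, hh: int, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


def run_scenarios() -> Dict[str, str]:
    """Constructed sample logins run through decide(); returns the decisions."""
    toronto_9am = Login("alice", _utc(2019, 3, 4, 9), 43.65, -79.38)
    toronto_later = Login("alice", _utc(2019, 3, 4, 11), 43.70, -79.40)   # same metro
    london_10am = Login("alice", _utc(2019, 3, 4, 10), 51.51, -0.13)     # 1 h later
    london_6pm = Login("alice", _utc(2019, 3, 4, 18), 51.51, -0.13)      # 9 h later
    london_earlier = Login("alice", _utc(2019, 3, 4, 8), 51.51, -0.13)   # before prev
    return {
        "first_login": decide(None, toronto_9am),
        "same_city": decide(toronto_9am, toronto_later),
        "one_hour_across_atlantic": decide(toronto_9am, london_10am),
        "nine_hours_across_atlantic": decide(toronto_9am, london_6pm),
        "clock_skew": decide(toronto_9am, london_earlier),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

The floor on distance matters in practice: IP geolocation for one user inside a city routinely jumps tens of kilometres between logins, and without it a two-minute gap would look like a 300 km/h sprint and trigger step-up on every session.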
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
A group of researchers from Purdue University and the University of Iowa have released details on new security flaws in the 4G and 5G protocols used by mobile networks. The flaws bypass new security protections and would allow IMSI-catching devices, known as “Stingrays”, to intercept phone calls and conduct location tracking. Stingray devices are known to be used by nation states and law enforcement. Surprisingly, the soon-to-be-implemented 5G protocol has built-in protections to defend against Stingray devices, but the researchers found that these protections can be defeated. The research describes several different attacks: the first, called Torpedo, exploits a weakness in the paging protocol mobile carriers use to notify a device before a call or text comes through; Piercer allows an attacker to determine a user’s identity (or IMSI) on a 4G network; and an IMSI-Cracking attack can brute force an IMSI number on 4G and 5G networks. This last attack in particular would allow Stingray devices to be used on the new 5G networks which are just starting to be deployed. The code and exploits will not be released by the researchers; instead the flaws will be reported to the mobile carriers so that they can be fixed. However, the researchers note that these attacks could be carried out with radio equipment costing only about $200. Let’s hope the mobile carriers fix these flaws soon, especially before 5G networks are fully deployed.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.