Zero-Day Security Threats Give Rise to Next-Generation Multi-Factor Authentication
Here, Claus Rosendal of SMS PASSCODE explains more.
A recent survey showed that 90 percent of all companies have experienced a breach in the past twelve months. When coupled with the fact that advanced persistent threats (APTs) such as Zeus, along with other hacking techniques, have compromised the two-factor authentication token, a technology now more than twenty years old, it becomes evident that there is a clear case for a next-generation authentication solution that delivers truly secure, real-time multi-factor authentication.
The Explosion of Remote Access
The use of online services has exploded in the last decade as enterprises have adopted remote access as the default way to access systems and conduct business. As online access has become the pervasive way to conduct business, the threat of identity theft has increased with astonishing speed and complexity. A survey of more than 500 corporations by Ponemon Research revealed that 90 percent had been successfully hacked in the last twelve months. This research demonstrates the need for major enterprises to adopt stringent, effective security methods as a means to protect against breaches. Consequently, modern mobile-phone-based multi-factor authentication is in high demand.
The Basics of Hacking
Just as the remote access industry has evolved, so have threats and their complexity. In the early days of online services, usernames and passwords were typically the only form of authentication. To crack them, hackers used either “brute force” attacks to guess the username or password, or “dictionary attacks” to assume a user’s identity. In a dictionary attack, a computer or a hacker attempts various combinations of potential passwords until access is granted.
Systems eventually evolved to block these attempts by locking the account after a few failed attempts, leading hackers to develop new techniques such as keyloggers. Today, the most widely used attacks are pharming, phishing or a combination of the two. These terms describe methods by which users are led to a fake website that appears identical to the original. This tricks the user into entering his or her username and password. Some of the more advanced attacks send stolen information to the hackers in real time via a small instant-message program, compromising many popular two-factor authentication tokens. As an example, Zeus malware captures a user’s credentials – even advanced time-based token codes – and sends the information to the hacker.
Adding fuel to the fire, newer and more sophisticated methods of intercepting user interactions with online services have emerged in recent years, including man-in-the-browser, man-in-the-middle and session hijacking. Even the most secure traditional two-factor authentication token devices can no longer ensure the identity of a user against these new, more insidious threats. Yet many organizations are unaware that traditional tokens can be compromised, posing a significant security risk.
The Right Level of Protection
Today’s evolving threat environment creates a never-ending battle wherein organizations must constantly evaluate the right level of investment in protection for the business. Often, the best possible protection is out of reach for many organizations, and thus a trade-off has to be made. To protect against identity theft schemes within budgetary constraints, organizations have sampled different technologies, including certificates, biometric scanning, identity cards and hardware and software tokens, with the latter being the most dominant technology. Certificates are often viewed as the ideal way to connect two devices over a secure, identifiable connection. The main issues are the deployment and administration of these certificates and the risk that they are copied without the user knowing it. Furthermore, the certificate authority itself might be compromised.
Biometric scanning has also enjoyed some success, with many seeing it as a very secure alternative. However, the assumption that you always have a functioning fingerprint or iris scanner at hand has proven impractical, and the resulting scan produces a digital file that can itself be compromised. Another alternative is the identity card, which often proves impractical in a world of Bring Your Own Device (“BYOD”), where users demand access from an ever-changing variety of devices. Therefore, a new approach is needed.
Different Approaches, Different Outcomes
To address today’s modern threats while meeting a user’s need for easier and more flexible solutions, many organizations have begun using multi-factor authentication based on mobile networks.
The main driver for the adoption of the new crop of multi-factor authentication is two-fold: one, the need to deliver hardened security that anticipates novel threats; and two, the need to deploy this level of security easily and at a low cost. The device utilized in the authentication process also needs to be connected to the network in real-time and be unique to the user in question.
If the authentication engine simply sends a conventional, session-independent token code via SMS, however, today’s malware threats can steal that code just as easily. Therefore, to successfully safeguard against modern threats, organizations must seek strategies that operate efficiently in a message-based environment. Key elements can include:
• Hardened security: To get the highest possible level of security, the one-time password (OTP) must both be generated in real-time and be specific (locked) to the particular session, as opposed to tokens that use seed files where the passcodes are stored.
• Easy infrastructure: To minimize infrastructure complexity, the solution should plug into different login scenarios, such as Citrix, VMware, Cisco, Microsoft, SSL VPNs, IPsec VPNs and web logins. Other ways to minimize infrastructure overload include providing these logins in an integrated, session-based architecture.
• Layered defenses: To support real-time code delivery, the organization needs robust and redundant server-side architecture along with multiple delivery mechanism support, regardless of geographic location.
• Simple management: The solution should be able to be managed easily within the existing user management infrastructure.
• Location-aware: To maximize security, the company should leverage contextual information – such as geo-location and behavior patterns – to effectively authenticate the user.
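The “hardened security” element above, a one-time passcode generated on demand and locked to the requesting login session, can be illustrated with a small server-side store. This is an added example, not SMS PASSCODE’s own code or protocol; the store key, session identifiers and timestamps are constructed demo values. It shows why a code captured by malware in one session is worthless in another, and why a replay or an expired code fails.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment would hold this in an HSM/KMS.
STORE_KEY = b"constructed-demo-key-do-not-use"

def _mac(session_id: str, code: str) -> bytes:
    # Keyed hash over (session, code): the stored value verifies in no other session.
    return hmac.new(STORE_KEY, f"{session_id}|{code}".encode(), hashlib.sha256).digest()

class SessionOtpStore:
    """Issues one-time passcodes valid only for the session that requested them."""

    def __init__(self, ttl_seconds: int = 60, max_attempts: int = 3):
        self.ttl, self.max_attempts = ttl_seconds, max_attempts
        self._pending = {}  # session_id -> pending code record

    def issue(self, session_id: str, now: float) -> str:
        """Generate a fresh 6-digit code for this session (the value delivered by SMS)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {"mac": _mac(session_id, code), "issued_at": now, "attempts": 0}
        return code

    def verify(self, session_id: str, code: str, now: float) -> bool:
        """True only for the right code, in the issuing session, within the TTL, on first use."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False  # nothing pending here: a code captured in another session is useless
        if now - rec["issued_at"] > self.ttl:
            del self._pending[session_id]  # expired: force a fresh challenge
            return False
        rec["attempts"] += 1
        if rec["attempts"] > self.max_attempts:
            del self._pending[session_id]  # guessing budget exhausted
            return False
        ok = hmac.compare_digest(rec["mac"], _mac(session_id, code))
        if ok:
            del self._pending[session_id]  # single use: any replay fails
        return ok

def demo() -> dict:
    store = SessionOtpStore(ttl_seconds=60)
    code = store.issue("sess-victim", now=1000.0)
    return {
        "stolen_code_other_session": store.verify("sess-attacker", code, now=1005.0),
        "legit_first_use": store.verify("sess-victim", code, now=1010.0),
        "replay_same_session": store.verify("sess-victim", code, now=1011.0),
        "expired": store.verify("sess-late", store.issue("sess-late", 2000.0), now=2061.0),
    }
```

Contrast this with a seed-based token: its code is computed from the shared seed alone, so the verifier accepts it from whichever session presents it first, which is exactly what real-time relay malware exploits.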
Looking Ahead
Online identity theft has rapidly surpassed many of the most popular defenses available today, resulting in a wildly profitable industry on the black market.
Protection against this new generation of threats calls for a new generation of multi-factor authentication solution. By delivering a session- and location-specific code to the user’s mobile phone in real time, solutions like this can deliver the hardened, flexible authentication organizations need to protect their employees, users and data.
Claus Rosendal is a founding member of SMS PASSCODE A/S, where he oversees the product strategy and development in the role of Chief Technology Officer. Prior to founding SMS PASSCODE A/S, he was a co-founder of Conecto A/S, a leading consulting company within the area of mobile computing and IT security solutions with special emphasis on Citrix, Blackberry and other advanced handheld devices. Prior to founding Conecto A/S, he headed up his own IT consulting company, where he was responsible for several successful ERP implementations in different