Against the background of the pandemic, the shortcomings of the MFA are clearer than ever

The pandemic has left no time for security niceties such as properly vetting applications through a careful RFP process. That brings us to MFA and why it needs to be radically redesigned.

Because of you-know-what (if I have to write "corona" or "COVID" again, I'll scream), companies have had to send large numbers of employees to makeshift home offices in just a few days. That meant there was no time for security niceties such as properly vetting applications through a careful RFP process. Given the emergency, employees and IT teams did the best they could, expecting to shore up security along the way as soon as circumstances allowed.

That brings us to MFA. Multi-factor authentication should be exactly that, but it is generally implemented in the least secure way: by sending a numeric code in a plain text message to a mobile device, a tactic well known to be susceptible to man-in-the-middle attacks. So, are there better ways to implement MFA, something that can be rolled out easily under today's far-from-ideal conditions? Let's dig deeper.

First, though, it is worth noting that numeric text-message codes can be undermined by quite a few things besides man-in-the-middle attacks.

"There is a documented fact that SMS as a 2FA delivery channel was deliberately targeted and successfully compromised by [cybercriminals] precisely because they know it is used for 2FA delivery and for higher-value targeted applications/services, such as banking and PayPal," said John Herrema, senior vice president of product management at BlackBerry, which currently works on systems and security software. "This includes a combination of intercept-based technical compromises and social-engineering compromises, such as bribing someone to port a specific target's mobile number to a [cyber thief's] device that then receives the codes. Or using a phishing attack to trick a user into entering credentials and [one-time passwords] on a fake site, which are then used to access the actual site. It is true that any form of 2FA is better than nothing, so the question is not whether any form of 2FA is better than nothing, but rather whether there is a better, state-of-the-art option, especially for higher-value use cases. The way to protect access to a bank account doesn't have to be, and probably shouldn't be, the same as protecting access to a YouTube account."

It is interesting that Herrema mentioned PayPal, because PayPal quietly runs two very different MFA approaches that look almost identical to the end user. I discovered this last month when I analyzed a report published by some European security researchers claiming that PayPal's MFA was susceptible to man-in-the-middle attacks. The researchers shared their exact methodology (complete with screenshots), but a pen tester I worked with could not replicate the attack. After several real-time screen-sharing sessions, it became clear that the attack only worked if the MFA option was disabled.

Huh? Yes, we then realized that PayPal had a fairly robust text-based MFA implementation for any user who enabled the MFA option, which, for what it's worth, should be everyone. But for users who declined MFA, PayPal gave them one anyway, though a lower-security version. Kudos to PayPal for trying to protect all its users, including the stupid ones who reject MFA.

However, even the full PayPal MFA appears to be just a plain text message. There are much better ways.

Beyond the insecurity of SMS MFA, Duncan Greatwood, CEO of security vendor Xage Security, is concerned about how easy SIM theft has become. He encourages companies to have employees receive MFA alerts through an end-to-end encrypted mobile application such as Signal, Apple's iMessage or Facebook's WhatsApp. He also suggests that companies encourage employees to sign up for carrier services that reduce the risk of SIM theft, such as AT&T's Extra Security or Verizon's administrative lock.

"If the application service provider can integrate with it, end-to-end encrypted messaging is much better protected than text messages for distributing the verification code," Greatwood said. "But even then, texting is still vulnerable to corrupt telecom staff helping with SIM theft. Bribes for such assistance cost only $200."

However, Greatwood's caveat, "if the application service provider can integrate with it," is crucial. There are two categories of risk involved here: Risk 1, malware infiltrating a corporate device (or a consumer device temporarily used as a corporate device, with virus-related uncertainty about how temporary that will be) from any site or downloaded application the employee/end user interacts with; and Risk 2, unauthorized direct access to the company's assets.

This shapes the security requirements of a mobile strategy, especially as much of what used to be internal network access becomes remote access. IT and security have almost no control over Risk 1, so the only option is to implore employees to use better security for themselves when accessing bank accounts, retail sites or streaming video. Some might try to make this a job requirement for any device that also contains or accesses business data, but there is a significant limit to how much of that can be enforced.

Risk 2, on the other hand, is much more under the control of IT and security. Greatwood recommends an approach that can sometimes be layered on top of a VPN system. If this can be done, it would go a long way toward addressing Risk 2.

"The next step is applications on the phone that automatically provide the second factor, usually based on a TOTP (time-based one-time password) system with a seed derived from the user's identity. This approach will be familiar to anyone who uses Google's MFA system with apps like Gmail or Google Drive. It is available through third-party applications such as Authy or OTP Auth and is sometimes built into VPN clients. Another way to think about TOTP MFA is that it uses access to the phone, assuming the TOTP application runs on the phone, as the second factor in proving identity along with a password," said Greatwood. "Hardware keys, such as YubiKey, can provide a hardware-backed second factor, similar to but stronger than a TOTP application on a phone."

Hardware keys are more secure, but if stolen, they can make the authentication problem worse. Many people, and I am guilty of this, keep their hardware keys on a literal key ring, along with car and house keys. In my case, this makes it hard to get to when needed, because I usually won't have it on me while I'm working. But a much bigger concern is when I work outside my office. In the days before you-know-what, I could be in a cafe typing on my laptop with my key ring in my coat pocket. If an observant thief had watched closely enough, the thief might have waited for me to leave the table briefly for another coffee and stolen my keys and laptop. In that case, I am in a worse position than I would have been otherwise. That said, it's still a good idea.

Greatwood also mentioned corporate ID badges as another potential MFA factor, if the badge system is integrated with the IT login system. "However, one problem here is that the token on a badge can be relatively insecure, lacking entropy and/or complexity, depending on when the badge system was designed. Badges are relatively easy to lose or steal, and integration between badges and digital IT login may be lacking. Badge readers may also not be available where users need to sign in. Badges tend to be used only for specialized applications related to site access," he said.

Although it will take more time and cooperation to implement, Greatwood would like to take advantage of the biometric authentication already built into many current mobile devices. Facial recognition is more common today, but I see a return to fingerprint options to get around the many pitfalls of facial recognition. Many companies already use mobile biometrics to authenticate customers, so using it to authenticate employees, contractors and partners is not a big step.