Cyber Attack

Phishing attacks and what to do about them.

In my previous article I gave general information about what a phishing attack is and basic tips on how to protect ourselves from such attacks.

In this article I review what options today’s technology gives us to secure our data and protect ourselves from phishing attackers.

What are the most popular ways to use multi-factor authentication to increase the strength of our systems’ security (computer, phone, etc.)?

To answer this question we first need to define authentication: “…Authentication is, in an information security sense, the set of methods we use to establish a claim of identity as being true…” 1(Andress, Jason)

The most preferred multifactor authentication options, based on my long professional experience, include:

1. Two-factor authentication (2FA) verifies the user’s identity by combining two of the following factors:

- Something the user knows

- Something the user possesses

- Something the user is

Examples:

a) Using an ATM, the user must have an ATM card and a PIN: the combination of something the user has (the bank ATM card) and something the user knows (the PIN) achieves two-factor authentication. 2(Ojekudo, N., & Macarthy, O. 2018)

PROS:

- Reasonably secure, because it combines the ATM card (something the user possesses) with the PIN (something the user knows), and the user is physically present at the ATM location, where security CCTV can record the transaction.

- Not too expensive: the cost of an ATM card is very low.

CONS:

- The ATM card could be stolen or replicated (duplicated), and the PIN can be stolen or guessed.

b) 2FA login for email accounts, for example the Google account login process. Here we have a combination of something the user knows (their login ID and password) and a numerical code sent by SMS text message to the user’s cell phone, which the user enters into the browser login page to confirm that it is the actual user; that is the “something the user is” factor. 3(Lemos, R. 2018)

PROS:

- Significantly increases the security of the login ID and password method and ensures that the designated user is the one who logged in.

- Not expensive; does not require additional equipment or software to be purchased or installed, as long as the user possesses a mobile phone capable of receiving SMS.

CONS:

- Some users are not comfortable providing their phone numbers, which creates a privacy problem, because there is no regulatory basis for how the site will store or use that phone number, and in some instances that user data (phone numbers) is also used for marketing and other purposes.

- The mobile phone must always be ON and connected to the network, otherwise the verification code will not go through.

- The mobile phone itself is not a very secure device; when a site allows password reset using this method it is dangerous, because hackers could easily take over the phone and access the user account without even needing the password. 3(Lemos, R. 2018)

- Recently, according to CERTFA, as of October 2018 Iranian-based hackers (MD0ugh) managed to bypass this verification method, which makes the future use of this two-factor authentication method for account protection questionable. Read more here: “The Return of The Charming Kitten”

c) Another version of two-factor authentication is similar to the previous one and uses both factors, something the user knows and something the user is, but instead of sending an SMS with a code to the user’s cell phone it uses the fingerprint login capability of the phone: after the user enters their login credentials in the phone app, a prompt asks the user to use their fingerprint for final verification before the app can be accessed. 4(Pokhriyal, Avinash. 2010)

PROS:

- Similar to the previous method with a texted code to the user’s mobile phone; however, this time the code is replaced by the user’s biometric, the fingerprint.

- Significantly increases the security of the login ID and password method and ensures that the designated user is the one who logged in.

- Not expensive; does not require additional equipment or software to be purchased or installed, as long as the user possesses a mobile phone capable of processing biometrics.

- Increases security further by receiving confirmation of the user’s identity.

CONS:

- Some users are not comfortable providing their phone numbers, which creates a privacy problem, because there is no regulatory basis for how the site will store or use that phone number, and in some instances that user data (phone numbers) is also used for marketing and other purposes.

- The mobile phone must always be ON and connected to the network, otherwise the verification code will not go through.

- More complicated privacy issues, and to some extent legal issues, given the present state of the law.

- Possibility for an attacker to make a copy of your fingerprint and that way access your account.

d) One more example of using the user’s mobile phone for multi-factor authentication is a locally installed (on the user’s phone) authenticator app, or scanning a QR code.

  • With an installed authenticator app, upon login the user is prompted to generate a code from that app and submit it to the server for clearance and access.
  • When a QR code is scanned, the authenticator app on the phone generates a new code every predetermined period of seconds, such as every 15 or 30 seconds, and the user provides that code to the site for final authentication.

The actual process in this example uses Time-Based One-Time Passwords (TOTP): the token generated by the app has an expiration time, so the user is required to use it immediately. This is part of Open Authentication, or 5(OATH)*

*(OATH is not the same as OAuth! OAuth is a different open standard, for token-based authentication on the internet, used for login through APIs such as social networks or elsewhere, without exposing the user’s password.) 6(OAuth Community Site)

PROS:

- Significantly increases the security of the login ID and password method and ensures that the designated user is the one who logged in.

- The user can use this method even when the phone has no connection to the mobile service provider, because the key and the code-generating app are installed locally on the user’s mobile phone.

- Better than the SMS version of multifactor authentication, because an attacker who redirects your phone number would be unable to access the key or generate the code requested by the site.

- Improves security significantly compared to the previous methods.

CONS:

- Again, as before, privacy issues are at stake here.

- If the phone battery dies, or the phone is lost or stolen, and the user has not stored backup access codes in a different place, then the user will lose access to the account.

- For some users it may create inconvenience when used on different login platforms, each requiring repetition of the confirmation process.

e) Push-based methods for multifactor authentication, like logging into an Apple device: after you log in as a user, you receive at a location set up in advance (email, or mobile phone in the form of a text message or call) a notification that someone has logged in to your device, and you need to confirm that or send an alert to block the logged-in user. 7(Sanin, A., Ricketson, M., Newlman, R., LeBlanc, A., & STERN, E. 2012)

PROS:

- More convenient than the returned-code authentication method; less work for the user.

- Increased security compared with code-based authentication; reduces phishing attacks. An attacker using phishing methods can simply ask for your code after requesting your login ID and password, and then pass that code along while impersonating your login to your legitimate account.

- Because this method uses the IP address and physical location, it is possible to catch a phishing attack in progress when the attacker is not located in the same geographical area.

CONS:

- One of the negatives of this method is the lack of standardization; there is no option to select from a pool of applications.

- Requires the user’s mobile phone to have an available and working data connection.

- Unable to unify all push notifications in one single application.

f) Digital certificate authentication, where the user and the server have digital certificate keys (public and private) installed and mutually identify themselves upon connection. 8(IBM. n.d.)

PROS:

- Using digital certificates (public and private keys) reduces authentication maintenance: it is no longer required to manage and maintain a large database of user account credentials, which reduces the risk of data loss.

- Efficient for single-user login; very beneficial for server administration.

CONS:

- Not efficient when working with a large pool of users; it is complicated to deliver the certificate to the user when the user is in a non-secured Internet connection area, such as an Internet café or a public WiFi zone.

- The user must physically have the certificate installed on their device, so if the user’s device is hacked and/or stolen the certificate could be stolen and the attacker could easily impersonate the user.

g) One new form of multifactor authentication recently implemented is the FIDO U2F security key method. U2F, or Universal Second Factor, requires an additional device, such as a USB, NFC or Bluetooth Low Energy device, that plays the role of the security key: when logging in to a web site, the site requests that the user connect that device to the computer and tap it to allow the login. 9(U2F — FIDO | Yubico. n.d.)

PROS:

- Improved security compared to code-type methods of authentication: in this case the user’s identity is confirmed by the U2F device recognizing the site the user is on and responding to the site’s challenge with a code specifically assigned to this site. That eliminates in full all phishing methods of attack.

- More convenient than the returned-code authentication method; less work for the user.

- Uses a unique identity and challenge response for every different site.
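The site binding described above, and the code-relay attack noted under the push-based method, as an added example that is not code from the original article or from Yubico/FIDO. It is a simplified model: a symmetric HMAC key stands in for the per-site ECDSA key pair a real U2F key creates (an assumption made so it runs with the standard library), while the security-relevant behaviour is kept: the browser, not the user, supplies the origin, and that origin is part of every response, so a code collected on a look-alike domain does not verify at the real site. Origins and challenges are constructed samples.

```python
import hashlib
import hmac
import secrets


class OriginBoundKey:
    """Simplified model of a U2F-style security key (assumption: HMAC replaces the
    real key's ECDSA key pair). Per-site key and every response depend on the origin."""

    def __init__(self, device_secret: bytes) -> None:
        self._device_secret = device_secret

    def _site_key(self, origin: str) -> bytes:
        # A different origin (for example a look-alike phishing domain) yields a different key.
        return hmac.new(self._device_secret, b"site:" + origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Real U2F hands the server a public key; this model hands it the derived site key.
        return self._site_key(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The origin comes from the browser, not from the user, and is part of the signed data.
        signed_data = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._site_key(origin), signed_data, hashlib.sha256).digest()


def server_verify(stored_key: bytes, origin: str, challenge: bytes, response: bytes) -> bool:
    """The legitimate server checks the response against its own origin and its own challenge."""
    signed_data = hashlib.sha256(origin.encode()).digest() + challenge
    expected = hmac.new(stored_key, signed_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def phishing_relay_outcome(real_origin: str, phishing_origin: str) -> dict:
    """Constructed scenario: the key was registered at real_origin; later the user lands on
    a phishing page that relays the real server's challenge and collects the key's answer."""
    key = OriginBoundKey(secrets.token_bytes(32))
    stored_key = key.register(real_origin)
    challenge = secrets.token_bytes(32)             # issued by the real server
    genuine = key.sign(real_origin, challenge)      # user is really on the legitimate site
    relayed = key.sign(phishing_origin, challenge)  # user is on the look-alike site
    return {
        "genuine_accepted": server_verify(stored_key, real_origin, challenge, genuine),
        "relayed_accepted": server_verify(stored_key, real_origin, challenge, relayed),
    }


if __name__ == "__main__":
    # Constructed origins; the second is a look-alike host a user might not notice.
    print(phishing_relay_outcome("https://accounts.example.com", "https://accounts-example.com.evil"))
```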

CONS:

- Rather new technology, without a large area of application; currently supported only by Google Chrome, while the other major browsers are working on implementations that are not available yet.

- Mobile support presents challenges, because U2F devices are mostly USB-based, with some exceptions for Bluetooth and NFC devices.

- NFC devices are supported only by Android; on iOS, interaction between apps and the NFC hardware is not allowed at this moment.

- Bluetooth hardware is more expensive and needs more maintenance; it requires batteries and frequent recharging.

- In contrast with most of the previous methods, this one is paid and requires an additional cost for using it, on average between $10 and $20 USD.

Why might a multi-factor authentication solution not be successfully adopted in an organization?

The most predominant reasons why a multi-factor authentication solution is not adopted by organizations and individuals alike, according to a survey from the SANS Institute, are:

“…

a) Being too busy or forgetting — 63% and 16%

b) Don’t believe they are too important to be ever attacked — 16%

c) Not sure how to set up the MFA — 18%

d) Lack of technology knowledge in general — 8%

e) Don’t trust such technology; serious privacy concerns — 5%

…” 10(Ackerman, P. 2017)

References:

1 Andress, Jason. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice (p. 26). Elsevier Science. Kindle Edition.

2 Ojekudo, N., & Macarthy, O. (2018). A Comparative Study of PIN Based and Three-factor Based Authentication Technique for Improved ATM Security. International Research Journal of Engineering and Technology (IRJET), 05(05), 3749–3754. Retrieved from

3 Lemos, R. (2018). Two-factor authentication (2FA) by text: What security pros need to know. Retrieved from

4 Pokhriyal, Avinash. (2010). A new method of fingerprint authentication using 2D wavelets. Journal of Theoretical and Applied Information Technology. 13. 131–138.

5 About Oath. (n.d.). Retrieved from

6 OAuth Community Site. (n.d.). Retrieved from

7 Sanin, A., Ricketson, M., Newlman, R., LeBlanc, A., & STERN, E. (2012). US20140007213A1 — Systems and methods for push notification based application authentication and authorization. Retrieved from

8 IBM. (n.d.). IBM Knowledge Center. Retrieved from

9 U2F — FIDO Universal 2nd Factor Authentication | Yubico. (n.d.). Retrieved from

10 Ackerman, P. (2017). Impediments to Adoption of Two-factor Authentication by Home End-Users. In SANS Institute. Retrieved from