Why the Internet is about to get much more secure

The next wave of two-factor authentication deployments should have a bigger impact

Nick Owen
3 min read, May 3, 2016
Will improved security practices finally change the momentum against attackers?

Since the famous Mat Honan hack, there’s been a great push for consumers to use, and for consumer sites to deploy, two-factor authentication. This push has been welcome, but for me it had a ring of blaming the victims. “Hey, why are you not using two-factor authentication? Don’t you know that our poor security choices and slack operating procedures have exposed all your credentials?”

Often users were mocked for the terrible passwords they chose. “Password1, really, people!” But this was really a rational choice. Why should users choose tough passwords when organizations were going to lose them anyway? Why the focus on users and not on the organizations that lost the passwords? We should have seen improved security by organizations in response to all the breaches.

We did not get that. Instead, we continued to see the same attacks work the same way against companies everywhere. According to the latest Verizon DBIR, 63% of attacks against organizations used lost, stolen, weak or default credentials.

Well, things are about to change. As of April 28th, the PCI Council, the group responsible for security requirements for merchants and credit card processors, is now requiring two-factor authentication for administrators of systems that touch credit card data. The change must be implemented within six months.

There are a few reasons why this is interesting. The first is that PCI seems to be targeting pass-the-hash and similar attacks, which are key tools attackers use to escalate privilege. PCI-DSS has been around for a while, but it has failed to make a dent in breaches. Now the council is trying to eliminate a key hacker tool. Think of it like this: attackers must get in, get the data and then get the data out. Getting the data almost always requires getting administrative credentials. Due to the native single sign-on capabilities of the Windows operating systems, it was easy to get a copy of the hashed credentials from a compromised computer. The attackers didn’t even have to crack them; they could simply use the hashed values as password-equivalents, thus ‘passing the hash’. However, if a hashed password alone is no longer enough to authenticate, the attack fails.
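To make that mechanism concrete, here is a toy model (added here; it is not code from the original post or from WiKID) in which a stored hash is the key for a challenge/response login, so a copied hash is a password-equivalent, and in which a fresh TOTP code is then required as the second factor. The hashing scheme, account structure and sample values are all constructed for the illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def password_hash(password: str) -> bytes:
    """Stand-in for a stored credential hash; real systems should use a slow, salted KDF."""
    return hashlib.sha256(password.encode()).digest()


def challenge_response(password_equivalent: bytes, challenge: bytes) -> bytes:
    """Proof of possession keyed by the hash, in the style of challenge/response single sign-on."""
    return hmac.new(password_equivalent, challenge, hashlib.sha256).digest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class AdminAccount:  # hypothetical account record for the model
    stored_hash: bytes
    totp_secret: bytes


def login_password_only(account: AdminAccount, challenge: bytes, response: bytes) -> bool:
    """Server check when the hash-derived proof is the only factor: a copied hash is enough."""
    return hmac.compare_digest(challenge_response(account.stored_hash, challenge), response)


def login_with_second_factor(account: AdminAccount, challenge: bytes, response: bytes, code: str, now: int) -> bool:
    """Same check plus a fresh one-time code, which a copied hash cannot produce."""
    return login_password_only(account, challenge, response) and hmac.compare_digest(totp(account.totp_secret, now), code)


def demo() -> dict:
    account = AdminAccount(password_hash("Password1"), b"constructed-demo-secret")  # constructed values
    challenge, now = b"\x00" * 16, 1_462_233_600  # fixed so the run is repeatable
    response = challenge_response(account.stored_hash, challenge)  # computable from the hash alone
    good_code = totp(account.totp_secret, now)  # only the token holder has this
    bad_code = str((int(good_code) + 1) % 1_000_000).zfill(6)  # a guess that is guaranteed wrong
    return {
        "hash_alone_passes_password_only": login_password_only(account, challenge, response),
        "hash_alone_fails_with_2fa": not login_with_second_factor(account, challenge, response, bad_code, now),
        "admin_with_token_passes_2fa": login_with_second_factor(account, challenge, response, good_code, now),
    }
```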

Second, the FTC is requesting information from PCI auditors on how they conduct assessments. The FTC is interested in a number of areas, such as conflicts of interest, that I won’t go into here. Just note that pressure is on to improve the entire process and its outcomes.

Moreover, information security professionals often mock the PCI-DSS requirements as a ‘floor that people see as a ceiling’. It is true that many breached companies were audited companies. However, how many companies have implemented two-factor authentication for administrators? As a provider of two-factor authentication solutions, I will tell you: not many. So, if this particular PCI requirement is as effective as I suspect it will be, you will see more admins using two-factor authentication. It will become ‘the floor’, one hopes.

It makes sense too. Two-factor authentication is a ‘known to work’ technology. It makes hacker infiltration using stolen credentials extremely difficult and greatly reduces the attack surface for an organization. But attackers can still get in other ways (typically malware deployed via email). Deploying two-factor authentication to admins — a smaller group of users who should appreciate the need for security — makes attack escalation much, much more difficult and detection even more likely. Hopefully, when the next Verizon DBIR comes out, the impact will be seen.


Nick Owen

CEO @ WiKID Systems, Inc. We do on-premises two-factor authentication solutions for enterprises. I do other things, but don’t really share them online.