When large organizations like LinkedIn, Twitter and Facebook report password hacks, it throws some light on how vulnerable current systems are, as well as the need for multi-factor authentication. However, multi-factor authentication is shrouded in myths that may prevent organizations from adopting it.
Multi-factor authentication (MFA) is one of the most highly recommended security measures in this age of brute-force attacks, data breaches and other such cyber attacks. And while some off-the-shelf SaaS applications may already come with a built-in MFA feature, when it comes to a custom-built application or website, businesses have to make the tough decision between reinforced security and the high cost at which it comes.
As mobile phones became more sophisticated, their usage shifted from being communication oriented to application oriented. But phone numbers were never intended to be used as secure identifiers – their purpose is to simply act as subscriber identifiers during call routing. When applications use phone numbers in their login processes, it can give attackers and hackers an advantage.
Here are a few ways in which your OTP can be intercepted by hackers:
Man in the Middle attack
This is a type of eavesdropping attack in which a hacker places himself as a proxy or relay between the OTP sender and receiver. For the sender and receiver, the communication will seem like it is happening only between those two, whereas it is actually passing through an impersonator. Black hat hackers often hack into financial websites and place high-level codes which will allow them to intercept messages between banks and users, making it convenient for him/her to access an account.
Ready-to-download malware which can easily hack into a user’s mobile devices are available online. In addition to grabbing your SMS content, these can also access other areas of your phone like your gallery and directory to extract more personal information. In fact, a few of these malware are disguised as mobile applications like fitness trackers, timers, alarm clocks, etc.
SIM cloning attack
Investigative agencies use SIM cloning attacks to monitor and track suspects. However, SIM cloning modules are easy to find and purchase by anyone if they look hard enough. Using this, a user is cut off from his/her mobile network and calls and messages are redirected to the new SIM in the attacker’s phone. To carry out a SIM cloning attack, the SIM being cloned has to be of the GSM type.
SMS-C hack attack
All messages are required to pass to SMS-C servers placed in a mobile service provider’s network. Only after being processed by the SMS-C servers is the message transmitted to a mobile phone. If hackers manage to hack SMS-C servers, they can very easily gain access to all the messages entering and exiting the network. SMS-C servers are often protected by high-end security solutions which are hard to break through. However, it is not impossible.
Brute force attack
In brute force attacks, any and all combinations of numbers are tried to get the right OTP. If the number of entries is limited, brute force attacks can become ineffective in gaining access to an account, simply due to the number of combinations available. It also helps if the OTP is 6 digits instead of 4 digits as the combinations required to successfully execute a brute force attack increases by a factor of 100. Due to such a poor success rate, brute force attacks are not preferred by hackers.
For organizations, there is no reliable way of finding if your employees’ numbers have been compromised. To ensure that your network is secure, we suggest looking for a less-risky option for authenticating your users. You could go for an improved multi-factor authentication method like using the biometrics of a person to verify his/her identity. While there are more sophisticated attacks which can hack a biometric authentication system, it would be almost impossible to recreate a person’s thumbprint or retina blood pattern.
With Akku from CloudNow Technologies, you can easily create a fool-proof identity and access management system by integrating multi-factor authentication using biometric scanners in your login process. To make a significant improvement to your network security by enforcing biometric multi-factor authentication, get in touch with us now.
Ever heard of the butterfly theory? A single flap of a butterfly’s wings in Australia has the potential to cause a tsunami in Indonesia. Similarly, a minor tweak in your IT infrastructure has the potential to make every node of your network vulnerable to serious attacks, irrespective of their relationship. To ensure that network security remains as streamlined as possible through any number of changes to your IT systems, it is crucial to add a virtually unhackable component to your network security.
Is the only thing standing between your business’ critical data and a cyber attack a set of usernames and passwords? If yes, then it’s definitely time for a security upgrade for your cloud and on-premise applications.
We are increasingly using applications on our smartphones for business and personal purposes. Everyday activities have become much easier and more efficient to perform; what used to take us days to process can take us seconds today.
Whether or not you know what it is called, you have likely used 2FA at least once in your life online.
Remember the time you tried logging into your email account from a new device and your email service provider sent you an SMS with a PIN (OTP), to re-validate that it was actually you attempting to login? You would have been allowed access to your inbox only after you entered the correct OTP.
Or the time you tried to transfer money to someone through internet banking. Even though you already entered your customer ID and password, your bank’s application would want to make sure that someone else hadn’t stolen your credentials. They do this by sending you an email with a PIN or a link to click on, for additional validation.
Known by many names – two-factor authentication, two-step authentication, two-step verification or dual factor authentication, 2FA refers to a second level of authentication added on in order to enhance security inherent to a login process. This is in addition to the username and password step, which is relatively susceptible to hacking.
A two or multi-factor authentication process typically asks you for ‘something you know’ in the first step, such as your email ID/username and password.
In the second step, it may ask you to authenticate your identity with ‘something you have’ or ‘something you are’.
Something you know – the knowledge factor:
This could be your username and password, as in any ordinary login process, or it could be a PIN.
Something you have – the possession factor:
This traditionally referred to hand-held token items, such as smart cards or Yubikeys embedded with a certificate to identify the user. Nowadays, a ‘possession’ could also be your smartphone, containing an app which sends a push notification or a TOTP. This is especially beneficial since tokens like smart cards are relatively more prone to being lost, stolen or misplaced.
Something you are – the inherence factor:
Biometric authentication could involve the scanning of a biological element that is exclusively yours – such as your fingerprint, hand geometry, retina, iris and so on. Voice recognition can also be used.
Two-factor authentication for your business
If your business relies on highly sensitive data or handles personal data of clients, you need to have an information security management system in place. This is especially crucial these days as several governments are imposing stringent regulations to ensure that the privacy of their citizens is not compromised. Some business standard certifications also require security compliances to certify your business and, therefore, it is important for you to protect sensitive data with more than just single-factor authentication (SFA).
By setting up 2FA or MFA security in all your business applications, you are assured of a higher degree of protection. In this manner, even if somebody does steal, guess or hack a password or even a list of passwords, through a brute force attack, they will be stopped at the second level as they attempt to log in to a specific individual’s account.
Multi-factor authentication solutions by Akku
When your business uses multiple applications, it may be both expensive and difficult to set up and streamline multi-factor authentication in each. That is where Akku comes in, with the promise to address all these concerns once and for all.
Once you opt for Akku, it becomes a common identity provider (IdP) across all your enterprise applications and creates a single sign-on (SSO) page through which your users can access them. Having brought all of your applications to a single platform through the SSO, Akku then seamlessly implements the multi-factor authentication functionality across them all.
With Akku, users can decide to use any of the following options as their second factor for re-validating their identity, giving them the power of choice:
A push notification delivered to their smartphone through the Akku mobile app
A time-based OTP (TOTP) which expires in 30 seconds through an authentication app (such as Google authenticator)
A PIN sent through an SMS to their registered mobile number