Making 2FA/MFA robust against smishing and related attacks

Member Announcements
Written By Katrina Angelika

Traditionally, authentication of users of web and mobile applications has been done with username/password logins. However, attackers soon found vulnerabilities that could be exploited. Users might use weak passwords, use the same password for multiple accounts, share passwords, etc.; even with strong passwords, attackers might use social engineering to persuade the human user to bypass the protection, e.g., by revealing the password to the attacker, presenting the credentials to a malicious site where they could be captured, and so on.

2FA/MFA was introduced to make it harder for attackers, by requiring two or more proofs of identity – also known as authentication factors. These can take many forms, but can be boiled down to: something you know (e.g., a password), something you have (e.g., a cryptographic key), or something you are (e.g., a biometric ID that is unique to you) [1].

However, 2FA/MFA is not a universal panacea that can be picked off a shelf and thrown in to solve any and all challenges presented by attackers.

  • Just because something CAN be used as an authentication factor does not make it a good authentication factor. Using SMS to deliver a short-lived One-Time-Password (OTP) to a user’s mobile phone (“something you have”), is an example of an authentication factor notorious for its weaknesses. SMS relies on decades-old legacy technology with known vulnerabilities.

  • Implementation: the way an authentication factor is implemented can make a big difference in the viability of attacks/hacks against it. A little known fact is that most mobile authenticator apps can be hacked surprisingly easily, e.g., attackers can get the seed to generate the same OTP in another authenticator by exploiting a Trust Gap [2]. Hence, the implementation should be well crafted to avoid various pitfalls.

  • Resets/re-onboarding. Authentication factors need to be set-up. Sometimes, they need to be reset, e.g., when a user forgets their password, or when a software token is bound to a specific mobile device and the user gets a new phone. This introduces vulnerabilities that can be exploited. For example, if a helpdesk is involved, social engineering could be used to induce a reset in the attacker’s favor.

These days, cybercrime groups like UNC3944 [3] have reportedly been actively carrying out active attacks by exploiting vulnerabilities in implementation and resets/re-onboarding of 2FA/MFA. Even some well-known organisations have been hacked.

It is no longer enough to use just any 2FA/MFA. Besides choosing reasonably reliable authentication factors, it should come with well crafted implementations and minimizing or even eliminating the need for resets/re-onboarding. A passwordless solution would eliminate the use of passwords that can be easily phished. Appropriate use of biometrics can also effectively eliminate the need for 2FA/MFA bypass or re-onboarding. Finally, a solution that can eliminate Trust Gap issues would have to be able to defend software against attacks and provide a strong identity to the app in addition to the user. A good solution that can meet the above requirements for strong mobile-based 2FA/MFA is provided by V-Key ID [4]. It builds on the foundations of V-Key’s V-OS Smart Token, a well-crafted implementation that solves Trust Gap issues, and adds innovations such as cross-platform privacy-enabled biometrics to minimize/eliminate resets/re-onboarding. It can be used to provide strong 2FA/MFA for both your employees (using V-Key Smart Authenticator) as well as your customers (incorporating V-Key ID within your app).

References

[1] NIST Special Publication 800-63 Part 3 “Digital Identity Guidelines”, https://pages.nist.gov/800-63-3/sp800-63-3.html

[2] “Most mobile authenticator apps have a design flaw that can be hacked”, https://www.businesswire.com/news/home/20211008005015/en/Most-Mobile-Authenticator-Apps-Have-a-Design-Flaw-That-Can-Be-Hacked

[3] “Why are you Texting Me? UNC3944 leverages SMS ..”, https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware?s=01

[4] “Revolutionising Universal Digital Identities with V-Key ID”, https://www.v-key.com/resource/revolutionising-universal-digital-identities-with-v-key-id/

This article is provided by V-Key

Katrina Angelika
Previous

From the Trenches: One-Year Retrospective on CDR Open Banking in Australia
Next

FinTech Voice, October 5, 2023