“Implement two-factor authentication.” This is the advice cybersecurity experts around the world offer whenever a major phishing attack hits the news again.
It's true that two-factor authentication (2FA) is a legitimate secondary security method for businesses to consider, but it's not as foolproof as one might think. Cybercriminals are often one step ahead of the experts and have learned to circumvent 2FA.
The Technology Behind 2FA
2FA is a process in which a user is authenticated using two separate methods, for example a username/password combination plus a second, independent factor. Withdrawing cash from an ATM is a familiar example: you need both your passcode (PIN) and the physical debit card in the machine. Many financial institutions' websites use two factors: you must authenticate yourself with a PIN sent to you unless a recognised cookie is already stored in your browser. This PIN can be transmitted by email, text message or voice call.
There are also hardware devices such as the YubiKey, a USB device that plugs into a computer and emits a one-time passcode (OTP) when the user presses the button on the inserted key. The authentication service must be configured to accept this OTP, but the service is widely supported and the integration code is open source. Microsoft offers it as a 2FA option for all Office 365 web services.
Another form of key is the rotating passcode token: a piece of software or a hardware device that is synchronised with a server and registered to a user. The token displays a rotating multi-digit code that the user appends to their password. The receiving service splits the combined string back into password and code and verifies the code against the authentication server. This rotating code plays the same role as a one-time code received by text message.
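As an added example (not code from the original post), the following Python implements the rotating code as RFC 6238 TOTP and the server-side step just described: separating the combined string into password and code and checking both. The shared secret is the published RFC 6238 test value; the salt and password are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
# Base32 form of the RFC 6238 reference secret "12345678901234567890";
# a demo value shared by server and token at enrolment, not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, truncated to 6 digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class SplitPassphraseVerifier:
    """Server side of the 'password + rotating code' scheme: split, then check both parts."""

    def __init__(self, password: str, secret_b32: str) -> None:
        self._salt = b"constructed-demo-salt"  # per-user random salt in a real deployment
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)
        self._secret = secret_b32
        self._used_counters = set()  # each time-step code is accepted once; replays are rejected

    def verify(self, combined: str, unix_time: int) -> bool:
        if len(combined) <= DIGITS:
            return False
        # The trailing DIGITS characters are the rotating code; everything before is the password.
        password, code = combined[:-DIGITS], combined[-DIGITS:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)
        pw_ok = hmac.compare_digest(candidate, self._pw_hash)
        # Accept the current step and one step either side to absorb clock drift between token and server.
        for drift in (-1, 0, 1):
            t = unix_time + drift * STEP_SECONDS
            counter = t // STEP_SECONDS
            if counter in self._used_counters:
                continue
            if hmac.compare_digest(totp_code(self._secret, t), code):
                if pw_ok:
                    self._used_counters.add(counter)
                return pw_ok
        return False
```

Note that a code is accepted from anywhere for its 30-second window: the server cannot tell whether the person submitting it is the token holder or a site relaying it, which is the weakness the rest of the post describes.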
The advantages of 2FA are obvious: an additional layer of security on a transaction or an account means that a potential attacker would need both factors to get in. If your card were stolen or lost without the second factor of a PIN, as in the ATM example above, a fraudster could quickly empty your account. Likewise, a malicious user who has your password but not your 2FA key could not access your email account, break into it and use your details to reach your banking or other services.
The Limits of 2FA
The first major drawback of 2FA is that it is tied to sessions. For example, if you use a VPN service that requires 2FA, your established session stays authenticated until you log off. When you use it to access your insurance company's website, a session cookie holds the information that identifies you to the server; once you have logged out and deleted the cookie, you have to authenticate again. That is not a drawback in itself, but if you use your mobile device to read e-mail, for example, having to repeat the 2FA step every time you want to check your inbox or send a message quickly becomes a nuisance.
The deeper problem with 2FA is that any authentication method is only as good as the trust placed in it. When users receive a phishing message asking them to log into their bank account, the email contains a link to a temporary website that looks like the bank's real site. Users are redirected to this phishing site, where they enter their username and password plus their 2FA code. The phishing site then uses both parts to log into the financial institution. Because the user “trusted” the phishing site, they disclosed their login details, and the second factor is useless.
Kevin Mitnick, a security advisor and former hacker, demonstrated how 2FA data is recorded in session cookies. As soon as a phishing victim enters their 2FA code on the phishing website, the attacker can read the session cookie from the developer tools of a web browser such as Chrome. With that session cookie the attacker no longer needs the victim's username and password; copying the cookie into a browser is enough to log into the victim's account.
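Following on from the cookie-replay demonstration above, here is an added example (not from the original post or from any product it mentions) of a server-side check that records the client context when a session is issued after 2FA and revokes the session when the same cookie is later presented by a different browser or network. The User-Agent strings, IP addresses and user names are constructed sample values.

```python
import hashlib
import ipaddress
import secrets


def client_context(user_agent: str, ip: str) -> tuple:
    """Coarse binding context: hashed User-Agent plus /24 (IPv4) or /64 (IPv6) prefix."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    return hashlib.sha256(user_agent.encode()).hexdigest(), net


class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}   # cookie -> {"user", "ua", "net", "revoked"}
        self.alerts = []      # detection events for the SOC, one line per revoked session

    def issue(self, user: str, user_agent: str, ip: str) -> str:
        """Issue a cookie only after password and second factor have both been verified."""
        cookie = secrets.token_urlsafe(32)
        ua_hash, net = client_context(user_agent, ip)
        self._sessions[cookie] = {"user": user, "ua": ua_hash, "net": net, "revoked": False}
        return cookie

    def check(self, cookie: str, user_agent: str, ip: str) -> str:
        """Return 'ok', 'unknown', 'revoked' or 'mismatch'; a mismatch revokes the session."""
        s = self._sessions.get(cookie)
        if s is None:
            return "unknown"
        if s["revoked"]:
            return "revoked"
        ua_hash, net = client_context(user_agent, ip)
        if ua_hash != s["ua"] or net != s["net"]:
            s["revoked"] = True
            self.alerts.append(f"session of {s['user']} presented from {net} by a different client; revoked")
            return "mismatch"
        return "ok"


def replay_demo() -> list:
    """Constructed sequence: victim logs in, then the same cookie arrives from another browser."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
    cookie = store.issue("alice", victim_ua, "203.0.113.10")
    return [
        store.check(cookie, victim_ua, "203.0.113.55"),                               # same /24 and UA: ok
        store.check(cookie, "Mozilla/5.0 (X11; Linux) Firefox/121", "198.51.100.7"),  # copied cookie
        store.check(cookie, victim_ua, "203.0.113.10"),                               # victim is logged out too
    ]
```

Matching the User-Agent and network prefix is a coarse heuristic, so treat a mismatch as a reason to revoke and alert rather than as proof of compromise, and pair it with short session lifetimes and re-authentication for sensitive actions.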
Even more dangerous, however, is the false sense of security that 2FA has created. Phishing attacks succeed because the psychological manipulation works. Under cover of a well-known, heavily promoted security method like 2FA, the cybercriminal not only manipulates victims into handing over their personal data, but also lulls them to sleep.
Although two-factor authentication can serve as a secondary layer of security for many applications, on its own it is not sufficient. Protegent360's antivirus software for Office 365 uses AI, including machine learning, to detect targeted phishing attacks, and its auto-remediate feature automatically reclassifies any threats that originally bypassed the filter, protecting the end user from potentially costly threats.