“Implement two-factor authentication.” This is the advice cybersecurity experts around the world give whenever a major phishing attack hits the news again.

Two-factor authentication (2FA) is indeed a legitimate secondary security control for businesses to consider, but it is not as foolproof as one might think. Cybercriminals are often one step ahead of the experts, and they have learned to bypass 2FA.
The Technology Behind 2FA
2FA is a process in which a user is authenticated using two separate methods: for example, a username/password combination plus a second, independent factor. A familiar example is withdrawing cash from an ATM: you need both your passcode (PIN) and the physical debit card inserted in the machine. Many financial institution websites use two factors as well: you must authenticate yourself with a PIN that is sent to you, unless a cookie from an earlier verified login is already stored in your browser. This PIN can be transmitted via email, text message, or voice call.
There are also hardware devices, such as the Yubikey, a USB device that plugs into a computer and transmits a one-time passcode (OTP) when the user presses a button on the inserted key. The authentication service must be configured to validate this OTP. However, the service is widely supported and the integration code is open source. Microsoft offers it as a 2FA path for all Office 365 web services.
Another form of key is the rotating passphrase key. This is software or a hardware device that is synchronized with a server and registered to a user. The device outputs a rotating multi-digit code that the user appends to their password. The recipient of the combined string splits it into its two parts and checks the code against the authentication server. This external passphrase is similar to receiving a text message with a one-time registration code.
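The server-side half of the rotating-code scheme described above, as an added example that is not code from the original post: a time-based code generator (RFC 6238 style, HMAC-SHA1 over a 30-second counter), and a verifier that splits the submitted "password+code" string, tolerates one step of clock drift, and refuses to accept a code for a time step that has already been consumed. The secret, password and timestamp are constructed demo values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values, not real credentials.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # seconds per code rotation
DIGITS = 6     # length of the rotating code appended to the password


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Time-based one-time code: HMAC-SHA1 over the time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Server side: splits 'password+code', checks both factors, and remembers the
    last accepted time step so the same code cannot be accepted a second time."""

    def __init__(self, password: str, secret_b32: str, window: int = 1):
        self.password = password
        self.secret_b32 = secret_b32
        self.window = window        # time steps of drift tolerated on either side
        self.last_counter = -1      # highest time step already consumed

    def verify(self, combined: str, unix_time: int) -> bool:
        if len(combined) <= DIGITS:
            return False
        password, code = combined[:-DIGITS], combined[-DIGITS:]
        if not hmac.compare_digest(password, self.password):
            return False
        base = unix_time // STEP
        for counter in range(base - self.window, base + self.window + 1):
            expected = totp_code(self.secret_b32, counter * STEP)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter:
                    return False    # code for this step already used: reject the replay
                self.last_counter = counter
                return True
        return False
```

The replay check only helps once the legitimate user has consumed the code; a code relayed in real time before the user's own login still validates, which is the gap the rest of this post describes.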
The advantages of 2FA are obvious: an additional layer of security for a transaction or an account means that a potential attacker would need both keys to access the account. If, as in the ATM example above, your card is stolen or lost, without the second factor of a PIN code a fraudster could quickly empty your account. Likewise, a malicious user who has your password but does not have your 2FA key could not access your email account, break into it, and use your details to access banking or other services.
The Limits of 2FA
The first major disadvantage of the 2FA process is that it is tied to some sort of session. For example, if you use a VPN service that requires 2FA, your established session stays authenticated until you log off. When you use it to access your insurance company's website, a session cookie contains information that identifies you to the server. After you have logged out and deleted the cookie, you will need to authenticate yourself again. For this kind of setup that is not a disadvantage, but if you use your mobile device to access email, for example, having to go through 2FA every time you want to check your inbox or send a message is quite a nuisance.
The deeper problem with 2FA is that any authentication method is only as good as the trust you place in it. When users receive a phishing message asking them to log into their bank account, the phishing email contains a link to a temporary website that looks like the real bank's. The users are redirected to this phishing website, where they enter their username and password plus their 2FA code. The phishing site then uses both parts to log into the financial institution. Because the user “trusted” the phishing website, they disclosed their login information, and so the second factor is useless.
Kevin Mitnick, a security advisor and former hacker, demonstrated how 2FA state is recorded in a session cookie. As soon as a phishing victim enters their 2FA code on the fake website, the attacker can retrieve the resulting session cookie using the developer tools of a web browser such as Chrome. With this session cookie, the attacker no longer needs the victim's username and password; it is sufficient to copy the session cookie into a browser to log into the victim's account.
Even more dangerous, however, is the false sense of security that has developed. Phishing attacks succeed because of the psychological manipulation behind them. With the help of a well-known, well-hyped security method like 2FA, the cybercriminal was not only able to manipulate the victims into giving out their personal data; the method also lulled them to sleep.
Although two-factor authentication can be a secondary layer of security for many applications, on its own it is not sufficient. By implementing Protegent360 Total Security Software to detect targeted phishing attacks, together with an auto-remediate feature that automatically reclassifies any threats that originally bypassed the filter, the end user is protected from potentially costly threats.