Too Fragile Authentication

  • Matt White

Security controls can be quietly subverted by attackers finding ways to outflank the strength of one technology by exploiting an overlooked side channel. A perfect example of this is how criminals have been able to readily defeat two-factor authentication (2FA) – one of the most heavily promoted security measures for businesses and consumers.

Crucially, 2FA-protected services require more than a UserID and password for login. They send a separate authorization code, often to your smartphone via text message, when you attempt logins from an unfamiliar (untrusted) computer. The premise of 2FA is that while an imposter might guess or purchase your password, he or she is unlikely to have your phone in their possession.

In practice, 2FA proves to be highly vulnerable. Importantly, it’s not the codes themselves that are the problem – it’s that attackers and accidents make their delivery fragile and prone to interception.

Take “SIM-swap” attacks, which let people intercept your phone’s calls and texts: Motherboard’s Lorenzo Franceschi-Bicchierai and Ben Makuch offer an insightful, plain-English discussion of this in an episode of VICE’s CYBER podcast. In essence, fraudsters have found it’s unsettlingly easy to social-engineer their way into users’ smartphones – the center of most people’s digital lives – by convincing cell carriers’ call centers to transfer a victim’s phone number to a rogue SIM card. Once these criminals redirect your account to their malicious SIM/handset, they can seamlessly receive and enter 2FA codes sent to your phone number when they use your login credentials from untrusted devices. In this scenario, the latest securely generated, one-time 2FA codes fall victim to age-old human psychological exploits.

When attackers aren’t coaxing 2FA access from carriers, they’re finding the codes with search engines. A recent eye-opening story by TechCrunch’s Zack Whittaker details an Internet-facing server belonging to communications company Voxox displaying “a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.” The server was not password protected and was discovered by a security researcher using Shodan. The Voxox incident illustrates a core limitation of two-factor / multi-factor authentication: we place great emphasis on creating these privileged codes themselves, but pay less attention to weaknesses in their delivery mechanisms, like cell service and SMS, letting 2FA codes fall into the wrong hands as easily as e-mail addresses.

So what can we do when passwords are all over the dark web and codes used to reset them are just a search engine away?

Enter behavioral biometrics: When your bank, brokerage or retailer fortifies their web site or mobile app with BehavioSec, attackers armed with your passwords and 2FA codes are still blocked from taking over your account. BehavioSec looks deeper than whether a user has the “right” credentials – our software instantly and precisely measures whether users attempting logins and transactions match the known typing habits, cursor and mouse movements or touchscreen pressure of known, authentic users. This unique, real-time continuous authentication surpasses relying on matching passwords alone to authenticate users. When BehavioSec spots deviations from routine, authentic behaviors, businesses can reject logins or permit transactions to proceed with higher risk scoring and additional security measures activated.

BehavioSec’s rapid growth across industries and glowing hands-on reviews show the proven benefits from rethinking authentication. Tired of fraud costs and account takeovers shaking your users’ productivity and peace of mind? Learn more about BehavioSec and start a conversation with us on retaking control of online identity.