The ease and convenience of online services have not been lost on organizations. Over the last 10 years, enterprise adoption of remote access has led to an explosion in the growth of these services. Unfortunately, there has been a corresponding rise in security threats as well. The 2014 Neustar Annual DDoS Attacks and Impact Report revealed that 71 percent more companies were hit by DDoS attacks in 2013 than the year before. These market trends demonstrate the need for major enterprises to adopt stringent, effective security methods as a means to protect against breaches. Consequently, modern mobile phone-based multifactor authentication is in high demand.
How Hacking Has Evolved
Hackers have kept right in step with developments in the remote access industry, increasing the complexity of their attacks as necessary. In the early days of online services, usernames and passwords were typically the only form of authentication. Hackers used a variety of basic attacks to either guess the username or assume the user’s identity.
Once security professionals caught on, they created systems to shut down an account after several wrong passwords were tried. This led hackers to innovate new methods.
Today, the most widely used attacks are pharming, phishing or a combination of the two. These terms describe methods by which users are led to a fake website that appears identical to the original, tricking the user into entering his or her username and password. Some of the more advanced attacks send the stolen information to the hackers in real time via a small instant-messaging program, compromising many popular two-factor authentication tokens, because a captured code can be used by the attacker before it expires. As an example, Zeus malware captures a user’s credentials – even advanced time-based token codes – and sends the information to the hacker.
As if that weren’t enough bad news, hackers have developed even more complex methods of intercepting user interactions with online services. Even the most secure traditional two-factor authentication token devices can no longer ensure the identity of a user against attacks such as man-in-the-browser, man-in-the-middle and session hijacking. Yet many organizations are unaware that traditional tokens can be compromised, posing a significant security risk.
The Best Protection Money Can Buy
The always-changing threat landscape forces companies to continually assess how much they will need to spend to achieve the level of protection they want. Often, the best possible protection is out of reach for many organizations, and thus a trade-off has to be made. To protect against identity theft schemes within budgetary constraints, organizations have sampled different technologies, including certificates, biometric scanning, identity cards and hardware and software tokens, with the latter being the most dominant technology. Certificates are often viewed as the ideal way to connect two devices with a secure, identifiable connection. The main issues are the deployment and administration of these certificates and the risk that they are copied without the user’s knowledge. Furthermore, the certificate authority might be compromised as well.
One security option, formerly only the stuff of science fiction, has gained some followers: biometric scanning. However, the assumption that you always have a functioning finger or iris scanner handy has proven impractical, and the resulting scan produces a digital file that can itself be compromised. Another alternative is the identity card, which often proves impractical in a world of “Bring Your Own Device” (BYOD), where users demand access from an ever-changing variety of devices. Therefore, a new approach is needed to ensure that access remains secure, regardless of the end user’s location or method used.
Modern Security Strategies
Organizations must balance serious security concerns with ease-of-use concerns. They need to deliver hardened security that anticipates novel threats while deploying this level of security easily and at a low cost. As a result, many organizations have begun using multi-factor authentication based on mobile networks. The device used in the authentication process also needs to be connected to the network in real time and be unique to the user in question.
A potential problem still exists within the authentication process, however. If the authentication engine sends a regular token via SMS, today’s malware threats can easily steal the code. Therefore, to successfully safeguard against modern threats, organizations must seek strategies that operate efficiently in a message-based environment. These strategies may include:
Contextual information: Organizations should leverage contextual information – such as geo-location and behavior patterns – to effectively authenticate the user and maximize security.
Streamlined infrastructure: To minimize infrastructure complexity, the solution should plug into different login scenarios, such as Cisco, Microsoft and Web logins. Another idea for minimizing infrastructure overload is to provide these logins in an integrated, session-based architecture.
Easy management: The solution should be easily managed within the existing user management infrastructure.
Multiple defenses: To support real-time code delivery, the organization needs robust and redundant server-side architecture along with multiple delivery mechanism support, regardless of location.
Session-specific security: For the ultimate degree of security, the one-time password (OTP) must be both generated in real time and specific to the login session, rather than derived from a seed file in which the passcodes are effectively stored in advance, as traditional tokens do.
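The difference between a seed-file token code and a session-specific code, described in the attack section above (a relayed time-based code still works) and in the list item on session-specific security, comes down to what the server checks. The following is an added example written for this article; it is not SMS PASSCODE’s product code and models no particular vendor. It contains a small RFC 6238-style TOTP verifier (which knows nothing about sessions), and a constructed session-bound OTP server whose codes are tied to a login session nonce, expire, are single-use, and are checked against the client address recorded at login start as a simple form of the contextual check the list recommends. Key material, session identifiers, IP addresses and the timestamps are constructed sample values.

```python
"""Seed-based TOTP versus a session-bound one-time passcode (illustrative, not vendor code)."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class SeedTokenVerifier:
    """Server-side check for a seed-file token. It has no notion of which session is asking,
    so any caller who presents the current code within the time step is accepted."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step

    def verify(self, user_code: str, now: int) -> bool:
        return hmac.compare_digest(user_code, totp(self.secret, now, self.step))


class SessionOtpServer:
    """Session-bound OTP: the code is derived from a per-login nonce and the session id,
    is valid for one session only, expires after `ttl` seconds, is single-use, and must
    be presented from the client address that started the login (constructed context check)."""

    def __init__(self, server_key: bytes, ttl: int = 120):
        self.key = server_key
        self.ttl = ttl
        self.sessions = {}  # session_id -> dict(user, nonce, issued, ip, used)

    def start_login(self, user: str, now: int, client_ip: str):
        """Create a login session and the code that would be sent out of band to the user."""
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.sessions[session_id] = {"user": user, "nonce": nonce, "issued": now,
                                     "ip": client_ip, "used": False}
        return session_id, self._derive(user, nonce, session_id)

    def _derive(self, user: str, nonce: bytes, session_id: str) -> str:
        msg = b"|".join([user.encode(), nonce, session_id.encode()])
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10 ** 6:06d}"

    def verify(self, session_id: str, user: str, user_code: str, now: int, client_ip: str) -> bool:
        s = self.sessions.get(session_id)
        if s is None or s["used"] or s["user"] != user or s["ip"] != client_ip:
            return False
        if now - s["issued"] > self.ttl:
            return False
        ok = hmac.compare_digest(user_code, self._derive(user, s["nonce"], session_id))
        if ok:
            s["used"] = True  # single use: a replayed code is refused
        return ok


def relay_scenario() -> dict:
    """Constructed scenario: the same digits presented to a session other than the one
    they were issued for. Returns a dict of named checks; every value should be True."""
    now = 1_700_000_000  # constructed timestamp
    results = {}

    seed = SeedTokenVerifier(b"12345678901234567890")  # RFC 4226/6238 test secret
    code = totp(seed.secret, now)
    # The seed verifier cannot tell who is presenting the code within the 30-second step.
    results["seed_code_accepted_by_any_session"] = seed.verify(code, now + 5)

    srv = SessionOtpServer(b"constructed-server-key")
    sid_a, code_a = srv.start_login("alice", now, client_ip="10.0.0.5")
    sid_b, _ = srv.start_login("alice", now, client_ip="203.0.113.9")  # a second session
    results["bound_code_rejected_in_other_session"] = not srv.verify(sid_b, "alice", code_a, now + 5, "203.0.113.9")
    results["bound_code_rejected_from_other_ip"] = not srv.verify(sid_a, "alice", code_a, now + 5, "203.0.113.9")
    results["bound_code_accepted_in_own_session"] = srv.verify(sid_a, "alice", code_a, now + 5, "10.0.0.5")
    results["bound_code_single_use"] = not srv.verify(sid_a, "alice", code_a, now + 6, "10.0.0.5")
    sid_c, code_c = srv.start_login("alice", now, client_ip="10.0.0.5")
    results["bound_code_expires"] = not srv.verify(sid_c, "alice", code_c, now + 200, "10.0.0.5")
    return results


if __name__ == "__main__":
    for name, ok in relay_scenario().items():
        print(f"{name}: {ok}")
```

The seed verifier accepts the code from whoever presents it during the time step, which is the property the real-time relay described earlier relies on. The session-bound server refuses the same digits in a different session, from a different address, after expiry, or a second time. The example does not model the delivery channel itself; the list item on multiple defenses covers that separately.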
Defending the Future
As the Neustar report revealed, hackers continue to increase their efforts to breach security. Advanced persistent threats (APTs) and an ever-evolving roster of hacking methods have compromised the more than twenty-year-old two-factor authentication token, sounding a clear call for a next-generation multi-factor authentication solution.
An approach that sends a session- and location-specific code to the user’s mobile phone in real time can provide peace of mind to organizations that constantly face the threat of attack.
Claus Rosendal is a founding member of SMS PASSCODE A/S, where he oversees the product strategy and development in the role of Chief Technology Officer. Prior to founding SMS PASSCODE A/S, he was a co-founder of Conecto A/S, a leading consulting company within the area of mobile computing and IT security solutions with special emphasis on Citrix, Blackberry and other advanced handheld devices. Prior to founding Conecto A/S, he headed up his own IT consulting company, where he was responsible for several successful ERP implementations in different companies (C5 / SAP). Claus holds a Master’s Degree in computer science from the University of Copenhagen.