The Issue of Phishing Attacks
90% of security attacks start with a phishing attempt. This is because attackers want to get hold of your password. Once they have obtained it, they can become you and access everything you can access.
Passwords work as a “shared secret” solution. If you can demonstrate to the computer or website that you know the secret (the password), it will let you in. The problem is that anyone else who finds or guesses the password can get access as well.
Passwords have become one of the biggest security challenges we face. Where passwords must be used, good password choices must be made.
Two Factor Authentication vs. Two Step Verification
Two common solutions are two factor authentication and two step verification – these are different from one another. Although they are remarkably similar in concept, the difference is the trust model. In any security system, trust is a crucial element to understand.
Two factor authentication and two step verification are both authentication systems designed to increase the level of trust in a username/password exchange. Rather than simply rely on the user indicating their knowledge of a password (which an attacker can steal or guess), the concept is to rely on two independent items of information. For example, this might be a password and an additional code sent via SMS message. It is the independence of this additional item of information that makes the difference, and crucially how much you can trust it.
With two-factor authentication, there should be complete independence. One factor cannot be influenced or gained by knowledge of the other. This is where hardware devices such as smart cards or authentication tokens are used.
But what about SMS tokens sent to a phone? The question here relates to independence. Certainly there are two steps – hence two step verification. But are they independently providing two factors?
Let’s explore a use case… I try to log onto a secure site from my smartphone. I provide my username, followed by my password. The service provider sends a code via SMS to the same smartphone. I enter the code from the SMS into the login screen (two steps). What happens when a hacker compromises my phone? They can intercept my username & password and the SMS – it’s all in one convenient place. The same applies if they steal my phone. Hence, these mechanisms are not “two factor” – they fail the independence rule.
Two-step verification is vastly better than passwords alone. But be wary, it is not foolproof – if your phone is hacked or stolen, the attacker can still become you, just as they could in the password-only world.
For added security, try to use genuine two factor authentication where possible.
Is 2FA Really Broken?
There has been a rise in articles stating that 2FA is broken. Of course, it’s not infallible, and better solutions would be welcome. Yes, SMS messages can be intercepted. Yes, man-in-the-middle attacks can still work. But if we all implemented 2FA, the headlines stating that “90% of security attacks start with phishing” would drop significantly, and the attacker’s job would become much harder.
This was originally posted in the Tech UK Insights segment.
How Can Nexor Help?
Nexor Cyber Security Assessment
Our expert team can conduct a cyber security assessment to help you understand the gaps in your systems and provide you with actionable steps to improve your cyber security.
If you’re interested, please get in touch with us for more information.
Author Bio – Colin Robbins
Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.