
We have repeatedly been reminded of the weakness of passwords as an authentication method. High-profile breaches with millions of lost credentials, sophisticated desktop malware, advanced mobile malware, phishing scams and other attacks have proven time and time again that a username and password combination cannot provide the adequate evidence required for authentication.

One of the most popular and trusted methods for strong authentication has been the use of one-time passwords (OTPs) in the form of tokens. While OTP tokens are used to deter attackers due to the need for real-time data from the potential victim, today’s malware is specifically designed to circumvent this security measure.

While two-factor authentication (2FA) is based on the assumption that two of the three factors of authentication are used (something you know, something you have and something you are), tokens no longer qualify as “something you have.” The moment a user looks at a token’s randomly generated number, it becomes something he knows. While this new password does have a short time to live, it is still just another password in the user’s possession. Extracting passwords from an end user whose machine is infected with malware is not a difficult task.

Targeting OTPs is nothing new. Today’s cybercriminal has a long list of tools that can be used to extract everything from passwords to secret questions, token-generated passwords and even device ID data.

Cybercriminals regularly defeat SMS passwords, emulate users’ online behavior and even outsmart combinations of smart cards, passwords and unique card readers.

Phishing attacks dating back to 2008 used OTP-stealing mechanisms by asking victims repeatedly for their token-generated password. The criminal simply monitored his command-and-control server and attempted to use these credentials as they were stolen and sent to his server in real time.

When malware became cybercriminals’ main tool, malware designers and users approached the OTP issue through social engineering and HTML injection. From login-page OTP stealers to SMS OTP interception, everyone — at the enterprise level in all vertical markets — was targeted.

So Where Is Authentication Heading?
New authentication solutions are taking a much wider view and approach to the problem than 2FA. We are moving away from relying on passwords and secrets that the user holds to the correlation of multiple events and elements to decisively understand whether the session, device and user are who they claim to be.

While passwords will not die anytime soon, security experts today correlate multiple fraud indicators to better understand an incoming authentication event. These indicators include multiple data elements and decisions such as the following:

• Is the authenticating device or enterprise infected with malware? This is the first question to ask.
• How do you know whether it is or not?

A deception-based cyber security defense should enable the enterprise to meet and defeat advanced persistent threats (APTs), zero-day events and other sophisticated malware. There should be the ability to automate the deployment of a network of camouflaged malware traps that are intermingled with your real information technology resources. These traps should appear identical in every way to your real IT assets. Once attackers have slipped past intrusion detection systems (IDS), they move laterally to find high-value targets. Real-time automation should isolate malware and deliver a comprehensive assessment.

Download White_Paper_TrapX_BOD_Series

Is the user authenticating onto the device or network actually the person who is authorized?

The convenience of the mobile world has opened more doors for cybercriminals to gather what they need. Consider the following:

Consumer devices are not enterprise edge devices; they were designed for convenience, and that convenience now extends to storing your passwords and biometrics on the device itself.

Remembering passwords or multiple combinations tends to be a pain, so for convenience there are now solutions that store passwords in the cloud.

What if someone stole your smartphone, with your passwords and biometrics stored on it, or was able to break into your cloud-based password storage solution?

We believe multi-factor biometric authentication of the user that is authorized to use the specific medical device, clinical systems, drug delivery, and/or day-to-day physical access is the future for the Healthcare Enterprise.

Download Blustor-white-paper

www.blustor.co