The message here is that you cannot trust any network to deliver authentication for you. I like the idea that trust comes when an identified, authorised individual or process connects over a secure communications path to an identified application. Note that you don’t trust any component, just the combination…:
Communication infrastructure is a vital infrastructure component of every country and is, therefore, a lucrative target for any cyberattack. Mobile networks carry a host of sensitive data at civilian, corporate and government levels. Earlier mobile networks like 2G, GSM and 3G were inherently insecure, with poor encryption and flawed authentication protocols. As a result, these earlier networks were prone to eavesdropping, man-in-the-middle attacks and various methods of impersonation.
The emergence of 4G was touted to deliver unprecedented mobile speed to consumers but has arguably failed in its promise to provide greater security. The highly publicized recent breach involving a popular social news site, along with research coming out of Purdue University, demonstrates the ease with which 4G flaws can be exploited.
These flaws not only impact mobile network security but pose serious ramifications for two-factor authentication (2FA) security models, which are dependent on the security of the underlying carrier network. The exploitable flaws mean that attackers can target individuals to compromise mobile devices during two-factor verification, intercepting and sending messages and spoofing locations, and they can even disconnect mobile devices entirely from the mobile network.
This raises questions as to whether 2FA should depend on aging out-of-band methods that rely on the mobile carrier networks – without adequate risk analysis in place.
Message Received: 2FA Is Not Enough
The attack on Reddit, which ranks No. 3 in the U.S. in terms of number of visitors, exposed email addresses, obfuscated passwords and affected some internal data. A publicly distributed Reddit statement admitted that 2FA is not enough to protect networks:
“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
At Purdue, researchers say that the vast majority of the world’s 4G LTE networks are likely to be exposed to a recent flaw they discovered. Alarmingly, researchers were able to exploit eight of 10 vulnerabilities. They said they built a testbed using low-cost, software-defined radios and an open-source LTE software stack that cost approximately $3,900, “which we would argue is within the reach of a motivated adversary.”
Upgrading To A Stronger Authentication Model
This research adds yet another vulnerability for those whose 2FA depends on mobile carrier networks. It follows last year’s news that an inherent weakness in SS7 could be used by attackers as a means of intercepting SMS messages and voice calls. Attackers in Europe have used this proven approach to obtain access to victims’ bank accounts by stealing their credentials and one-time passcodes.
The reality is that we’re really not that much more secure as a result of deploying a basic second factor to provide a supposedly stronger authentication solution. New findings highlight that while two-factor on its own will protect you some of the time, it certainly cannot be relied on all the time. Businesses and organizations cannot afford that, especially when cybersecurity is one of the biggest threats businesses and governments face right now.
What Organizations Can Do To Protect Themselves
As cybersecurity becomes more important to organizations and consumers, we are seeing greater 2FA adoption. According to Forrester, 85% of organizations are looking to adopt 2FA in the next 12 months for their customer identity and access management approach. While 2FA is a step in the right direction, the reality this research points to is that two-factor alone doesn’t provide an adequate level of trust – it is just not enough. I believe that businesses must look to adopt modern risk-based authentication techniques that truly secure the enterprise, while also enabling and improving the user experience.
Here are some best practices to ensure you’re not open to attack due to unreliable or antiquated methods:
• When possible, try to avoid all basic authentication methods, including one-time passcodes delivered by SMS, email and voice.
• Even if you use an insecure method, layering 2FA with another form of risk-based authentication, such as multifactor authentication or adaptive access control, can provide better levels of protection than basic 2FA on its own. (Full disclosure: We are one of several vendors that provide these other forms of authentication.)
• Strengthen the security of the login process with a layered security approach. This can help you detect and protect against geo-velocity violations (in which an authentication request emanates from an improbable location given the previous login), attempts to log in from locations where you’re not conducting or operating business, phone number fraud, and login attempts from unrecognized devices, anonymous networks and known malicious servers.
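As an added example, not part of the original article, here is how the layered signals from the list above (geo-velocity, business locations, device recognition, anonymous networks) can be combined into a risk decision that either lets a login through, steps it up to a token-based factor, or blocks it. The thresholds, weights, ASN labels and sample login events are all constructed for illustration.

```python
# Added example: a minimal risk-based login check built from the signals the article
# names. Thresholds, weights, ASN labels and sample events are constructed, not real data.
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

LoginEvent = namedtuple("LoginEvent", "user when lat lon country device_id asn")
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0               # assumption: roughly airliner speed
BUSINESS_COUNTRIES = {"US", "DE"}       # constructed: where the business operates
ANONYMOUS_ASNS = {"ASN-ANON-EXAMPLE"}   # constructed placeholder, not a real ASN
WEIGHTS = {"geo_velocity": 3, "anonymous_network": 3,
           "non_business_location": 2, "unrecognized_device": 1}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def risk_signals(prev, cur, known_devices):
    """Signals raised by login `cur`, given the same user's previous login (or None)."""
    reasons = []
    if prev is not None:
        hours = (cur.when - prev.when).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        # Geo-velocity violation: the user would have had to travel implausibly fast.
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("geo_velocity")
    if cur.asn in ANONYMOUS_ASNS:
        reasons.append("anonymous_network")
    if cur.country not in BUSINESS_COUNTRIES:
        reasons.append("non_business_location")
    if cur.device_id not in known_devices.get(cur.user, set()):
        reasons.append("unrecognized_device")
    return reasons

def decide(reasons):
    """allow: clean login; step_up: demand a token-based factor; block: too risky."""
    score = sum(WEIGHTS[r] for r in reasons)
    return "allow" if score == 0 else "step_up" if score < 3 else "block"

# Constructed sample: a normal New York login, then Frankfurt one hour later from a new device.
KNOWN_DEVICES = {"alice": {"laptop-1"}}
SAMPLE_EVENTS = [
    LoginEvent("alice", datetime(2024, 1, 1, 9, 0), 40.71, -74.01, "US", "laptop-1", "ASN-ISP-EXAMPLE"),
    LoginEvent("alice", datetime(2024, 1, 1, 10, 0), 50.11, 8.68, "DE", "phone-9", "ASN-ISP-EXAMPLE"),
]
```

Running `decide(risk_signals(SAMPLE_EVENTS[0], SAMPLE_EVENTS[1], KNOWN_DEVICES))` blocks the second login, while the first login from a known device passes with no signals.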
Mobile phones and other devices connected to 4G are ubiquitous. People carry them everywhere. While using a second factor on these devices is one more level of security, in light of its flaws, I believe it is no longer enough. Attackers are continually evolving, and so should security methods.