In the old days -- perhaps one or two years ago -- security professionals were fond of saying that you need multiple authentication factors (MFA) to properly secure login identities. But that advice has to be tempered by the series of man-in-the-middle and other malware exploits against MFA that nullify the supposed protection of those additional factors. Back in 2013, Lifehacker posted an article describing how the mobile phone you use for online banking is the same device that receives the SMS texts carrying a one-time PIN code, and how malware can exploit this. The SMS PIN no longer provides “something you know” as an independent additional factor. Instead, it is just “something else that you know”, and something that hackers can figure out as well.
Eventually, Wired magazine put everyone on notice about insecure SMS usage in 2016, and the National Institute of Standards and Technology (NIST) released an update to its authentication standards earlier this year that recommends against using SMS PINs without additional MFA methods. In this blog post from Paul Grassi, a senior standards and technology advisor at NIST, he notes that not all SMS services are the same. Some, he writes, can operate like Google Voice and forward texts to other numbers, making them riskier and more interesting to hackers.
The problem is not with MFA processes and technologies per se. Certainly, having two or more factors is better than having just one, as Violet Blue, writing in Engadget, points out. But because our mobile phones can be compromised in numerous clever ways, we need to re-think MFA and understand exactly what kind of protection it really offers. One notable social activist’s phone was hacked when someone called his carrier, pretended to have “lost” his phone, and asked to move his number to a new SIM card. That is good old social engineering, no computer expertise required, and it works no matter how many additional authentication factors you stack on top of your apps. So do the numerous apps that can spoof any phone number as your caller ID: just another way to compromise trust.
The SMS weaknesses also highlight that mobile malware has been around a long time and is gaining traction as more of us carry smartphones and depend on them for running larger parts of our digital lives. Mobile versions of Trojan malware such as Hummer and FakePlayer have existed for years and are still active. These tools can install remote access apps to take control of your phone, steal data such as contacts and login credentials, install unwanted games and pornographic applications, and use your phone as a launchpad to infect the rest of your corporate network.
Part of the problem is that no matter what kind of tool an IT department uses, the weakest link in password management is ultimately the user -- both from the standpoint of social engineering attacks, such as the one cited in this Mashable article about the recent NSA/Russia leaks, and from the faulty memory of our human brains. It doesn’t matter how fancy a password management system we put in place if users continue to write passwords down on sticky notes, keep them in a plain text file (usually named “my passwords”) on their hard drives, or readily give them out when asked.
Certainly, we need multiple authentication factors now more than ever, and while SMS PINs should be one of them, they shouldn’t be the only one. In our next installment of this series, we look at some of the new MFA products.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.
Subscribe to the iboss blog on the right to ensure you receive notifications for new blogs and the rest of The New Rules for MFA series.