Factoring the second factor
Last week, the Twitter account of Jack Dorsey, a founder of both Twitter and the payments platform, Square, was taken over and used to post comments clearly designed to embarrass Dorsey and Twitter - and embarrassing it is.
After countless hacks perpetrated against its users, Twitter had claimed to have improved its act. Yet it appears the attack used against Dorsey was trivial. It used SIM swapping, a process using well-known weaknesses in the protection applied by telecoms firms, to divert SMS authentication messages to the attacker. Security researcher Brian Krebbs and others have been warning about these weaknesses for years - and it’s not as if they were theoretical weaknesses. SIM swapping has been used to steal things rather more valuable than the Twitter account of Jack Dorsey. Bank and cryptocurrency accounts have been pillaged by attackers using SIM swapping. So if you were building a strong authentication scheme for a bank today, you wouldn’t use SMS authentication, would you?
New safe, old keys?
Banks in the UK have long offered customers authentication with card readers using the Visa Dynamic Password Authentication (DPA) specification or an equivalent from Mastercard. A card reader acts as a second factor that must be present along with a bank card and the customer’s knowledge of the PIN code to log in or make certain kinds of transactions.
Multi factor authentication (MFA) only does its job if all factors are actually required to authenticate. My bank also offered customers (or thieves) a simple mechanism to bypass card reader security. This mechanism is the customer’s memorable data. By inputting one of three pieces of memorable information and three digits from a six digit passcode, a customer (or thief) can bypass the card reader.
Given today’s security threats and available technology, this is anachronistic and unacceptably insecure. Banks like mine are naturally conservative in their choices of process and technology, not least because many of their customers are probably conservative. Nonetheless, it has recently announced changes to this scheme that could improve the situation.
The bank is acting in response to secure customer authentication (SCA) rules in the European Union’s payment services directive 2, PSD2 regulation. SCA rules require customers to be authenticated, using strong authentication and an obvious response is to implement a form of MFA in a way that cannot be easily bypassed. The problem is that it has chosen to use SMS messages as part of its solution, potentially leaving customer bank accounts open to the same malicious attacks used to hijack Dorsey’s Twitter account.
The ubiquitous smartphone
One issue with card readers is that customers have to find the actual devices, before they can authenticate or make transactions. Although they increase transaction security, they serve no purpose other than to authenticate to a bank. UK banking customers probably have desk drawers crammed with devices from different banks (or have lost them)! This may be why banks like mine have maintained other, far less secure authentication mechanisms, undermining MFA security.
Since card reader devices were introduced, smartphones have become ubiquitous. So using a phone as a second factor is obvious. The question is how the phone should be employed: using SMS messages, authenticator apps or the bank’s own app? The last of these is a solution used by several banks and fintechs. My bank has stated that it will offer authentication through its app but that it will be offered alongside SMS authentication. The option of SMS authentication seems straightforward and customer-friendly but, as Jack Dorsey discovered, it is also a liability.
By making SMS an option for authentication, my bank is opening up a downgrade vulnerability which offers attackers the ability to force authentication to a lower-grade mechanism that they can attack more easily, bypassing the high-grade mechanism.
This is not dissimilar to the original issue with memorable data that they are trying to solve. It’s not clear precisely how my bank will implement SMS authentication, whether it will be used for specific transaction classes or be the default, and there are ways to mitigate the risk posed by SMS authentication. But why mitigate them when there are better options?
Authentication has moved on
Authentication is an industry problem which doesn’t only affect banks. All kinds of companies need authentication for corporate email, e-commerce payments and access to products or services offered online. Industry body, the FIDO alliance, which works on secure online authentication, bills itself as the answer to the world’s password problem. FIDO is part of a drive to create new standards for authentication that reduce the need for passwords and increase the certainty of authentication through effective use of MFA. FIDO has developed WebAuthn which simplifies the authentication experience of consumers while dramatically improving security. WebAuthn works with code generators like Google Authenticator but also with universal 2nd factor (U2F) keys such as those from Yuibico. These provide better security than the card-reader devices currently in use by banks with the added benefit that they can secure a customer’s identity across all the services they use rather than just one bank.
The standards developed under FIDO2 promise to make internet-based authentication more effective. But like any standard, it will only work if it is widely adopted. UK banks are big enough to invest in authentication that is genuinely secure. Doing so would benefit customers, the bank itself and the internet in general by encouraging the adoption of the new standards.
The attack on Dorsey makes Twitter look silly but the consequences for him are largely confined to embarrassment. For banks to claim they are enhancing the security of their customers’ accounts by implementing a mechanism that is known to be broken is worse than embarrassing. Legal claims for tens of millions of dollars have been made against telecommunications firms in the US as a result of SIM swap fraud. Are UK banks opening themselves up to similar cases?
Do you have security concerns? At Virtual Clarity we have a wealth of experience and offer services around security. Please email email@example.com for more details.