FAQ for the End of SMS Authentication

Q: What is the end of SMS authentication?

A: SMS authentication verifies user identity by sending a one-time code via text message to a user’s mobile phone number. With the rise of potential security risks, many financial websites, applications, and phone apps are phasing out SMS-based authentication and transitioning to authenticator apps that reside on user devices and smartphones.

Q: What are some of the potential security risks associated with SMS authentication?

A: Attackers have a variety of means of intercepting SMS text messages, thus defeating this type of authentication. This increases the risk of interception and misuse of the codes in question and decreases the security of the user’s account with the financial institution.

Q: What is an authenticator app?

A: An authenticator app is an application that resides in encrypted storage on the user’s device and, when prompted, provides a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is set up and the settings configured, it doesn’t need to communicate with the financial platform and thus is significantly more difficult for attackers to compromise.

Q: What are the steps for organizations to switch from SMS authentication to authenticator apps?

A: Here is a quick overview of what is needed:

1. Research and decide on an authenticator app that meets your organization’s needs. Most of the time, users can select their own apps, and the firm selects the libraries needed to support them. Open source and commercial solutions abound in this space now.

2. Update user accounts in each application and authentication point with the new authentication protocol and provide instructions for downloading and setting up the authenticator app.

3. Educate users on using the authenticator app, including generating one-time passwords (OTPs), scanning QR codes, etc.

4. Monitor user feedback and usage data over time to ensure a successful switch from SMS authentication to an authenticator app.

 

PS – Need a process for cataloging all of your authentication points? Here you go.

Password Breach Mining is a Major Threat on the Horizon

Just a quick note today to get you thinking about a very big issue that is just over the security horizon.

As machine learning capabilities grow rapidly and mass storage pricing drops to close to zero, we will see a collision that will easily benefit common criminals. That is, they will begin to apply machine learning correlation and prediction capabilities to breach data – particularly passwords, in my opinion.

Millions of passwords are often breached at a time these days. Compiling these stolen password is quite easy, and with each added set, the idea of tracking and tracing individual users and their password selection patterns becomes trivial. Learning systems could be used to turn that raw data into insights about particular user patterns. For example, if a user continually creates passwords based on a season and a number (ex: Summer16) and several breaches show that same pattern as being associated with that particular user (ex: Summer16 on one site, Autumn12 on another and so on…) then the criminals can use prediction algorithms to create a custom dictionary to target that user. The dictionary set will be concise and is likely to be highly effective.

Hopefully, we have been teaching users not to use the same password in multiple locations – but a quick review of breach data sets show that these patterns are common. I believe they may well become the next evolution of bad password choices.

Now might be the time to add this to your awareness programs. Talk to users about password randomization, password vaults and the impacts that machine learning and AI are likely to have on crime. If we can change user behavior today, we may be able to prevent the breaches of tomorrow!

Passwords, Dinosaurs, and 8-Track Tapes

What do passwords dinosaurs and 8 track tapes all have in common? Pretty soon they will all be in the same category: things of the past! It’s not just a matter of people using short, simple, “stupid” passwords any more. With advances in easily available and cheap computing power such as advanced graphics processors and solid state drives (SSDs), even long and complex passwords can be cracked in seconds! Not to mention the fact that if you get hacked and someone installs a keylogging Trojan on your machine, it doesn’t matter how long and complex a password you use; it’s game over!

There are always big concerns about the “exploit du jour” in the information security field. SQL injection, application hacks, XSS, Bots – you name it! But ever since the start the number one way computers get hacked is because of password problems. It’s still going on today! No matter what system one tests, it seems someone has a password of “password” or “admin” or something dumb like that. Or someone forgets to change a blank SA password or forgets to change the default password in some application. Then, of course, there are the system admins who use the same passwords for their user and admin accounts. Instant privilege elevation is given to domain admin and, once again, game over! This is really just a problem of human nature. We all have ambitions to follow the password policies exactly, to use strong passwords all the time, use different passwords for every account, change them on a regular basis, and never reuse the same ones twice, etc. But we all get lazy, or complacent or busy or forget or just screw up! Like I say – human nature.

What is the upshot of all this? Passwords alone as a security measure are hopelessly inadequate. And they always have been! So what is the answer? Well, obviously, we need to use something in addition to passwords. Ideally it would be preferable to use all three of the possible authentication techniques: something we know, something we have and something we are. But it’s hard enough to get people and organizations to consider even two of the three. There is TREMENDOUS resistance against insisting that everyone use tokens for example. And I can understand that. They cost money, you always have to remember to have them with you, they might break at the most awkward of moments, they can be stolen or they can be lost. Same thing with biometrics. They are expensive, they are not always reliable, they can be often be circumvented and they may leave you open to personal attack or even kidnapping! These are all real issues that need to be addressed and, what’s more, gotten used to. People are just going to eventually come to the realization that one or more of these techniques MUST be used. Until now, though, people have been willing to accept the consequences rather than bite the bullet and put up with the hassles and expense. The tipping point has yet to be reached. But, with identity theft, cyber crime and the increasing ease with which passwords can be stolen or broken that point is now very close indeed!

In the mean time, we all should REALLY do a much better job in using strong passwords. The new MINIMUM standard for passwords should be 12 characters and they should use at least three of the four possible character types. And that’s just for normal folks. For system admins and other high value access passwords alone should never be enough. These folks should surely be using multi-part authentication techniques no matter what the expense or hassle. After all, they DO hold the keys to the kingdom for all of us!