Two-factor authentication could have stopped so many breachessecurenvoy 21/12/2016, Archive
Two-factor authentication could have stopped the LinkedIn breach. Fact. Back in 2012, the social networking site LinkedIn was hacked and 6.5 million encrypted passwords were reported stolen. It was a big story at the time, and users were advised to reset their passwords just to be on the safe side.
But in May 2016, it emerged that the theft had been much larger. A Russian hacker going by the name of “Peace” was found to be selling 117 million email and password combinations on the so-called Dark Web, all of them apparently lifted from LinkedIn. Anyone interested could pick up a copy of the whole lot for $2,300.
So why would anyone want to shell out money for a load of passwords that had probably been changed?
Well, one clue might come from an alert issued in June by the software company Citrix, which was forced to reset all the customer passwords for its GoToMyPC product, following what it described as an “incident”.
The company’s statement read as follows: "Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,"
In other words, the hackers had taken passwords stolen from another source (possibly LinkedIn) and had used them to try to get into people’s GoToMyPC accounts, and thereby directly into their PCs. And it seems that the Citrix incident was just one of a number of similar attacks to occur around the same time, aimed at commonly used web-based applications.
So back to the earlier question: why would anyone buy a load of old passwords? Well, hackers may be evil, but they are not stupid. They know that users do not devise a new and complex password for every new application they use; that would be far too hard. Instead, users have one or two favourite passwords that they can remember, and which they re-use endlessly on all the applications they use.
Which makes it easy for the hacker: crack the password on one site, and the odds are you’ll be able to access a lot of the other sites used by that same user.
So what is the answer?
Well, it’s simple to stop the problem in its tracks by ceasing our sole reliance on passwords for user authentication. The way to do it is to harness the power of the mobile phone.
Here’s how it works. The user signs on with username and password as before, which identifies them to the server. The server then sends an SMS message to the user’s mobile phone, containing maybe a six- or four-digit one-time passcode, and asks them to key in the code to authenticate themselves.
It is a simple solution, it requires no special configuration of the phone, and it is safe. SMS messages are encrypted and travel via a separate communications channel from the Internet. So any hacker trying to intercept the code will be out of luck; he or she may have the username and password, but without that one-time passcode, they are powerless to proceed.
SecurEnvoy can install and deploy such a system within a matter of hours. By tapping into the information contained in an organisation’s user directory, SecurEnvoy’s TokenLess approach to user authentication can be up and running with no special system configuration or administrative overhead.
The users decide how they want to use the system. And if they change phones or switch to a tablet, they manage that themselves too.
The authentication can be further streamlined to make it even easier to use. Instead of sending a passcode, the system can send a message to the user with two buttons on it – Reject or Accept. The legitimate user taps Accept and is given access. If, on the other hand, a hacker is using a stolen password to access the user’s account, they will not receive the phone message. Meanwhile, the legitimate user just needs to tap Reject to block the hacker.
It’s the way to go. Username and password was conceived as a security model at the end of the 20th century, long before mobile phones. Now that mobile phones are carried by virtually everyone in the world, it makes sense to update the way we do authentication. And it will kill the trade in stolen passwords.