As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked. So can facial and other biometrics. Why, then, is biometric-based authentication so fashionable? Why did one of the largest insurance companies just announce it is rolling out fingerprint and facial recognition for its customers (while it uses Symantec VIP for internal employees)? Did product management and marketing conduct a study that concluded customers feel safer with fingerprint and facial recognition?
Apple’s Touch ID, and VISA’s integration with it, are shaping the fashionable trend faster than a Milan runway. Hopefully these short hemlines will fade soon. Apple’s senior vice president, Dan Riccio, irresponsibly claims, “Fingerprints are one of the best passwords in the world.” He probably understands it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible
1. Slide 0
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible
Clare Nelson, CISSP
clare_nelson@clearmark.biz
@Safe_SaaS
Bsides Austin, March 13, 2015
2. Slide 1
Speaker Bio
• Clare Nelson, CISSP
– clare_nelson@clearmark.biz, @Safe_SaaS
• B.S. Mathematics
• 30+ years in industry
– Encrypted TCP/IP variants for NSA
– Product Management at DEC (HP), EMC2
– Director Global Alliances at Dell, Novell
– VP Business Development, MetaIntelli (Mobile Security)
• 2001 Founder ClearMark Consulting
• 2012, 2013 Elected to Austin ISSA Board
• 2014 Co-founder C1ph3r_Qu33ns
• 2014 USA Yoga National Champion
• Favorite tortilla chip: Sesame Blues
3. Slide 2
• Based on information in public domain
• Sources are cited, footnotes on most slides
4. Slide 3
Scope
• Multi-Factor Authentication (MFA) use case:
– Focus on consumers and external customers
• No protocols (OAuth, OpenID Connect, SAML, etc.); that is a separate talk
• United States focus
– EU regulations
o France: legal constraints for biometrics, which must be justified and authorized by the National Commission for Informatics and Liberty (CNIL)1
– India: e-commerce Snapdeal, Reserve Bank of India
o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
6. Slide 5
NIST Definition
Multi-Factor Authentication (MFA)
• National Institute of Standards and Technology (NIST)
• SP 800-63-2 (August 2013), Electronic Authentication Guideline
1. Something you know (password)
2. Something you have (ID badge, cryptographic key)
3. Something you are (fingerprint, other biometric data)1
• What is the origin of this definition?
• NIST authors: might be Gene Spafford, or just “ancient lore”2
– @TheRealSpaf: “Nope — that's even older than me!”3
– 1970s? NSA? Academia?
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
2Source: February 26, 2015 email response from a NIST SP 800-63-2 author
3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
7. Slide 6
How can you write a guide based on a definition of unknown, ancient origin?
How can you implement MFA without a current, coherent definition?
8. Slide 7
Updated Definitions (More Risk)
Multi-Factor Authentication (MFA) Factors:
• Knowledge
• Possession
– Mobile device identification
• Inherence
– Biometrics: Physical or Behavioral
• Location
– Geolocation
– Geofencing
– Geovelocity
• Time1
1Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
2Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”2
9. Slide 8
FFIEC MFA Definition
• Federal Financial Institutions Examination Council (FFIEC)
• 2011 update to 2005 document, Authentication in an Internet Banking Environment:
– “…virtually every authentication technique can be compromised”
– Financial institutions should no longer consider simple device identification (such as cookies, IP addresses, or geo-location information)
– Complex device identification, “digital fingerprinting,” incorporates a number of characteristics such as PC configuration, IP address, geo-location, and other factors
– Implement time of day restrictions for funds transfers
– Consider keystroke dynamics, biometric-based responses1
1Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
10. Slide 9
State of the Market
Authentication silos predominate
• 200+ MFA vendors offering fragmented, custom, often proprietary solutions
“…time to alter how authentication is done …it doesn't meet today’s demands ….the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a ‘Tower of Babel’ for authentication.”1
– Phil Dunkelberger, CEO Nok Nok Labs
1Source: http://www.networkworld.com/article/2161675/security/pgp-corp--co-founder-s-startup-targets-cloud-authentication.html
11. Slide 10
Why 200+ MFA Vendors?
Authentication has been the Holy Grail since the early days of the Web.1
The iPhone of Authentication has yet to be invented.2
1Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
2Source: Clare Nelson, February 2015.
12. Slide 11
Suboptimal Choices
Authentication Factors/Technology
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
– One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript
5. Weak, arcane, account recovery
6. Assumption mobile devices are secure
7. Encryption (without disclaimers)
– Quantum computing may break RSA or ECC by 20301
• Update on NSA’s $80M Penetrating Hard Targets project2
– Encryption backdoors: is it NSA-free and NIST-free cryptography?
– No mysterious constants or “magic numbers” of unknown provenance3
1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
2Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
3Source: https://www.grc.com/sqrl/sqrl.htm
13. Slide 12
Irrational Exuberance of Biometric Authentication Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
- Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
- Driven by increase of fingerprint scanners in smartphones1
1Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
Samsung Pay
15. Slide 14
Issues with Biometrics
• Cannot be revoked or re-issued
- Easy to reset your password, not easy to reset your fingerprints
• 2D Fingerprints
- Proven especially vulnerable to targeted attacks
• Your biometrics are in public domain, and elsewhere, easily accessed
• Biometric identification systems may undermine privacy by making identity theft more likely1
• Biometrics will likely persist in government and private databases, accreting information whether we like it or not2
• False positives, false negatives
• High cost
• Need to account for disabilities, injuries, other issues
• User acceptance, preference for biometric factors varies by demographic
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
“Fingerprints scare me”
- Anonymous (2015)
17. Slide 16
2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister Ursula von der Leyen
– From photographs1,2
• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
– Won IsTouchIDHackedYet.com competition3
• 2006: Published research on hacking fingerprint recognition systems4
1Source: https://www.youtube.com/watch?v=vVivA0eoNGM
2Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
3Source: http://istouchidhackedyet.com
4Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
20. Slide 19
Riccio versus Krissler
“Fingerprints are one of the best passwords in the world.”1
– Dan Riccio, Senior vice president, Apple
“Don't use fingerprint recognition systems for security relevant applications!”2
– Jan Krissler (Starbug)
1Source: http://www.imore.com/how-touch-id-works
2Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
21. Slide 20
Biometrics Systems: Types of Attacks1
1Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Starbug’s Threat Model
22. Slide 21
3D Fingerprint1
1Source: http://sonavation.com/technology/
No matter how advanced the biometric is, the basic threat model persists.
23. Slide 22
Behavioral Biometrics: BehavioSec
1Source: http://www.behaviosec.com
Laptop: requires JavaScript, won’t work with Aviator browser, or if you disable JavaScript
24. Slide 23
Behavioral Biometrics: BioCatch
• Detect threats based on user interaction with online and mobile applications
• Analyzes 400+ bio-behavioral, cognitive and physiological parameters
– How you find a missing cursor1
1Source: http://www.biocatch.com
25. Slide 24
Fingerprinting Web Users Through Font Metrics1
• Browser variations
– Version
– What fonts are installed
– Other settings
• Font metric–based fingerprinting
– Measure onscreen size of font glyphs
• Effective against Tor Browser
1Source: http://fc15.ifca.ai/preproceedings/paper_83.pdf
26. Slide 25
Biometrics: In Use, Proposed
• Fingerprints 2D, 3D via ultrasonic waves
• Palms: prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head – its shape, specific movements
• Other elements of head, such as ears, lip prints
• Gait
• Odor
• DNA
• ECG (Beta: Bionym’s Nymi wristband, smartphone, laptop, car, home security)
• EEG1
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
27. Slide 26
“Thought Auth”1
EEG Biosensor
• MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
28. Slide 27
SXSW Preview
“… biometrics cannot, and absolutely must not, be used to authenticate an identity”1
– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
1Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
SXSW: March 15: “Fingerprints are Usernames, Not Passwords”
29. Slide 28
SMS OTP Attacks
• Many MFA vendors use SMS OTP
- Send text with One-Time-Password
• 2014 Paper from Northeastern University and Technische Universität Berlin
- “SMS OTP systems cannot be considered secure anymore”
• SMS OTP threat model
- Physical access to phone
- SIM swap attack
- Wireless interception
- Mobile phone trojans1
1Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
30. Slide 29
SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated two-factor authentication (2FA)
- 2014, discovered by Trend Micro1
- Targeted Swiss, Austrian, German, Swedish and other European banks, plus Japanese banks
- Typical scenario: customer goes to online bank
1. Customer enters username and password
2. Session token sent to mobile device (SMS OTP)
3. Customer enters session token (OTP)
- Attackers scraped SMS one-time passwords off customers’ Android phones2
1Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
2Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
31. Slide 30
QR Code Risks1
• VASCO two-factor authentication
– User captures QR code with mobile device
– User enters PIN code to log on, or validate transaction2
• QR codes used by many MFA vendors
• QR code redirects the user to a URL; even if the URL is displayed, not everyone reads it
– Could link to a malicious website
1Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
2Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
33. Slide 32
Account Recovery
• Recovering your account if you lost your 2FA credentials
– If you've lost access to your account after enabling two-factor authentication, <Vendor Name> can't help you
• Google Authenticator provides recovery codes
– 10 codes, print hard copy, put in your wallet (purse)
• Apple Two-Step Authentication
– What if I lose my Recovery Key?
– Go to My Apple ID, create a new Recovery Key using your Apple ID password and one of your trusted devices1
1Source: https://support.apple.com/en-us/HT204152
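The recovery-code pattern the slide describes (Google Authenticator's ten printed, single-use codes), as an added example that is not part of the original deck or of any vendor's implementation: codes come from a CSPRNG, the server keeps only salted slow hashes, and each code is burned on first use. The alphabet, code format and PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o/1/l so a code read back from a wallet card is not mistyped (assumption).
CODE_ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count=10, groups=2, group_len=4):
    """Return `count` single-use codes such as 'k7pq-3mdx', drawn from a CSPRNG."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(group_len))
                 for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


def normalize(code):
    """Accept the code however the user typed it: case and separators do not matter."""
    return code.replace("-", "").replace(" ", "").lower().encode()


def digest(code, salt):
    # Codes are short, so a leaked hash table must be expensive to brute-force:
    # use a deliberately slow KDF rather than plain SHA-256 (iteration count is an assumption).
    return hashlib.pbkdf2_hmac("sha256", normalize(code), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record for one user: salted hashes only, each consumed on first use."""

    def __init__(self, codes):
        self._salt = secrets.token_bytes(16)
        self._unused = [digest(c, self._salt) for c in codes]

    def remaining(self):
        return len(self._unused)

    def redeem(self, candidate):
        """Return True and burn the code if it matches an unused one, else False."""
        attempt = digest(candidate, self._salt)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(attempt, stored):
                del self._unused[i]  # single use: replaying the same code fails
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("hand these to the user once:", codes)
    print("first use:", store.redeem(codes[0]), "replay:", store.redeem(codes[0]))
```

The plaintext codes exist only at generation time; if the user loses the printout, the remaining hashes are useless to them and the set must be regenerated, which is exactly the lock-out the slide warns about.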
35. Slide 34
What’s Wrong with the Mobile Device Becoming the Authentication Device?
1Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
2Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
MetaIntelli research: sample of 38,000 mobile apps, 67% had M3 (Insufficient Transport Layer Protection)2
36. Slide 35
MFA Double Standard
Big Company (2015)
• Consumers may use facial and voice recognition for mobile login2
• Employees use Symantec Validation and ID Protection (VIP)3
1Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
2Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
3Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
37. Slide 36
Perfect Storm
• Fractured, crowded market, 200+ MFA vendors chasing ~$1.8B market1
• Apple, VISA, Samsung, others: fingerprint-based authentication is cool, secure
• FIDO Alliance
• 2014, year of the breach
• Increased legislation
1Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market
38. Slide 37
FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
– Universal 2nd Factor (U2F)
– Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Network-resident versus device-resident biometrics
– FIDO advocates device-resident
• Problems, especially with voice
– Phone-resident malware
– Back-door vulnerability
– Prohibits cross-channel usage, black list processing1
1Source: January 2015, “Networks vs Device Resident Biometrics,” ValidSoft
Perhaps interoperability is a good thing. Bad guys have many different systems to hack.
39. Slide 38
“Legacy thinking subverts the security of a well-constructed system”1
– David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2
1Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
2Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
40. Slide 39
Consider Context-Based Authentication
(aka Risk-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location
• Geo-fencing
• Geo-velocity
• Behavioral analysis
1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
Layer multiple contextual factors. Build a risk profile.
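The layered risk profile the slide proposes, as an added example that is not from the cited article or any vendor's product: each contextual factor adds to one score, geo-velocity is derived from the haversine distance between consecutive logins, and the total selects allow, step-up or deny. The weights, thresholds, the 1,000 km/h plausibility limit, and the sample coordinates and IP ranges are all constructed.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
# Faster than this between two logins means the same person cannot have made both (assumption).
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class LoginEvent:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    ts: int  # seconds since epoch


@dataclass
class RiskPolicy:
    known_devices: dict      # user -> set of registered device ids
    bad_ip_prefixes: tuple   # constructed stand-in for an IP reputation feed
    geofence: dict           # user -> (lat, lon, radius_km) the account may log in from
    step_up_threshold: int = 40
    deny_threshold: int = 80


def score_login(event, previous, policy):
    """Layer the contextual factors into one additive risk score plus the reasons that fired."""
    score, reasons = 0, []
    if event.device_id not in policy.known_devices.get(event.user, set()):
        score += 30
        reasons.append("unregistered device")
    if event.ip.startswith(policy.bad_ip_prefixes):
        score += 40
        reasons.append("ip reputation")
    fence = policy.geofence.get(event.user)
    if fence and haversine_km(event.lat, event.lon, fence[0], fence[1]) > fence[2]:
        score += 20
        reasons.append("outside geofence")
    if previous is not None:
        dist = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        hours = max(event.ts - previous.ts, 1) / 3600.0  # guard against zero delta / clock skew
        if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"geo-velocity {dist / hours:.0f} km/h")
    return score, reasons


def decide(score, policy):
    """Translate the risk profile into allow / step-up (ask for another factor) / deny."""
    if score >= policy.deny_threshold:
        return "deny"
    if score >= policy.step_up_threshold:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    policy = RiskPolicy(known_devices={"alice": {"laptop-1"}},
                        bad_ip_prefixes=("203.0.113.",),
                        geofence={"alice": (30.27, -97.74, 150.0)})  # Austin, TX
    austin = LoginEvent("alice", "laptop-1", "198.51.100.7", 30.27, -97.74, 1_000_000)
    frankfurt = LoginEvent("alice", "laptop-1", "198.51.100.7", 50.11, 8.68, 1_000_000 + 1800)
    s, why = score_login(frankfurt, austin, policy)
    print(s, why, decide(s, policy))
```

A registered device on a clean IP travelling 8,500 km in thirty minutes still lands in step-up rather than deny, which is the point of layering: one anomalous factor triggers an extra challenge, several together block the attempt.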
41. Slide 40
What You Can Do
1. Request threat models from MFA vendors
2. Beware 2D fingerprints, already-hacked biometrics, QR codes, SMS OTP, JavaScript requirements, weak account recovery, lack of mobile device risk analysis, and encryption with backdoors
3. Do not be swayed by latest InfoSec fashion trends
– Apple TouchID, integration with VISA; Samsung Pay
– FIDO Alliance
4. Rethink the definition of MFA, beware of new interpretations
44. Slide 43
Additional References
1. 2014 December, Starbug (Jan Krissler) video, Ich sehe, also bin ich … Du, https://www.youtube.com/watch?v=vVivA0eoNGM&feature=youtu.be
2. OWASP Mobile Top 10 Risks, Insufficient Transport Layer Protection, https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
3. OWASP Guide to Authentication, https://www.owasp.org/index.php/Guide_to_Authentication#What_is_two_factor_authentication.2C_really.3F
4. SANS, Two-Factor Authentication: Can You Choose the Right One? http://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-choose-one-33093
5. Gluu blog, (January 15, 2014), Achilles Heel of Two-Factor Authentication, http://www.gluu.org/blog/2fa_achilles_heel/
6. Gartner, December 1, 2014, Magic Quadrant for User Authentication.
7. Forrester, December 30, 2013; Market Overview: Employee and Customer Authentication Solutions in 2013: Part 1 of 2
8. M2SYS Technology (July 24, 2014), The Impact of Biometrics in Banking, http://blog.m2sys.com/financial-services/impact-biometrics-banking/
9. Google Unveils 5-Year Roadmap for Strong Authentication, http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
45. Slide 44
NIST on Biometrics
• Biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for e-authentication
• Biometrics may be used in the registration process for higher levels of assurance to
– Later help prevent a subscriber who is registered from repudiating the registration
– Help identify those who commit registration fraud
– Unlock tokens1
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
46. Slide 45
NIST: Threat Resistance by Threat Level1
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
29 Long term authentication secrets shall be protected at this level. Short term secrets may or may not be protected.
30 Although there are techniques used to resist flood attacks, no protocol has comprehensive resistance to stop flooding.
49. Slide 48
Hacker Mentality
1Source: http://www.darkreading.com/identity-and-access-management/the-problem-with-two-factor-authentication/d/d-id/1113697
“The hackers are breaching the architecture, not the authentication mechanism.”1
– Garret Grajek, CSO at dinCloud
50. Slide 49
Biometrics: Imaginable
• Body shape recognition
• Internal structure of body parts
• Analysis of other electrical and magnetic fields created by body
• Analysis of face and head vibrations during speaking1
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
Editor's Notes
Welcome to: The Inmates Are Running the Asylum …
My name is Clare Nelson.
I am a second-generation geek. I knew what a syntax error was before I had my first Barbie.
I spent the first 8 years of my career as a software engineer, in the pits with the bits.
I am a strategy and business person with a technical background.
I recently completed a multi-factor authentication project for a client. Analyzed different technologies, analyzed over 200 vendors, I was not impressed.
Internal employees are a different use case. Consumers require authentication that is much easier to use.
In a competitive environment, businesses can’t afford to lose customers if their online and mobile user experiences are ‘painful’.
In France, biometric authentication must be authorized by CNIL.
Definitions.
What does it mean when the inmates run the asylum?
This movie describes it perfectly. It is based on the short story by Edgar Allan Poe.
It means things have gone terribly awry.
I will pick on the vendors and others; but we all share blame here: we are all consumers, purchasers, users of MFA. We have all helped create the mess we are in. I offer some suggestions on what you can do.
Is there anyone unfamiliar with the classical definition of multi-factor authentication?
Multi-factor authentication refers to the use of two or more factors.
No fair using multiple factors from a single category, that does not count.
Apple refers to two-step authentication, I will cover that below. In Texas we call that a dance.
Just something to ponder….
There is a growing chasm between NIST and new definitions
Geofencing, restrict authorizations to one or more specific geographical zone
How many of you are in the banking industry?
Banking industry: simple device identification is out, complex device identification is in
Use more than just two-factor authentication
One could argue interoperability is a good thing, bad guys have many different systems to hack.
I will revisit this hypothesis later. Bookmark it in your head.
Well over 200, and growing. Many may not survive the next 12-18 months.
Low barrier to entry, winners win big: VASCO Data Systems, stock appreciated over 250% in 2014.
With all of this activity, including millions of dollars of VC capital, multi-factor authentication is improving, right?
This is my short list of the suboptimal choices MFA vendors have made, and keep making.
Who refuses to use QR codes?
QR code: book: Mastering Splunk
Why are 2D fingerprints a suboptimal choice?
If you are locked out of your account due to an attack, or lose your MFA credentials, you are in a world of hurt. What special place did you hide those recovery keys??
Mobile World Congress 2015 took place in Barcelona last week.
A significant number of biometric-based authentication announcements were made, including Samsung Pay, yet another finger swipe payment method, depicted here.
Yes, I went back to double-check, it is 770, not 77.
I wonder if Juniper’s statistics account for the feline population…
This is taken from a video, the link is provided at the bottom of this slide.
Your biometrics are readily available: Your fingerprints are everywhere, wine glass at restaurant, your dandruff contains DNA, your voice has been recorded many times (Schwab: this call will be recorded), Facebook, LinkedIn, Google+, pictures of your face abound; pictures of your iris.
Who is this? What is she doing?
The real question is, what is being done to her?
Chaos computer club
The source of the videos in German is listed at the bottom of this slide.
This is just one example of biometric hacks, there is an abundance. For targeted attacks, little defense. Most of these attacks do not scale, yet.
This is a screen shot from the video: iPhone, MacBook, Scanner. Print fingerprint to tracing paper, expose print to PCB, develop and etch the PCB, apply graphite coating, make dummy print from wood glue.
Who won the 2014 open mouth, insert foot award?
I will let you decide who is right.
S: Another issue with biometrics, especially behavioral biometrics is a requirement for JavaScript
Prize goes to the first person to raise his or her hand and identify what this is.
Sonavation uses ultrasound to capture 3D fingerprints
Driven from government requirement
More than skin deep
What are behavioral biometrics?
BehavioSec is a company that detects threats based on user interaction with online, and mobile applications. BehavioSec is now working with DARPA.
They track how you type and swipe.
How many of you use Aviator? How many of you disable JavaScript in your browser?
JavaScript has more security holes than Swiss cheese
Javascript inserted into your browser when you download the app – sounds almost like a piece of malware, eh?
Assume your mobile device has malware, they check for it, and take appropriate actions. They are also moving toward making MFA invisible to the user.
When your cursor disappears, what do you do to find it? Move your mouse? How? BioCatch tracks this.
They create a test scenario where they make the cursor invisible. Then they record your reaction. Invisible challenge, make sure it is you.
You were not asked to name your first pet, you were not called, you were not asked to enter a secret passcode they just texted you. The challenge happened invisibly, without your knowledge, without interrupting you.
Here is another factor BioCatch might be using.
How does your browser render fonts?
What is a font glyph, this a font glyph for the letter G.
This example is from academia; I suspect some vendors are using it.
January 2015 paper from UC Berkeley’s International Computer Science Institute
Web browser fingerprinting technique based on measuring the onscreen dimensions of font glyphs.
In use and in the lab,
EEG = electroencephalogram
Hand motion
What about odor as a biometric factor? I grew up with two brothers, am not touching that one.
Go to the AirSig website to see the demo.
How many of you are ready to simply think to your computer?
This is not science fiction.
Test labs: using thought waves as an authentication factor.
This headset is from NeuroSky
International Conference on Financial Cryptography and Data Security
Dustin are you here? I invited him, I also invited Starbug… He will be speaking at SXSW on Sunday.
Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
Let’s move on to SMS OTP, text messages with secret codes
SMS = short message service
SIM swap attack = based on social engineering, not common in US.
SIM swap is not a reference to Gemalto hacking by NSA and Britain’s GCHQ
In February, it was revealed that the NSA and Britain's GCHQ had hacked the company to harvest the encryption keys, according to documents leaked by former NSA sysadmin, whistleblower Edward Snowden.
SIM-swap fraud, one example
Fraudster obtains your mobile phone number and bank account details through a phishing email
Fraudster asks your mobile phone service provider for a replacement SIM card under some pretext, like change to a new handset or loss of SIM/handset
The service provider deactivates your SIM card and gives the fraudster a replacement SIM
The fraudster introduces a payee into your bank account using the phished data, transfers funds from your account into his account, and withdraws the money through an ATM
All this while, your service provider’s alerts don’t reach you because your SIM card was deactivated
What is Emmental? A cough drop? No, Emmental is a type of Swiss cheese.
This is just one example of why SMS OTP is a suboptimal choice.
How many of you refuse to click on QR codes?
The best way to avoid QR code risk is not to use QR codes.
Entire article on QR code risks referenced
This is from Eric Sachs of Google.
Bad guys evolve: more sophisticated attacks, more $$$ per attack which increases incentives
Achilles
In Greek mythology, when Achilles was a baby, it was foretold that he would die young. To prevent his death, his mother Thetis took Achilles to the River Styx, which was supposed to offer powers of invulnerability, and dipped his body into the water. But as Thetis held Achilles by the heel, his heel was not washed over by the water of the magical river. Achilles grew up to be a man of war who survived many great battles. But one day, a poisonous arrow shot at him was lodged in his heel, killing him shortly after.
Google and Apple represent the state of the art in account recovery. Please prepare to be disappointed.
"One of the biggest problems that's not adequately solved is recovery," CTO of Duo Security, Jon Oberheide
Note that Apple calls it Two-Step, not Two-Factor
Make sure you enroll a trusted device, and don’t lose it!
Speaking of trusted devices, all mobile devices are secure, right?
As I mentioned earlier, BioCatch is one of the small number of MFA vendors that checks for malware on mobile devices. They assume mobile devices are not secure.
You are probably familiar with the OWASP top 10, here is the OWASP Mobile top 10.
M3: Insufficient Transport Layer Protection
When designing a mobile application, data is commonly exchanged in a client-server fashion. When the solution transmits its data, it must traverse the mobile device's carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it's traveling across the wire. The following threat agents exist:
An adversary that shares your local network (compromised or monitored Wi-Fi);
Carrier or network devices (routers, cell towers, proxies, etc); or
Malware on your mobile device.
Go to OWASP.org for more information, I provide the URL in the backup slides
What is a double standard?
February 2015 USAA rolled out, blink of the eyes to prove they are alive.
Internally, it’s Fort Knox.
Why is this double standard spreading? Perhaps an InfoSec person selected the MFA solution for employees, and a marketing person selected the MFA solution for consumers. There is a real struggle to extend MFA to consumers without making the experience painful.
What we have is a perfect storm.
Market leaders such as Apple, VISA and Samsung are shaping the market.
MFA vendors are not spending sufficient time trying to solve the hard problems: account recovery, ease of use.
FIDO, cover that next slide. Fast ID Online.
FIDO created two protocols: U2F and UAF.
U2F does nothing for the consumer market, they don’t want hard tokens.
Voice: ValidSoft, not a FIDO member, wrote a paper about FIDO mistakes.
None of the tough MFA problems have been solved. As I mentioned earlier, interoperability may just make it easier for the bad guys; they will have fewer systems to hack.
Has anyone read David Birch’s book, Identity is the New Money?
Why is your name on your credit card? The only person it benefits is the criminal.
That is what many of the suboptimal choices are, simply legacy thinking, or the product manager forgot to be innovative that day.
What can you do?
According to Keith Graham, SecureAuth CTO
Two factors are insufficient, here is his recommendation.
In the face of suboptimal choices, here is what you can do.
Just say NO to 2D fingerprints,
FIDO seems to be a big proponent of biometrics.
Repudiation: deny the validity of something; but in this context: an authentication that can be asserted to be genuine with high assurance.
Bank advertisement about SIM swap fraud.
Here is a corollary to the threat model issue
This is an excerpt from Grajek’s article, “The Problem With Two-Factor Authentication,” footnoted below.
I agree hackers are breaching the architecture; but as I just explained, they are also breaking the authentication mechanism.