We’ve all gotten used to the rituals of computer security. User name, password, the aggravations of forgetting and resetting, and more recently, the advent of multi-factor authentication. A user interface will send you an email or a text or a phone message to help make sure that you’re really you. The slight inconvenience is worth the relief of knowing that an account — possibly a very important and sensitive account — is safe.
A New Threat
More recently, however, the FBI Cyber Task Force has begun urging computer users to add another layer of security to their accustomed security rites. In a message targeted toward the business community, the digital security experts warned that the current protocols had vulnerabilities which could lead to the exposure of very valuable data.
The news is undoubtedly startling to many computer users, who have received assurances from trusted top tech brands like Google and Microsoft that multi-factor authentication is the last word in security, leaving their systems almost 100% secure. But the FBI report disclosed some disturbing, high-level breaches since 2016 that did end runs around multi-factor authentication.
As the FBI’s press release put it, “FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts. The primary methods are social engineering attacks which attack the users and technical attacks which target web code.”
Limits of multi-factor authentication
The intelligence agency report offered some examples of determined hackers who found ways around the multi-factor barriers. In one case, a hacker was able to access and rob a bank account by manipulating the URL character string. The report also pointed to a growing trend called “SIM-swapping.”
In SIM-swapping, attackers call up the victim’s phone company, assuming the victim’s identity. They eventually find a customer service representative who is more willing to give out information, and then assume control over the victim’s phone number, which they associate with their own SIM card. After that, they have the ability to call the victim’s bank, which recognizes the number, and have the victim’s money drained into their own account.
Another popular method is the so-called man-in-the-middle (MITM) attack. Here, the attacker intercepts transmissions passing from a victim’s computer to another computer associated with a secure account. This takes place without the user being aware that the transmissions have been read and potentially altered. Still another technique is session hijacking, in which the attacker steals an access token used by the victim to access a secure server.
Biometrics, to put it simply, are physical human characteristics that can be used to restrict access to computer systems. They can include fingerprints, facial patterns, or voice. Each of these characteristics is unique to one particular individual.
In addition to being unique, these traits don’t require any added cost or complexity. Companies don’t have to train people to have unique fingerprints, as they might have to train them to design and remember a secure password. Employees come to work fully prepared! In addition, biometric traits are very difficult for attackers to imitate.
Biometric authentication has the potential to greatly augment business security systems without too much added hassle. On the other hand, failure to implement biometric solutions leaves companies vulnerable to the attack methods already described. Our SecureDrive BT product line has the technology for both multi-factor and biometric authentication, keeping our clients safe with cutting-edge data security.