One of the largest challenges that organisations face when implementing multi-factor authentication is user adoption, says Jeff Hickman at SecureAuth. Balancing user experience against security has always been a difficult task and seems to be getting harder every day. One of the largest hits to multi-factor adoption has been against SMS text message delivery of One-Time Passcodes.
In fairness, getting users to switch to a more secure method of two-factor authentication, such as mobile apps, physical tokens, or biometrics, is not always practical. With the continued rise of attacks focused on compromising two-factor authentication, SMS has received the lion's share of media attention. Between SIM card fraud, Signalling System 7 (SS7) network intercepts, and the National Institute of Standards and Technology's (NIST) recent caution against using SMS as an authentication method in its August 2016 Digital Authentication Guideline draft, there is no question that you need to evaluate the security of using text messaging as an authenticator.
We are now living in a generation where social media "over-sharing" is at an all-time high. This presents a real threat to an organisation's risk profile and is difficult to audit and remediate. Typically, we look at social media risk in terms of public image and operational effectiveness, but a very real risk that is frequently overlooked is the information exposed that can be leveraged by bad actors. This is how SIM card swap fraud is usually perpetrated.
Commonly, it is not some hacker stealing the SIM card out of your phone when you aren’t looking (it is a real threat though!) or a device to read and imprint your SIM card through your pocket or bag; it is simple social engineering. When a bad actor has enough information about their target, they will contact the phone carrier and get the phone SIM card swapped to a new device/SIM. Once this is complete, all texts and phone calls will be sent to this device. Typically, the bad actor ports the number to some sort of virtual number, but there have been cases where the number is ported to a “burner” or pre-paid phone.
As a result, hackers may also be able to access personal information such as your bank details. In some cases criminals may open a second account in the victim's name, as there are often fewer security checks, or simply transfer the money to themselves: banks can use text messages to send customers codes that are then needed to authorise large online bank transfers, acting as a one-time PIN or password. With the fraudster receiving these texts rather than you, they can approve their own requests.
SIM swap fraud can pose a significant risk to a company’s reputation and customer base. But if the necessary prevention measures are put in place from the beginning, banks and phone providers could prevent this type of damage and the loss of crucial resources, time, and money.
Fortunately, phone fraud prevention is now possible. New capabilities we've implemented add another layer of risk-analysis adaptive authentication, designed to block the most common ways that phone number fraud attacks are carried out.
- Block Recently Ported Numbers: Numbers that have recently been transferred will be blocked from use. Users can re-enable their number after they complete authentication using a different challenge method.
- Block By Phone Class: You can choose what type of phone number may be used. For example, physical phones may be allowed while virtual numbers are blocked.
- Block By Carrier: You can choose which of the ~180 worldwide carriers can receive phone/SMS challenges. For example, if all of your customers are based in North America, you can limit to carriers in that region.
- Multi-Factor Abuse Throttling: Prevent attackers from brute-force guessing OTPs by limiting the number of MFA requests that can be sent across all channels.
All of the above helps to prevent the misuse of valid credentials, providing a multi-layered protective shield around organisational resources while keeping user friction to a minimum. Modern approaches such as adaptive access control bring greater security to 'close the front door' to attackers, without bothering authorised users unless there is risk. The more layered the risk checks you do, the less chance an attacker gets through.
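As an added illustration (not SecureAuth's code or its product's policy engine), the following Python gate applies the four checks above before an SMS OTP is sent: recently ported numbers, phone class, carrier allow-list, and a per-user request throttle counted across all channels. The phone-intelligence record, its field names and the policy thresholds are assumptions; in practice the record would come from a carrier or number lookup service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed phone-intelligence record; a real deployment would fill it from a
# carrier/number lookup service (field names here are assumptions).
@dataclass
class PhoneInfo:
    number: str
    line_type: str                 # e.g. "mobile", "landline", "voip"
    carrier: str
    ported_at: Optional[datetime]  # last port-in date, None if never ported

@dataclass
class Policy:
    block_ported_within: timedelta = timedelta(days=7)
    allowed_line_types: FrozenSet[str] = frozenset({"mobile"})
    allowed_carriers: Optional[FrozenSet[str]] = None  # None = any carrier
    max_mfa_requests: int = 5      # per user, counted across all channels
    window: timedelta = timedelta(minutes=15)

class MfaGate:
    def __init__(self, policy: Policy):
        self.policy = policy
        self._sent: Dict[str, List[datetime]] = {}

    def record_request(self, user: str, now: datetime) -> None:
        """Count every challenge (SMS, voice, push) so throttling is global."""
        self._sent.setdefault(user, []).append(now)

    def _throttled(self, user: str, now: datetime) -> bool:
        cutoff = now - self.policy.window
        recent = [t for t in self._sent.get(user, []) if t > cutoff]
        self._sent[user] = recent  # drop entries outside the window
        return len(recent) >= self.policy.max_mfa_requests

    def check_sms(self, user: str, info: PhoneInfo, now: datetime) -> Tuple[bool, str]:
        """Decide whether an SMS OTP may be sent; returns (allowed, reason)."""
        p = self.policy
        if self._throttled(user, now):
            return False, "throttled"
        if info.ported_at is not None and now - info.ported_at < p.block_ported_within:
            return False, "recently_ported"  # re-enable only via another challenge method
        if info.line_type not in p.allowed_line_types:
            return False, "line_type:" + info.line_type
        if p.allowed_carriers is not None and info.carrier not in p.allowed_carriers:
            return False, "carrier:" + info.carrier
        self.record_request(user, now)
        return True, "ok"
```

A denied reason is what you would log and alert on; a burst of "throttled" or "recently_ported" outcomes for one user is itself a signal worth investigating.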
Jeff Hickman is Senior Solutions Engineer at SecureAuth.