Money transfers, online shopping, booking a doctor’s appointment online – these activities are part of our everyday life. We do them mechanically, and they take only a moment. Not so long ago, however, the same procedures were much more complicated and time-consuming. We are used to the fact that, to perform these operations, it is enough to confirm your identity and provide some data. But in times when we hear about so many data leaks, is this a safe enough way of verification? According to the CERT Orange Polska cybersecurity report, special attention should be paid to the threat of phishing. This form of attack constitutes a significant percentage of threats, and observations indicate that this tendency will grow.
What is phishing?
Phishing is a form of fraud in which a user is tricked into providing confidential information, typically by means of fake websites. Hackers impersonate a person or an institution in order to obtain important information or to persuade you to perform some action. To capture data, they rely on the weakest link in any protection, the human being, and on the power of habit.
A common phishing strategy is to use links leading to fake websites. The resemblance can be very close, with the sites differing only in small details. Sometimes, for example, the only difference is a single diacritical mark, which, combined with a layout and colours almost identical to the original, leads the user to enter login credentials on the fake website.
Such attacks also arrive by email and even by voice message. How does it end? With a takeover of the account, and often of many accounts: unaware of this practice, users frequently reuse the same password across many applications. Sensitive data, private messages and bank accounts become easy targets for attack. Cyber incidents happen to individuals as well as to large organizations.
Business implications of attacks
We live in the age of big data, and in the world we live in data is worth more than money. Identity theft and the loss of important data are a problem for any user, but businesses in particular should be aware of this threat. A cyber-attack means not only temporary downtime, production delays or the cost of mitigating the damage. Reputational damage is as severe and long-lasting as financial losses. A company that falls victim to hackers loses credibility and customer trust. Its competence is called into question: if it cannot protect its own data, what guarantee of security can it give its customers? A reputational crisis resulting from a data leak can do lasting harm to a company. It is therefore better to prevent it with dedicated preventive measures.
Authentication methods – pros and cons of popular solutions
Preventing data theft is a prominent topic in the cybersecurity discussion, and industry experts agree that two-step verification is an effective solution. It can protect users from losing access to data (money in the bank, or an email account holding important information). The extended authentication process requires more than just a username and password: it demands an additional element, such as a code, a confirmation from a mobile app, or a security key. Let’s take a look at the most commonly used 2FA (two-factor authentication) methods and trace their advantages and disadvantages.
SMS codes are the simplest two-step authentication method, and certainly the one most familiar to users. When logging in to your account, after entering your login and password, you are asked to enter a one-time code sent to your phone number by SMS. The main advantage of this popular solution is its accessibility: nowadays almost everyone has a cell phone. Entering the received code is not a demanding task, which will certainly be appreciated by users of applications aimed not only at people fluent in new technologies. In addition, writing the software that sends SMS codes is not complicated. The speed and ease of implementation are another advantage of this method.
Despite its universality, verification based on SMS codes is not the most effective way of securing data. Experts point to a number of weaknesses, ranging from loss or theft of the phone to risks that are independent of both the application’s users and its creators. Here it is worth mentioning the doubts about the weak security of GSM networks and the possibility of an attack using a duplicate SIM card. Attackers, using the phone owner’s personal data obtained from leaks, can order a duplicate SIM card from the mobile operator. This leaves a clear security gap that makes it possible for hackers to steal data.
The need to improve on SMS codes led to one-time codes generated for identity verification on the device itself. This popular 2FA method is based on generating codes in an app on your phone. There are many applications that can generate one-time passcodes, for example Google Authenticator. How does it work? When the server creates a profile for a user, it generates an 80-bit key. This key is presented to the Authenticator application as a code to be scanned. From it, the application generates a hash using the HMAC-SHA1 algorithm, and part of this hash is then displayed to the user as a 6-digit code.
This solution eliminates the concerns about the GSM network: the application generates one-time passcodes in the phone’s memory, without the network’s involvement. A further convenience is that no communication between the server and the code generator is needed; once the initial configuration is done, it works independently. Availability is another advantage of verification based on one-time codes, since today the smartphone is an everyday object for most people. On the other hand, the smartphone also seems to be the biggest weakness of this method. The key is stored in the phone’s memory, which makes it vulnerable to leaking. Note, too, that the ability to generate one-time codes does not protect against attempts to steal data: we are still not safe against classic phishing based on a fake website.
In the hierarchy of effectiveness, the U2F security key ranks highest. The key eliminates the drawbacks of the previous proposals. FIDO U2F is a physical device that connects to a computer via a USB port; it can also connect to a phone via NFC or Bluetooth. During registration of the device, the user generates a random identification number. This number consists of the name of the website and a secret key stored permanently on the device. The device then creates a private key and a public key based on this number.
The private key stays on the device, and the public one is sent to the server.
Logging in with the key begins with the site the user is visiting generating a request. The U2F key then checks whether the request comes from the site registered in the previous step. If a match is confirmed, the device signs the request with the private key and sends it back to the server. This verification process is much more efficient and secure, and eliminates the disadvantages of the previous solutions.
Advantages of the FIDO U2F security key
The undoubted advantage of this verification method is that the key is an accessible and easy-to-configure device. Communication is via USB, NFC or Bluetooth, which makes the tool easy to use. Additionally, the device is small and therefore easy to carry; you can always have it with you, for example on a key ring. More importantly, especially in the context of the initial issue, the device is phishing-resistant. The innovation of this solution lies in the fact that the key itself checks the correctness of the website on which it is being used. What is more, the signing of the request happens only on the key. Malicious applications cannot intercept the private key, which guarantees the security of operations performed with it.
Disadvantages of the FIDO U2F
Like any of the previously mentioned verification methods, the FIDO U2F key is not without disadvantages. Users point out the tiresome need to carry the device with them and to get into the habit of going out not only with a cell phone but also with a security key. Like any item, it can also get damaged, so for complete security it is recommended to have two devices of this type, which allows you to access your account if one of them is lost or damaged. There is also the question of cost: getting such a device involves an expense. The cheapest FIDO U2F keys can be bought for about 40€, which is relatively little in view of the advantages of this solution.
Although the ingenuity of data thieves can be surprising, they use standard attack methods that you can learn to recognize. It is worth building a few good habits into your daily Internet activities, which will reduce the risk of opening a fake message or using a phishing website. You will not fall into a phisher’s net if you limit your trust: do not trust suspicious links, messages with downloads received from an unknown source, or sites that force you to enter data. It is also good practice to use a password manager, which can generate complex, unique passwords while reducing the need to remember them.
For users who care about security, we recommend technical protection against phishing. At this moment the only solution that can effectively protect against data theft attempts is FIDO U2F. The cost of such a device is a small price to pay for the security of your confidential data, your social media accounts, and your bank accounts and the funds in them.
Thank you for reading our article. If you care about data security and do not want to expose your company to financial and reputational losses, consider working with specialists. We believe in Digital Orchestration, so we care not only about providing cutting-edge technology but also about the comprehensiveness and security of the solution. We work on the security and quality of the code, and we also handle software testing, which eliminates the risk of malfunction. As a Global System Integrator we provide services in the field of technology implementation and business consulting – please contact us: firstname.lastname@example.org.