Digital identity has never been more important. Individuals are using an increasing number of Internet services, from health to banking. Enterprises try to sustain high productivity by giving employees remote access to company networks and cloud services. The volume of electronic requests for data is growing rapidly, and a large portion of these data requests, purportedly coming from privileged users such as customers or employees, must be authenticated.
In this article we discuss two identity-related security concerns, social engineering (SE) and man-in-the-middle attacks (MiM). We will look at traditional authentication factors, including something you know (e.g., a password), something you have (e.g., a device) and something you are (e.g., a biometric). Finally, we will introduce CloudMode’s new authentication technology, Reverse Authentication or RevAuth, where an authentication transaction is defined as an irreversible sequence of blocks.
Social Engineering is the act of manipulating someone to take action for the manipulator’s benefit. In the context of information technology, that means: (a) trying to extract confidential information and/or (b) attempting to gain unauthorized access to a system or network. A convincing “pretext” is often used to get the target to give up information such as passwords. Once a password is obtained, it compromises at least a user account, but often hands over control of an entire organization’s network.
Let’s look at an example of social engineering. In Social Engineering: The Art of Human Hacking, Chris Hadnagy lays out a common scenario in which a social engineer, disguised as an IT repairman, walks into your company’s building. He sets his toolbox down in front of the secretary and says that he has been called in because there is a problem with a workstation and/or the company’s server room. Convinced, the secretary leads him to the workstation. Once there, an employee will almost always give up passwords so that his or her workstation can be “fixed.” The social engineer can then access confidential information on the spot, or may even insert malicious code that opens up the network from the outside.
While in-person social engineering provides a great example of how people can be manipulated, most social engineering occurs electronically. For example, in a “phishing” attack, email or web pages that purport to be from an official source (e.g., a bank) are used to get targets to divulge usernames and passwords. Similarly, a social engineer may employ a phone to get personal information and login credentials. For example, a “customer” may call a telecommunications carrier and convince an employee that he or she needs a password reset.
Social engineering is a huge problem. Each attack may be part of a larger scheme to defraud an individual or damage an enterprise. Hadnagy indicates that 70% of recent corporate data breaches involved social engineering. The harm to individuals and enterprises can be immense. In February 2015, the BBC reported an unprecedented bank theft of up to a billion dollars when alleged Russian hackers used spoof emails to trick staff into giving them network access. In 2013, 1.8 million people became victims of medical identity theft through websites impersonating medical providers. In December 2014, a sophisticated social engineering attack allowed hackers to gain access to the control systems of a German steel factory, and the attack prevented a blast furnace from shutting down. In all of these cases, the social engineer was purporting to be someone they were not.
“Man in the middle attacks” (also referred to as MiM) occur where an attacker secretly relays, and possibly alters, the communication between two parties who believe they are directly communicating.
For example, if Alice and Bob are attempting to communicate securely, they may exchange cryptographic keys at the initiation of their conversation. A third party, Malcolm, may intercept the initial communication and send Malcolm’s own cryptographic key to both Alice and Bob. When Alice sends a message, Malcolm decrypts it, reads it, and possibly alters it. Malcolm then re-encrypts the message before sending it on to Bob as if nothing happened and waits for Bob’s response.
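The exchange just described, as an added example that is not part of the original article: a toy Diffie-Hellman run in which Malcolm substitutes his own public value for both parties, and the out-of-band fingerprint comparison that exposes the substitution. The group parameters and all function names are constructed for illustration only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group constructed for this example; real systems use
# standardized, much larger groups.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Session key from our private value and the public value we received."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()


def fingerprint(pub):
    """Short digest of a public value, easy to compare over another channel."""
    return hashlib.sha256(str(pub).encode()).hexdigest()[:16]


def run_exchange(malcolm_in_middle):
    """Simulate the exchange; returns (alice_key, bob_key, malcolm_can_read, detected)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    # Public values as actually received over the (possibly relayed) channel.
    pub_seen_by_alice, pub_seen_by_bob = b_pub, a_pub
    malcolm_can_read = False
    if malcolm_in_middle:
        m_priv, m_pub = keypair()
        pub_seen_by_alice = pub_seen_by_bob = m_pub  # Malcolm's value goes to both
    alice_key = shared_key(a_priv, pub_seen_by_alice)
    bob_key = shared_key(b_priv, pub_seen_by_bob)
    if malcolm_in_middle:
        # Malcolm now shares one key with Alice and another with Bob, so he can
        # decrypt, read, alter and re-encrypt every message he relays.
        malcolm_can_read = (shared_key(m_priv, a_pub) == alice_key
                            and shared_key(m_priv, b_pub) == bob_key)
    # Mitigation: each side checks the fingerprint of what it received against
    # the peer's true value over an independent channel; a mismatch reveals MiM.
    detected = (fingerprint(pub_seen_by_alice) != fingerprint(b_pub)
                or fingerprint(pub_seen_by_bob) != fingerprint(a_pub))
    return alice_key, bob_key, malcolm_can_read, detected
```

Without the relay both sides derive the same key and nothing is flagged; with Malcolm relaying, the two sides hold different keys, Malcolm holds both, and only the fingerprint check reveals it.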
MiM attacks are becoming increasingly common. In some cases, hackers launch these attacks from innocuously named wireless networks that they set up in busy areas, for example coffee shops and airports. MiM attacks can also occur on a much larger scale. For example, last October the Chinese government carried out a series of MiM attacks on iCloud against users within China. In addition to stealing data transmitted during the communication, such as payment information, MiM attacks are also used to steal login credentials.
To prevent identity-based attacks a user must be securely authenticated. Some system must determine whether a user who is requesting access to data or control over a network is who they say they are.
Three “factors” can be used for this authentication process. The first factor is something that you know. For example, this could be a password, a passphrase, or a security question such as the name of your first pet. A second factor is something you have. For example, both a fob and a smartphone can act as a second authentication factor, as can a digital certificate issued to a device. The third factor is something you are, like biometric data including voice (e.g., through pattern recognition) or retinal patterns (e.g., authenticated via an eye scan).
Using what you know is a huge security vulnerability. Because memory is fallible, people often choose short passwords that are easy to remember. That means, however, that they are also easy to guess (or “crack” by having computers rapidly cycle through commonly used “password libraries”). Similarly, answers to security questions, such as a mother’s maiden name, are often easy for social engineers to find. Passphrases, short sentences with additional numbers and symbols, are more difficult to guess. But the fundamental problem with what you know is that it is just information. You cannot “loan” a password. Rather, you always give it away (and the same password is often used for several accounts). In perhaps the most notorious recent example, Edward Snowden utilized this strategy to retrieve information using a colleague’s login credentials.
What you have can be much more secure. When what you have is a physical object such as a smartphone, it cannot be captured by phishing attacks or shared over the phone with a convincing social engineer. Sharing use of the factor, while still discouraged, only amounts to temporarily sharing access. You also generally know if you lose the object, allowing a faster response to a potential security breach. If a user does lose control of the object, the central authority that issued the device, or that uses the device as the authentication factor, can be contacted and its access capability shut off. Similarly, when an employee of an organization leaves, it may be easier to remember to collect his or her device or remove that device’s access capability.
Today, almost all of us carry smartphones that have the potential to be used as a sophisticated authentication factor. In the future, wearable tech may also be similarly useful. Configured correctly, these devices can act as a frictionless authentication tool that imposes almost no cost in convenience to the user while yielding large increases in security to both users and organizations.
CloudMode uses a new authentication process called Reverse Authentication, or RevAuth. RevAuth defines authentication as a transaction that occurs between the user requesting the data and the service to which the request is addressed. The transaction becomes a block in an irreversible chain of blocks, or blockchain. The request originates from a device such as a mobile device or item of wearable tech like a smartwatch.
The result is that the device can be used as a password-free login to quickly and securely authenticate users for access to online services, user profiles or corporate networks. Password-free login significantly reduces the risk associated with social engineering.
RevAuth is designed on the principle that authentication and authorization should be independent operations. Indeed, CloudMode defines each as a separate transaction to be validated and verified. Unlike other authentication methods, RevAuth is able to rapidly authenticate a user each time data is requested, independent of the particular data requested. If a malicious actor clones a device or attempts to capture data of the user with a MiM attack, the Reverse Authentication process is able to immediately identify and warn the user and/or the service to which the user’s data request is directed. Similarly, a malicious actor is prevented from using captured credentials once the authenticated user engages in even a single additional authentication transaction.
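The property described above, as an added example that is not part of the original article and not CloudMode’s own code: a hypothetical model in which each authentication transaction is a block chained to the device’s previous one and MACed with a device key, so the service can tell a fresh transaction from a replayed capture or a clone racing the real device. The Device and Service classes, the block format and the device key are all constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical model constructed for this article, not CloudMode's RevAuth code:
# each authentication is a block linked to the device's previous block and MACed
# with the device key, so a captured or cloned transaction stops working once
# the chain has moved on.

def block_hash(prev, device_id, seq, request):
    return hashlib.sha256(f"{prev}|{device_id}|{seq}|{request}".encode()).hexdigest()


class Device:
    """User device: holds a secret key and its own view of the chain tip."""
    def __init__(self, device_id, key):
        self.device_id, self.key, self.tip, self.seq = device_id, key, "genesis", 0

    def authenticate(self, request):
        """Produce the next block, linked to the last block this device made."""
        self.seq += 1
        h = block_hash(self.tip, self.device_id, self.seq, request)
        tag = hmac.new(self.key, h.encode(), hashlib.sha256).hexdigest()
        block = {"device": self.device_id, "seq": self.seq, "prev": self.tip,
                 "request": request, "hash": h, "tag": tag}
        self.tip = h
        return block


class Service:
    """Checks each block against the device key and the chain tip it recorded."""
    def __init__(self):
        self.keys, self.tips, self.alerts = {}, {}, []

    def enroll(self, device):
        self.keys[device.device_id] = device.key
        self.tips[device.device_id] = ("genesis", 0)

    def verify(self, block):
        """Return 'ok', 'bad-mac' (forged or tampered) or 'stale' (replay or fork)."""
        key = self.keys[block["device"]]
        h = block_hash(block["prev"], block["device"], block["seq"], block["request"])
        expected = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
        if h != block["hash"] or not hmac.compare_digest(expected, block["tag"]):
            return "bad-mac"
        tip, seq = self.tips[block["device"]]
        if block["prev"] != tip or block["seq"] != seq + 1:
            # Extends an old tip: a replayed capture, or a clone and the real
            # device racing on one chain; record it so the user can be warned.
            self.alerts.append((block["device"], block["seq"]))
            return "stale"
        self.tips[block["device"]] = (h, block["seq"])
        return "ok"
```

A replayed block is rejected as soon as the chain tip has advanced, and when a clone and the real device both try to extend the same tip, the second one is rejected and an alert is recorded for the user and service.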