We hear about a new data breach or personal data leak almost every day now, and people seem barely surprised when it happens. In these cases, compromised credentials from previous data breaches are used to get access to different applications and services, in attacks known as ‘credential stuffing’. For example, during tax season in the US, a tax application is attacked and victims see their personal information, like social security numbers, addresses, dates of birth, tax returns, and other personal data, compromised.
The unfortunate reality is that this can happen even to people who use unique and complex passwords, because of the prevalence of phishing and other social engineering attacks that convince people to give out their user credentials. For example, there is a realistic Facebook social login phishing campaign that was so convincing that cybersecurity experts fell for it.
How can people better protect their user information? Through multi-factor authentication, which should be enabled on all apps and services that support it. Here we’ll explore multi-factor authentication and how it can better help us protect our data.
What is multi-factor authentication?
Multi-factor authentication (MFA) means authenticating with more than one factor, such as an RSA token or password combined with a fingerprint or facial recognition. This mixes something that you know with something that you have or are. George Sanders, a website admin at Brit Student and Write My X, explains that “unfortunately, we’ve learned by now that passwords are quite a terrible tool for protecting information and if people have been online for any number of years, it’s quite likely they’ve been the victim of a credential breach at one time or another and they don’t even know about it.”
How to use MFA?
MFA is designed to get around some of the problems with traditional authentication, and more and more consumer services now offer MFA or two-factor authentication. There are good and bad ways for companies to use MFA, and some have good intentions but fall short. For example, some say they use MFA, but the two steps are still both something that you know, like a login and password followed by a security question. This isn’t actually multi-factor authentication but two-step verification: it’s still just something that you know, and it isn’t much better than a password on its own.
Organizations are slowly realizing that this isn’t ideal and doesn’t meet strong authentication standards, so they’re moving away from it, but many organizations still use it. Also, SMS is currently being used as a form of MFA and it’s actually not that secure. Thomas Stacks, a tech blogger at Australia 2 Write and Next Course Work, explains to his readers that “cyber attackers are actually able to usurp SMS authentication and get access. Hardware is a good alternative but it requires users to actually use it, which isn’t as convenient.”
One good advancement is using human behavior as biometrics. This includes looking at how people type, how they move their mouse around, gait analysis on mobile phones, and more, and it acts as an invisible second-factor authentication on top of the usual login and password. This is an incredibly secure form of authentication but it’s only in the early stages, so there are other options somewhere between these two ends of the spectrum.
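The distinction drawn above between two-step verification and real multi-factor authentication can be checked mechanically. The following is an added example, not part of the original article: the authenticator names, their categories and the sample flows are assumptions constructed for illustration.

```python
# Added example. Authenticator names and their categories are assumptions
# made for this illustration, following the article's know / have / are split.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "sms_code": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "facial_recognition": "inherence",
    "typing_behavior": "inherence",
}

# Authenticators the article singles out as weaker than they look.
WEAK = {"sms_code": "SMS codes can be taken over; prefer a hardware token"}


def audit_flow(steps):
    """Classify a login flow by the distinct factor categories it uses."""
    if not steps:
        raise ValueError("a login flow needs at least one step")
    unknown = [s for s in steps if s not in FACTOR_CATEGORY]
    if unknown:
        # Refuse to guess: an unclassified step must not count as a factor.
        raise ValueError(f"unclassified authenticators: {unknown}")
    categories = sorted({FACTOR_CATEGORY[s] for s in steps})
    if len(categories) >= 2:
        verdict = "multi-factor"
    elif len(steps) >= 2:
        # Two prompts from one category, e.g. password + security question.
        verdict = "two-step, single factor"
    else:
        verdict = "single factor"
    warnings = [WEAK[s] for s in steps if s in WEAK]
    return {"verdict": verdict, "categories": categories, "warnings": warnings}


# Constructed sample flows, not taken from any real service.
SAMPLE_FLOWS = {
    "legacy portal": ["password", "security_question"],
    "consumer app": ["password", "sms_code"],
    "admin console": ["password", "hardware_token"],
    "mobile app": ["password", "fingerprint"],
}

if __name__ == "__main__":
    for name, steps in SAMPLE_FLOWS.items():
        result = audit_flow(steps)
        print(f"{name}: {result['verdict']} {result['categories']}")
        for warning in result["warnings"]:
            print(f"  warning: {warning}")
```

Run against an inventory of login flows, the "two-step, single factor" verdict picks out the deployments that look like MFA but still rely only on something the user knows.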
4G and 5G Protocols
Some researchers at Purdue University and the University of Iowa have announced details of security flaws discovered in both 4G and 5G protocols, which are used by mobile networks. The flaws make it possible to go around security protections and allow IMSI catching devices (‘Stingrays’) to intercept phone calls and track location. These devices are already used by countries and law enforcement. The 5G protocols that will be implemented soon actually do have protection against Stingray devices, but it can be defeated.
The research goes into detail about different types of attacks on both 4G and 5G networks. The researchers did not release code or exploits, but shared the flaws with the mobile carriers so they can be addressed. Another worrying piece of information is that these attacks can be accomplished with very inexpensive radio equipment, so we should all hope that mobile carriers fix these vulnerabilities soon, before the 5G network protocol is fully deployed.
Michael Dehoyos, a business expert at PhD Kingdom and Academic Brits, helps companies develop their marketing strategies and business plans. He writes for many technological and business publications. You can also find his work at the Essay Help blog.