SecurEnvoy’s Steve Watts tells us how hackers are gaining more and more power through unsecured knowledge access points
Every day hackers are being equipped for their next attack as more users than ever are trusting organisations with their personal information online. According to Ofcom, 70 percent of UK internet users are happy to give away their details, which is drip-feeding hackers with the power to make seismic security breaches.
Hackers are exploiting how major internet browsers cache login credentials and simply assume it is the same person accessing their pages over and over again. While this is a risk consumers may be willing to take in return for simplicity and convenience, it should never be contemplated by businesses as it would risk their reputation and heavy fines for not protecting their systems.
Two-factor authentication (2FA) ensures these credentials cannot work alone to access important information; however, getting this technology wrong is not worth contemplating.
Deployed and used correctly, two-factor authentication is the layer needed to protect one’s digital identity. Despite 2FA adding this protection, users can be left with a false sense of security. With some systems, the user only needs to fully use 2FA once and can then come back to the system day after day with instant access.
While private users may deem their personal information to be safe using this method, it is essential for the more security conscious to ensure credentials are physically entered every time a user logs in.
In 2011, RSA Security had to replace 40 million of its SecurID tokens – nearly every one in existence at the time – after hackers attacked contractor Lockheed Martin. Users logged in via a username and password, with a random number on their token as the second factor to authenticate. This number changed every 30 to 60 seconds, controlled by an RSA algorithm. The hackers obtained this algorithm, making the tokens worthless and putting the entire system in jeopardy.
What would happen if a security system had zero knowledge of the login credentials?
Automatically separating the seed records is a secure solution to such a breach. One part is created locally on the customer’s server, while the second is generated using specific characteristics of the mobile device that make it unique, e.g. information about the SIM card, the CPU or equivalent. When the app generates a passcode, the end device decrypts the first half of the seed record and derives the second half accordingly. Since one of the two parts of the seed record is never located on the employee’s mobile device, the security software excludes the possibility that attacking malware can steal the seed record. Since the seed record is derived in part from the phone’s own hardware fingerprint at the time of enrolment, the security system clearly can’t have a copy of the seed.
The latest 2FA technology is built upon this ‘zero knowledge’ foundation. This means neither the user, nor the platform they are trying to access knows all of the information. Nor indeed does the information security company called in to protect that data. Splitting the seed record means no party has a 360 degree view of the credentials.
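The two passages above, the SecurID incident where a stolen server-side secret made every token worthless, and the split-seed design where the server's half and a hardware-derived half are only combined on the handset, can be illustrated with a small model. The code below is an added example written for this article and is not SecurEnvoy's implementation: the fingerprint string, the salt, the HMAC-based derivation and the XOR "wrap" of the server half (standing in for a real authenticated cipher) are all assumptions made for the demonstration, while the passcode arithmetic follows the standard HOTP/TOTP construction (RFC 4226/6238).

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed device fingerprint: stands in for the SIM/CPU identifiers the
# article says the app reads; a real handset would collect these at enrolment.
DEVICE_FINGERPRINT = b"SIM:constructed-iccid-0001|CPU:constructed-soc-id"


def derive_device_half(fingerprint: bytes, enrolment_salt: bytes) -> bytes:
    """Device half of the seed: recomputed from hardware identifiers on demand,
    so it never has to be written to storage on the phone or on the server."""
    return hmac.new(enrolment_salt, b"device-half|" + fingerprint,
                    hashlib.sha256).digest()


def wrap_server_half(server_half: bytes, device_half: bytes) -> bytes:
    """Encrypt the server half so it is only readable on the enrolled device.
    XOR with an HMAC-derived keystream is a stand-in for a real AEAD (assumption);
    the same call unwraps, since XOR is its own inverse."""
    keystream = hmac.new(device_half, b"wrap-key", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(server_half, keystream))


def combine_seed(server_half: bytes, device_half: bytes) -> bytes:
    """Full OTP seed: exists only transiently, while a passcode is generated."""
    return hmac.new(device_half, b"seed|" + server_half, hashlib.sha256).digest()


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second window."""
    return hotp(seed, int(unix_time) // step, digits)


def enrol(fingerprint: bytes) -> tuple:
    """Split the seed at enrolment. Returns (phone_record, server_record).
    The phone keeps only the wrapped server half plus the salt; the server
    keeps only its own random half plus the salt. Neither holds the full seed."""
    salt = os.urandom(16)
    server_half = os.urandom(32)
    device_half = derive_device_half(fingerprint, salt)
    phone_record = {"salt": salt,
                    "wrapped_server_half": wrap_server_half(server_half, device_half)}
    server_record = {"salt": salt, "server_half": server_half}
    return phone_record, server_record


def device_passcode(phone_record: dict, fingerprint: bytes, unix_time: int) -> str:
    """What the app does: re-derive the device half from hardware, unwrap the
    server half, combine, and emit a code. Nothing persistent gains the seed."""
    device_half = derive_device_half(fingerprint, phone_record["salt"])
    server_half = wrap_server_half(phone_record["wrapped_server_half"], device_half)
    return totp(combine_seed(server_half, device_half), unix_time)


if __name__ == "__main__":
    phone, server = enrol(DEVICE_FINGERPRINT)
    now = int(time.time())
    print("passcode on enrolled handset:", device_passcode(phone, DEVICE_FINGERPRINT, now))

    # A copy of the phone record moved to different hardware yields a different
    # device half, hence a different unwrapped server half and a different seed.
    cloned_fp = b"SIM:constructed-iccid-0002|CPU:constructed-soc-id"
    print("passcode on cloned record, other hardware:",
          device_passcode(phone, cloned_fp, now))

    # The server-side half on its own (the SecurID situation) is not the seed.
    real_seed = combine_seed(server["server_half"],
                             derive_device_half(DEVICE_FINGERPRINT, server["salt"]))
    print("server half alone is the seed:", server["server_half"] == real_seed)
```

The point the model makes is that the seed is a function of two inputs held in two places, and a copy of either place alone (the server database, or a dump of the phone's storage) does not reproduce it. How a verifier obtains the device-derived half at check time, and what a production cipher and hardware attestation would look like, are outside what the article describes and are deliberately not modelled.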
To ensure security, firms need to embrace solutions that remove this knowledge, rendering the hacker powerless. Zero knowledge is the only way to stop hackers in their tracks.
Steve Watts is co-founder, SecurEnvoy