Two-Factor Authentication is Not What it Used to Be

By | December 11, 2012

Posted in: Network Security Trends

Banking customers in Europe were recently ripped off for millions of Euros by a very sophisticated series of malicious compromises targeting users' computers and cell phones. In effect, two-factor authentication was defeated for about 30,000 customers at more than 30 different banks. This proves that with persistence, organization, and economic incentives, people can be duped and two-factor authentication precautions can be easily overcome.

One important thing to take away from the Eurograbber incident: Internet-equipped smart phones and SMS used for a secondary validation can no longer be considered an out-of-band (OOB) form of authentication. We can no longer consider SMS an OOB form of authentication simply because it is no longer out of band.

OOB SMS was a pretty reliable form of authentication back when cell phones were just cell phones. But with cell phone evolution into smart phones, everything has changed. Simply put, SMS authentication has been compromised with the advent of smart phones, so user be ware.

Some folks might say that perhaps these banking customers deserved to be ripped off. After all, they were duped more than once into clicking tainted links and were lured like flies to visit malicious websites. One wonders how such informed people could fall for phishing emails - there is no excuse for falling prey.

However, it should be noted that somewhere along the line, SMS authentication for cell phone use morphed after starting out as OOB, turning into just another form of in-band authentication.  As security weakened, the risks increased significantly, and no one seems to have realized what had happened.

Whatever the case, it is users who need to take responsibility for their actions in these matters above all. It is their money, and they made this scheme way too easy for the attackers. Users need to understand that SMS is completely compromised with the advent of smart phones, and that more secure forms of authentication should be used when available. They also need to educate themselves further about phishing tactics and how to defend against them and malware in general.

Banks and other entities who are no doubt trying to reliably authenticate its users need to understand that OOB SMS should no longer be considered two-factor authentication. Cell phones used to represent a second-factor as "something you have" for authentication purposes.  But with the advent of smartphones and 4G, they are now simply a second computer with phone capabilities and are considered in-band with regards to usernames and passwords, amounting to nothing more than another form of one-factor authentication.

About the Author: Marc Quibell (CISSP, CRISC) has written articles featured by InfosecIsland.com and Tip4Tech, and has been active in the IT sector for over twenty years doing everything from soldering 8086 motherboards to Tier 2 BGP routing. Marc has been in IT Security exclusively for the past ten years and currently works as a penetration tester and Security Engineer at Redspin. He describes his previous position as an Information Assurance Security Officer in Jalalabad, Afghanistan as "hands-down the strangest year of my IT career..."

Editor’s Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article’s content or messaging.

You May Also Be Interested In: