If Two-Factor Authentication (2FA) Is Not Bulletproof, How Will We Authenticate?

In the past couple of years, we have repeatedly been reminded of the weakness of passwords as an authentication method. High-profile breaches with millions of lost credentials, sophisticated desktop malware, advanced mobile malware, phishing scams and other attacks have proven time and time again that a username and password combination cannot provide the adequate evidence required for authentication.

One of the most popular and trusted methods for strong authentication has been the use of one-time passwords (OTPs) in the form of tokens. While OTP tokens are used to deter attackers due to the need for real-time data from the potential victim, today’s malware is specifically designed to circumvent this security measure.

As two-factor authentication (2FA) is based on the assumption that two of the three factors of authentication are used (something you know, something you have and something you are), tokens no longer qualify as “something you have.” The moment a user looks at a token’s randomly generated number, it becomes something he knows. While this new password does have a short time to live, it is still just another password in the user’s possession. As we have witnessed repeatedly, extracting passwords from an end user with malware is not a difficult task.

Targeting OTPs is nothing new. Today’s cybercriminal has a long list of tools that can be used to extract everything from passwords to secret questions, token-generated passwords and even device ID data.

Cybercriminals regularly defeat SMS passwords, emulate users’ online behavior and even outsmart combinations of smart cards, passwords and unique card readers. Phishing attacks dating back to 2008 used OTP-stealing mechanisms by asking victims repeatedly for their token-generated password. The criminal simply monitored his command-and-control server and attempted to use these credentials as they were stolen and sent to his server in real time.

When malware became cybercriminals’ main tool, malware designers and users approached the OTP issue through social engineering and HTML injection. From login page OTP stealers to SMS OTPs, everyone — not just financial institutions — was targeted. Some techniques were so good that gangs started copying ideas from one another. Even in a recent court case, multifactor authentication alone as a method of authentication was not deemed secure enough.

All in all, a cybercriminal can now choose between simple credential-stealing tools that will report the OTP in real time to sophisticated remote-session hijacking if there is an OTP challenge.

Top Challenges With Biometrics

One rising but infrequently used authentication measure these days is biometrics (“something you are”). Using biometrics in its various forms (voice, fingerprint, retina scan, behavioral biometrics, etc.) poses the following challenges:

  • Registration: To register a biometric, one must make sure the registration process is done in a clean and safe environment. While this is true for any form of password, it is much more important for biometrics. A password can be re-credentialed, while a fingerprint cannot.
  • Accuracy: This is the question of how accurate you want your biometric to be. If you require very high accuracy, be prepared to deal with many angry users. A fingerprint that requires the same exact position of your finger every time (ask iPhone 5s users) or a voice biometric ruined due to a slight change in voice (phone reception, the flu, background noises) can be very frustrating for an end user.
  • Database Security: Biometrics cannot be re-credentialed. If you plan on collecting such strong authentication measures from your users, you have to make sure this data is properly secured. If it were ever compromised, the backlash would be unprecedented.
  • Forgery: Last but not least, if you can’t make it, fake it. Using high-resolution scans and pictures, voice sampling and mouse movement capturing, attackers can forge a biometric.

It remains to be seen how financial institutions will implement various forms of biometrics and how the cybercrime gangs will react when biometric adoption rates grow. For every evolution in authentication, the cybercriminals have determined a countermeasure to continue their fraud operations.

So Where Is Authentication Heading?

New authentication solutions are taking a much wider view and approach to the problem than 2FA. We are moving away from relying on passwords and secrets that the user holds to the correlation of multiple events and elements to decisively understand whether the session, device and user are who they claim to be.

While passwords will not die anytime soon (they aren’t completely worthless, after all), security experts today correlate multiple fraud indicators to better understand an incoming authentication event. These indicators include multiple data elements and decisions such as the following:

  • Is the authenticating device infected with malware?
  • Has the authenticating user been identified as a phishing victim?
  • Is the session actually controlled by a remote computer?
  • Have any of the user’s devices been compromised?
  • Is there evidence of typing anomalies during the authentication process?

By moving away from adding another form of “something you know/have/are” and checking hundreds of other indicators, both the user and the security officer experience less friction and have less of a need for manual authentication and case investigation. In my next article, I will analyze two different approaches for such invisible authentication.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…