Authenticator Research

by msecadm4921

Popular methods of online authentication are putting both consumers and business users at risk of a serious security breach, according to security staff at Corsaire, as hackers find new ways to bypass standard identification and verification (ID&V) techniques.

Whilst authentication typically relies on the submission of a single username and password, multiple authenticators (such as follow-up security questions and secondary PIN codes) are widely perceived as offering greater security. In most cases, however, Corsaire found no significant improvement in a system’s resilience to attack, even with these multiple authenticators in place.

"Even though the process of authentication is of vital importance when it comes to protecting sensitive data, many of the solutions being implemented in this area are merely providing a false sense of security," says David Ryan, Associate Principal Security Consultant with Corsaire’s Security Assessment Team. "In many cases, we’ve seen the use of ‘multiple authenticators’ as nothing more than a way of satisfying an external requirement, and often as a way of side-stepping real improvements in providing authentication solutions that would actually be strong enough to protect access effectively."

Corsaire’s research suggested that many of the most popular authentication methods in use, including many varieties of multiple-authenticator technique, offer very little improvement over the common username-and-password approach, because they still rely on very basic or easy-to-guess passwords and PIN codes.

Just last month, for example, a man in California pleaded guilty to hacking into more than 3,200 e-mail accounts (http://www.itproportal.com/2011/01/17/man-used-facebook-hack-womens-e-mail-accounts-and-steal-nude-pics/) by scouring his victims’ Facebook accounts for the answers to the security questions used by Web-based e-mail services such as Gmail and Yahoo Mail. Posing as his victim, he would claim to have forgotten the account’s password and then answer the security questions that let him in.

While a combination of multiple authenticators may offer greater resilience to attacks like these, it will often demand an unacceptable level of complexity from users. Without that complexity, an attacker can still identify users of the system (since an email address now commonly doubles as the user name) and then mine public data sources for personal details, preferences and other pieces of data that may help him breach the system.

As part of a recent series of white papers on the subject, called Breaking the Bank (http://research.corsaire.com/whitepapers/technical.html), staff at Corsaire examined all of these issues in order to determine the best approach to ID&V. Based on its findings, Corsaire recommends the use of a private identity for authentication purposes, i.e. one that is unique to the system, is known only to the system and the user, and follows a non-predictable structure. Because such an identity cannot be derived from public information such as a name or an email address, unauthorised access, including "brute-force" attacks run across many accounts at once, becomes much more difficult: the attacker has to guess the identity as well as the credential.
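The following is an added illustration, not code from the article or from Corsaire’s white papers, of the difference a private identity makes to a cross-account password-guessing ("spray") attack. The people, the email naming convention, the passwords and the password list are all constructed sample data; the login routine, which returns the same generic failure for an unknown identity and for a wrong password so that the response does not confirm whether an identity exists, is an assumption about how such a system would be built.

```python
"""Password spray against public (email) user names versus private identities.

Added example. PEOPLE, COMMON_PASSWORDS and the example.com naming
convention are constructed sample data, not real accounts.
"""
import hashlib
import hmac
import secrets

# Constructed sample: names that are public (e.g. on a social network)
# paired with the weak passwords their owners chose.
PEOPLE = [
    ("alice", "smith", "Password1"),
    ("bob", "jones", "Summer2011"),
    ("carol", "white", "qwerty"),
    ("dave", "brown", "correct-horse-battery"),
]

# A short list of common passwords an attacker would try first (constructed).
COMMON_PASSWORDS = ["Password1", "Summer2011", "qwerty", "123456"]

# PBKDF2 iteration count lowered from production values to keep the demo quick.
PBKDF2_ROUNDS = 20_000


def email_username(first, last):
    """A conventional email-style user name: derivable from the public name alone."""
    return f"{first}.{last}@example.com"


def private_identity(nbytes=16):
    """A private identity: 128 bits from the OS CSPRNG, unrelated to any public attribute."""
    return secrets.token_urlsafe(nbytes)


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Directory:
    """Toy user store keyed either by email user name or by private identity."""

    def __init__(self, use_private_ids):
        self.users = {}    # identity -> (salt, password hash)
        self.issued = {}   # (first, last) -> identity, handed to the user out of band
        for first, last, password in PEOPLE:
            ident = private_identity() if use_private_ids else email_username(first, last)
            salt = secrets.token_bytes(16)
            self.users[ident] = (salt, _hash(password, salt))
            self.issued[(first, last)] = ident

    def login(self, ident, password):
        # Same generic False for "no such identity" and "wrong password", so the
        # response does not tell an attacker which identities exist (assumption).
        record = self.users.get(ident)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_hash(password, salt), digest)


def guessed_usernames():
    """What an attacker can derive from public names plus the email convention."""
    return [email_username(first, last) for first, last, _ in PEOPLE]


def password_spray(directory, usernames):
    """Try each common password against each guessed user name.

    Returns (attempts, list of compromised identities).
    """
    attempts, hits = 0, []
    for user in usernames:
        for password in COMMON_PASSWORDS:
            attempts += 1
            if directory.login(user, password):
                hits.append(user)
                break
    return attempts, hits


def expected_guesses_for_private_id(nbytes=16):
    """Average number of identity guesses needed before the attacker can even
    start guessing a password, when identities are nbytes of CSPRNG output."""
    return 2 ** (8 * nbytes - 1)


if __name__ == "__main__":
    public = Directory(use_private_ids=False)
    print("email user names:", password_spray(public, guessed_usernames()))
    private = Directory(use_private_ids=True)
    print("private identities:", password_spray(private, guessed_usernames()))
    print("guesses to find one private id:", expected_guesses_for_private_id())
```

Run stand-alone, the spray against the email-keyed directory recovers every account whose password is on the common list after only ten attempts, while the same spray against the private-identity directory never reaches a password check at all, because none of the guessed user names exist there. The point is not that the private identity replaces a strong credential, but that it removes the free, public half of the username/password pair and so forces the attacker to guess both.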

Notes

David Ryan is a co-author of Corsaire’s Breaking the Bank series of security white papers. In addition to being an Associate Principal Security Consultant with Corsaire’s Security Assessment Team, he has held various positions within the Information Security field since 2000 and has spent much of that time developing and implementing security management strategies, designing technical security controls and providing consultancy.

A free copy of Corsaire’s Breaking the Bank series of white papers can be obtained from the company’s web site –



© 2024 Professional Security Magazine. All rights reserved.