Security is — justifiably — a significant concern for modern businesses. Technological advances have not just benefited businesses but also criminals. Computer-savvy criminals are more than capable of adapting to and exploiting new technologies and techniques — often finding new opportunities as fast as security professionals can counter their old ones.
Naturally, government, regulators, and professional bodies are keen to develop initiatives to protect companies and their customers. These can have wide-ranging effects that impact everyone.
Take GDPR, the European Union’s regulatory framework to give people choices over how companies handle their personal data. The intent was to give European citizens security and privacy by ensuring there were controls over how information about them is used and who has access to it. This has already led to massive, record-breaking fines.
GDPR led to global changes in how websites collect information — or at least required them to seek consent to do so — if they wanted to do any business within the EU. A similar piece of legislation, the California Consumer Privacy Act (CCPA) — different in scope but arguably more ambitious in what it regards as personal data — is currently passing through California’s state government in the US.
Its effects (and California’s status as the most populous state) mean that any company operating in the US would have to comply. As such, it has been talked about as setting the standard, not just federally within the US but globally.
Setting security standards
What does this have to do with security? This question brings us back to the EU, and their Payment Services Directive, or rather the revised version (PSD2) which was implemented in January 2018 and came into full effect this September.
The directive aims to improve financial services, in part through opening the industry to third party providers. As a consequence, this necessitates introducing improved security, in the form of Strong Customer Authentication.
SCA keeps users’ accounts and details safe by ensuring companies have methods in place for making sure customers are who they say they are. (Financial services firm J. P. Morgan Chase explains the implications in detail.)
In short, companies are obliged to use some form of two factor authentication, a crucial element in protecting user and customer accounts. Although the Payment Services Directive only applies to the European Economic Area, the principles of Strong Customer Authentication set a new standard, which is sure to be adopted elsewhere as more countries and industries realise the importance of protecting users with 2FA.
As soon as new security procedures are developed, criminals move to adapt. Cybersecurity professionals must continually react to new threats as attackers shift the focus of their efforts. 2FA itself is an attempt to respond to the insecurity of passwords, to counter the problem of social engineering and password cracking software.
With PSD2 and SCA increasing enterprise usage of 2FA, there will be a commensurate rise in criminals using whatever means they can to bypass it.
The problem here is that 2FA on its own is not entirely secure. To be sure, institutions like the US National Institute of Standards and Technology (NIST) still see its value, but they also argue there are problems with relying on 2FA, especially over text. This is because criminals have already adapted, and the conflict over user security has shifted to a new site — away from passwords themselves and towards the methods used to authenticate identities.
There are two main fronts in this fight: SIM swap fraud, and the security of the networks delivering 2FA one-time passwords. SIM swap fraud essentially substitutes an attacker’s SIM card for legitimate users, so they will receive OTPs intended for the account-holder’s phone. Alternatively, the attacker might choose to attack the network itself to gain access and conduct man-in-the-middle style attacks on any traffic passing through it.
These two methods of compromising the authentication process affect different stakeholders.
Increasing consumer protection
While networks will want to put a stop to SIM swap fraud — and have a certain amount of responsibility in this area — enterprises will want to be sure the 2FA solutions they use are not being co-opted or intercepted.
Silent additional verification of the phone number itself can offer reassurance here. When a phone number is ported from one SIM to another, the identity of the SIM itself (represented by an International Mobile Subscriber Identifier, or IMSI) does not change.
By registering the IMSI associated with a number, and subsequently checking it when they send a 2FA request, companies can see whether or not the number has been transferred to another SIM. This is a key indicator that a SIM swap has occurred, and the enterprise can authenticate the user’s identity some other way (and possibly alert them that such a fraud has occurred).
Securing the network
The second vulnerability — network security — primarily comes about because of how messages are transmitted. Much of today’s mobile communications are still carried over SS7 (signalling system 7) connections, or over systems connected to SS7.
The problem is that SS7 is an old protocol, and lacks the serious security protections needed to combat current threats. It is not an encrypted channel, by design.
By compromising the SS7 system, an attacker can potentially gain access to any of a network’s subscribers’ communications — including OTPs. Consequently, MNOs need to take ownership of this problem, since the increasing prevalence of 2FA will make them and their SS7 networks an even more appealing target.
It is becoming more and more necessary to secure critical network infrastructure and deploy SS7 firewalls, to protect these often-vulnerable elements from attacks that threaten the MNO’s business and reputation.
Security concerns affect everyone in the chain and everyone in adjacent markets. Even those companies ahead of the curve, who implement improved security as a business consideration (rather than out of obligation to regulations), will have something to be concerned about.
Criminal techniques developed to circumvent 2FA in the EU or US don’t and won’t stay in those jurisdictions. In fact, they’re already a global problem. Both enterprises and operators will want to take proactive steps to counter these threats.
At GMS, we monitor the markets for emerging threats and trends, to help us and our clients make proactive decisions. Our security-conscious solutions help protect customers, enterprises, and operators alike. Speak with our experts to learn more.