Incidents such as the Crypto.com heist and last year’s Coinbase attack show that multi-factor authentication isn’t enough protection against a determined attacker.
January’s $34 million Crypto.com hack, like last year’s Coinbase attack, focused attention, once again, on the weaknesses of two-factor authentication. Again like Coinbase, Crypto.com responded by tightening its 2FA procedures. But the real problem isn’t the authentication tokens, or even customers’ bad security practices. The problem is that 2FA can’t close the gap that exists when actual people are involved. People will always be hackable – a fundamental fact that enterprises need to accommodate when considering how to protect their most valuable data assets.
The missing factor
Multi-factor authentication (MFA) is a richly mined field these days, with many security researchers and innovators directing their attention to how to improve it. The aim, of course, is to ensure that the person trying to log in to an account is the account owner, by obtaining confirmation beyond just a password or security question. We all know how vulnerable passwords are to brute force attacks and to user laziness – how many users really have unique passwords for every site? Come to that, since password vaults can be exploited by key logging (and strong, unique passwords need to be stored in such a manager, as they can’t be remembered), even unique passwords are vulnerable.
So a password clearly isn’t enough to establish user identity, and that’s where multiple factors come into play. On the MFA principle, an attacker would need to obtain not only a user’s login credentials, but also their second device, to gain account access; outside a Hollywood thriller, it’s not likely that a hacker would be able to steal that particular phone, nor would a mugger who stole the phone have the owner’s passwords. MFA is a broad concept, encompassing everything from SMS confirmation codes to biometrics and devices such as smart cards that must be inserted into a company laptop.
There are even companies investigating passive MFA approaches, which could improve user convenience and security in one move. If the necessary confirmation were obtained by matching background audio input from a user’s phone to that from their computer, it would surely be far harder to pretend to be the owner of that account.
All of which is fair enough, as far as it goes. Unfortunately, as the headlines show, it doesn’t go far enough.
MFA can’t stop scammers
Multifactor authentication is often touted as a solution to phishing, which is still on the rise. But it’s far from bulletproof. These days, luring marks to a fake login site is just one tactic among many, often more sophisticated social engineering strategies. For instance, SIM swap attacks target employees at telecom providers, convincing them to transfer a phone number to the attacker’s device – which of course then allows them to intercept MFA confirmation codes.
The crypto and NFT community has seen a rash of such scams. Between cryptocurrency users having their wallets drained through SIM swaps, and NFT artists being lured by the promise of a sale into downloading malware that gave the attackers access to their accounts, the lesson here is that humans will always be the weak point in your security strategy.
While strategy often focuses on better protection at the user’s end – better MFA; more education on good security practice – the unfortunate fact is that anything users can access, can be stolen. Anything. Humans are vulnerable by nature: social engineering attacks may exploit their greed, their insecurities or simple confusion under stress. The tactics may be more or less sophisticated, and may or may not be supported by technological tricks such as deepfakes, but human vulnerability doesn’t change.
So how do you lock up your greatest asset?
It may not be possible to protect people’s funds, just as it isn’t possible to protect bank customers from scammers at ATMs who distract and confuse them. But for enterprises, data is more valuable than cash. When you understand that humans are always the weak spot, you know that sensitive data needs to be kept safely out of reach of any human element.
If you really can’t afford to lose it, you can’t let anyone have access – never mind if they have the right credentials, or the best security training. That means safeguarding your data behind a wall that no human can breach, in a trusted execution environment or other secure enclave. Maintaining that secure zone then demands regular attestation, which can be provided by Integritee’s transparent blockchain platform.
Is it really practical, or even possible, to lock up your data this way? Not always; but when data is being pooled for automated processing, or to fuel machine learning, it can be very efficient and even bring further advantages (such as the elimination of human error – you can’t accidentally delete a record if you can’t even see it). Think of AI-driven customer behavior analysis, for example. Collecting detailed records of purchases, communications and social media activity can generate profound insights to improve marketing and service development, but it’s a privacy and compliance nightmare. However, if those individual records were hidden from any human, with only the automatically generated insights accessible, businesses could enjoy the benefit without the risk. It’s the same story with much Internet of Things data – automatically harvested, automatically processed, it can include very personal information (such as in-home audiovisual recordings), but there’s no need for humans to access it at all.
Multi-factor authentication is often cited as an example of “zero-trust” security, but in fact it just transfers trust to the MFA mechanism. Which, as experience shows, is far from foolproof. Forget trust; the reality is that no one is always smart enough to evade traps, or well-protected enough that their keys can’t be stolen.
For truly zero-trust security, you need to throw away the keys – and then keep checking that the lock hasn’t been picked. It sounds like a lot of work, but that’s where privacy-preserving data platforms like Integritee shine. And it’s certainly a lot less work, and far less cost, than dealing with a hack after the fact.