With the creativity that users show when choosing their passwords, it is no wonder that the takeover of employee accounts remains a core problem of IT security.
The most frequently leaked password is still 123456, followed by 12345 and 123456789. Anyone who thinks this is a bad joke only has to look at the password ranking published by the Hasso Plattner Institute:
The term “account takeover” covers all techniques that attackers use to gain access to a user’s account. In most cases this is done with compromised login credentials; reusing the same password across different online accounts contributes to this. Initially, e-commerce websites and financial service providers were the primary targets of criminal hackers, but today almost every online platform that requires registration carries the risk of identity theft and financial fraud.
Entering a user name and password on a login page works the same way almost everywhere. Single-factor authentication, i.e. logging in with nothing but a password, however, poses a high risk.
Users are notoriously bad at choosing passwords, as the picture gallery above clearly shows. This makes it easy for attackers to simply guess the password.
The automated variant of this guessing game is the brute-force attack. Tools such as Medusa, Hydra, ncrack or Metasploit make it possible to systematically try long lists of passwords against login pages on the Internet or against remote desktop protocols.
If a web service or a company is successfully hacked, so-called password hashes usually end up on the net. Hash functions transform passwords into a compact string of fixed length. Tools like Hashcat or John the Ripper make it possible to “convert” these hash values back into plain-text passwords: the hash itself cannot be reversed, so the tools hash candidate passwords at high speed until one of them matches.
Once devices and systems have been compromised, tools such as Mimikatz can be used to extract Windows passwords from memory. Keyloggers record keystrokes in order to capture login data.
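Automated password guessing leaves a characteristic trace: many failed logins from one source in a short time. The following added example (not code from the original article) parses a few constructed SSH-style authentication log lines and flags source addresses that exceed a failure threshold inside a sliding time window; the log lines, IP addresses and thresholds are all made up for the illustration.

```python
# Added example: detect login brute-force bursts in constructed auth log lines.
# Every log line, address and threshold below is invented for illustration.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1]: Failed password for admin from 203.0.113.7 port 4001
2024-03-01T10:00:02 sshd[1]: Failed password for admin from 203.0.113.7 port 4002
2024-03-01T10:00:03 sshd[1]: Failed password for root from 203.0.113.7 port 4003
2024-03-01T10:00:04 sshd[1]: Failed password for admin from 203.0.113.7 port 4004
2024-03-01T10:00:05 sshd[1]: Failed password for guest from 203.0.113.7 port 4005
2024-03-01T10:00:06 sshd[1]: Failed password for alice from 198.51.100.2 port 5001
2024-03-01T10:00:09 sshd[1]: Accepted password for alice from 198.51.100.2 port 5002
2024-03-01T10:02:00 sshd[1]: Failed password for bob from 198.51.100.9 port 6001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def find_bruteforce_sources(log_text, max_failures=5, window_seconds=60):
    """Return {ip: peak_failure_count} for every source that produced at least
    max_failures failed logins inside some window of window_seconds."""
    failures = defaultdict(list)
    for ts, result, _user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits into window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    # Expected: only 203.0.113.7 is flagged; alice's single typo is not.
    print(find_bruteforce_sources(SAMPLE_LOG))
```

A single mistyped password from a legitimate user stays below the threshold, while the tool-driven burst against several account names from one address is flagged; in production the same logic would feed a temporary block or an alert rather than a print statement.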
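The reason leaked hashes of passwords like 123456 are recovered instantly is that an unsalted, fast hash can be compared against a list of common passwords at negligible cost. The added example below (not code from the original article) shows that guessing step beside the storage scheme that slows it down: a per-user salt and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library). The password list and passwords are constructed for the illustration.

```python
# Added example: unsalted fast hash (weak) next to salted PBKDF2 storage (hardened).
# The candidate list and passwords are constructed for illustration only.
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["123456", "12345", "123456789", "password", "qwerty"]


def fast_hash(password):
    """Unsalted SHA-256: the weak scheme. Equal passwords give equal digests,
    and billions of guesses per second are possible on commodity hardware."""
    return hashlib.sha256(password.encode()).hexdigest()


def guess_from_fast_hash(digest, candidates=COMMON_PASSWORDS):
    """A hash cannot be reversed; "converting it back" means hashing guesses
    until one matches. Returns the matching candidate or None."""
    for candidate in candidates:
        if hmac.compare_digest(fast_hash(candidate), digest):
            return candidate
    return None


ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow KDF.
    Returns 'iterations$salt$digest' as the string to store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and iteration count."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = fast_hash("123456")
    print("fast hash of 123456 recovered as:", guess_from_fast_hash(leaked))
    stored = hash_password("123456")
    print("stored record:", stored)
    print("verify correct:", verify_password("123456", stored))
    print("verify wrong:", verify_password("12345", stored))
```

The salt makes every stored record unique, so a cracked list cannot be reused across users or precomputed, and the iteration count turns each guess into hundreds of thousands of hash operations. Neither measure rescues a password as weak as 123456 on its own, which is why the article moves on to a second factor.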
At this point, a two-factor authentication (2FA) solution promises more security. A further factor is added to the authentication process, which creates an additional barrier in the event of an attack and is intended to slow attackers down. Most often, though not exclusively, “possession” factors are used for this purpose. Not all two-factor authentication is the same: a range of different technologies is used in this area, some of which differ greatly from one another and have different advantages and disadvantages, both in terms of security in general and in terms of the specific risk of attack:
Two-factor authentication with SMS tokens
The best-known type of two-factor authentication works with SMS tokens. A random code is generated each time the user logs in and sent to the user’s smartphone via SMS. According to a blog post from Google, automated bot attacks can be completely blocked in this way. For large-scale phishing campaigns the figure is 96 percent, for targeted hacker attacks still 76 percent. Nevertheless, SMS tokens are rightly considered the most insecure 2FA variant. If attackers succeed in deceiving the mobile operator and porting the victim’s phone number to a SIM card under their control, the tokens can be intercepted (a “SIM swap” attack). An SMS token can also be reused (“replay attack”) if the victim is tricked into sending it to a malicious server as part of a social engineering campaign.
2FA with smart cards
Smart cards or integrated circuit chip (ICC) cards are typically used for two-factor authentication in highly secure Windows environments, for example at the US Department of Defense. The smart card is the size of a normal credit card but has an integrated chip that stores a digital X.509 certificate used to uniquely identify the user. This certificate is encrypted and must be activated with a PIN, which gives the hardware-backed certificate strong security properties. For larger companies, however, managing a public key infrastructure is extremely time-consuming, especially if the smart cards have to be provided at various locations internationally.
Two-factor authentication via TOTPs
Time-based One-Time Passwords (TOTPs) are generated cryptographically in software. The app is synchronized once with the server (including the clocks) and can then generate a new cryptographically derived code every minute, which serves as the second authentication factor. Once set up, a TOTP requires no further communication between app and server, so the code cannot be intercepted in transit (as an SMS token can). The disadvantage: the server component is not authenticated, and the code can still fall into the wrong hands via social engineering.
Instead of software, such one-time passwords can also be generated by hardware tokens. A residual risk remains here as well, because hardware-based TOTP tokens can be lost or break and then have to be replaced and re-registered, which is not inexpensive either.
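To make the “synchronized once, then no further communication” property concrete, here is an added example (not code from the original article or from any particular authenticator app) of the HOTP/TOTP construction standardized in RFC 4226 and RFC 6238: an HMAC-SHA1 over a counter derived from the clock, truncated to a short decimal code. Both sides hold the same shared secret, so only clocks need to agree. The server-side verifier tolerates one step of clock skew and refuses to accept a time step it has already accepted, which blocks replay of a code that a user was tricked into revealing once the step has been used. The secret is the RFC test key; the 30-second step is the RFC default (the article's "every minute" corresponds to a 60-second step, which the `step` parameter allows).

```python
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) generation plus a
# server-side verifier with skew tolerance and replay protection.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, digits: int = 6, step: int = 30, now=None) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals
    since the Unix epoch, so app and server agree without talking."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server side. Accepts codes within +/- `skew` steps of the current clock
    and never accepts the same (or an older) time step twice."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30):
        self.secret, self.digits, self.step = secret, digits, step
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, now=None, skew: int = 1) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for candidate in range(current - skew, current + skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay of a used step, or older than one: reject
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0:", hotp(key, 0))          # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(key, 8, now=59))  # 94287082 per RFC 6238
    print("current code  :", totp(key))
```

The verifier's replay rule is the part most often missing from home-grown implementations: without it, a code phished out of a user remains valid for the rest of its time step plus the skew window, which is exactly the social-engineering weakness the article notes.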
2FA via Universal Second Factor
Those for whom the risk of intercepted 2FA tokens is too high rely on Universal Second Factor (U2F), a standard developed by the FIDO (Fast IDentity Online) Alliance. Universal Second Factor is usually implemented with hardware tokens and authenticates the server the client is communicating with by means of the service’s public key. A cryptographically protected memory area on the hardware token serves as the secure element. No exchange of credentials is necessary. Cloning or imitating websites to intercept login data no longer works, because the stored signature does not match the requested one.
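The property that defeats cloned websites is that the token's response is bound to the origin the browser actually reports, so a response produced on a look-alike site is useless at the real one. The added example below (not code from the original article or from the FIDO specifications) models that binding in a deliberately simplified form: it uses HMAC with a shared key where a real U2F token uses a per-site key pair and an ECDSA signature, and it omits key handles, attestation and counters. The origins, user name and the "phishing relay" scenario are constructed for the illustration.

```python
# Added example: simplified model of U2F origin binding.
# SIMPLIFICATION: HMAC stands in for the token's per-origin key pair and
# signature, so the server stores the derived key instead of a public key.
# Origins and names below are constructed for illustration.
import hashlib
import hmac
import os


class Token:
    """The hardware token: one master secret, never leaves the device."""

    def __init__(self):
        self.master = os.urandom(32)

    def _key_for(self, origin: str) -> bytes:
        # A distinct key per origin (real tokens derive per-site key pairs).
        return hmac.new(self.master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # In real U2F the server would receive a public key here.
        return self._key_for(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the web page, supplies `origin`; the token binds
        # its response to it by hashing the origin into the signed message.
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._key_for(origin), msg, hashlib.sha256).digest()


class Server:
    """The genuine service at `origin`, holding one registered key per user."""

    def __init__(self, origin: str):
        self.origin = origin
        self.keys = {}

    def register(self, user: str, key: bytes):
        self.keys[user] = key

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self.keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def legitimate_login(server: Server, token: Token, user: str) -> bool:
    """User visits the real origin; browser passes that origin to the token."""
    challenge = server.new_challenge()
    return server.verify(user, challenge, token.sign(server.origin, challenge))


def phishing_relay(server: Server, token: Token, user: str, fake_origin: str) -> bool:
    """A look-alike site relays the real challenge to the victim. The browser
    reports the look-alike origin to the token, so the relayed response does
    not verify at the genuine server."""
    challenge = server.new_challenge()
    relayed_response = token.sign(fake_origin, challenge)
    return server.verify(user, challenge, relayed_response)


def demo():
    token = Token()
    server = Server("https://accounts.example")
    server.register("alice", token.register(server.origin))
    return legitimate_login(server, token, "alice"), phishing_relay(
        server, token, "alice", "https://accounts-examp1e.net"
    )


if __name__ == "__main__":
    ok, phished = demo()
    print("legitimate login accepted:", ok)       # True
    print("relayed phishing response accepted:", phished)  # False
```

The decisive detail is that `origin` reaches the token from the browser, which the page cannot forge, rather than from the page itself; this is also why U2F needs no secret to be typed or sent, and why a relayed code, unlike an SMS or TOTP code, is worthless to the relay.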
The effectiveness of the individual 2FA technologies is an important selection criterion. For companies, there is also the question of how practicable a company-wide rollout is. Many users find it cumbersome in everyday work to need an additional device to access internal systems. Here it is necessary to strike a balance between IT security on the one hand and fast, centralized deployment with the simplest possible management on the other. If the 2FA solution has to be installed on smartphones, tablets and other devices, this can take an enormous amount of time. Special hardware such as security tokens, in turn, can be lost or develop a defect. Companies considering the use of two-factor authentication must therefore make compromises.
Against the background of the current threat situation, and given that criminal hackers never tire of developing new attack methods, it is high time for companies in particular to enforce more stringent authentication processes. This could be the only way to finally get rid of the “123456” problem and to combat account takeover attacks in a targeted manner. (fm)