Addressing Credential Compromise & Account Takeovers: Bearer-sensitive OTPs
Girish Chiruvolu, Ph.D., CISSP, CISM, MBA
ISACA NTX, April 19
Impact Across Every Industry
Phishing: Low Cost, Big Impact for Hackers
Online industries most targeted by phishing attacks as of the 2nd quarter of 2018*
*https://www.statista.com/statistics/266161/websites-most-affected-by-phishing/
Hey, wait a second... We have 2-factor authentication!
2-Factor Authentication + My Little Password: We are secure!
Welcome Advanced 2FA Phishing Automation!
- Tokens (one-time codes)
- SMS
- Approval (out-of-band)
Current 2nd-Factor Authentication Space
All are vulnerable to credential harvesting and account compromise:
- Man-in-the-middle phishing
- Over-the-shoulder
- Keylogger malware
Bearer-agnostic credentials (valid for whoever presents them) can be intercepted and spoofed by all of the above.
Regular Token Scenario, How it Works: Account Takeover
Account takeover after the victim follows a phishing link, with current 2-factor authentication (parties: Victim, Man-in-the-Middle Proxy Server, Authentication Server):
1. Victim requests the login page (from the man-in-the-middle proxy server)
2. Proxy server proxies the login request to the authentication server
3. Authentication server serves the login page; the proxy serves it on to the victim
4. Victim submits credentials (including 2FA) to the proxy
5. Proxy submits the credentials to the authentication server
6. Authentication server verifies and accepts the credentials (sets authenticated-state cookies)
Result: ACCOUNT TAKEOVER
Scenario A and Scenario B: Equivalent in Credential Stealing
Scenario A: Victim -> Man-in-the-Middle Proxy Server -> Authentication Server
Scenario B (simulate this): Step 1, snoop on the victim's passcodes; Step 2, use the snooped passcodes to log in to the authentication server
How was the Man-in-the-Middle (aka Proxy) Spoof Done? Time for a Hacking Game!
URL: https://gmail.com
OTP: on the screen
What We Learnt (+ My Little Password): current 2FA is bearer-agnostic and insecure!
Protect From Credential Spoofing?
- FIDO-based challenge-response with a public-private key pair
- BEARER-AWARE OTP GENERATION: an enhancement to OATH OTP, the bearer-aware one-time passcode (BOTP)
FIDO2: ASYMMETRIC, PRE-ESTABLISHED PUBLIC-PRIVATE KEYS
- Fast Identity Online (FIDO) Alliance, with U2F
- Utilizes pre-established public-private key pairs to do challenge-response authentication
- Key chain stored typically in USB (hardware) tokens
- Near Field Communication (NFC) or Bluetooth Low Energy (BLE) devices for communication with the browser
How Does FIDO Work?
Key Highlights of FIDO2
- User-credential verification is no longer with the service/relying party but with the authentication agent, so it is very important to ensure that agent is secure
- Risk management and policy enforcement are very important
- SSO and federations are broken; they need retrofits and customization
- Public keys can be replaced with attacker keys
- Backup keys are an additional burden, and account resets are cumbersome
- Application changes: new libraries
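The following is an added illustration of the FIDO-style challenge-response described on the preceding slides, not code from the deck or from the FIDO specifications. It models the two properties the slides rely on: the private key stays on the authenticator, and the signed response is bound to the origin the browser is really connected to. The origins, the user name and the exact message layout (sha256 over length-prefixed origin plus challenge) are assumptions made for the example; real FIDO2/WebAuthn uses its own authenticator-data and client-data encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed origins: the genuine service and a look-alike run by a proxy.
const (
	RealOrigin  = "https://mail.example"
	PhishOrigin = "https://mail-example.net"
)

// Authenticator models the user's key-holding token (USB, NFC or BLE). It keeps
// one private key per origin it was registered at; private keys never leave it.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

// Register mints a key pair for origin and returns only the public half,
// which the relying party stores at enrolment.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[origin] = priv
	return pub
}

// Assert signs the challenge bound to the origin the browser reports. The
// browser, not the page content, supplies that origin, so a token used on a
// look-alike domain signs for that domain, or refuses if it has no key for it.
func (a *Authenticator) Assert(browserOrigin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[browserOrigin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedMessage(browserOrigin, challenge)), true
}

// signedMessage is what both sides sign and verify (assumed layout):
// sha256(len(origin) || origin || challenge).
func signedMessage(origin string, challenge []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, uint32(len(origin)))
	buf.WriteString(origin)
	buf.Write(challenge)
	sum := sha256.Sum256(buf.Bytes())
	return sum[:]
}

// RelyingParty is the genuine service. It verifies every response against its
// own origin, never against an origin the client claims.
type RelyingParty struct {
	Origin string
	keys   map[string]ed25519.PublicKey // user -> enrolled public key
}

func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.Origin, challenge), sig)
}

// loginViaBrowserAt runs one login. browserOrigin is where the victim's browser
// is really connected; when it differs from rp.Origin, a proxy in between relays
// the challenge and the response unchanged (the slides' man-in-the-middle setup).
func loginViaBrowserAt(auth *Authenticator, rp *RelyingParty, user, browserOrigin string) bool {
	challenge := make([]byte, 32) // fresh random challenge issued by the real service
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	sig, ok := auth.Assert(browserOrigin, challenge) // relayed to the victim's token
	if !ok {
		return false // token has no key for the look-alike origin: nothing to relay
	}
	return rp.Verify(user, challenge, sig) // relayed back to the real service
}

// FidoDemo enrols "alice" at the real origin and tries three logins: direct,
// relayed through the look-alike with no key for it, and relayed after the
// token was also registered at the look-alike (the best case for the proxy).
func FidoDemo() (direct, relayedNoKey, relayedWithKey bool) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{Origin: RealOrigin, keys: map[string]ed25519.PublicKey{}}
	rp.keys["alice"] = auth.Register(RealOrigin)

	direct = loginViaBrowserAt(auth, rp, "alice", RealOrigin)
	relayedNoKey = loginViaBrowserAt(auth, rp, "alice", PhishOrigin)
	auth.Register(PhishOrigin)
	relayedWithKey = loginViaBrowserAt(auth, rp, "alice", PhishOrigin)
	return
}

func main() {
	d, n, w := FidoDemo()
	fmt.Println("direct:", d, "relayed, no key for phish origin:", n, "relayed, signed for phish origin:", w)
}
```

The third case is the one worth studying: even when the token is willing to sign for the look-alike origin, the relying party recomputes the message over its own origin, so a relayed signature fails verification. This is also why the slides stress that verification now depends on the authenticator and browser behaving correctly: if the agent reported a false origin, this binding would be lost.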
Simpler Way to Protect Credentials? BEARER-AWARE ONE-TIME PASSCODES
- An enhancement to OATH OTP: the bearer-aware one-time passcode (BOTP)
- OTP generation takes additional factors into account: capture the device fingerprint
- Shrink the attack surface
BOTP Scenario, How it Works: No Account Takeover
BOTP prevents account takeover (parties: Victim, Man-in-the-Middle Proxy Server, BOTP Authentication Server):
1. Victim requests the login page (from the man-in-the-middle proxy server)
2. Proxy server proxies the login request to the BOTP authentication server
3. Authentication server serves the login page; the proxy serves it on to the victim
4. Victim submits the bearer-aware BOTP to the proxy
5. Proxy submits the credentials to the authentication server
6. Authentication server verifies who the bearer is, in addition to the proof of shared secret, and rejects the credentials: NO authenticated-state cookies
Result: NO ACCOUNT TAKEOVER
Let's Hack Again? Time for a Hacking Game!
BOTP: on the screen
Key Highlights of BOTP
- No changes to SSO, federation or applications, and works with all browsers: no browser lock-in
- Credential verification is done at the authentication server end: no reliance on end-user agents
- Shared secrets never leave the devices, and mass exposure is minimized (eliminated) because BOTPs are non-harvestable
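The following is an added example, not code from the deck, illustrating the difference between the bearer-agnostic OATH code on the earlier slides and the bearer-aware code on the BOTP slides. The HOTP/TOTP part follows RFC 4226/6238 and is checked against the RFC 4226 test vector. The BOTP construction is an assumption for the illustration (the deck does not define how the device fingerprint enters the code): the counter is simply followed by a hash of the fingerprint in the HMAC input. The fingerprint strings, the shared secret and the clock value are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const timeStep = 30 // RFC 6238 default time step, in seconds

// truncate applies RFC 4226 dynamic truncation to an HMAC digest: 6 decimal digits.
func truncate(h []byte) string {
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// HOTP is the standard OATH code (RFC 4226): HMAC-SHA1(secret, counter), truncated.
func HOTP(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	return truncate(mac.Sum(nil))
}

// BOTP is the assumed bearer-aware variant used for this illustration: the same
// HMAC, but the counter is followed by a hash of the bearer's device fingerprint.
// The code therefore only verifies for the bearer whose fingerprint the server sees.
func BOTP(secret []byte, counter uint64, fingerprint string) string {
	fp := sha256.Sum256([]byte(fingerprint))
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	mac.Write(fp[:])
	return truncate(mac.Sum(nil))
}

// Server is the authentication server: it holds the shared secret and, when
// BearerAware is set, recomputes the code with the fingerprint of the connection
// that actually submitted it, not with anything the client claims about itself.
type Server struct {
	Secret      []byte
	BearerAware bool
}

func (s Server) Verify(code, submitterFP string, now int64) bool {
	counter := uint64(now / timeStep)
	expected := HOTP(s.Secret, counter)
	if s.BearerAware {
		expected = BOTP(s.Secret, counter, submitterFP)
	}
	return hmac.Equal([]byte(expected), []byte(code)) // constant-time compare
}

// Constructed fingerprints (placeholders, not real values): what the server
// observes for the victim's own browser versus for the phishing proxy.
const (
	victimFP = "tls:constructed-victim-profile;ua:Firefox;ip:203.0.113.10"
	proxyFP  = "tls:constructed-proxy-profile;ua:Go-http-client;ip:198.51.100.77"
)

var sharedSecret = []byte("12345678901234567890") // RFC 4226 test-vector secret

// LoginAccepted replays the slides' scenario. The victim always generates the
// code on their own device (with victimFP); submitterFP is whoever delivers it
// to the server: the victim directly, or the man-in-the-middle proxy that
// harvested it. The result is whether the server would set an authenticated session.
func LoginAccepted(bearerAware bool, submitterFP string, now int64) bool {
	srv := Server{Secret: sharedSecret, BearerAware: bearerAware}
	counter := uint64(now / timeStep)
	code := HOTP(sharedSecret, counter)
	if bearerAware {
		code = BOTP(sharedSecret, counter, victimFP)
	}
	return srv.Verify(code, submitterFP, now)
}

func main() {
	now := int64(1700000000) // fixed clock so the demo is repeatable
	fmt.Println("plain TOTP, code relayed by proxy, accepted:", LoginAccepted(false, proxyFP, now))
	fmt.Println("bearer-aware OTP, code relayed by proxy, accepted:", LoginAccepted(true, proxyFP, now))
	fmt.Println("bearer-aware OTP, victim submits directly, accepted:", LoginAccepted(true, victimFP, now))
}
```

The plain code verifies no matter who submits it, which is the "bearer-agnostic" property the earlier slides call out; the bearer-aware code fails as soon as the submitting connection's fingerprint differs from the one it was generated for. The practical check before adopting such a scheme is how the fingerprint is derived: the device and the server must derive the same value for a genuine session (otherwise legitimate logins fail), and the residual risk is an intermediary that can reproduce the victim's fingerprint as seen by the server, which is why the BOTP slide speaks of shrinking the attack surface.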
BOTP vs. FIDO

Property                                            BOTP   FIDO2
Works with all browsers                             Yes    No, only FIDO-compliant browsers
Verification control at authentication server       Yes    No, relies on the end-user's agent
No changes to existing federation & single sign-on  Yes    Needs custom retrofits
Quantum-safe?                                       Yes    Vulnerable
No changes to existing applications                 Yes    No, needs substantial software changes
Summary
- Bearer-agnostic authentication schemes (OATH OTP, SMS, RSA, password, etc.) can be spoofed
- FIDO2: public-private keys; shifts risk and verification onto end-user devices; substantial changes to browser and infrastructure
- BOTPs, based on a shared secret and bearer-sensitive OTP generation, make bearer-aware anti-spoofing, anti-phishing codes; cost-effective, no browser lock-in, no changes to infrastructure and applications
Thank you! Q&A More information: https://uberpasscodes.com