The phishing threat is indeed real and is of concern to those in the financial services industry, e-business, and ISPs where their businesses are directly affected. Phishing has evolved rapidly. Initially, users were lured to a phishing site where passwords were harvested or captured by blending phishing with spyware. Now, because more companies are deploying one-time password tokens, phishers are using different techniques to attack the organizations.
According to the White Paper published by Tricipher, Becky Bace, President of Infidel, Inc. stated, “The key to foiling these attacks is to take advantage of the existing SSL infrastructure to authenticate the client. SSL was designed to prevent man in the middle attacks and doesn’t require the user to reveal the credential.” She further stated that you should make it impossible to steal the entire credential from a user.
One of the best ways to protect sensitive and confidential data from phishers is by using a Multi-Factor authentication system.
| Phishing occurs because… | To prevent phishing… |
|---|---|
| Only the server authenticates to create the SSL channel | SSL client authentication should be turned on |
| Phishers can intercept the user’s “secret” login information | Choose a system that does not require the user to share their secret |
| With activity, sessions can be kept open for hours | Keep the session from being hijacked |
| Users are not sophisticated about looking for the SSL lock or they are fooled by fake URLs | Educate users to check for the SSL lock and not accept unrecognized certificates |
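The first row of the table, turning on SSL client authentication, is a one-line change on the server side with Python's standard `ssl` module. The example below is added here and is not code from the original article or from Tricipher; it builds a TLS server context that refuses the handshake unless the client presents a certificate chaining to a trusted CA, next to the default (server-only authentication) setting, and includes a small audit helper. The `ca_file`, `cert_file` and `key_file` paths are assumed placeholders.

```python
import ssl
from typing import Optional


def make_server_context(ca_file: Optional[str] = None,
                        cert_file: Optional[str] = None,
                        key_file: Optional[str] = None,
                        require_client_cert: bool = True) -> ssl.SSLContext:
    """Build a TLS server context.

    With require_client_cert=True the handshake fails unless the client
    presents a certificate issued by a CA listed in ca_file (mutual TLS),
    which is the 'SSL client authentication should be turned on' row of
    the table.  With False you get the usual server-only authentication.
    """
    # Purpose.CLIENT_AUTH means "this context authenticates clients",
    # i.e. it is a server-side context.  Its default verify_mode is CERT_NONE.
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3/TLS 1.0/1.1

    if require_client_cert:
        # Demand a client certificate and verify its chain.
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_NONE

    # Assumed placeholder paths; a real deployment loads the CA that issued
    # the client certificates and the server's own certificate/key.
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file and key_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def client_auth_enabled(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this server context actually demand a client certificate?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings an auditor would want to see."""
    return {
        "client_cert_required": client_auth_enabled(ctx),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    hardened = make_server_context()
    default = make_server_context(require_client_cert=False)
    print("hardened:", context_summary(hardened))
    print("default: ", context_summary(default))
```

Wrapping a listening socket with `hardened.wrap_socket(sock, server_side=True)` then rejects any client that cannot present a certificate from the loaded CA, so a phishing proxy without the user's certificate and private key cannot complete the handshake on the user's behalf.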
Multi-Factor Authentication (MFA) solutions leverage several types of authentication to reduce the probability of compromise. Most organizations use ‘user and password’ as the primary authentication factor and add a second factor such as a “one-time password” (OTP), either generated by a token (hardware or software) or sent through an SMS message.
In the past, MFA systems typically relied upon two-factor authentication. Increasingly, vendors are using the label “Multi-Factor” to describe any authentication scheme that requires more than one identity credential.
Authentication is a function of some combination of:
- Something You Have – I have an ID
- Something You Know – I know my password
- Something You Are – I am my biometric identification markers (specifically: fingerprints)
Most systems are equipped to support MFA. These systems require users to enter not only their username and password combination, but also some separate form of authentication, such as a PIN, a token code, a fingerprint or a retinal scan. For many years, Google has offered MFA in the form of its Two-Step Verification. Google has long provided Google Authenticator, which many other organizations now use as part of their MFA setup. For example, Amazon Web Services can use Google Authenticator with its MFA in the Identity and Access Management console.
Typical MFA scenarios include:
- Swiping a card and entering a PIN.
- Logging into a website and being requested to enter an additional one-time password (OTP) that the website’s authentication server sends to the requester’s phone or email address.
- Downloading a VPN client with a valid digital certificate and logging into the VPN before being granted access to a network.
- Swiping a card, scanning a fingerprint and answering a security question.
- Attaching a USB hardware token to a desktop that generates a one-time passcode and using the one-time passcode to log into a VPN client.
So, remember to always take advantage of the Multi-Factor verification process to protect your accounts. An account that allows only single-factor authentication is more susceptible to hacking than one that supports MFA.