
Diving into the magic of two-factor authentication

02 Oct 17

With data breaches increasing in frequency and severity globally, many enterprises and government institutions have failed to escape becoming the headline. In January 2017, a desktop computer containing voter data was stolen from the Commission on Elections (COMELEC) of the Philippines.

Earlier this year, the Ministry of Defence (Mindef) and two of the biggest universities in Singapore fell prey to separate episodes of cyber espionage. While no classified government data was reported stolen, cyber security took the national spotlight as fear of further attacks rippled across the city-state.

Cyber security incidents that lead to downtime or data thefts are announced almost daily, and there's no knowing who could be next. What is likely is that businesses in the Asia Pacific region will be hit hard – Telstra has found that nearly six in 10 organisations in Asia (59 percent) detected a security breach that interrupted business at least once a month. Businesses have accepted they will likely be the next victim. Conversations are transitioning from “how can I avoid a breach?” to “how can I protect myself and minimise the damage?”

The 2017 Verizon Data Breach Investigations Report found that 81 percent of hacking-related breaches involved either stolen or weak (easily guessed) passwords. A hacker who manages to obtain usernames and passwords, as in the Mindef instance, can use this foothold to work towards more privileged access that leads directly to material usable for cyber espionage.

What compounds the impact of security breaches is the fact that users consistently use similar or even the same passwords for multiple online accounts such as iTunes, Facebook, and even online banking.

In the Cyber Security Agency of Singapore’s Cybersecurity Public Awareness Survey, 31 percent of respondents said they used the same passwords for work and personal accounts. This is human nature – there is less risk of losing access to favourite services if the password used is just one of a handful, but it also means that a single stolen password can be used to compromise more than one account.

Accepting some inconvenience in exchange for better security should be easy enough for individuals. For example, they can use a different password for each online account they own. They can prevent websites from saving passwords, typing them in each time access is needed. Users should also opt to use two-factor authentication where it is offered. 

Two-factor authentication is the practice of requiring additional assurance that you really are who you claim to be when logging on. A password (the first factor, something the user knows) is required first, followed by a second factor drawn from a different category: something the user has (a token or phone) or, less commonly, something the user is (a biometric).

This practice makes it difficult to break into an account even if the user name and the password are both known. An ATM card used with a PIN to withdraw money is an everyday example of two-factor authentication. A one-time password (OTP) is another common way to implement the second factor. The OTP, typically a six- to eight-digit code derived from a secret shared between the user's device and the server (combined with a counter or the current time) and shown by a hardware token or a mobile app, or sent by text message to a mobile phone, counts as a second factor because it normally requires a separate device to be present and is valid only once. Codes delivered by text message are the weakest of these options, since they can be intercepted or redirected (for example by SIM swapping), so an authenticator app or hardware token is preferable where it is offered.
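To make the "derived from a shared secret plus a counter or the time" description concrete, here is an added worked example (not code from the article or from One Identity) of the standard OTP algorithms most authenticator apps implement: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), together with the server-side check a login service performs. The secret is the RFC test-vector key, not a real credential; the verifier class, its `window` and `last_counter` names, and the in-memory state are this example's own design choices, shown so that the two failure modes a practitioner cares about (clock skew and replay of an intercepted code) are handled explicitly.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) generator plus a replay-resistant verifier.
Added example; not the article's or One Identity's code."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed input: the shared secret from the RFC 4226/6238 test vectors.
# A real deployment generates a random secret per user and gives it to the
# authenticator app (usually base32-encoded inside an otpauth:// URI).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC the 8-byte big-endian counter, dynamically truncate to 31 bits,
    then keep the last `digits` decimal digits (leading zeros preserved)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals since t0."""
    return hotp(secret, (int(for_time) - t0) // step, digits, algo)


class TotpVerifier:
    """Server side of the check (hypothetical class, this example's own design).

    Accepts a code for the current time step or up to `window` steps either side
    to tolerate clock skew, and refuses any step that has already been used so a
    code captured in transit cannot be replayed. State is kept in memory here;
    a real service would persist `last_counter` per user."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1  # highest time step already consumed by a login

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False  # malformed input never reaches the comparison
        now = int(time.time()) if now is None else int(now)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # this step was already used once: reject as replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("HOTP for counters 0..2:", [hotp(DEMO_SECRET, c) for c in range(3)])
    print("8-digit TOTP at t=59:", totp(DEMO_SECRET, 59, digits=8))
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print("first use accepted:", verifier.verify(code, 59))
    print("same code replayed:", verifier.verify(code, 59))
```

Running the script prints the RFC test-vector values (`755224`, `287082`, `359152` for the first three HOTP counters and `94287082` for the 8-digit TOTP at t=59), then shows the same code being accepted once and rejected on replay. The point for the argument above: a stolen password alone produces nothing usable here, and even a code the attacker manages to capture is good for one 30-second window and a single use.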

Businesses need to make drastic changes to avoid the repercussions of security breaches, which can include damaged corporate reputations and even lost revenue. The Cybersecurity Bill released by The Cyber Security Agency in Singapore imposes hefty fines for failing to conduct regular risk assessments and secure personal information, for example. Yahoo’s breach disclosures, the last as recently as December 2016, have led to a US $350 million decrease in the valuation and delays in the closure of the acquisition by Verizon.

In addition to enhancing the security of users' credentials with two-factor authentication, more effective privileged account management can greatly mitigate risk and reduce the attack surface for businesses. Hackers can use compromised passwords to gain access to an ordinary corporate account and then, through social engineering and other tactics, work towards obtaining a more privileged one.

Most privileged accounts, such as those of system administrators and senior management, offer access to the parts of the corporate network where sensitive information is likely to reside. Three measures are key: eliminating questionable practices such as the sharing of privileged accounts, monitoring what administrators do with those credentials, and implementing a "least privilege" model in which everyone is issued only the permissions necessary to do their job and no more. After all, even if a user account is compromised, without the privileged access that is the real target, the potential for damage is dramatically reduced.

When a breach occurs, hackers may have used a wide range of methods to gain access. And while we may not know whether the organisations named here lacked two-factor authentication or practised weak privileged account management, what is certain is that strengthening authentication and locking down privileged accounts are both key actions that can reduce vulnerability for businesses. Such technologies and practices should certainly be implemented as known ways to mitigate cyber attacks.

Article by Lennie Tan, vice president & general manager, One Identity, Asia Pacific & Japan.
