Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

Transcription

1 Security in an Increasingly Threatened World SMS: A better way of doing Two Factor Authentication (2FA) January 2015

2 The Proliferation of The App World The revolution of the smart phone forever affected the direction of the business and technology worlds. It has experienced one of the fastest and broadest adoption rates of any hardware device in history. Analysts are predicting that mobile devices might overtake the computer as the main form of internet interaction by the end of It is a mobile age and people are constantly moving. And with the growth of the smart phone has been the emergence of the mobile application market and the transition of businesses from in-person, phone, or PC-based engagement with customers to anytime, anywhere mobile interactions. The phone has been transformed from a static communication tool into a media-rich environment with unlimited possibilities. Companies use the mobile platform to promote their business, connect with customers, sell products and services and gather information about their user base. They use 3rd party apps like Twitter and Facebook because it enables direct access to billions of people at the same time, instantly. The growth of smart and feature phones has also lead to the growth of SMS as a messaging platform. SMS is the leading way to send short messages between devices and is the broadest reach communication method available. More people have access to SMS than have access to clean water. Consumer app usage has given businesses a medium to revolutionize old industries like taxi services or the hospitality industry. With billions of people using smart phones, a mobile experience is now an expectation rather than a luxury. And as a result, businesses are increasingly integrating their customer services experiences into mobile applications to interact with their customers anytime, anywhere. 2

3 An Increasingly Threatened World The rise of the smartphone and the app centric world has also created a new avenue of security issues for both individuals and companies. Phones, as a result of the diversity of mobile app experiences, now store a wide variety of personal information that must remain secure: Credit Card Numbers Financial Records Social Security Numbers Health Records Online Accounts and Passwords Location History Contact Lists While smart phones provide a platform for endless possibilities, they also create an attack vector for hackers and identify thieves, creating risks for both businesses and consumers. Customer transactions are now taking place anywhere and at any time. People are using and storing their credit card information on phone apps operating on public networks. It is also common practice for people to purchase new devices and log into their accounts on multiple computers, both public and private. This makes it difficult for businesses to verify identities and user accounts as the devices they are tied to change on a regular basis. Resetting a forgotten password is a common inconvenience for the consumer, yet it creates an avenue for account theft. Businesses stand to lose customers if they cannot protect their customers accounts or financial information against theft, making account security and user verification a top priority. A unique risk to business has also arisen from using social media. It is now standard practice to use social media as a means of increasing business and brand recognition, but this practice has created a new avenue for public embarrassment. In 2013, the Associated Press Twitter account sent a report to its 1.9 million followers that there had been an explosion at the White House and that the President was injured. Within 60 seconds of the tweet, the Dow Jones Industrial Average fell 150 points and sent the crude oil industry into a frenzy. The AP was able to respond within 3 minutes of the false tweet, but the damage had already been done. In September of 2014, Apple s icloud was compromised in a very public and very embarrassing attack on celebrity photos. The vector: highly targeted attacks on celebrities using increasing common methods that compromised user names, passwords and security questions. Apple s response was to encourage strong passwords and two factor authentication. 3

4 Google s Gmail system was also attacked in September of 2014 when 5 million user ids and passwords appeared on a Russian bitcoin forum. As with the icloud attack, the vector was not through a breach of Google s system, but through compromising the user devices. In response, Google shut down the accounts and are enforcing stronger passwords and two factor authentication. New Security Measures Companies are taking aggressive measures to mitigate against application-related security risks. Most online accounts now require a complex username and utilize defenses against computer generated IDs. Strong passwords are the norm, reducing the effectiveness of brute force attacks. However, passwords can still be defeated by malicious keylogging technologies. Also, if the business doesn t store the passwords correctly, hackers can compromise a business entire customer base. The recent attacks on payment systems within the banking and retail industry are grim reminders of the ongoing threat to privacy and security. Due to the increasingly sophisticated attacks, something more is needed. Many companies are moving to out of band authentication methods, such RSA tokens. RSA tokens are effective because they create effective hardware or software delivered authentication codes to counteract common attack vectors. However, these can be difficult to implement because they require the user to download the software or to physically have the hardware token. Also, RSA is a more enterprise-focused solution with less applicability for business-to-consumer (B2C) or mobile solutions. 4

5 Mobile phone Two Factor Authentication, or 2FA, is becoming the new standard for security for B2C applications setup and login. In general 2FA can be achieved in different ways but is built on two of three constant variables Something a user knows Something a user has Something a user is User Name, Password, Security Questions, Social Security Number, Address, PIN, Mobile Phone, Security Device, ID Card, Authentication App, Soft Token, Fingerprint, Retina Scan, Biometric Mobile phone 2FA utilizes a phone (something the user has), in conjunction with a password, PIN or security question (something the user knows), to create and verify devices and transactions. 2FA is most often used in scenarios such as: Verifying new users and accounts Resetting forgotten passwords Preventing Account Takeover Password Reset Transaction Validation When a company is trying to decide on a 2FA approach, it is important to consider two things: User Experience: The experience needs to be familiar, however, the conversion rate is the important thing. If you have late or undelivered messages, your conversion rate will drop. Security: Authentication needs to be out of band. This means that or social website verification is on the same network or band the internet and SMS uses a separate network the telco system. This prevents hacks via compromising a single band. While there are many ways to implement mobile 2FA, such as accounts, security questions or tokens, the most broadly applicable, easiest method is SMS-delivered 2FA. As is mentioned above, SMS is the broadest reach mobile communication method, and applies to both smart phones and feature phones, and is available anywhere that a user can get a connection. 5

6 Telephone Numbers: Part of an Identity Telephone numbers have served as a personal identifier since the conception of the device. For the past 10 years, phones have served as a method of communication precisely because they provide a unique identifier for each user. A phone can send a personal communication from one person to another, which is exactly what is needed when 2FA is concerned. A phone number is a core element to an identity. Mobile phone numbers are typically not disseminated by users to businesses or individuals that the owner doesn t know or trust. It is, in very many respects, similar to a national identification number provided for citizens by the government to keep track of residents, and this makes it very useful in two-factor authentication. Six billion people use cell phones and have a unique number already assigned making cell phones a perfect candidate for 2FA. The Future of 2FA: SMS SMS is the perfect solution for businesses who want to protect their users and their reputation. It is not just for businesses with customers all over the world, it is for all businesses. It is a fast form of communication. Text messages are integral to main stream communications and the infrastructure is in place to make fast deliveries anywhere in the world. Six billion people already have SMS-enabled phones in their pockets, making SMS a very convenient way to verify identities on the go. SMS gives the companies a secure way of providing customers something they need to know, like a single-use access pin (variable 1), across a communication device they already have (variable 2). It doesn t require users to remember security questions or an additional password; all they have to do is respond to the prompts on their phone s display. On average, SMS messages are read within 90 seconds of delivery and have a 95% read rate. This makes SMS an ideal tool when matters of security are concerned. Businesses would be able to verify their customer s identities immediate or discover an attempted account theft very quickly. Using SMS for Two-Factor Authentication is not without risks. Businesses need to mitigate against three issues that might arise when using SMS as a method for 2FA. Deliverability: Although SMS is available globally, message delivery performance can vary widely depending on local carrier network conditions. Latency: Speed is of the essence with SMS-delivered 2FA. Message latency will differ based on message routing algorithms and carrier network status. Compliance: SMS messaging policies around the world are often complex, with specific regulations regarding message content, URL links or the use short codes. Because of these issues, it is best to implement SMS-delivered 2FA as part of an overall solution that will help ensure high deliverability, low latency and global compliance. 6

7 Conclusion In the modern technology age, account security and user identification are essential. Whether a small startup or a large corporate enterprise, companies must be connected to their customers and protect them. As the world becomes even more digital, knowing their customers and being able to verify their identity instantly will become more and more critical. Customers must trust the companies they work with and each time an account it stolen or compromised, the trust between customer and company is hurt. Businesses want to deliver personal experiences and build trust. Interacting with customers through SMS is a first step. Source: waagsociety, Flickr. Online image. May 22,

8 15 Best Practices If you are ready to implement 2FA in your business, below are 15 best practices you should consider. Best Practice Use existing factors to verify all 2FA Only allow one account per phone number Pick a primary authentication option e.g. text or call Have a dropdown menu for country code Use Best GooglePhoneLib Practice to pre-populate a user s country code based on IP address Measure fluctuations in conversion ratio Use TTS as a backup for SMS Utilize high quality SMS routes Allow each user to request no more than two SMS messages Description Prevent fraudulent account takeover by verifying account changes with existing factors. For example, if the user attempts to change their number, make sure to use any available information such as alternate addresses to reduce the likelihood of fraudulent changes. This is an easy way to prevent fraudulent account creation. By requiring a valid phone number and limiting that number to one account, it prevents someone from creating multiple fraudulent accounts. Reduce user confusion by asserting a primary authentication method and using the other one as a backup. Avoid having to make the user guess or research what country code they have Allow Description the user to select their country, then use Google PhoneLib to ensure the number is formatted properly By measuring and testing variables in your conversion process you can improve the amount of users you acquire. This means more revenue and less abandonment in the process. Sometimes SMS can t be delivered or the person doesn t know to check their messages. By using a text-to-speech call as backup when the user doesn t enter a code, you can improve conversion by as much as 15%. The world of international SMS is full of shady suppliers who will offer you extremely low prices. With SMS, you get what you pay for. Ask for direct connections where possible to improve delivery rate and decrease message delivery latency. Each SMS costs money and if they don t convert in two messages its unlikely they will after more 8

9 Force the user to wait 60s for their code to arrive before being able to request another one Force the user to wait 60s for their code to arrive before being able to request another one Force the user into TTS or alternate authentication after two attempts Send SMS in the local language Accept both codes if a user requests 2 messages or send the same code twice Send SMS in the local language Add a dash in the middle of the numbers Each SMS costs money and if they don t convert in two messages its unlikely they will after more Sometimes messages get delayed or the user makes a mistake, avoid sending unnecessary repeat messages by adding a delay between requests If your primary method of authentication doesn t work the first two times, force the user to try a different method Send instructions in the local language to avoid confusion If a user does request two codes, sometimes they will enter the older one first so it will help conversion rate if you send the same code twice or accept both Send instructions in the local language to avoid confusion By adding a dash (for example ) it makes it easier for the user to remember when they are entering it in Tell the customer they are about to receive a text or call Reduce potential confusion and put them at the ready to receive the passcode About The Spur Group About Nexmo The Spur Group delivers business results that matter. We provide the thought partnership, business insight or extra bandwidth you need to be more successful. Make better decisions, realize your objectives, tell your story, leverage your channel and strengthen your staff with The Spur Group. We can help you make your next project more successful. Our expertise includes developing partner programs for Microsoft and Dell, managing messaging and partner conferences for Cisco and Juniper Networks, and providing recruitment insight and strategies. Nexmo provides innovative communication APIs that bridge traditional voice services with cloud communications. Nexmo enables applications and enterprises to make phone calls or send and receive text messages with ease to improve user experiences, no matter where in the world customers are located. 9