[BreachExchange] To Protect Your Company, Think Like A Hacker

Destry Winant destry at riskbasedsecurity.com
Fri Nov 2 09:37:07 EDT 2018


https://www.forbes.com/sites/forbestechcouncil/2018/10/30/to-protect-your-company-think-like-a-hacker/#428b0d1a7e66

We live in a digital world which requires us to have a variety of
online accounts. Our online accounts vary in use, from online bank
accounts and social media to online shopping accounts. All these
accounts are prone to hacking attacks.

What are companies and financial institutions doing to protect their
clients? Companies can introduce various identity verification
techniques as a measure of fraud prevention, but criminals are getting
smarter. Let’s examine how a criminal might breach verification
defenses.

Knowledge-Based Authentication (KBA)

KBA verifies an applicant by how accurately they answer questions about
their financial, consumer or personal history; knowing the right personal
details is what grants access to the protected material. There are two
types of KBA: static and dynamic. Static KBA is based on shared secret
questions. The answers are collected once at enrollment and never change,
for example “What was your first pet's name?” Dynamic KBA generates its
questions in real time from a broad pool of personal and financial
records, so each session asks something different, for example “What was
your last deposit at Chase Bank?”

How Criminals Bypass KBA: Personal details leaked in data breaches, such
as Social Security numbers, birth dates, addresses and even full credit
reports, can be purchased for a small fee on the dark web. Criminals then
use that information to answer the verification questions put to them,
including dynamic questions about recent financial activity. Social media
adds still more: details such as a first pet's name are often posted
publicly, so an attacker can assemble much of a target's everyday life
from open sources without stealing anything at all.

Two-Factor Authentication

Two-factor authentication addresses the weakness of knowledge-based checks
by requiring something the user has in addition to something they know.
After entering a username and password, the user is sent a one-time code
via text message to their registered cell phone, and only after entering
that code is the login completed.

How Criminals Bypass Two-Factor Authentication: Criminals have a couple of
ways to bypass SMS-based two-factor authentication.

The first is a phishing attack. The fraudster texts the account holder
that suspicious activity has been noticed on one of their accounts and
asks them to reply with the 6-digit verification code they are about to
receive. The criminal then starts a login with the victim's password
(which presupposes that the password is already in hand, for instance
from a breach), and the real service sends a genuine code to the victim's
phone. The victim replies to the original text with the code, the
criminal submits it, and the account is open. Nothing on the server side
is being broken: the code is genuine and was issued for the very login
the criminal initiated.

There are also flaws in mobile networks, in the signalling systems
carriers use to route calls and texts, that can allow criminals to
intercept messages going to and from a smartphone, so the code never needs
to pass through the victim at all. Separately, malware on the user's
computer or phone can wait for the user to perform a legitimate two-factor
login and capture the code as it arrives or as it is typed; the hacker
then uses the intercepted code to gain access to the account.
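The phishing relay described above is worth seeing end to end, because it shows why server-side hygiene alone does not stop it. The following Python model is an added example written for this post, not code from the Forbes article or from any real bank: a toy SMS one-time-code service with the controls a practitioner would expect (short expiry, single use, attempt limit, constant-time compare), followed by the relay attack in which the victim forwards a genuine code to the attacker. The policy values, phone numbers, user names and message wording are all assumptions.

```python
import hmac
import re
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy values, not from the article
MAX_ATTEMPTS = 3


class SmsOtpService:
    """Server side of an SMS one-time-code second factor (toy model).

    The code is the *only* thing checked, which is exactly what the relay
    attack below exploits: a code forwarded by the victim is indistinguishable
    from one typed by the victim.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # login session id -> {code, expires, attempts}
        self.outbox = []    # (phone number, text) the SMS gateway would deliver

    def start_login(self, username, phone):
        # Password check is assumed to have happened already; only the
        # second factor is modelled here.
        session = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session] = {
            "code": code,
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append(
            (phone, f"{username}: your login code is {code}. Never share it, even with us.")
        )
        return session

    def verify(self, session, submitted):
        entry = self.pending.get(session)
        if entry is None:
            return False                            # unknown or already used
        if self.clock() > entry["expires"]:
            del self.pending[session]
            return False                            # expired
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[session]
            return False                            # brute-force guard
        if not hmac.compare_digest(entry["code"], submitted):
            return False
        del self.pending[session]                   # single use
        return True


def victim_relays_code(sms_text):
    """Model the victim replying to the attacker's earlier text with the code."""
    match = re.search(r"\b(\d{6})\b", sms_text)
    return match.group(1) if match else ""


def relay_attack(service, victim="alice", victim_phone="+15550100"):
    """The phishing relay from the article: the attacker starts a login with
    the victim's (breached) password, the real code reaches the victim's
    phone, and the victim forwards it to the attacker."""
    session = service.start_login(victim, victim_phone)   # attacker's login
    _phone, sms_text = service.outbox[-1]                  # genuine SMS to victim
    code = victim_relays_code(sms_text)                    # victim replies
    return service.verify(session, code)                   # attacker submits it


def hygiene_checks():
    """Show which attacker moves the server-side controls *do* stop."""
    now = [1_000_000.0]
    svc = SmsOtpService(clock=lambda: now[0])
    results = {}

    session = svc.start_login("bob", "+15550101")
    code = victim_relays_code(svc.outbox[-1][1])
    results["correct_code"] = svc.verify(session, code)
    results["reuse_blocked"] = not svc.verify(session, code)

    session = svc.start_login("bob", "+15550101")
    code = victim_relays_code(svc.outbox[-1][1])
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_blocked"] = not svc.verify(session, code)

    session = svc.start_login("bob", "+15550101")
    code = victim_relays_code(svc.outbox[-1][1])
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(session, wrong)
    results["locked_after_guesses"] = not svc.verify(session, code)
    return results


if __name__ == "__main__":
    print("relay attack succeeded:", relay_attack(SmsOtpService()))
    print("hygiene checks:", hygiene_checks())
```

`relay_attack` returns True every time: expiry, single use and attempt limits all hold, yet the attacker is logged in, because the code was legitimately issued for the session the attacker opened. That is the practical lesson of the section: an SMS code is a secret the user can be talked into repeating, so the defence has to be a factor the user cannot hand over (or an out-of-band confirmation that names the action being approved), not a stricter check on the code itself.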

Fingerprint-Scanning Authentication

Fingerprint scanning has been hailed as a reliable tool for identity
verification. It relies on the unique pattern of ridges in a fingerprint:
at enrollment the pattern is stored as a biometric template (ideally
encrypted), and at each login a fresh scan is compared with that stored
template. If the two match closely enough, the fingerprint passes the
verification process.

How Criminals Bypass Fingerprint Scanning: You thought a fingerprint
scan was unbreachable? Not anymore. Criminals have defeated fingerprint
scanners using ordinary photographs of a finger, taken with a regular
camera at normal quality. The photos are run through publicly available
software to reconstruct an accurate fingerprint image, which is then
printed. Ordinary latex or white wood glue is smeared onto the printout
and allowed to dry; once cured, the glue is carefully peeled off the sheet
as a thin film that reproduces the ridge pattern. Pressed onto a scanner,
this dummy finger passes as the real one, and any account secured only by
that biometric is open.

Voice-Recognition Authentication

Voice recognition checks a customer's unique voice characteristics to
determine their identity.

The system first captures a speech sample from the customer to create a
baseline voice print. Once this baseline has been established, the
customer simply provides another speech sample at each verification, and
the system scores how closely it matches the baseline. A match is declared
if the score clears a set threshold (the vendor's “significance level”).

How Criminals Bypass Voice-Recognition Authentication: Criminals can
bypass voice-recognition software with some simple tricks. If they obtain
a recording of the target's voice, they can play it back during the
voice-authentication step. Unless the system performs liveness or replay
detection, it has no way to tell a recording from a live speaker and will
grant access to the account. And if the stored baseline voice prints are
not themselves protected, they can be stolen in a breach like any other
credential.
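Both the fingerprint and the voice sections above describe the same mechanism: a stored template, a fresh sample, a similarity score and a threshold. The following Python toy, added here as an example and not taken from the article or from any biometric vendor, makes that concrete with constructed feature vectors standing in for whatever a real engine extracts from speech or a fingerprint image. It shows a genuine sample clearing the threshold, an impostor failing it, and then an exact replay of an earlier accepted sample, which the matcher itself cannot distinguish from live input. The replay check at the end is an assumption about what a liveness-aware system might add: live speech never reproduces an earlier sample bit-for-bit, so a near-identical match is treated as a recording. The thresholds and vectors are made up for illustration.

```python
import math

MATCH_THRESHOLD = 0.90    # assumed operating point for "same speaker"
REPLAY_THRESHOLD = 0.999  # assumed "suspiciously identical to an earlier sample"


def cosine(a, b):
    """Cosine similarity between two feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)


class VoicePrintVerifier:
    """Toy template matcher: enroll a baseline, then score new samples.

    Feature vectors stand in for whatever a real engine extracts from speech;
    the same structure applies to a fingerprint template.
    """

    def __init__(self, enrollment_samples):
        dims = len(enrollment_samples[0])
        # Baseline voice print = mean of the enrollment samples.
        self.baseline = [
            sum(s[i] for s in enrollment_samples) / len(enrollment_samples)
            for i in range(dims)
        ]
        self.accepted_history = []   # samples that previously passed

    def verify(self, sample):
        score = cosine(sample, self.baseline)
        if score < MATCH_THRESHOLD:
            return "reject", score
        # Replay check (an assumption, not part of the article): a sample that
        # is practically identical to one already accepted is treated as a
        # recording rather than a live speaker.
        for past in self.accepted_history:
            if cosine(sample, past) >= REPLAY_THRESHOLD:
                return "replay_suspected", score
        self.accepted_history.append(list(sample))
        return "accept", score


# Constructed feature vectors (not real audio or fingerprint features).
SPEAKER = [0.9, 0.4, 0.7, 0.1, 0.5, 0.3, 0.8, 0.2]
ENROLL_A = [1.0, 0.3, 0.8, 0.0, 0.6, 0.2, 0.9, 0.1]   # speaker + session noise
ENROLL_B = [0.8, 0.5, 0.6, 0.2, 0.4, 0.4, 0.7, 0.3]   # speaker - session noise
LIVE_1 = [0.8, 0.4, 0.8, 0.1, 0.4, 0.3, 0.9, 0.2]     # genuine login, day 1
LIVE_2 = [1.0, 0.5, 0.6, 0.2, 0.6, 0.2, 0.7, 0.1]     # genuine login, day 2
IMPOSTOR = [0.2, 0.9, 0.1, 0.8, 0.3, 0.7, 0.1, 0.6]   # a different speaker


def run_scenarios():
    """Return the outcome of each verification attempt, in order."""
    v = VoicePrintVerifier([ENROLL_A, ENROLL_B])
    outcomes = {}
    outcomes["live_1"] = v.verify(LIVE_1)[0]
    outcomes["impostor"] = v.verify(IMPOSTOR)[0]
    outcomes["live_2"] = v.verify(LIVE_2)[0]
    # The attacker recorded the day-1 login and plays it back unchanged.
    outcomes["replay_of_live_1"] = v.verify(list(LIVE_1))[0]
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

Without the history check, the final replay would be accepted with a score even higher than the genuine logins, which is the point the article makes: the matcher only asks “does this sound like the baseline?”, and a recording answers yes. Real replay and liveness defences (challenge phrases, acoustic artefact detection, comparing against earlier sessions) sit beside the matcher, not inside it, and the baseline itself must be protected as carefully as a password database.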

The Best Way To Increase Account Security

Clearly, our online accounts are vulnerable. Current fraud-prevention
methods do not provide the complete protection they should, and criminals
can overcome many of the typical barriers put in place for account
security.

Biometrics are not the solution either. As demonstrated above, each of
these verification methods can be overcome. While they raise the bar over
traditional KBA or SMS-based two-factor authentication, they do not
provide complete account security, and these limitations should be
considered when designing a fraud-prevention strategy that includes
biometric authentication.

Avoid single-layered security approaches; a single control is easily
thwarted. To secure customer accounts, companies should deploy a
multilayered, risk-based approach. Combining several measures (for
example, static KBA and a fingerprint biometric) means a criminal must
defeat all of them rather than just one, which is far less likely. The
layers should fail independently, so that the same stolen data or the
same phishing text does not defeat all of them at once.

To prevent hacking attacks, we need to think like a hacker.

