When authenticating a person’s identity, you can ask them for something they have (for example, an access card), something they know (for instance, a PIN) or something they are, which is typically a biometric—a fingerprint, palm print or the iris of an eye. Those are known as authentication factors and the more of them you use to authenticate someone, the more secure your system will be.
With that in mind, some organizations, most notably Google’s Gmail, have combined their desire for stronger authentication with the growing use of mobile phones among workers. Each user creates a PIN or password for their account (something they know) and can also regain access to the account via a verification code sent to their smartphone (something they have).
The idea is if a user loses their password or if it’s compromised, they can quickly ask that a verification code be sent to their phone, use that code to log into their account and set up a new password known only to them.
The idea is a good one, if you remove the human element from it. As is often the case with security schemes, even if you could have bulletproof hardware, software, systems and processes, you can never have bulletproof wetware. You see, hackers don’t need physical access to a phone. All they need is access to the phone’s owner.
One way to pry a verification code from a person is through social engineering. Professional hacker Lokesh Singh describes such an attack at his Hackingloops website.
In that case, one of Singh’s “clients” complained about his Gmail account being hacked. After some questioning, Singh discovered that the client had responded to a Google Talk invitation from someone he didn’t know but who had a provocative email address—firstname.lastname@example.org.
The Black Hat already had the client’s email address—that’s how he sent the Google Talk invitation to the client—so while talking to the client, the miscreant could go to Gmail, click “Can’t access your account?”, slap in the client’s email address and have a verification code sent to the client’s mobile.
That done, the con man asked the client for the code, claiming it was needed to link the client’s account to the scammer’s AdSense account. Once he had the code, the bunko artist could enter the client’s account and use it for nefarious activities like spamming and phishing.
One-on-one attacks like the one described by Singh would have limited appeal to big-time hackers who want to do volume business. But with some refinement the rip-off can be scaled upward, as Chris Mims pointed out in MIT’s Technology Review.
Through a massive spam campaign, targets would be sent to a website promising some kind of benefit—free gift cards, cash or the like. To qualify for the benefit, a visitor would have to enter an email address—nothing unusual there.
At the back end of the website, though, Gmail addresses, or any other addresses tied to cell phone verification schemes, would be sent to their home sites, verification codes requested and the codes sent to the owners of those email addresses.
In the final step of the qualification process, a victim would be asked to enter the verification code, which would open the door to the victim’s email account for the fraudster.
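The scaled version leaves a footprint on the provider’s side: one source requesting recovery codes for many different accounts in a short time. The following is an added example (not code from the article or from any provider) of detection logic that flags such sources from a constructed, hypothetical recovery-service log; the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): one line per request to
# the password-recovery service; only action=send_code lines matter here.
SAMPLE_LOG = """\
2011-04-01T10:00:01Z src=203.0.113.7 action=send_code account=alice@example.org
2011-04-01T10:00:04Z src=203.0.113.7 action=send_code account=bob@example.org
2011-04-01T10:00:09Z src=203.0.113.7 action=send_code account=carol@example.org
2011-04-01T10:00:12Z src=203.0.113.7 action=login account=carol@example.org
2011-04-01T10:00:15Z src=203.0.113.7 action=send_code account=dave@example.org
2011-04-01T10:00:20Z src=198.51.100.2 action=send_code account=erin@example.org
2011-04-01T10:30:00Z src=198.51.100.2 action=send_code account=erin@example.org
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, {key: value})."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kv

def flag_code_request_sources(log_text, window=timedelta(minutes=10), max_accounts=3):
    """Return {src: set(accounts)} for every source that requested
    verification codes for more than max_accounts distinct accounts
    inside any sliding window of the given length.
    A legitimate user re-requesting a code for their own account is
    not flagged, because distinct accounts are counted, not requests."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if kv.get("action") != "send_code":
            continue
        by_src[kv["src"]].append((ts, kv["account"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged[src] = flagged.get(src, set()) | accounts
    return flagged

if __name__ == "__main__":
    for src, accounts in flag_code_request_sources(SAMPLE_LOG).items():
        print(f"{src}: codes requested for {len(accounts)} accounts -> {sorted(accounts)}")
```

The threshold and window are starting points; a real service would tune them against its own baseline and feed hits into rate limiting rather than acting on one rule alone.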
Creating an authentication scheme that uses multiple factors to assure a person’s identity is worthwhile, but you need to do it with your weakest link in mind: your users.