financial services 20150503
TRANSCRIPT
Slide 1
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication
Technology is Irresponsible
Clare Nelson, [email protected]
@Safe_SaaS
Presentation for a Fortune 500 Financial Services Company May 7, 2015
Slide 2
Clare Nelson, CISSP
Independent InfoSec Consultant specializing in Multi-Factor Authentication
• 30+ years in industry
– Encrypted TCP/IP variants for NSA
– Product Management at DEC (HP), EMC2
– Director Global Alliances at Dell, Novell (IAM)
– VP Business Development, MetaIntelli (Mobile Security)
• 2001 Founder, CEO ClearMark Consulting
• 2012, 2013 Austin ISSA Board
• 2014 Co-founder C1ph3r_Qu33ns
• B.S. Mathematics
Slide 3
Scope
• Focus on consumers, external customers
• United States focus
– EU regulations
o France: legal constraints for biometrics. Must be authorized by the National Commission for Informatics and Liberty (CNIL)1
– India: e-commerce Snapdeal, Reserve Bank of India
o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
Slide 4
NIST Definition1
Origin of definition?
• NIST: might be Gene Spafford, or “ancient lore”2
– @TheRealSpaf, “Nope — that's even older than me!”3
– 1970s? NSA? Academia?
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
2Source: February 26, 2015 email response from a NIST SP 800-63-2 author
3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
Slide 5
How can you write a guide based on a definition of unknown, ancient origin?
How can you implement MFA without a current, coherent definition?
Slide 6
Updated Definitions (More Risk)
Multi-Factor Authentication (MFA) Factors:1
• Knowledge
• Possession
– Mobile device identification
• Inherence
– Biometrics: Physical or Behavioral
• Location
– Geolocation
– Geofencing
– Geovelocity
• Time1
NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”2
1Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
2Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Slide 7
Authentication in an Internet Banking Environment1
• Simple device identification (cookies, IP addresses, or geo-location information) is no longer considered effective on its own
• Complex device identification, “digital fingerprinting”: use PC configuration, IP address, geo-location, other factors
– Implement time of day restrictions for funds transfers
– Consider keystroke dynamics, biometric-based responses1
1Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
Slide 8
“…time to alter how authentication is done …it doesn't meet today’s demands
….the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a ‘Tower of Babel’ for authentication.”1
– Phil Dunkelberger, CEO Nok Nok Labs
1Source: http://www.networkworld.com/article/2161675/security/pgp-corp--co-founder-s-startup-targets-cloud-authentication.html
State of the Market
Slide 9
Why 200+ MFA Vendors?
Authentication has been the Holy Grail since the early days of the Web.1
The iPhone of Authentication has yet to be invented.2
1Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
2Source: Clare Nelson, February 2015.
Slide 10
Suboptimal Choices
Authentication Factors/Technology
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
– One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript
5. Weak, arcane account recovery
6. Assumption that mobile devices are secure
7. Encryption (without disclaimers)
– Quantum computing may break RSA or ECC by 20301
• Update on NSA’s $80M Penetrating Hard Targets project2
– Encryption backdoors: is it NSA-free and NIST-free cryptography?
– No mysterious constants or “magic numbers” of unknown provenance3
1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
2Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
3Source: https://www.grc.com/sqrl/sqrl.htm
Slide 11
Irrational Exuberance of Biometric Authentication Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
– Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
– Driven by increase of fingerprint scanners in smartphones1
1Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
Slide 12
Samsung Pay
Apple Touch ID: Cat Demo
1Source: https://www.youtube.com/watch?v=q3ymzRYXezI
Slide 13
Issues with Biometrics
• Cannot be revoked or re-issued
– Easy to reset your password, not easy to reset your fingerprints
• 2D fingerprints
– Proven especially vulnerable to targeted attacks
• Your biometrics are in the public domain, and elsewhere, easily accessed
• Biometric identification systems may undermine privacy by making identity theft more likely1
• Biometrics will likely persist in government and private databases, accreting information whether we like it or not2
• False positives, false negatives
• High cost
• Need to account for disabilities, injuries, other issues
• User acceptance, preference for biometric factors varies by demographic
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
“Fingerprints scare me” - Anonymous (2015)
Slide 14
1Source: http://www.dw.de/image/0,,18154223_303,00.jpg
Slide 15
2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula von der Leyen
– From photographs1,2
• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
– Won IsTouchIDHackedYet.com competition3
• 2006: Published research on hacking fingerprint recognition systems4
1Source: https://www.youtube.com/watch?v=vVivA0eoNGM
2Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
3Source: http://istouchidhackedyet.com
4Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Slide 16
2013: Starbug Faking Touch ID
1Source: http://istouchidhackedyet.com
Slide 17
Riccio versus Krissler
“Fingerprints are one of the best passwords in the world.”1
– Dan Riccio, Senior Vice President, Apple
“Don't use fingerprint recognition systems for security relevant applications!”2
– Jan Krissler (Starbug)
1Source: http://www.imore.com/how-touch-id-works
2Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Slide 18
Biometrics Systems: Types of Attacks1
1Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Starbug’s Threat Model
Slide 19
3D Fingerprint1
1Source: http://sonavation.com/technology/
No matter how advanced the biometric is, the basic threat model persists.
Slide 20
Behavioral Biometrics: BehavioSec
1Source: http://www.behaviosec.com
Laptop: requires JavaScript, won’t work with Aviator browser, or if you disable JavaScript
Slide 21
Behavioral Biometrics: BioCatch
• Detect threats based on user interaction with online and mobile applications
• Analyzes 400+ bio-behavioral, cognitive and physiological parameters
– How you find a missing cursor1
1Source: http://www.biocatch.com
Slide 22
Fingerprinting Web Users Through Font Metrics1
• Browser variations
– Version
– What fonts are installed
– Other settings
• Font metric–based fingerprinting
– Measure onscreen size of font glyphs
• Effective against Tor Browser
1Source: http://fc15.ifca.ai/preproceedings/paper_83.pdf
Slide 23
Biometrics: In Use, Proposed
• Fingerprints 2D, 3D via ultrasonic waves
• Palms, their prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head – its shape, specific movements
• Other elements of the head, such as ears, lip prints
• Gait
• Odor
• DNA
• ECG (Beta: Bionym’s Nymi wristband, smartphone, laptop, car, home security)
• EEG1
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
Slide 24
“Thought Auth”1
• EEG Biosensor: MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
Slide 25
“Fingerprints are Usernames, Not Passwords”
“… biometrics cannot, and absolutely must not, be used to authenticate an identity”1
– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
1Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
Slide 26
SMS OTP Attacks
• 2014 paper from Northeastern University and Technische Universität Berlin
– “SMS OTP systems cannot be considered secure anymore”
• SMS OTP threat model
– Physical access to phone
– SIM swap attack
– Wireless interception
– Mobile phone trojans1
1Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
Slide 27
SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated two-factor authentication (2FA)
– 2014, discovered by Trend Micro1
– Targeted Swiss, Austrian, German, Swedish and other European banks; plus Japanese banks
– Typical scenario: customer goes to online bank
1. Customer enters username and password
2. Session token sent to mobile device (SMS OTP)
3. Customer enters session token (OTP)
– Attackers scraped SMS one-time passwords off customers’ Android phones2, 3
1Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
2Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
3Source: https://www.youtube.com/watch?v=gchKFumYHWc
Slide 28
QR Code Risks1
• Example: VASCO two-factor authentication
– User captures QR code with mobile device
– User enters PIN code to log on, or validate transaction2
• QR code redirects user to a URL; even if the URL is displayed, not everyone reads it
– Could link to a malicious website
1Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
2Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
Slide 29
Account recovery is the Achilles heel of 2FA1
– Eric Sachs, Product Management Director, Identity at Google
1Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
Slide 30
Account Recovery1
1Source: https://support.google.com/accounts/answer/1187538?hl=en
Slide 31
Account Recovery1
Apple Two-Step Authentication
• What if I lose my Recovery Key?
• Go to My Apple ID, create a new Recovery Key using your Apple ID password and one of your trusted devices.1
1Source: https://support.apple.com/en-us/HT204152
Slide 32
“Mobile is the New Adversarial Ingress Point.”1
– Lee Cocking, VP Product Strategy at GuardTime
1Source: http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices
Slide 33
What’s Wrong with the Mobile Device Becoming the Authentication Device?
• OWASP Mobile Top 10 Risks1
• MetaIntelli research: sample of 38,000 mobile apps, 67% had M3 (Insufficient Transport Layer Protection)2
1Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
2Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
Slide 34
MFA Double Standard1
Big Company (2015)
• Consumers may use facial and voice recognition for mobile login2
• Employees use Symantec Validation and ID Protection (VIP)3
1Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
2Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
3Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
Slide 35
Perfect Storm
• Fractured, crowded market, 200+ MFA vendors chasing ~$1.8B market1
• Apple, VISA, Samsung, others: fingerprint-based authentication is cool, secure
• FIDO Alliance
• 2014, year of the breach
• Increased legislation
1Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market
Slide 36
FIDO Alliance
• Fast IDentity Online (FIDO) Alliance
• Proponent of interoperability
– Universal 2nd Factor (U2F)
– Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Network-resident versus device-resident biometrics
– FIDO advocates device-resident
• Problems, especially with voice1
1Source: January 2015, “Networks vs Device Resident Biometrics,” ValidSoft
Slide 37
“Legacy thinking subverts the security of a well-constructed system”1
– David Birch, Digital Money and Identity Consultant, author of Identity is the New Money2
1Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
2Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
Slide 38
Consider Context-Based Authentication (aka Risk-Based Authentication, Adaptive Authentication)1
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location
• Geo-fencing
• Geo-velocity
• Behavioral analysis
Layer multiple contextual factors. Build a risk profile.
1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
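What “layer multiple contextual factors” looks like in code, as an added example that is not part of the presentation and is not any vendor’s risk engine: a small Python scorer that combines the signals on this slide with the geolocation, geofencing and geovelocity items from Slide 6 and the “complex device identification” of Slide 7. Consistent with the NIST position quoted on Slide 6, none of these signals is treated as an authentication factor; the score only decides whether to allow, demand a real second factor (step-up), or deny. The weights, thresholds, the IP-reputation prefix, the user profile and the two login records are all constructed for the illustration.

```python
"""Context-based (risk-based) authentication as a layered risk score.

Added example, not code from the presentation or from any vendor named on it.
Weights, thresholds, the IP reputation prefix, the profile and the login
records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple
import hashlib


@dataclass
class LoginEvent:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    country: str
    device_attrs: Dict[str, str]  # what a device fingerprinter collects (constructed)
    typing_ms_per_char: float     # behavioral signal: mean time between keystrokes


@dataclass
class UserProfile:
    known_devices: Set[str]       # fingerprints registered at enrollment
    allowed_countries: Set[str]   # geo-fence
    typing_ms_mean: float         # keystroke-timing baseline
    typing_ms_std: float
    last_login: Optional[LoginEvent] = None


BAD_IP_PREFIXES = ("203.0.113.",)  # constructed stand-in for a reputation feed (TEST-NET-3)
MAX_PLAUSIBLE_KMH = 1000.0         # faster than an airliner: "impossible travel"


def device_fingerprint(attrs: Dict[str, str]) -> str:
    """Complex device identification: hash of the canonicalised attribute set."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def geo_velocity_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to travel between two logins."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def score_login(profile: UserProfile, ev: LoginEvent) -> Tuple[int, List[str]]:
    """Add a weight per anomalous signal; no single signal decides on its own."""
    score, reasons = 0, []
    fp = device_fingerprint(ev.device_attrs)
    if fp not in profile.known_devices:
        score += 30
        reasons.append(f"unregistered device {fp}")
    if ev.ip.startswith(BAD_IP_PREFIXES):
        score += 40
        reasons.append(f"source ip {ev.ip} on reputation list")
    if ev.country not in profile.allowed_countries:
        score += 25
        reasons.append(f"outside geo-fence: {ev.country}")
    if profile.last_login is not None:
        v = geo_velocity_kmh(profile.last_login, ev)
        if v > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append(f"geo-velocity {v:.0f} km/h since last login")
    if profile.typing_ms_std > 0:
        z = abs(ev.typing_ms_per_char - profile.typing_ms_mean) / profile.typing_ms_std
        if z > 3.0:
            score += 20
            reasons.append(f"keystroke timing {z:.1f} std devs from baseline")
    return score, reasons


def decide(score: int) -> str:
    """Map the layered score to an action; step-up means demand a real second factor."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"


def demo() -> Dict[str, Tuple[int, str, List[str]]]:
    """Constructed scenario: the registered laptop logs in from Austin, then one hour
    later a login for the same account arrives from Frankfurt on an unknown device
    and a listed IP."""
    laptop = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
              "tz": "America/Chicago", "fonts": "DejaVu Sans,Liberation Serif"}
    profile = UserProfile(known_devices={device_fingerprint(laptop)},
                          allowed_countries={"US"},
                          typing_ms_mean=120.0, typing_ms_std=15.0)
    t0 = datetime(2015, 5, 7, 9, 0, tzinfo=timezone.utc)
    home = LoginEvent("alice", t0, "198.51.100.23", 30.27, -97.74, "US", laptop, 125.0)
    s1, r1 = score_login(profile, home)
    profile.last_login = home
    other = {"ua": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1366x768",
             "tz": "Europe/Berlin", "fonts": "Arial,Times New Roman"}
    away = LoginEvent("alice", t0 + timedelta(hours=1), "203.0.113.9",
                      50.11, 8.68, "DE", other, 40.0)
    s2, r2 = score_login(profile, away)
    return {"home": (s1, decide(s1), r1), "away": (s2, decide(s2), r2)}


if __name__ == "__main__":
    for name, (score, action, reasons) in demo().items():
        print(f"{name}: score={score} action={action} reasons={reasons}")
```

The Austin login scores 0 and is allowed; the Frankfurt login an hour later trips every layer (unknown fingerprint, listed IP, outside the geo-fence, roughly 8,500 km/h of implied travel, keystroke timing far off baseline) and is denied. The point of the layering is that a single weak signal, such as an unregistered device, only triggers step-up; it takes several independent anomalies to deny outright, and no signal here substitutes for the possession or knowledge factor the step-up demands.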
Slide 39
What You Can Do (1 of 2)
• Request threat models from MFA vendors
• Beware
– 2D fingerprints
– Already-hacked biometrics
– QR codes
– SMS OTP
– JavaScript requirements
– Weak account recovery
– Lack of mobile device risk analysis
– Encryption with backdoors
Slide 40
What You Can Do (2 of 2)
• Do not be swayed by the latest InfoSec fashion trends
– Apple Touch ID
• Integration with VISA
• Samsung Pay
– FIDO Alliance
• Rethink the definition of MFA
– Beware of new interpretations
Slide 41
Questions?
Clare Nelson, CISSP
[email protected]
@Safe_SaaS
Feature article for April 2015, Information Systems Security Association (ISSA) Journal,
Multi-Factor Authentication: What to Look For
http://www.bluetoad.com/publication/?i=252353
Slide 43
Additional References
1. 2014 December, Starbug (Jan Krissler) video, Ich sehe, also bin ich … Du, https://www.youtube.com/watch?v=vVivA0eoNGM&feature=youtu.be
2. OWASP Mobile Top 10 Risks, Insufficient Transport Layer Protection, https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
3. OWASP Guide to Authentication, https://www.owasp.org/index.php/Guide_to_Authentication#What_is_two_factor_authentication.2C_really.3F
4. SANS, Two-Factor Authentication: Can You Choose the Right One? http://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-choose-one-33093
5. Gluu blog (January 15, 2014), Achilles Heel of Two-Factor Authentication, http://www.gluu.org/blog/2fa_achilles_heel/
6. Gartner, December 1, 2014, Magic Quadrant for User Authentication.
7. Forrester, December 30, 2013, Market Overview: Employee and Customer Authentication Solutions in 2013: Part 1 of 2
8. M2SYS Technology (July 24, 2014), The Impact of Biometrics in Banking, http://blog.m2sys.com/financial-services/impact-biometrics-banking/
9. Google Unveils 5-Year Roadmap for Strong Authentication, http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
Slide 44
NIST on Biometrics
• Biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for e-authentication
• Biometrics may be used in the registration process for higher levels of assurance to:
– Later help prevent a subscriber who is registered from repudiating the registration
– Help identify those who commit registration fraud
– Unlock tokens1
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Slide 45
NIST: Threat Resistance by Threat Level1
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[Table from the NIST source reproduced on the slide; only its two footnotes survived extraction]
Table footnote 29: Long term authentication secrets shall be protected at this level. Short term secrets may or may not be protected.
Table footnote 30: Although there are techniques used to resist flood attacks, no protocol has comprehensive resistance to stop flooding.