STE WILLIAMS

Coronavirus Phishing Attack Infects US, UK Inboxes

Cybercriminals capitalize on fears of a global health emergency with phishing emails claiming to offer advice for protecting against coronavirus.

As people grow concerned about the Wuhan coronavirus, now classified as a global emergency by the World Health Organization, cybercriminals are preying on their fear with phishing emails claiming to have advice on protective safety measures. Emails have been seen in the US and UK.

The attack was detected by security researchers at Mimecast. A sample email, which claims to come from a health specialist, advises the recipient to “go through the attached document on safety measures regarding the spreading of corona virus,” adding “This little measure can save you.” Below is a link entitled “Safety Measures.pdf” that purportedly redirects to health advice.

Cybercriminals often use global events or confusion to their advantage, launching phishing campaigns or other attacks supposedly sharing helpful information about public concerns. “These actors are opportunistic and inventive — identifying vulnerabilities in infrastructure and defenses, which they then use to improve their attack methodologies,” says Dr. Francis Gaffney, director of threat intelligence for Mimecast, in an email to Dark Reading.

Gaffney advises remaining vigilant when reviewing emails related to coronavirus protections. He also encourages basic cyber hygiene practices — for example, using strong passwords and not enabling attachment macros.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “AppSec Concerns Drove 61% of Businesses to Change Applications.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/coronavirus-phishing-attack-infects-us-uk-inboxes/d/d-id/1336946?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Attackers Actively Targeting Flaw in Door-Access Controllers

There’s been a sharp increase in scans for vulnerable Nortek Linear Emerge E3 systems, SonicWall says.

Attackers are actively trying to exploit a critical, previously disclosed command injection flaw in a door access-controller system from Nortek Security and Control LLC to use the device to launch distributed denial-of-service attacks (DDoS).

SonicWall, which reported on the threat Saturday, said its researchers have observed attackers scanning the entire IPv4 address space for the vulnerable systems in recent days. According to the security vendor, its firewalls have been blocking tens of thousands of hits daily from some 100 scanning IP addresses around the world.

The command injection vulnerability [CVE-2019-7256] exists in products from Nortek’s Linear eMerge E3 Series access-controller family running older versions of a particular firmware. The access controllers allow organizations to specify the doors that personnel and others can use to enter and exit designated areas within a building or facility, based on their access rights.

Organizations in multiple industries currently use Nortek’s access controllers, including commercial, industrial, banking, medical, and the retail sector.

The injection flaw was among several vulnerabilities in Nortek’s Linear eMerge E3 Series family that industrial cybersecurity firm Applied Risk disclosed in May 2019. The company at the time described the flaw as allowing attackers to execute commands of their choice directly on the operating system.

The flaw has a CVSS score of 10, which is the maximum possible severity rating for any vulnerability. The issue is considered especially dangerous because it allows an unauthenticated attacker to gain complete remote control of the system.

According to a description of the flaw on CVE Details, the flaw enables complete information disclosure, complete compromise of system integrity, and complete compromise of system availability. It is also considered relatively easy to exploit with no specialized access conditions or extenuating circumstances required to exploit the flaw.

Applied Risk described Nortek as being aware of the issue but not issuing a patch for it. So in November it released proof-of-concept code demonstrating how an attacker could exploit the vulnerability to take complete control of a vulnerable system. A SonicWall spokesperson says a patch for the issue still does not appear to be available.

DoS Attacks and More

Nortek did not immediately respond to a request for comment sent to its general customer service inquiry email address.

In a report Saturday, SonicWall said attackers have been trying to exploit the vulnerability using a specific HTTP request. Once the flaw is exploited, shell commands are used to download malware for conducting various types of denial-of-service attacks, the vendor said.

In addition to launching DDoS attacks from devices exploited with the vulnerability, bad actors can exploit the flaw in other ways, the SonicWall spokesperson says. OS command injection flaws give attackers a way to compromise other parts of the infrastructure, the spokesperson notes. “Since the attacker is able to download and run code on the target systems, they hypothetically ‘own’ them.”

SonicWall quoted Applied Risk as estimating the number of vulnerable Internet-accessible eMerge E3 systems at around 2,375. But the vulnerabilities disclosed in the Applied Risk report potentially impact thousands more devices, the SonicWall spokesperson says. “Also, over four million personally identifiable records could be leaked revealing information such as names or email addresses of people owning cards for these door locks,” the spokesperson notes.

Organizations with these door controllers in their buildings can take a couple of measures to mitigate their exposure. The first is to ensure that vulnerable controllers are not accessible over the Internet nor discoverable via search engines such as Shodan, the SonicWall spokesperson says.

Organizations should also segment off access to the vulnerable controllers from internal networks. “A random person inside the company should not be on the same network as the controllers,” the spokesperson notes. They should also consider using IPS systems to virtually patch against the exploits until a fix becomes available, the spokesperson adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/iot/attackers-actively-targeting-flaw-in-door-access-controllers/d/d-id/1336947?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Find 24 ‘Dangerous’ Android Apps with 382M Installs

Shenzhen Hawk Internet Co. is identified as the parent company behind five app developers seeking excessive permissions in Android apps.

Security researchers have identified 24 Android applications seeking dangerous and excessive permissions, all of which come from app developers under Chinese company Shenzhen Hawk Internet Co., Ltd., and have a combined total of 382 million downloads.

One of these developers is Hi Security, the company behind Virus Cleaner 2019 (100 million installations) and Hi VPN, Free VPN (10 million). Hi Security first appeared on the radar of VPNPro researchers when they analyzed the companies behind VPN products, and again when they investigated the permissions that popular free antivirus apps were requesting from users.

This trend prompted researchers to look into Hi Security, which led them to Shenzhen Hawk and more of its developers, which also create apps built with malware and rogueware. These include Tap Sky, ViewYeah Studio, Alcatel Innovative Lab, Hawk App, and mie-alcatel.support. It’s also worth noting Shenzhen Hawk is a subsidiary of TCL Corporation, a major Chinese company that owns licensing rights to Alcatel, BlackBerry, and RCA, among other organizations. TCL Corporation began as a state-owned enterprise and still has strong government ties.

Shenzhen Hawk’s company page lists 13 apps it claims to own, including Hi Security 2019 (5 million installations), Candy Selfie Camera (10 million), Super Battery (5 million), Candy Gallery (10 million), Hi VPN Pro (500,000), Net Master (5 million), filemanager (50 million), Sound Recorder (100 million), and Weather Forecast (10 million). However, when researchers looked into the developers behind these apps, they found 24 total apps in the Shenzhen Hawk network.

Each of these 24 apps, all of which are available on Google Play, requests excessive permissions: the ability to make phone calls, take pictures, and record audio or video, among others.

Jan Youngren, security researcher with VPNPro, points to the malware-infected Weather Forecast app as a dangerous example. “They were guilty of harvesting user data and sending it to a server in China, and they were also secretly subscribing users to premium phone numbers,” an act that led to high charges on victims’ phone bills. The app would also launch hidden browser windows and click ads from different web pages, Youngren notes in a blog post.

He lists the permissions requested by these apps in order of severity. Six apps request access to the device’s camera, for example, and two request the ability to make a call directly from the app. Fifteen ask for permission to read through saved files, including system logs and other apps’ files. The same number ask for permission to access the user’s specific GPS location.

“This presents a high risk to privacy, since most apps don’t seem to need it at all,” he writes. “This permission allows apps to use GPS, call data and/or WiFi to get a user’s precise location.”

Fourteen apps request permission to gather information about a user’s device, including the phone number, cellular network information, connected registered phone accounts, and the status of ongoing calls. Two ask to look through the phone’s contacts, and one requests permission to record audio and store it either on the device or on the app’s servers.

The aforementioned permissions are considered high-severity, Youngren says. Some apps request medium-severity permissions, including the ability to gather a user’s general location, which is asked for by 13 apps, as well as permission to access the list of accounts in the Accounts Service (nine apps). Twenty-one apps ask for permission to write files to the user’s device storage, two ask to read through a personal calendar, and one asks to add calendar events.

Virus Cleaner 2019, for example, requests the ability to read contacts, read/write external storage, read phone state, access coarse and fine locations, call phone, access the camera, and get accounts. Candy Selfie Camera requests coarse and fine location, camera access, and the ability to get accounts, write external storage, and read external storage, logs, and phone state.
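The permission lists above map directly onto Android manifest entries, so the severity tiers Youngren describes can be applied mechanically to any APK’s AndroidManifest.xml. The following triage script is an added example, not VPNPro’s tooling: the mapping of the article’s categories onto Android permission constants and the 3/1 weighting are this example’s assumptions, and the manifest it parses is constructed to mirror the Virus Cleaner 2019 list.

```python
"""Manifest permission triage using the severity tiers described above.

Added example, not VPNPro's tooling. The tier mapping and weights are
assumptions of this example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# High-severity tier, as the article groups them: camera, direct calls,
# reading files/logs, precise location, phone state, contacts, audio.
HIGH: Dict[str, str] = {
    "android.permission.CAMERA": "take pictures or record video",
    "android.permission.CALL_PHONE": "place calls without confirmation",
    "android.permission.READ_LOGS": "read system logs",
    "android.permission.READ_EXTERNAL_STORAGE": "read saved files",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.READ_PHONE_STATE": "phone number, network, call status",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.RECORD_AUDIO": "record audio",
}
# Medium-severity tier: general location, account list, storage writes, calendar.
MEDIUM: Dict[str, str] = {
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.GET_ACCOUNTS": "accounts in the Accounts Service",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write files to device storage",
    "android.permission.READ_CALENDAR": "read calendar",
    "android.permission.WRITE_CALENDAR": "add calendar events",
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the android:name of every <uses-permission> in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        # Attributes in the android namespace are keyed as "{ns}name".
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str) -> Dict[str, object]:
    """Bucket requested permissions by tier and compute a simple risk score
    (3 per high-severity permission, 1 per medium; an assumed weighting)."""
    perms = requested_permissions(manifest_xml)
    high = sorted(p for p in perms if p in HIGH)
    medium = sorted(p for p in perms if p in MEDIUM)
    other = sorted(p for p in perms if p not in HIGH and p not in MEDIUM)
    return {"high": high, "medium": medium, "other": other,
            "score": 3 * len(high) + len(medium)}


def report(manifest_xml: str) -> List[str]:
    """Human-readable lines explaining what each flagged permission allows."""
    t = triage(manifest_xml)
    lines = [f"risk score {t['score']}"]
    lines += [f"HIGH   {p}: {HIGH[p]}" for p in t["high"]]
    lines += [f"MEDIUM {p}: {MEDIUM[p]}" for p in t["medium"]]
    return lines


# Constructed manifest mirroring the permission set the article lists for
# a "cleaner" style app; the package name is a placeholder.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MANIFEST)))
```

Run against a manifest extracted with a tool such as apktool, the same script gives a first-pass answer to the question the article raises: does a cleaner or camera app have any business placing calls or reading phone state?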

Most of these apps only request permissions from the user once, and then they continue to collect data in the background. “Users need to be made aware of what these apps are doing on a consistent basis,” says Youngren. He advises deleting these apps, for those still using them.

The most likely and legal reason companies are collecting this data is to sell it to third parties. Location data, both coarse and fine, is most lucrative: Apps can send location data 14,000 times per day, Youngren says, giving buyers an accurate depiction of users’ daily movements.

This isn’t the first time Shenzhen Hawk has been known to develop apps with malware and privacy issues. The company creates seven apps specifically made for Alcatel phones; some of Alcatel’s built-in software, including the Weather Forecast app, has been known to infect devices with malware and adware. Some default Alcatel apps, including Gallery, were changed to “Candy Gallery” and the old app developer name was replaced with an entirely new one.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/researchers-find-24-dangerous-android-apps-with-382m-installs/d/d-id/1336949?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

C-Level & Studying for the CISSP

One CTO tells us about his belated pursuit of a foundational infosecurity certification — why he wanted it and what it took.

Why does an IT professional seek a certificate in IT security? For many, it’s a way for junior and mid-career pros to advance their careers and improve their “personal brand.” For others, it’s a requirement of their existing job. So when a C-level IT industry executive — one without security in his job title — decided that he needed a cybersecurity certification, Dark Reading asked why.


Tim Titus is chief technology officer at PathSolutions. With a job title that seldom requires new certifications, he nevertheless decided to pursue a CISSP. The Certified Information Systems Security Professional (CISSP), a certification granted by the International Information System Security Certification Consortium (ISC)², is one of the major certificates employers use to determine whether someone is qualified in IT security. Along with Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), CompTIA Security+, and SANS GIAC Security Essentials (GSEC), the CISSP’s combination of experience and examination is intended to provide assurance that someone knows what they’re doing when it comes to IT security.

The “Why”

Titus acknowledges that most people who would volunteer to bury their noses in test prep guides until their vision prescription changes are doing so merely to improve their employment opportunities.

In his case, however, it was to improve his professional knowledge and to benefit his company. Staff (even C-level executives) who hold professional certifications are seen as more credible and authoritative than those who don’t.

Why the CISSP instead of another certification program? Titus says that peers and friends in the industry told him the CISSP is respected as a broadly based certificate in the field. It doesn’t focus, he says, on any one vendor or area of concern, requiring testing on eight different areas of interest for each candidate.

“The CISSP is about teaching you how to think about security,” Titus says, and to think about it within the context of the eight CISSP security domains. Security and risk management, asset security, security architecture and engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security are the eight domains in which CISSP candidates will have to demonstrate knowledge before they pass the exam.

The process

There are many different ways to prepare for the CISSP exam: self-study books and online courses, for example. Titus, however, went for full immersion.

“I signed up for a boot camp, a $3,000 training camp, that was referred to me by one of the CISSPs I was friends with,” he explains. The Monday to Saturday camp was, he says, a very high-quality experience.

Even before the bootcamp, though, Titus began working on the exam. He says that the bootcamp sent out its study material about six weeks before the actual camp; material that included the official (ISC)² study manual. Titus praises the quality of the material found in the manual. “I went out to Monterrey, got a hotel and I sat in the hotel for three days, effectively going cover to cover in that book,” he says. The ability to spend 100 percent of his time focused on the material made his time in the course much more valuable, he feels.

The knowledge

The material in the study manual was, he says, enlightening.

“The CISSP is all about helping you understand the risks, render the proper judgment, and gather the proper financial resources to rally around those risks,” Titus says. He makes the analogy that the CISSP isn’t about how to program an access control list (ACL) into a router — it’s about knowing the risks the network faces and how an ACL might figure into an overall security strategy.

The exam

Titus was able to get a timeslot for the exam five days after completing the bootcamp. He wanted to take the test soon after the course so the material was still fresh in his mind when he sat down in front of the computer. But before he took the test, he went through one more step.

The practice exam. “The reason for getting that sample test is that it allowed me to sit down and run through each of the domains in a testing environment and see, OK, how do I score?” he explains, continuing, “if I find that I’m scoring less than 70%, then I need to brush up in those areas.”

On the other hand, he says, scoring more than 90% on a domain means that you probably don’t need to spend any additional study time on it. A re-test is allowed (within a specific time period), so you have the opportunity to catch any issues and fix them before taking it again. Lay that material aside to concentrate on your weaknesses. It’s the strategy he used to go in and pass the test on his first attempt.

Being able to put “CISSP” after his name on a business card is good, Titus says, but far from the sole benefit of the process. “The thing I loved about this whole experience was that I learned it’s not just about firewalls, antivirus, and anti-malware. It’s not about technology. It’s about process and judgment on putting the process together,” he says, adding, “And if you don’t have a good process, you’re throwing money left and right at various risks that you might not even encounter.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/c-level-and-studying-for-the-cissp/b/d-id/1336948?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

EKANS Ransomware Raises Industrial-Control Worries

Although the ransomware is unsophisticated, the malware does show that some crypto-attackers are targeting certain industrial control products.

A fairly unsophisticated ransomware attack has raised a few eyebrows among security researchers for its ability to force computers to stop specific activities, or processes, related to industrial control systems, critical-infrastructure security firm Dragos stated in a report published on February 3.

In the past, ransomware has generally caused disruption in industrial control system (ICS) environments as a side effect of the malware’s destructive activity — encrypting data would cause some software to fail, causing outages. Although a relatively primitive attack, the EKANS ransomware actively targets certain products common in ICS environments, says Joe Slowik, an adversary hunter with Dragos.

However, the program does not seem to be a significant danger at this point, he says. “It is certainly nothing to dismiss; it can still be disruptive to industrial operations, but it is important to note that the ransomware does not have the ability to modify, manipulate, or otherwise change process logic, which is where we get into the really concerning events,” Slowik says.

The ransomware targets processes started as part of GE’s Proficy data historian, which records events and the status of devices on the network, GE Fanuc licensing server services, and Honeywell’s HMIWeb application, Dragos stated in the report. The targeting of ICS processes puts EKANS in the same category as the MegaCortex ransomware, which has successfully infected companies’ systems and demanded ransoms ranging from $20,000 to $5.8 million.

“[T]he specificity of processes listed in a static ‘kill list’ shows a level of intentionality previously absent from ransomware targeting the industrial space,” the Dragos report stated. “ICS asset owners and operators are therefore strongly encouraged to review their attack surface and determine mechanisms to deliver and distribute disruptive malware, such as ransomware, with ICS-specific characteristics.”

The tactic of stopping processes is common among malware. Many programs will attempt to stop antivirus as a first step in infecting a system. EKANS has a static kill list of 64 different processes that it attempts to halt, but MegaCortex has its own, much larger, list of 1,000 processes.

Dragos argues that the two programs could be related. However, EKANS is much less of a threat than MegaCortex.

“While killing the historian processes is certainly inconvenient and not a good thing, it is certainly not something that will shut a plant down,” Slowik says. “It will make operations more difficult.”

Killing the other services could lead to more disruption. While this is ICS-aware malware, he says, it represents a fairly primitive form of intrusion.

The existence of an e-mail address that contains the string “bapco” has led some researchers to speculate that EKANS, which others call Snake, is related to the Dustman attack in December that reportedly infected Bahrain’s national oil company, also known as Bapco.

Yet, Slowik remains unconvinced.

“While the email address is provocative in light of this news, the EKANS sample appears unrelated to the Dustman event,” he stated in the report. “One possibility is that EKANS was in fact used at Bapco in an incident prior to Dustman, while another is that current public reporting is confusing the Dustman incident — which all available information indicates is focused on Saudi Arabia — with a widespread and potentially disruptive ransomware event at Bapco occurring around the same time.”

So, who wrote this program? Slowik is not so sure.

“It is an open question,” he says. “There have been reports that this is an Iranian operation, but that is a bit of a stretch.”

In the past, the level of attention that attacking a utility or industrial facility would have attracted to the perpetrator kept many attackers too concerned about consequences to target such facilities. Yet EKANS demonstrates that ICS asset owners need to have visibility into the state of their infrastructure, Slowik says.

“Organizations need to adjust their risk profile appropriately [and acknowledge] that their risk does not stop at state-sponsored entities or the random worm-able infection,” Slowik says. “It seems increasingly that threat actors, whether they be criminals or otherwise, are more willing to operate in these areas, risks be damned.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/ekans-ransomware-raises-industrial-control-worries/d/d-id/1336950?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bad Certificate Knocks Teams Off Line

Microsoft allowed a certificate to expire, knocking the Office 365 version of Teams offline for almost an entire day.

Microsoft Teams on Office 365, a service that passed the 20 million user mark late last year, was knocked down this morning by a certificate issue. Specifically, an authentication certificate was allowed to expire, keeping millions from logging in to the service.

Microsoft acknowledged the service interruption at approximately 9:15 a.m. ET, and by roughly 10:30 a.m. ET it had acknowledged that the problem was certificate-based. An hour later, the company tweeted that it had begun the remediation process, with a message at nearly 5:00 p.m. ET that the fix had been applied.

For more, read here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/operations/bad-certificate-knocks-teams-off-line/d/d-id/1336951?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

iCloud hacker perv cops nearly 3 years in jail for stealing and sharing people’s private, intimate pics

A perv who reportedly hacked people’s iCloud accounts to obtain sexual images before sharing them online has been sent to prison for nearly three years.

Tony Spencer of Victoria Hill, Eye, Suffolk, was found by Basildon Crown Court to have “accessed iCloud accounts without the owners’ consent” by using “software”, according to a police statement.

One of Spencer’s victims had told Essex Police in 2017 that her iCloud account had been breached and her “personal intimate pictures” posted online shortly afterwards.

Spencer pleaded guilty in September last year to a dozen Computer Misuse Act offences, nine counts of voyeurism and five counts of making an indecent photograph of a child. On top of his 32-month sentence, handed down late last week, he was put on the Sex Offenders’ Register for life and handed a Sexual Harm Prevention Order for 10 years.

In addition to iCloud hacking, Spencer had also filmed women and children getting changed in his local leisure centre with hidden cameras.

Detective Sergeant Ian Collins of Essex Police’s Cyber Crime Team commented: “Spencer was not able to access any accounts secured with 2FA as he would have needed the mobile phone of the victims at the same time.”

The policeman added that Spencer’s sordid secret lifestyle “went hidden for many years until we received just a single report that revealed much, much more… he used his specialist knowledge to hack his unsuspecting victims’ accounts and then accessed their most intimate photographs for his own sexual purpose and that of others.”

No details were given of what software Spencer was using, though a simple online search throws up millions of results which may or may not actually work. The Register has asked Essex Police for more information and will update this article if the force responds.

The force said it was conducting a larger investigation into iCloud account hacking, partially triggered by its investigation into Spencer. The force appears to be a fan of using the Computer Misuse Act (CMA) against hackers.

Academics and campaigners have called for the CMA to be reformed for the modern era, arguing that because there is no specific sentencing guideline for judges to use, jail terms handed down to CMA criminals are inconsistent. The Crown Prosecution Service’s London tentacle recently slapped a last-second fraud charge onto a man who admitted hacking the National Lottery, a wise decision from the prosecutors’ perspective when the judge used that as the basis for handing down a nine-month prison sentence.

Previous research by The Register found that prison sentences under the CMA tend to be measured in months rather than years. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/03/icloud_hacker_sentenced/

‘Cyber security incident’ takes its Toll on Aussie delivery giant as box-tracking boxen yanked offline

Australian courier company Toll has shut down several of its key systems after a “security incident” last week, prompting a backlash from frustrated customers.

Individual punters and businesses alike said they were unable to send, receive or track their packages since as early as Wednesday morning last week. The company’s tracking website, MyToll, has been down since Friday afternoon.

A Reg reader who spoke to service reps over the phone told us Toll employees have been unable to provide information about their packages, or even to access their internal tracking database.

“As a precautionary measure, in response to a cyber security incident on Friday, Toll deliberately shut down a number of systems across multiple sites and business units,” the company said in a statement posted today on its website.

Toll is one of Australia’s largest courier companies, and claims to deliver 95 million packages a year. Its services are used to transport packages for eBay, mobile phone vendors and US travel documents for Australians, among other things.

The breach is reported to have affected Australia, India and the Philippines. The company has not said how many customers have been affected.

Frustrated Australian customers took to Twitter with characteristic ire.

One user, @PaulMan42254737, wrote: “I just made this account to say ‘Fuck you!’ to @Toll_Group for losing my package.”

Local media reported that Toll is still making some deliveries, but receipts are being recorded manually instead of electronically.

Toll said it is working to restore the affected systems in a “controlled and secure manner”.

“Business continuity plans have been activated to maintain customer service and operations,” the company said.

Toll did not answer The Reg’s requests for more information on what these plans involve. Nor did the company say when it expects its systems to be up and running again, or whether wider systems have been affected.

Toll Group is owned by Japan Post Holdings, which bought the Melbourne-based group in 2015 for $6.5bn. It has turned into a dud investment for Japan Post, which wrote down (PDF) the value of Toll by $4.9bn in 2017. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/02/03/toll_group_security_incident_australia/


How Device-Aware 2FA Can Defeat Social Engineering Attacks

While device-aware two-factor authentication is no panacea, it is more secure than conventional SMS-based 2FA. Here’s why.

In the ever-escalating arms race between attackers and defenders, the latest defense to crumble under fire is two-factor authentication (2FA). Hackers have become increasingly successful in using social engineering techniques that defeat 2FA and let them take control of victim accounts.

Many of these attacks, however, including account takeover using SIM-jacked phone numbers, can be thwarted by restructuring part of the authentication process, using a minor modification to existing methods. It’s a shift from account-based 2FA (usually using SMS one-time passcodes, or OTPs, sent to registered phone numbers) to device-aware 2FA. Using device-aware 2FA, the bank, email service or other service provider only accepts attempts coming from a recognized device previously associated with the account.

How Attackers Defeat 2FA with Social Engineering
SMS-based two-factor authentication has been widely adopted by service providers including financial institutions, email services, social networks and online marketplaces. Among consumer websites using any form of 2FA, about 57% use SMS OTPs, according to data derived from a 2019 report by Javelin Strategy & Research.

Websites using SMS-based 2FA send a code by SMS to the registered cellphone number. The user then types or pastes this code into the website. Attackers can obtain that code either by hijacking the cellphone number through SIM-jacking, or by using social engineering to trick the victim into giving the code to the attacker.

In SIM-jacking, with a bit of competent social engineering and persistence, a scammer convinces an employee of a wireless carrier to transfer a victim's telephone number to a new SIM card in the attacker's phone. The attacker then receives every SMS OTP sent to the victim, putting all of the victim's accounts protected by those SMS passcodes at risk of takeover.

Awareness of SIM-jacking and other threats to multifactor authentication (MFA) is rising, though to date few technical solutions have been identified. In September, the FBI warned that cybercriminals are using social engineering and technical attacks to circumvent MFA. In a widely publicized incident in August, an attacker took over the Twitter account of Twitter CEO Jack Dorsey by SIM-jacking his phone, and then used the account to tweet Nazi propaganda.

In November, Twitter began allowing users to choose to use 2FA methods other than SMS-based 2FA. But the options offered (authenticator apps and security keys) have their own vulnerabilities, including technical or social engineering risks. Rather than solving the problem, Twitter now in effect allows the users to select which vulnerability they face.

Using Device-Aware 2FA to Thwart Account Takeover
Account providers can implement a more secure version of 2FA by switching the method of authentication. Conventional SMS-based 2FA requires the user to prove she has access to the phone number associated with the account. With device-aware 2FA, the user must prove she has access to both the phone number and the actual phone (or other device) associated with the account. (From the user’s perspective, no extra step is required.)

With conventional SMS-based 2FA, the website sends an SMS containing the passcode. With device-aware 2FA, the website instead sends an SMS with one or more clickable links, for example, the question "Have you asked to reset your password?" with two clickable answers, representing "Yes" and "No." When the user clicks the "Yes" link, the website automatically checks the profile of the device that opened it. For this to hold up, each link must carry an unguessable, single-use, short-lived token tied to the pending request, so that the link itself cannot be replayed or forged.

Unless the attacker has also stolen the victim's phone and unlocked it, the attacker's device won't be recognized as having been previously associated with the account, and the website will deny access. (If the user clicks "No," both the user and the site become aware of the attack and can take action to restore security.) Note what this does not cover: an attacker who persuades the victim to tap "Yes" on the victim's own phone still gets through, so the wording of the prompt and rate-limiting of repeated approval requests matter for that case.

Methods for Recognizing Devices
Device-aware 2FA takes advantage of device-identifying technologies that are already widely deployed, but uses them differently. These technologies, which can be combined, include various types of cookies placed by a website on a device; "read-only" browser characteristics such as the user agent string and related local data that websites normally check in order to send the correct display instructions for the particular device type; and other characteristics such as network name, carrier name, and geolocation.

Almost all websites already use cookies and other device identifiers, whether for personalization or fraud detection. In fact, 2FA is often triggered when a user attempts to log in from an unusual location or an unrecognized device. Options for identifying devices include standard HTTP cookies and variants such as Flash local shared objects ("flash cookies") or cache-based identifiers.

When a user accesses a website, the website can also check characteristics of the user's browser, such as browser type and version, touch-screen support, installed system fonts, installed languages, screen size, color depth, time zone, and browser plug-in details. While these digital fingerprints aren't unique to each device, there are so many permutations of user hardware and software attributes that it is unlikely an attacker's device will share a fingerprint by chance. Fingerprint attributes are observable by any site the victim visits, however, and can be copied, so they should corroborate a secret device identifier such as a random cookie value rather than stand in for it.

Special Case: New Device
New security measures often impose some friction on normal activity. For device-aware 2FA, the added friction is minimal in most situations. The device used to establish the account (or to set up 2FA for the first time) would be automatically linked to the account. If the user accesses the site from a new device, the site could send a device-aware 2FA message to the old device to obtain authorization. If the authentication succeeds, and the user states that the new device indeed belongs to her, then the new device will be automatically enrolled, and then it can be used to approve future device-aware 2FA verifications. Other options for adding new devices to a user profile include allowing a new device to be authorized by scanning a QR code displayed on the original device, or allowing access from a new device if the device shares browser settings (such as a synchronized Google Chrome account) with the original device.

But what happens if the user replaces her phone and has no other device enrolled? Nearly all institutions provide escalation methods to regain access to accounts even if a user has lost access to the cellphone number or email account used for authentication. Similar escalation procedures can be used with device-aware 2FA if the user replaces or loses her phone. For example, the user might be asked to answer knowledge-based authentication questions, or to accurately report very small payments made to a checking account already associated with the user. Recovery is the weakest link in any such scheme: knowledge-based answers are themselves exposed to data breaches and social engineering, so the recovery path deserves the same scrutiny as the primary factor.
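The following is an added illustration of the flow described above (the Yes/No link challenge, recognition of the clicking device, and enrollment of a new device approved from an old one); it is not ZapFraud's or the author's code. It assumes a random per-device token stored in a long-lived cookie as the strong device signal, a hash of browser attributes as a secondary signal, HMAC-signed single-use links with a five-minute lifetime, and an in-memory outbox standing in for the SMS gateway. The hostname, attribute names and method names are invented for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)    # per-deployment HMAC key (assumption)
CHALLENGE_TTL = 300                     # seconds a Yes/No link stays valid
BASE_URL = "https://bank.example/2fa"   # placeholder hostname


def fingerprint(attrs: dict) -> str:
    """Hash a canonical form of the browser attributes the site already sees."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


def parse_link(url: str) -> Tuple[str, str, str]:
    """Split a Yes/No link back into (challenge id, answer, signature)."""
    cid, answer, sig = url.rsplit("/", 3)[1:]
    return cid, answer, sig


@dataclass
class Device:
    token: str    # random value set as a long-lived cookie at enrolment
    fp: str       # fingerprint hash recorded at enrolment


@dataclass
class Challenge:
    user: str
    purpose: str                       # "login", "password_reset" or "enroll_device"
    issued: float
    new_attrs: Optional[dict] = None   # attributes of a device waiting to be enrolled
    new_token: Optional[str] = None    # cookie minted for that device once approved
    used: bool = False


class DeviceAware2FA:
    def __init__(self) -> None:
        self.phones: Dict[str, str] = {}
        self.devices: Dict[str, Dict[str, Device]] = {}   # user -> cookie token -> Device
        self.challenges: Dict[str, Challenge] = {}
        self.sms_outbox: List[Tuple[str, str]] = []       # stands in for the SMS gateway
        self.alerts: List[Tuple[str, str, str]] = []

    def enroll_first_device(self, user: str, phone: str, attrs: dict) -> str:
        """Account creation: the enrolling device becomes the first trusted device."""
        token = secrets.token_urlsafe(32)
        self.phones[user] = phone
        self.devices[user] = {token: Device(token, fingerprint(attrs))}
        return token   # returned to the browser as a cookie

    def _sign(self, cid: str, answer: str) -> str:
        return hmac.new(SERVER_KEY, f"{cid}:{answer}".encode(), hashlib.sha256).hexdigest()

    def start(self, user: str, purpose: str, new_attrs: Optional[dict] = None) -> Dict[str, str]:
        """Open a challenge and text the user two signed links instead of a passcode."""
        cid = secrets.token_urlsafe(16)   # unguessable and single use
        self.challenges[cid] = Challenge(user, purpose, time.time(), new_attrs)
        links = {a: f"{BASE_URL}/{cid}/{a}/{self._sign(cid, a)}" for a in ("yes", "no")}
        text = f"Did you request a {purpose}? Yes: {links['yes']} No: {links['no']}"
        self.sms_outbox.append((self.phones[user], text))
        return links

    def click(self, url: str, cookie_token: Optional[str], attrs: dict,
              now: Optional[float] = None) -> str:
        """A link was opened on some device: returns 'approved', 'denied' or 'rejected'."""
        cid, answer, sig = parse_link(url)
        ch = self.challenges.get(cid)
        now = time.time() if now is None else now
        if ch is None or ch.used or now - ch.issued > CHALLENGE_TTL:
            return "rejected"   # unknown, replayed or expired link
        if not hmac.compare_digest(sig, self._sign(cid, answer)):
            return "rejected"   # tampered link (e.g. "no" rewritten to "yes")
        ch.used = True
        if answer == "no":
            self.alerts.append((ch.user, ch.purpose, "user denied the request"))
            return "denied"
        dev = self.devices[ch.user].get(cookie_token or "")
        if dev is None:
            # Whoever clicked controls the phone number (SIM-jack) but not an enrolled device.
            self.alerts.append((ch.user, ch.purpose, "approval from unrecognised device"))
            return "denied"
        if dev.fp != fingerprint(attrs):
            # Cookie matched but the browser looks different: fingerprints drift and can be
            # copied, so record a risk signal instead of blocking on it.
            self.alerts.append((ch.user, ch.purpose, "fingerprint drift on enrolled device"))
        if ch.purpose == "enroll_device" and ch.new_attrs is not None:
            ch.new_token = secrets.token_urlsafe(32)   # approved from an already-enrolled device
            self.devices[ch.user][ch.new_token] = Device(ch.new_token, fingerprint(ch.new_attrs))
        return "approved"

    def new_device_token(self, url: str) -> Optional[str]:
        """Polled by the new device's session: its cookie once the old device approved."""
        ch = self.challenges.get(parse_link(url)[0])
        return ch.new_token if ch else None
```

The cookie lookup, not the fingerprint, is what defeats the SIM-jacker: the attacker receives the SMS and can open the link, but presents no enrolled token. The fingerprint mismatch path only raises an alert because legitimate browsers change their attributes on every update.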

While device-aware 2FA is more secure than conventional SMS-based 2FA, it is of course no panacea. In the endless game of leapfrog that security professionals play with cybercriminals, nearly every security method can be eventually defeated by a determined and resourceful attacker. All we can do is continue making our leaps smarter and longer.



Markus Jakobsson, chief scientist for ZapFraud, has worked for more than 20 years as a security researcher, scientist, and entrepreneur, studying phishing, crimeware, and mobile security at leading organizations. He leads ZapFraud's security research with a focus on using …

Article source: https://www.darkreading.com/risk/how-device-aware-2fa-can-defeat-social-engineering-attacks/a/d-id/1336904?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple