Last month, Apple’s iCloud fell victim to a major security breach that left many people, especially celebrities, exposed. Our lives are increasingly conducted through our smartphones and our data is then backed up to the cloud, so it’s not surprising that criminals are showing interest in hacking the system. The opportunities for fraud and identity theft are growing fast, as it seems are the chances of making a profit from the tabloids’ hunger for Hollywood scandal.

It appears that hackers gained access to iCloud accounts by guessing users’ username and password combinations via the “Find My iPhone” app. Apple had not set a limit on the number of guesses you could make before being locked out, so it was inevitable that some guesses would prove correct. In a perfect world, all reputable digital services would be secure, but as news stories make plain almost every day, even the most trusted companies sometimes slip up in the war against cybercrime and espionage.
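As an added illustration (not code from the original post or from Entersekt), here is the kind of per-account guess budget the endpoint described above lacked, with a lockout once the budget is spent; the class, thresholds and sample attempt log are hypothetical:

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # wrong guesses allowed inside the window
WINDOW_SECONDS = 600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long an account stays locked once the budget is spent

class LoginThrottle:
    """Per-account failed-login budget, consulted before the password is checked."""

    def __init__(self):
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account, success, now):
        """Update the budget after a password check; True if this failure locks the account."""
        q = self._failures[account]
        if success:
            q.clear()                         # a real login resets the counter
            return False
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:   # forget failures outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            q.clear()
            return True
        return False

def login(throttle, account, password_ok, now):
    """Decision for one attempt: 'locked', 'denied' or 'ok'."""
    if throttle.is_locked(account, now):
        return "locked"                       # refuse without evaluating the guess at all
    if password_ok:
        throttle.record(account, True, now)
        return "ok"
    return "locked" if throttle.record(account, False, now) else "denied"

def replay(attempts):
    """Run a constructed log of (account, password_ok, unix_time) through one throttle."""
    throttle = LoginThrottle()
    return [login(throttle, acct, ok, t) for acct, ok, t in attempts]

# Constructed sample: six wrong guesses ten seconds apart, then the right password
# at t=70, which is still refused because the account is locked by then.
SAMPLE = [("alice", False, t) for t in range(0, 60, 10)] + [("alice", True, 70)]
```

The lockout is keyed on the account rather than the client address, so distributing guesses across many sources does not restore the budget; a production service would also alert on the lockout event.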

The victims of the iCloud breach would probably have remained protected had they enabled multi-factor authentication on their accounts. A stolen or guessed password would be useless without the attacker possessing that additional factor. Organizations everywhere are implementing multi-factor solutions to secure their networks. It’s a good first step to ensuring that a user is who they claim to be, but most implementations are not what anyone would describe as airtight.

Multi-factor authentication has been a near requirement for financial institutions for years. Most such systems use one-time passwords (OTPs), often delivered by SMS. Unfortunately, SMS was never intended to serve as a secure communications channel; its use in securing online accounts leaves enterprises and their customers vulnerable. The privacy of text messages rests on the security of cellular networks and, given the known attacks against GSM and 3G networks, their confidentiality cannot be guaranteed. All mobile devices are also susceptible to the Zeus, Zitmo, Citadel and Perkal trojans, which exploit the open access that applications have to SMS on mobile phones to intercept OTPs. SIM swaps and SIM clones, number porting attacks, fake caller ID, and call forwarding scams run through dishonest customer service representatives at mobile carriers all exploit the same weakness: SMS is an insecure delivery channel.

To strengthen digital security, we have to go beyond compromised OTP-based systems and implement solutions based on full out-of-band multi-factor authentication. In this paradigm, the authentication tool remains the mobile phone, but a public-key infrastructure is used to build a secure, out-of-band communication channel, based on mutual authentication, between it and the solution providers’ servers. All communication is encrypted end-to-end and cannot be intercepted by outside parties. 

It’s an approach that counters phishing, man-in-the-middle and man-in-the-browser attacks, keystroke logging, and number porting attacks. It will also help secure sensitive information in the cloud, whether you’re a corporate treasurer, small business owner, or even a Hollywood star.


Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.