5G, a network of superlatives in a world of sky-high expectations.
Securing your enterprise has never been more important. Verizon, in its annual report on data breach investigations, analyzed 157,525 security incidents in 2020 alone. Of those, 3,950 were classified as data breaches, meaning the incident resulted in the confirmed disclosure (not just potential exposure) of data to an unauthorized party. Not only are these incidents financially motivated; they also threaten enterprise operations through Denial of Service (DoS) attacks and erode trust in the brand when user data and credentials are stolen.
A question many will ask: how is identity theft increasing when we have multi-factor authentication capabilities available to protect us? Unfortunately, as identity protection capabilities have advanced, fraudsters have adopted those same capabilities.
Determining which two-factor authentication approach suits your enterprise can be a bit of a balancing act of convenience, cost, and the ability to scale.
- Hardware tokens
Hard tokens are often regarded as the most secure method for 2FA because you must physically have the token with you when authenticating your identity. However, there are many cost and practical considerations that have cost hard tokens their top spot: for example, if a token is lost, obtaining a replacement can be slow, leaving an employee or customer locked out of their account in the meantime.
- Mobile Apps
The next best option is using mobile apps for 2FA. Some of the largest software companies, such as Google and Microsoft, have developed smartphone apps to provide 2FA services. While these apps offer scale and security measures beyond what hard tokens can, there are still shortcomings that enterprises should consider. Third-party verification adds a layer of protection, but it can also add layers of complexity that get in the way of a seamless customer experience. Mobile apps also require every user to have an appropriate handset, i.e., a smartphone, and may require a data subscription. Where the enterprise does not provide a data subscription to employees, they may refuse to use their personal subscription. There are also the setup and support issues that come with using third-party apps. And with so many stakeholders involved (carrier, app provider, and enterprise), it can be difficult to quickly identify and fix the root cause of fraudulent activity, because it can occur so quickly and at so many different levels.
- SMS
SMS has long been the established and preferred method of providing two-factor authentication (2FA) for enterprises across the globe. The simplicity of SMS means that it works on all devices, carries no or low cost, and quickly generates and sends a simple code for users to read and enter. However, the convenience of SMS for 2FA is now outweighed by the security risks stemming from mobile network signaling issues. For instance, 2G, 3G, and 4G networks rely on signaling protocols that lack built-in security features such as encryption and sender authentication and are prone to spoofing and interception. These vulnerabilities give fraudsters the opportunity to eavesdrop on and intercept the SMS in order to steal money from bank accounts, create fake IDs to set up new credit card accounts, or conduct denial of service attacks.
5G networks have taken positive steps by building upon proven 4G security mechanisms, with enhancements for encryption, mutual authentication, integrity protection, and privacy. However, 5G's built-in cybersecurity features cannot roll back the clock and plug the existing vulnerabilities found in earlier networks. This is particularly pertinent as 5G coverage is still being rolled out, and traffic will continue to traverse 2G, 3G, and 4G/LTE networks for the foreseeable future.
What should enterprises do?
While SMS has known vulnerabilities, it still comes out on top when we consider convenience, no or low cost, and the ability to scale to any user who has a mobile phone. Enterprises should put further safeguards in place to protect high value transactions, using biometric data, such as automated voice, for verification. When voice is used for authentication, voice prints are analyzed for over 140 different attributes, adding that extra layer of security when it is needed the most.
However, as with every aspect of enterprise security, fraudsters are determined to find any vulnerability. In the case of voice authentication, verification calls can be subject to illicit call diverts and end up in the wrong hands. Because of this, enterprises need to ask their communications service providers about the security protections they have in place. Some questions enterprises should ask their carrier include:
- What security mechanisms do they have to protect calls from being intercepted and diverted?
- Have they invested in a multi-protocol signaling firewall that will protect traffic across all generations of mobile networks?
- What mechanisms do they have in place to ensure that 2FA messages, via SMS or voice, are verified and allowed to be sent to that user, in that context, and from that location?
Technology has given the mobile handset an increasingly pivotal role in banking, payments, identity management, and authentication. Ensuring trust in the communications between an enterprise, its employees or customers, and the network has therefore become mission-critical. Enterprises must ensure that their carrier can answer these questions so that a security vulnerability does not become a security crisis.
If you want to know more, please contact us.
This article was previously published on Enterprise Security Magazine.