Running head: THE NEED FOR MUTUAL AUTHENTICATION 1
The need for Mutual Authentication
T Brett
Senior Lecturer and Technical Advisor
Institute of Public Administration / Sensei Cyber Security
Author Note
Information Systems Consultancy and training services
Table of Contents

Abstract
The need for Mutual Authentication
    Current Technology Trends
    Access Control and the three A’s
        CIA Triad
            Confidentiality
            Integrity
            Availability
        The Triple A System of Authentication, Authorization and Accountability
            Authentication
            Authorization
            Accountability
        Factors of Authentication
            Type 1. Knowledge Based - Something you know
            Type 2. Token Based - Something you have
            Type 3. Characteristic Based - Something you are
            Multifactor Authentication
    Common Risks and Attack Methods affecting Authentication Systems
        The User
        Type 1 Authentication
            Dictionary and brute force attacks
            Key loggers
            Social engineering
            Phishing attacks
        Type 2 Authentication
        Type 3 Authentication
        Multifactor Authentication
        Phishing
            Types of Phishing attacks
            Avoiding phishing scams
            What to do if you think that you have been phished
            Does multifactor authentication help reduce Phishing attacks
        Mutual Authentication
            Google’s new Password Free Account Sign-In
References
Abstract
With the increased use of online services and the growing frequency of cyber breaches, the need for better security has never been more important. When IT systems and websites are analysed, the user is commonly found to be the weakest link, often fooled into disclosing part or all of their login credentials to others masquerading as a system, process or colleague. These login credentials are used to identify and authenticate users to systems. Given that users still reuse passwords across multiple sites and applications, and given the number of phishing sites being set up, the protection of login credentials is paramount to the security of any and possibly all systems. In order to protect systems and users against these attacks it is imperative that organisations develop and implement systems incorporating mutual authentication, so that the site proves its identity to the user before the user submits a password for authentication.
Keywords: Authentication, Authorisation, Identification, CIA, Phishing, two-way authentication, mutual authentication
The need for Mutual Authentication
Current Technology Trends
The world we live in has changed vastly over the last decade. Although some have been online for up to 25 years (Helman, 2015), we are now living in a ‘connected world’ where we are constantly engaging and communicating online, and the separation between our physical and online presence is becoming increasingly blurred.
The following tagline from Huawei’s website illustrates the company’s prediction for the near future: “Soon connectivity will be everywhere, improving life even in the far reaches of the world” (Huawei.com, 2015)
The number and variety of devices being connected is increasing all the time. This explosion has given rise to the term ‘Internet of Things’ (IoT), where people now interface with devices such as door bells, kettles and watches over their internet-connected networks, in a drive to access and control literally everything from any device. A report from Gartner states that there will be 6.4 billion connected devices in 2016, an increase of 30% on 2015 (Gartner, 2015).
A huge problem with this explosion is that companies want access to data; this data is considered the new oil. The first reference I could find to this phrase was from 2006, by Michael Palmer, who states in his blog that “Data is just like crude. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity” (Palmer, 2006)
Figure 1: Data is the new Oil. Retrieved from http://www.futuristgerd.com/2013/08/14/great-piece-on-why-data-is-indeed-the-new-oil-linkedin-connects-big-data-human-resources-via-wapo/
As has been seen in the past, when there is a rush for connectivity, security is often neglected, an afterthought, leaving vulnerabilities which can be used to compromise systems and gain access to this valuable data. With the increasing number of vulnerabilities being identified in devices, some are starting to brand the ‘Internet of Things’ the “Internet of (Insecure) Things” (Fruehe, 2015). A recent study and report from HP (Hewlett Packard Enterprise, 2015) highlighted a number of concerns, which include the following:
- 80 percent of the devices studied raised privacy concerns
- 70 percent of devices used unencrypted network services
- 6 out of 10 devices studied used user interfaces which were vulnerable to a range of known attacks such as persistent XSS and weak credentials
- 80 percent failed to require long or complex passwords
As these devices become interconnected, a simple vulnerability in a single device may be used to compromise all of the other interconnected devices; an example of this would be the disclosure of authentication credentials or encryption keys sent in plaintext from one device to another.
Several such vulnerabilities have been exploited: some devices have even been found to have malware included within the device firmware (Kirk, 2014), and other devices have been found to store wireless keys and passwords in plaintext (Kumar, 2016). This, coupled with less secure systems popping up to hold and manage the data, creates a concern. During the time I have been writing this article a new headline reported that the Personally Identifiable Information (PII) of 191 million U.S. voters had been compromised in one single incident because of a misconfigured database (Ragan, 2015).
With the increase in these devices sharing information, our online profiles are growing. This, along with the increased value of data and PII, creates an increasing need to secure and control access to this information, as cybercriminals will invest more time and resources to gain access to it. There is also the new European data protection regulation coming into effect, under which strict fines will be imposed for breaches leading to data leaks; organisations now have a legal as well as a moral obligation to implement adequate levels of security.
Access Control and the three A’s
Access is the flow of information between a subject and an object: the subject is the active entity which requests access and the object is the passive entity to which access is requested. Access is not only required by users to reach systems and data, it is also required by systems and applications, therefore a subject can be a user, a program or a process, and an object can be a computer, a file, a database etc.
CIA Triad
Security as a word is a broad term. When we are dealing with security in information systems we want to be more specific, therefore we break the overall term into three distinct categories: confidentiality, integrity and availability. These three categories are commonly known as the CIA Triad.
- Confidentiality: ensuring that only authorized entities have access
- Integrity: ensuring the accuracy and completeness of the information held, and that it is not altered without authorization
- Availability: ensuring that resources are available as and when needed.
The Triple A System of Authentication, Authorization and Accountability
When working with security, it is not enough simply to control access to objects; we also need to identify and record which objects have been accessed by which subjects and what tasks were performed on them (read, write etc.).
In order to maximize our effectiveness in securing resources we implement the triple A system, which according to TechTarget.com “is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.” (Rouse)
This ‘Triple A’ system consists of authentication, authorization and accounting. In network protocol terms the third A is accounting (measuring usage); in the information security literature it is more often called accountability, which is the term used in the headings below. Each is briefly explained in the following:
Authentication
Identification is used to present an identity to a system. Identification alone is just a claim: when identifying itself, the entity claims to be a particular person or process. On its own it is weak, because we cannot simply accept a subject’s expressed identity, so the subject proves its identity by providing some evidence, such as a password, a smart token or a biometric scan. Providing the proof that a subject is in fact whom they claim to be is known as authentication.
Authorization
Authorization defines what the subject may perform (for example read, write etc.) on the object. There are numerous methods of controlling what can be performed, known as access control models. Examples include Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role Based Access Control (RBAC).
Accountability
Accountability is the measuring and/or recording of what was accessed by which entity. It is extremely important to record what is performed in order to be able to audit and report on the effectiveness of any system, to identify what subjects did to objects, and potentially to hold subjects accountable or to remediate and reduce risks.
Factors of Authentication
There are three factors of authentication.
Type 1. Knowledge Based - Something you know
Type 1, or what you know, involves proving your identity by use of a secret phrase or password that you have previously shared with the system. What you know is the most common form of authentication, but it is also one of the most open to attack if not used correctly. This will be addressed later in the section on common risks and attack methods.
Type 2. Token Based - Something you have
Type 2, or what you have, involves the use of something in your possession; this could be a smart card or some other device (a smart card is a credit-card sized card with an embedded chip that holds a certificate and private key used to identify the holder).
Type 3. Characteristic Based - Something you are
Biometric methods provide the something you are (type 3) factor of authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis.
Type 1 is generally considered the least secure and type 3 the most secure. The editors of the Official ISC2 SSCP CBK state that “knowledge-based devices can be more easily defeated than characteristic-based devices” (Contesti, Andre, Waxvik, Henry, & Goins, 2007)
Multifactor Authentication
Where an increased level of security is required, multifactor authentication can be used. In multifactor authentication the subject must present more than one factor to prove their identity. A common example is a payment card presented together with a PIN code; this combines a type 2 factor (the card) with a type 1 factor (the PIN), which creates a stronger and more secure authentication method, because an attacker now needs to possess the card as well as know the PIN to gain access or, in this case, to purchase goods. For this reason multifactor authentication is commonly referred to as strong authentication. Note that two items of the same type, such as a password and a security question, are both something you know and do not make the authentication multifactor.
Multifactor authentication is still susceptible to attack, but it reduces the risk. Other examples include token-based systems (see Figure 2) whereby a device provides a code which needs to be entered along with the user’s password to gain entry to a system.
Figure 2: RSA SecurID token. Retrieved from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm
Common Risks and Attack Methods affecting Authentication Systems
The User
As Thomas Reid (Reid, 1786) wrote in his essay, “In every chain of reasoning, the evidence of the last conclusion can be no greater than that of the weakest link of the chain, whatever may be the strength of the rest.” This has been widely adapted into the figurative phrase that a chain is only as strong as its weakest link, and when it comes to information systems and user authentication, the weakest link is most commonly the user. Without wishing to seem entirely against the user, the user’s habits and bad practices can easily compromise a system, but even knowledgeable, trained staff have been known to fall victim to spear phishing and social engineering attacks.
Type 1 Authentication
Type 1 authentication is generally considered the easiest to beat; the level of difficulty depends on a number of practices, including the following:
- Complexity: composing the phrase from alphabetic, numeric and non-alphanumeric characters
- Length: the longer the phrase, the longer it takes to crack and the more difficult it is to attack
- History: not allowing a previous password or phrase to be reused before a set amount of time has passed or a set number of changes has occurred.
One also has to consider, though, that the more complex a password is, the more likely it is that a user will record it somewhere and also use it on multiple systems. This is especially true of long passwords or phrases.
Some common methods of compromising Type 1 authentication:
Dictionary and brute force attacks: both dictionary and brute force attacks are methods where the attacker uses a program to automate guessing of the user’s credentials. The difference between the two is that in a dictionary attack the attacker uses a prebuilt file of common passwords and phrases, whereas in a brute force attack the attacker tries every combination of characters to break the password. Both are extremely powerful, with dictionary attacks being considerably quicker, which is why users should not use common phrases. Against a live login page the attacker is slowed by network latency, rate limiting and account lockout; where a database of password hashes has been stolen, the guessing is done offline against the hashes and is limited only by the attacker’s hardware, so the strength of the password itself is all that remains.
Key loggers: key loggers are devices and/or software used to record the keystrokes entered into systems. They can either write the data to files or, in the case of hardware devices, to onboard flash memory, or alternatively transmit the captured keystrokes to a remote application or database.
Social engineering: social engineering attacks are considered the least technical and are the first choice for many attackers. Social-Engineer.org define social engineering as “a blend of science, psychology and art. While it is amazing and complex, it is also very simple.” They go on to describe it as “Any act that influences a person to take an action that may or may not be in their best interest.” (http://www.social-engineer.org/)
Phishing attacks: phishing attacks are a type of attack whereby the attacker masquerades as a legitimate subject or organization, contacting the user by e-mail, SMS or other means in order to gain access to the user’s personal information and/or credentials. Phishing attacks are covered under their own heading later in this paper.
Education can be used to reduce the risks associated with type 1 authentication. staysafeonline.org have published a list of tips for securing accounts and passwords, as follows (Alliance, n.d.):
- Do not share your password with others.
- Make your password unique to your life and not something that is easily guessed.
- Have a different password for each online account.
- Write down your password and store it in a safe place away from your computer.
- Change your password several times a year.
Even with all of the advice commonly delivered by many websites and articles, it is still very common for users to reuse their password on more than one website. A frightening statistic was released in an online article on SecurityWeek.com, which reported that BitDefender conducted a study of over 250,000 user accounts for social networking sites and found that 75 percent of the username and password combinations were identical to those of the users’ email accounts (SecurityWeek.com, 2010). A more recent study commissioned by TeleSign in 2015 concluded that 73 percent of online accounts are guarded by duplicated passwords, that more than half of consumers (54%) use five or fewer passwords across their whole online life, and that 22% use three or fewer (Telesign, 2015).
Type 2 Authentication
The benefit of Type 2 authentication is that the attacker must gain access to something in the subject’s possession in order to gain access to a system. A disadvantage of these systems is that users can become overconfident about their security because of this and may be careless with the devices they possess. Some devices can be cloned easily (for example simple RFID proximity cards), and devices can also be lost or stolen, allowing an attacker to gain access to a system.
Type 3 Authentication
Although biometrics is generally considered the most secure form of authentication, it too is prone to errors. There is always the likelihood of a misread, which could be caused by a number of factors: in signature dynamics, for example, it could be a change in the way a user signs their name due to a differently placed work surface or an injury; it could be caused by direct sunlight during the scan, or even by dirt on the subject’s hand or finger during a fingerprint or palm scan.
A biometric system never looks for an exact match; it produces a similarity score and accepts the attempt when the score is above a threshold, and adjusting this threshold trades one kind of error for the other. When the threshold is set very high, so that only near-exact matches are accepted, Type I errors (false rejections) occur, where a user who should be authenticated is refused. When the threshold is lowered to accept more deviation in the biometric scan, this introduces Type II errors (false acceptances), where an unauthorized user is accepted. (These error types are unrelated to the Type 1/2/3 authentication factors above.) The threshold at which the false rejection rate (FRR) and the false acceptance rate (FAR) are equal is known as the Crossover Error Rate (CER); the lower the CER, the more accurate the system.
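The trade-off just described, worked through on constructed match scores as an added example (not from the paper): the same two populations of scores are swept through every threshold, the false rejection and false acceptance rates are computed at each, and the crossover is located. The scores are invented for the demonstration and do not come from any real sensor.

```python
"""Added example, not from the paper: how the acceptance threshold of a
biometric matcher trades Type I errors (false rejections) against Type II
errors (false acceptances), and where the crossover error rate (CER) lies.
The match scores below are constructed for the demonstration; they do not
come from any real sensor."""

# Constructed similarity scores on a 0-100 scale. Genuine users should score
# high and impostors low, but the two populations overlap, which is why
# neither error rate can be driven to zero without raising the other.
GENUINE_SCORES = [91, 88, 85, 84, 82, 80, 79, 77, 75, 73, 70, 66, 62, 58, 52, 45]
IMPOSTOR_SCORES = [15, 20, 24, 28, 31, 35, 38, 42, 45, 48, 52, 55, 58, 62, 66, 71]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept an attempt when its score is at or above the threshold.

    Returns (FRR, FAR): the false rejection rate is the share of genuine
    attempts refused (Type I); the false acceptance rate is the share of
    impostor attempts accepted (Type II)."""
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every integer threshold and return the one where FRR and FAR
    are closest, together with the two rates at that point (the CER)."""
    best = None
    for threshold in range(0, 101):
        frr, far = error_rates(threshold, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, frr, far)
    _, threshold, frr, far = best
    return threshold, frr, far


def sweep(thresholds=(30, 50, 60, 70, 90)):
    """FRR/FAR for a handful of thresholds, to show the trade-off end to end."""
    return {t: error_rates(t) for t in thresholds}


if __name__ == "__main__":
    for t, (frr, far) in sweep().items():
        print(f"threshold {t:3d}: FRR={frr:.3f} FAR={far:.3f}")
    print("crossover (CER): threshold %d, FRR=FAR=%.4f" % crossover()[:2])
```

With these scores a threshold of 30 rejects no genuine user but admits three quarters of the impostors, a threshold of 90 admits no impostor but rejects almost every genuine user, and the two rates meet at a threshold of 59 with FRR = FAR = 3/16. Which side of the crossover a deployment should sit on depends on whether a locked-out employee or an admitted intruder is the costlier error.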
Multifactor Authentication
Although multifactor authentication reduces the risk of a site and account being compromised, it is still open to attack. Attacking multifactor authentication involves the attacker gaining access to each of the authentication methods used, which causes the attacker more work, but the methods can still be compromised via man-in-the-middle attacks, trojans, account recovery attacks etc. An article published in ComputerWeekly.com states that while using multiple different types of authentication, including biometrics, is excellent at protecting the login process on devices, “these technology options will not protect organisations if users reuse the same insecure passwords on other systems that use only single-factor, password-based authentication.” (McLaughlin, 2011)
Phishing
Phishing is a type of fraud. It can happen in a variety of ways, from attackers sending emails or using other channels of communication to setting up fake websites.
The function of phishing is clear and simple: to obtain credentials or account information by masquerading as a reputable entity. According to Visa, “Phishing refers to scams that attempt to trick consumers into revealing personal information that can be used to commit fraud. Such scams can happen over the phone, email, mail and text message. Phishers often target users with fake internet sites or email messages that are disguised to seem legitimate, or leverage social networking sites where users are already sharing information with others.” (Visa.com, 2015) ISC2 give a similar definition: “Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.” (ISC2, 2015)
Figure 3: Phishing
Phishing is a popular technique used by cybercriminals because it is easier to trick a user into disclosing credentials than to break through a system’s defences. Users are often intrigued by phishing emails, wondering who would fall for them; some of these emails are badly designed, with numerous spelling and grammar mistakes, but others look professional and can be difficult for the untrained user to spot. A recent whitepaper by Mimecast informs us “that 91% of all hacking begins with an email-based phishing or spear-phishing attack” (Mimecast, 2015). RSA, the security division of EMC, report that they identify “a phishing attack every minute” and further inform us that in 2014 “Phishing attacks cost global organizations $4.5 billion in losses” (RSA). Current research does however show an overall decline in the volume of phishing attacks. This can be seen in an online report entitled Spear-phishing statistics from 2014-2015 by infosecinstitute.com, released mid 2015 (see Figure 4), and the same trend is evident in research conducted by Kaspersky Lab, illustrated in Figure 5.
Figure 4: Phishing attacks per day. Retrieved from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/
Figure 5: Kaspersky.com: The proportion of spam in email traffic, October 2014 – March 2015. Retrieved from http://www.kaspersky.com/about/news/virus/2015/Spam-and-Phishing-in-Q1-New-domains-revitalize-old-spam
The frequency of these attacks can and does fluctuate with high profile events. As an example, Kaspersky Lab reported an increase in phishing mails due to the war in Syria, stating that “Widespread media coverage has increased international interest in the plight of Syrian citizens, and this has led Nigerian scammers to jump on the bandwagon and exploit the kindness of strangers looking to help those affected by events in the Middle East.” They also state that although most of the emails are in English, they are also being sent in German, French and Arabic, and that these emails “claim to be from Syrian citizens seeking asylum in Europe and request assistance in investing large sums of money” (Kaspersky Lab, 2015).
Although the widespread use of phishing may have decreased, there has been an increase in more targeted spear phishing and whaling campaigns. This is emphasized by a security alert issued on the third of September 2015 by SMX Secure Cloud Solutions, which states that there is a rise in targeted emails (spear phishing) and goes on to warn: “We would also like to warn that attackers are undertaking sophisticated whaling attacks, researching and identifying 'big fish' within an organisation. These individuals are then attacked with a combination of social engineering and email spoofing techniques in order to elicit funds” (SMX Cloud Solutions, 2015). Kaspersky Lab also identify an increase in the use of targeted phishing against customers of DHL and FedEx during the weeks leading up to Christmas, as attackers exploit online shoppers’ spending sprees (Kaspersky Lab, 2015); an example of one such email can be seen in Figure 6.
All of these facts clearly show that phishing attacks are still very relevant and illustrate the importance of managing the risk properly.
Figure 6: Phishing website example. Retrieved from https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/
Types of Phishing attacks
Spear phishing
Spear phishing is a type of attack directed at specific individuals, roles or organisations. Because these attacks are aimed specifically at an entity, the attacker may go to great lengths to gather information which can be used to make the attack more believable, therefore increasing the likelihood of success.
Whaling
Whaling is a type of phishing attack aimed specifically at executive officers or other high profile targets. These are also generally aimed at a specific organization, role or individual, so whaling can be categorized as a sub-form of spear phishing.
Smishing
Smishing is a type of attack sent through an SMS message; the message contains a bogus URL, a telephone number to call, or a request for an SMS reply.
Vishing
Vishing is a type of attack carried out over voice calls, often by an automated system that plays a recorded message requesting login details. The system may ask you to call a number back or to enter your PIN or passphrase, with a view to recording it and using it at a later time.
Avoiding phishing scams
Although the best defence against any type of phishing attack is user knowledge and training, there are some general guidelines and best practices.
APWG.org identify the following main points (APWG Anti-Phishing Working Group):
- Be suspicious of any email or communication (including text messages, social media posts, ads) with urgent requests for personal financial information.
- Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify its legitimacy is also an option.
- Don’t send personal financial information via email, and avoid filling out forms in email that ask for your information.
- Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.
Other general guidelines include checking website digital certificates and validating email and website addresses, including their correct spelling. Note that the lock icon only confirms an encrypted connection to whoever controls the domain shown in the address bar; phishing sites routinely obtain valid certificates for their own look-alike domains, so the lock does not by itself confirm that the site is the one the user intended to visit.
Most online organisations now communicate the common message that they will not request your credentials from you; this is to combat phishing scams. Figure 7 shows an example from PayPal (PayPal.com).
Figure 7: PayPal: Recognize fraudulent emails and websites webpage. Retrieved from https://www.paypal.com/webapps/mpp/security/suspicious-activity
These messages generally provide examples of suspicious emails and may provide steps to take in the event that you have been caught by such an attack.
What to do if you think that you have been phished
Whether you have fallen victim to a successful phishing attack or you have just received a communication and suspect it to be a phishing scam, do not click on any of the links. Check the source of the message and contact the organization that is supposed to have sent it using another form of communication, either by opening its website directly or by calling its support number. If you have already entered credentials, change that password, and change it everywhere else the same password was used.
One of the biggest problems with phishing messages is that when we detect one we simply delete it; the problem here is that less experienced users may not identify it as a hoax and may act on it. Organisations should train users on how to identify hoax messages and provide a point of contact to which suspect messages can be sent. Organisations can also create their own phishing messages to audit and report on the effectiveness of training within the organization, and can then publicize the types of phishing scam emails to users to raise awareness, as illustrated by the example from Arizona State University in Figure 8.
Figure 8: Recent Phishing scams. Retrieved from https://getprotected.asu.edu/phishing#accountexpirationalert
Does multifactor authentication help reduce Phishing attacks
This really depends on the type of multifactor authentication and the way in which it is used. The most common methods of multifactor authentication currently involve sending an SMS message or email to the registered user’s phone or account containing a code or challenge; this code, or the answer to the challenge, has to be entered during the login process for the user to fully authenticate with the site. An example of this type of login would be as follows:
1. User opens login page
2. User enters username and password combination
3. Site sends a phrase or code to the user via SMS or email
4. User enters the code
5. The code is checked and if valid access is granted.
Problems with these types of multifactor authentication
The main problem with multifactor authentication here is that it is only designed to protect access to the site or application itself. Considering that many users reuse their passwords and that the login username is generally their email address, the user is still exposed if the site is copied: the fact that the phishing site does not send the SMS or email is irrelevant, as the user’s credentials have already been sent to the attacker and can be tried against every other site where they were reused. If the phishing page forwards what the user types to the genuine site in real time, it can even obtain the one-time code as well, because nothing ties the code to the page the user is looking at.
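The five-step flow above and the problem with it, as an added example that is not part of the paper: a simulated site implementing password-then-SMS-code login, and a phishing page that forwards the victim's password and then the victim's code to the genuine site while the code is still valid. The site, the user record, the list standing in for an SMS gateway and the relay are all constructed for the demonstration.

```python
"""Added example, not from the paper: a simulation of the SMS-code login
described above and of a phishing page that relays the victim's input to the
genuine site in real time. The site, the user record, the 'SMS gateway' list
and the attacker's relay are all constructed stand-ins, not real services."""
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300  # assumed validity window for the SMS code


class LegitSite:
    """The genuine site: password check first, then a 6-digit code by SMS."""

    def __init__(self):
        self._users = {}      # username -> (salt, PBKDF2 digest, phone number)
        self._pending = {}    # username -> (code, expiry time)
        self.sms_outbox = []  # stand-in for the SMS gateway: (phone, code)
        self.sessions = []    # (username, which browser got the session)

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest, phone)

    def step1_password(self, username, password, now):
        """Steps 1-3 of the flow: verify the password, then text a code."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest, phone = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, now + CODE_TTL_SECONDS)
        self.sms_outbox.append((phone, code))
        return True

    def step2_code(self, username, code, now, client):
        """Steps 4-5: the code is single-use and expires, but whoever submits
        a valid code gets the session; nothing binds it to a browser."""
        pending = self._pending.pop(username, None)
        if pending is None:
            return False
        expected, expiry = pending
        if now > expiry or not hmac.compare_digest(expected, code):
            return False
        self.sessions.append((username, client))
        return True


class PhishingRelay:
    """Attacker's look-alike login page. It sends no SMS of its own: it
    forwards the victim's password so the real site texts the real code to
    the victim's phone, then forwards that code as well."""

    def __init__(self, target):
        self.target = target
        self.captured = {}

    def victim_submits_password(self, username, password, now):
        self.captured["credentials"] = (username, password)  # reusable elsewhere
        return self.target.step1_password(username, password, now)

    def victim_submits_code(self, code, now):
        username, _ = self.captured["credentials"]
        self.captured["code"] = code
        # The attacker's browser, not the victim's, receives the session.
        return self.target.step2_code(username, code, now, client="attacker")


def run_relay_scenario(delay_seconds=30):
    """Victim types password and code into the phishing page; the relay
    forwards both. Returns what the attacker ended up with."""
    site = LegitSite()
    site.register("alice", "correct horse battery staple", "+1-555-0100")  # constructed user
    phish = PhishingRelay(site)
    t0 = 1_700_000_000  # arbitrary clock value

    phish.victim_submits_password("alice", "correct horse battery staple", t0)
    # The victim's phone really does receive a code from the genuine site...
    _phone, code_on_victims_phone = site.sms_outbox[-1]
    # ...and the victim types it into the phishing page a little later.
    logged_in = phish.victim_submits_code(code_on_victims_phone, t0 + delay_seconds)
    return {
        "password_captured": "credentials" in phish.captured,
        "code_captured": "code" in phish.captured,
        "attacker_logged_in": logged_in,
        "session_owner": site.sessions[-1][1] if site.sessions else None,
    }


if __name__ == "__main__":
    print(run_relay_scenario())                   # relayed inside the window
    print(run_relay_scenario(delay_seconds=600))  # code expired: login fails, password still stolen
```

Run with the default 30-second delay, the attacker holds the password, the code and the session. Run with a delay past the code's validity, the login fails, but the password has still been captured and remains usable against every other site where it was reused, which is the point made in the paragraph above.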
The familiarity of multifactor prompts can even be turned against the user. A hoax login page could inform the user that new challenges have been created to increase security and that they must enter a mobile number to associate with their account, after which they will receive an SMS message with a code that must be entered before login. This code could be a single static value and need not even be validated, and given the number of SMS-sending services and devices available, the message may not be traceable back to the sending device.
Better Authentication approaches for dealing with Phishing scams
In order to protect a user's credentials from phishing site scams, it is important to limit the credentials which a user needs to submit to get authenticated and instead provide some form of one-time password. A one-time password is just that: a password or passphrase which can be used only once. This is not new; several versions have been used over time within enterprise environments for staff, just not with the general public. With the more common ones, a piece of software or a token device of some sort is in the possession of the user. When the user logs in, they are either asked for a value from the device or, alternatively, presented with a challenge which the user enters into the device to obtain a response; this response is then used to authenticate the user.
Mutual Authentication
In order to reduce the risk of a user's credentials being captured via phishing scams, there is a growing need to introduce a method whereby the website (object) authenticates itself to the user (subject) as well as the subject authenticating itself to the object. This is where mutual authentication comes into play.
Shon Harris tells us that "Mutual authentication is when two entities must authenticate to each other before sending data back and forth. Also referred to as two-way authentication" (Harris, 2013). With mutual authentication, before any sensitive data such as a password is communicated to a website, the site must also authenticate its identity to the subject accessing it, as well as the subject having to authenticate to the site. This can serve many purposes, but in this paper the purpose is to prevent the unwanted disclosure of sensitive data to phishing-based sites.
The definition on TechTarget.com is as follows: "Mutual authentication is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce" (Rouse, Mutual Authentication, n.d.).
Several methods of mutual authentication could exist. A simple version would be that, upon registering, the user submits a graphic or phrase; when they go to log in, they supply their username, and the image or passphrase is shown to them before they enter their password.
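One way to turn the image-or-passphrase idea above into a complete mutual authentication exchange, combined with the challenge-response one-time password described under better authentication approaches, as an added Python example that is not code from the paper: the site must prove knowledge of the user's shared secret before the user answers its challenge, so a copied login page that lacks the secret receives nothing reusable. The Site, ImpostorSite and respond names, the HMAC-SHA256 construction and the per-user shared secret are assumptions of this example, and it goes beyond the paper's simple version by adding a cryptographic proof to the displayed image.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's code: the site proves knowledge of a per-user
# shared secret (token-style one-time password) before the user answers.

def respond(secret: bytes, label: bytes, *parts: bytes) -> str:
    """Token-side computation: HMAC-SHA256 over a labelled challenge."""
    return hmac.new(secret, label + b"".join(parts), hashlib.sha256).hexdigest()

class Site:
    def __init__(self):
        self.users = {}  # username -> (shared secret, sign-in image)

    def register(self, username: str, secret: bytes, image: str) -> None:
        self.users[username] = (secret, image)

    def begin_login(self, username: str, client_nonce: bytes):
        """Step 1: return the sign-in image, a fresh challenge and a proof of the secret."""
        secret, image = self.users[username]
        challenge = secrets.token_bytes(16)
        proof = respond(secret, b"site|", client_nonce, challenge)
        return image, challenge, proof

    def finish_login(self, username: str, challenge: bytes, answer: str) -> bool:
        """Step 2: check the user's one-time answer to this challenge."""
        secret, _ = self.users[username]
        return hmac.compare_digest(respond(secret, b"user|", challenge), answer)

class ImpostorSite:
    """A copied login page: it knows the user's image but not the secret."""
    def __init__(self, copied_image: str):
        self.image = copied_image

    def begin_login(self, username: str, client_nonce: bytes):
        # Without the secret the proof can only be a guess
        return self.image, secrets.token_bytes(16), secrets.token_hex(32)

def user_login(site, username: str, secret: bytes, expected_image: str) -> bool:
    """User side: authenticate the site first, only then answer its challenge."""
    nonce = secrets.token_bytes(16)
    image, challenge, proof = site.begin_login(username, nonce)
    if image != expected_image:
        return False  # wrong image: the user stops here
    if not hmac.compare_digest(proof, respond(secret, b"site|", nonce, challenge)):
        return False  # the site cannot prove it holds the secret: nothing is sent
    return site.finish_login(username, challenge, respond(secret, b"user|", challenge))
```

Because every answer is bound to a fresh server challenge, a captured answer cannot be replayed against a later login.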
Google’s new Password Free Account Sign-In
Although primarily a two-factor authentication system, Google's new password-free sign-in, which they are working on, also provides mutual authentication, as Google sends the user a challenge on another platform or device known to be from Google as part of the login process. This has been designed so that a user does not have to enter their password; instead the user is sent a challenge, and the system waits for a response from the user on another device known to be theirs, thereby providing multifactor authentication without compromising the user's password.
The process is as follows. Please note that the images included in the following steps have been retrieved from Paul Rohit (Rohit, 2015) but have been modified to remove Paul's credentials accordingly.
1. The user accesses the Google sign-in page.
2. The user enters their username (email address) and clicks Next.
3. A page is displayed informing the user to check their phone and, when a notification appears from Google, to choose a specific value.
4. The user accesses their phone; a message from Google appears in the notification bar asking the user to confirm that they are trying to sign in.
5. The user chooses Yes.
6. The user is then provided with a selection of choices and chooses the one matching the message they received when they went to log in via the browser.
7. The user is then logged in to their account in the browser.
This offers several benefits, as follows:
1. The user never has to enter their password (although there is a facility to access their account in the event that they have no reception etc.).
2. The system uses multifactor authentication involving something they know (username) and something they have (password).
3. As well as authenticating the user, the system also allows the user to authenticate the system, as they know that when they enter their username and click Next, a response will be required from the other registered device.
Potential problems with the system
1. The main problem with this system is if the user loses their phone and it is unlocked: an attacker will then easily be able to access the user's Google account and data.
2. Google allows you to set up multiple accounts on multiple devices; I would presume that the user will pick the device which receives the challenge.
Although everyone needs
References
Alliance, N. C. (n.d.). Passwords & Securing Your Accounts. Retrieved 12 15, 2015, from https://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/passwords-and-securing-your-accounts
APWG Anti-Phishing Working Group. (n.d.). How to Avoid Phishing Scams. Retrieved 12 29, 2015, from apwg.org: http://apwg.org/resources/overview/avoid-phishing-scams
Contesti, D.-L., Andre, D., Waxvik, E., Henry, P., & Goins, B. (2007). Official ISC2 Guide to the SSCP CBK (p. 7). CRC Press. Retrieved 1 10, 2016.
EMC.com. (n.d.). Hardware Tokens. Retrieved 12 20, 2015, from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm
Fruehe, J. (2015, 9 15). The Internet Of (Insecure) Things. Retrieved 1 9, 2016, from forbes.com: http://www.forbes.com/sites/moorinsights/2015/09/15/the-internet-of-insecure-things/
Gartner. (2015, 11 10). Retrieved 12 29, 2015, from gartner.com: http://www.gartner.com/newsroom/id/3165317
Harris, S. (2013). All in one CISSP Exam Guide (6th ed., p. 164). McGraw-Hill Companies. Retrieved 12 21, 2015.
Helman, C. (2015, 4 14). Internet Of Things? We've Been Doing That For 25 Years. Retrieved 1 8, 2016, from forbes.com: http://www.forbes.com/sites/energysource/2015/04/14/internet-of-things-weve-been-doing-that-for-25-years/?ss=connect-world
Hewlett Packard Enterprise. (2015). Internet of things Research Study. Retrieved 12 29, 2015, from http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
social-engineer.org. (n.d.). What is Social Engineering? Retrieved 12 28, 2015, from http://www.social-engineer.org/
Huawei.com. (2015). Better Connected World. Retrieved 1 9, 2016, from http://www.huawei.com/better-connected-world/en/
ISC2. (2015). Phishing Attacks. In Official (ISC)2 training Guide CISSP CBK (p. 87). ISC Press. Retrieved 12 10, 2015.
Kaspersky Lab. (2015, 12 7). Nigerian Scammers Use the War in Syria to Extort Money from the International Community. Retrieved from kaspersky.com: http://www.kaspersky.com/about/news/spam/2015/Nigerian-Scammers-Use-the-War-in-Syria-to-Extort-Money-from-the-International-Community
Kaspersky Lab. (2015, 12 23). Phishing Messages Deliver Chaos to Consumers this Christmas. Retrieved 12 29, 2015, from kaspersky.com: http://www.kaspersky.com/about/news/spam/2015/Phishing-Messages-Deliver-Chaos-to-Consumers-this-Christmas
Kirk, J. (2014, 3 4). Pre-installed malware turns up on new phones. Retrieved 12 20, 2015, from PCWorld.com: http://www.pcworld.com/article/2104760/preinstalled-malware-turns-up-on-new-phones.html
Kumar, M. (2016, 1 13). How to hack WiFi password from smart doorbells. Retrieved 1 18, 2016, from thehackernews.com: http://thehackernews.com/2016/01/doorbell-hacking-wifi-pasword.html
McLaughlin, M. (2011, December). A pen tester's perspective on creating a secure password. Retrieved 12 22, 2015, from ComputerWeekly.com: http://www.computerweekly.com/tip/A-pen-testers-perspective-on-creating-a-secure-password
Mimecast. (2015). Countdown to Compromise: The Timeline of a Spear-Phishing Attack on Your Organization. Mimecast. Retrieved 12 29, 2015, from https://www.mimecast.com/globalassets/documents/whitepapers/ttp-whitepaper-2015.pdf
Palmer, M. (2006, 11 3). Data is the New Oil. Retrieved 1 9, 2016, from http://ana.blogs.com/maestros/2006/11/data_is_the_new.html
PayPal.com. (n.d.). Suspicious Activity. Retrieved 12 20, 2015, from https://www.paypal.com/webapps/mpp/security/suspicious-activity
Ragan, S. (2015, 12 28). Database Configuration issues expose 191 million voter records. Retrieved 12 29, 2015, from csoonline.com: http://www.csoonline.com/article/3018592/security/database-configuration-issues-expose-191-million-voter-records.html
Reid, T. (1786). Essays on the Intellectual Powers of Man. Retrieved 12 28, 2015, from https://archive.org/details/essaysonintellec02reiduoft
Rohit, P. (2015, 12 22). Retrieved from https://docs.google.com/presentation/d/1SgRcnhqMrUWvhBvrMrQRgn3zYfivdg1V8Pv0hc4unKo/edit#slide=id.p5
Rouse, M. (n.d.). Mutual authentication definition. Retrieved 12 10, 2015, from TechTarget.com: http://searchsecurity.techtarget.com/definition/mutual-authentication
Rouse, M. (n.d.). Authentication, authorization, and accounting (AAA) definition. Retrieved 12 28, 2015, from TechTarget.com: http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting
RSA. (n.d.). RSA Online Fraud Resource Center. Retrieved 12 29, 2015, from http://ireland.emc.com/emc-plus/rsa-thought-leadership/online-fraud/index.htm
SecurityWeek.com. (2010). Study Reveals 75 Percent of Individuals Use Same Password for Social Networking and Email. Retrieved 12 9, 2015, from http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email
SMX Cloud Solutions. (2015, 9 3). SMX security alert: Spear phishing and whaling. Retrieved 12 29, 2015, from smxemail.com: https://smxemail.com/smx-security-alert-spear-phishing-and-whaling.html
Telesign. (2015). TeleSign Consumer Account Security Report. Retrieved 12 22, 2015, from https://www.telesign.com/site/wp-content/uploads/2015/06/TeleSign-Consumer-Account-Security-Report-2015-FINAL.pdf
Visa.com. (2015, 12 24). Security. Retrieved from https://usa.visa.com/support/consumer/security.html
Figures
Figure 1: Data is the new Oil. Retrieved from http://www.futuristgerd.com/2013/08/14/great-piece-on-why-data-is-indeed-the-new-oil-linkedin-connects-big-data-human-resources-via-wapo/ (p. 6)
Figure 2: RSA SecureID Token. Retrieved from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm (p. 10)
Figure 3: Phishing (p. 15)
Figure 4: Phishing attacks per day. Retrieved from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/ (p. 16)
Figure 5: Kaspersky.com: The proportion of spam in email traffic, October 2014 – March 2015 (p. 17)
Figure 6: Phishing website example. Retrieved from https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/ (p. 18)
Figure 7: PayPal: Recognize fraudulent emails and websites webpage. Retrieved from https://www.paypal.com/webapps/mpp/security/suspicious-activity (p. 21)
Figure 8: Recent Phishing scams. Retrieved from https://getprotected.asu.edu/phishing#accountexpirationalert (p. 22)