
The need for Mutual Authentication when dealing with websites


Running head: THE NEED FOR MUTUAL AUTHENTICATION 1

The need for Mutual Authentication

T Brett

Senior Lecturer and Technical Advisor

Institute of Public Administration / Sensei Cyber Security

Author Note

Information Systems Consultancy and training services

[email protected]


Table of Contents

Abstract ... 4
The need for Mutual Authentication ... 5
  Current Technology Trends ... 5
  Access Control and the three A’s ... 7
    CIA Triad ... 8
      Confidentiality ... 8
      Integrity ... 8
      Availability ... 8
    The Triple A System of Authentication, Authorization and Accountability ... 8
      Authentication ... 9
      Authorization ... 9
      Accountability ... 9
    Factors of Authentication ... 9
      Type 1. Knowledge Based - Something you know ... 9
      Type 2. Token Based - Something you have ... 10
      Type 3. Characteristic Based - Something you are ... 10
      Multifactor Authentication ... 10
Common Risks and Attack Methods affecting Authentication Systems ... 11
  The User ... 11
  Type 1 Authentication ... 11
    Dictionary and brute force attacks ... 12
    Key loggers ... 12
    Social engineering ... 12
    Phishing attacks ... 12
  Type 2 Authentication ... 13
  Type 3 Authentication ... 14
  Multi factor Authentication ... 15
  Phishing ... 15
    Types of Phishing attacks ... 19
    Avoiding phishing scams ... 19
    What to do if you think that you have been phished ... 21
    Does multifactor authentication help reduce Phishing attacks ... 22
  Mutual Authentication ... 24
    Google’s new Password Free Account Sign-In ... 25
References ... 30


Abstract

With the increased use of online services and the growing frequency of cyber breaches, the need for better security has never been more important. When IT systems and websites are analysed, the user is commonly found to be the weakest link, often fooled into disclosing part or all of their login credentials to others masquerading as a system, process or colleague. These login credentials are used to identify and authenticate users to systems, whoever they may be. Combined with the fact that users still reuse passwords across multiple sites and applications, and with the number of phishing sites being set up, the protection of login credentials is paramount to the security of any, and possibly all, systems. To protect systems and users against these types of attack, it is imperative that organisations develop and implement systems incorporating mutual authentication before passwords are submitted for authentication purposes.

Keywords: Authentication, Authorisation, Identification, CIA, Phishing, two way authentication, mutual authentication


The need for Mutual Authentication

Current Technology Trends

The world we live in has changed vastly over the last decade. Although some have been online for up to 25 years (Helman, 2015), we are now living in a ‘connected world’ where we are constantly engaging and communicating online, and the separation between our physical and online presence is becoming increasingly blurred.

The following tagline from Huawei’s website illustrates the company’s prediction for the near future: “Soon connectivity will be everywhere, improving life even in the far reaches of the world” (Huawei.com, 2015).

The number and types of devices being connected are increasing all the time; this explosion has given rise to the term ‘Internet of Things’ (IoT), where people now interface with devices such as door bells, kettles and watches over their internet-connected networks in a drive to access and control literally everything from any device. A report from Gartner states that there will be 6.4 billion connected devices in 2016, an increase of 30% over 2015 (Gartner, 2015).


A huge problem with this explosion is that companies want access to data, and this data is considered the new oil. The first reference I could find to it was back in 2006, by Michael Palmer, who states in his blog that “Data is just like crude. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc to create a valuable entity that drives profitable activity” (Palmer, 2006).

Figure 1: Data is the new Oil. Retrieved from http://www.futuristgerd.com/2013/08/14/great-piece-on-why-data-is-indeed-the-new-oil-linkedin-connects-big-data-human-resources-via-wapo/

As has been seen in the past, when there is a rush for connectivity, security is often neglected or treated as an afterthought, leaving vulnerabilities which can be used to compromise systems and gain access to this valuable data. With the increasing number of vulnerabilities being identified in devices, some are starting to brand the ‘Internet of Things’ the “Internet of (Insecure) Things” (Fruehe, 2015). A recent study and report from HP (Hewlett Packard Enterprise, 2015) highlighted a number of concerns, which include the following:

- 80 percent of the devices studied raised privacy concerns
- 70 percent of devices used unencrypted network services
- 6 out of 10 devices studied used user interfaces which were vulnerable to a range of known attacks like persistent XSS and weak credentials
- 80 percent failed to require long or complex passwords

As these devices become interconnected, a simple vulnerability in a single device may be used to compromise all of the other interconnected devices; an example of this could be the disclosure of authentication credentials or encryption keys in plain text from one device to another.

Several such vulnerabilities have been exploited: some devices have even been found to have malware included within their firmware (Kirk, 2014), and other devices have been found to store wireless keys and passwords in plaintext (Kumar, 2016). This, coupled with less secure systems popping up to hold and manage the data, creates a concern; during the time I have been writing this article a new headline reports that the Personally Identifiable Information (PII) of 191 million U.S. voters has been compromised in one single incident because of a misconfigured database (Ragan, 2015).

With more of these devices sharing information, our online profiles are growing. This, along with the increased value of data and PII, creates an increasing need to secure and control access to this information, as cybercriminals will invest more time and resources to gain access. There is also the new European Data Protection Regulation coming into effect, under which strict fines will be imposed for breaches leading to data leaks; organisations now have a legal as well as a moral obligation to implement adequate levels of security.

Access Control and the three A’s

Access is the flow of information between a subject and an object: the subject is the active entity which requests access and the object is the passive entity to which access is requested. Access is not only required by users to access systems and data; it is also required by systems and applications, therefore a subject can be a user, program or process, and an object can be a computer, a file, a database etc.

CIA Triad

Security as a word is a broad term; when dealing with security in information systems we want to be more specific, so we break the overall term into three distinct categories: confidentiality, integrity and availability. These three categories of security are commonly known as the CIA Triad.

Confidentiality: ensuring that only authorized entities have access.

Integrity: ensuring the accuracy of the information held.

Availability: ensuring that resources are available as and when needed.

The Triple A System of Authentication, Authorization and Accountability

When working with security, it is not enough to simply control access to objects; we also need to identify and record which objects have been accessed by which subjects and what tasks were performed on them (read, write etc.).

To maximize our effectiveness in securing resources we implement the triple A system, which according to TechTarget.com “is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.” (Rouse)

This ‘Triple A’ system consists of Authentication, Authorization and Accounting, each briefly explained below:


Authentication

Identification is used to present an identity to a system. Identification alone is just a claim: when identifying itself, the entity claims to be that person or process. Because identification is weak, we cannot simply accept a subject’s expressed identity, so the subject proves its identity by providing some proof, such as a password or another form, for example a smart token or a biometric scan. Providing the proof that a subject is in fact who they claim to be is known as authentication.

Authorization

Authorization is what the subject can perform (for example read, write etc.) on the object. There are numerous methods of controlling what can be performed; these are known as access control models. Examples include Discretionary Access Control, Mandatory Access Control and Role Based Access Control.

Accountability

Accountability is the measuring and/or recording of what was accessed by the entity. It is extremely important to record what is performed in order to audit and report on the effectiveness of any system, to identify what subjects did to objects, and potentially to hold subjects accountable or to remediate and reduce risks.

Factors of Authentication

There are three factors of authentication:

Type 1. Knowledge Based - Something you know

Type 1, or what you know, involves proving your identity by use of a secret phrase or password that you have already shared with the system. What you know is the most common form of authentication, but it is also one of the most open to attack if not used correctly. This will be addressed later in the section entitled ‘Risks’.

Type 2. Token Based - Something you have

Type 2, or what you have, involves the use of something in your possession; this could be a smart card or some other device (a smart card is a credit-card sized card that has an embedded certificate used to identify the holder).

Type 3. Characteristic Based - Something you are

Biometric methods provide the something you are (type 3) factor of authentication. Some of the biometric methods that can be used are fingerprints, hand geometry, retinal or iris scans, handwriting, and voice analysis.

Type 1 is the least secure, with type 3 generally considered the most secure. The editors of the Official ISC2 SSCP CBK state that “knowledge-based devices can be more easily defeated than characteristic-based devices” (Contesti, Andre, Waxvik, Henry, & Goins, 2007).

Multifactor Authentication

Where an increased level of security is required, multifactor authentication can be used. In multifactor authentication the subject must present more than one method to prove their identity. A common example is where a Visa card is presented along with a PIN code; this combines type 1 and type 2 factors, which creates a stronger and more secure authentication method because an attacker now needs to possess the card along with knowledge of the PIN code to gain access, or in this case to purchase goods. For this reason multifactor authentication is commonly referred to as strong authentication.

Multifactor authentication is still susceptible to attack, but it reduces the risk. Other examples include token based systems, see Figure 2 (EMC.com), whereby a device provides a code which needs to be entered along with the user’s password to gain entry to a system.

Figure 2: RSA SecurID Token. Retrieved from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm

Common Risks and Attack Methods affecting Authentication Systems

The User

As Thomas Reid (Reid, 1786) wrote in his essay, "In every chain of reasoning, the evidence of the last conclusion can be no greater than that of the weakest link of the chain, whatever may be the strength of the rest." This has been adapted into the widely used figurative phrase that a chain is only as strong as its weakest link, and when it comes to information systems and user authentication, the weakest link is most commonly the user. Without wishing to seem entirely against the user, the user’s habits and bad practices can easily compromise a system, but even knowledgeable, trained staff have been known to fall victim to spear phishing and social engineering attacks.

Type 1 Authentication

Type 1 authentication is generally considered the easiest to beat; the level of difficulty depends on a number of practices, including the following:

Complexity: the creation of the phrase involving alpha, numeric and non-alphanumeric characters.

Length: the longer the phrase, the more difficult (longer to crack, time wise) it is to attack.

History: not allowing a previous password or phrase to be repeated before a set amount of time or number of changes has occurred.


One also has to consider, though, that the more complex a password is, the more likely it is that a user will record it somewhere and also use it on multiple systems. This is especially true when it comes to long passwords or phrases.

Some common methods of compromising Type 1 authentication:

Dictionary and brute force attacks: both dictionary and brute force attacks are methods where the attacker uses a program to automate the entry of the user’s credentials. The difference between the two is that in a dictionary attack the attacker uses a prebuilt file of common passwords and phrases, whereas in a brute force attack the attacker tries every combination of characters to break the password. Both are extremely powerful, with dictionary attacks being considerably quicker, which is why users should not use common phrases.

Key loggers: key loggers are devices and/or software used to record the keystrokes entered into systems; they can either write the data to files or ROMs (in the case of devices) or transmit the captured keystrokes to a remote application or database.

Social engineering: social engineering attacks are considered the least technical and are the first choice for many attackers. Social-Engineer.org define Social Engineering as “a blend of science, psychology and art. While it is amazing and complex, it is also very simple.” They continue to state that it is “Any act that influences a person to take an action that may or may not be in their best interest.” (http://www.social-engineer.org/)

Phishing attacks: phishing attacks are a type of attack whereby the attacker masquerades as a legitimate subject or organization, contacting the user by e-mail, SMS or another channel in order to gain access to the user’s personal information and/or credentials. Phishing attacks are covered under their own heading later in this paper.


Education can be used to reduce the risks associated with type 1 authentication. staysafeonline.org have published a list of tips for securing accounts and passwords, as follows (Alliance, n.d.):

- Do not share your password with others.
- Make your password unique to your life and not something that is easily guessed.
- Have a different password for each online account.
- Write down your password and store it in a safe place away from your computer.
- Change your password several times a year.

Even with all of the advice commonly delivered by many websites and articles, it is still very common for users to reuse their password on more than one website. A frightening statistic was released in an online article on SecurityWeek.com, which said that BitDefender conducted a study of over 250,000 user accounts for social networking sites and found that 75 percent of the username and password combinations were identical to those of their email accounts (SecurityWeek.com, 2010). A more recent study commissioned by TeleSign in 2015 concluded that 73 percent of online attacks use duplicated passwords, that more than half of consumers (54%) use five or fewer passwords in their whole life, and that 22% use just three or fewer (Telesign, 2015).

Type 2 Authentication

The benefit of Type 2 authentication is that the attacker must gain access to something that the subject is in possession of in order to gain access to a system. A disadvantage of these systems is that users can become over-confident about security because of this and may be careless with the devices they possess. Some devices can be cloned easily (for example RFID cards), and devices can also be lost or stolen, allowing an attacker to easily gain access to a system.

Type 3 Authentication

Although biometrics is generally considered the most secure form of authentication, it too is prone to errors. There is always the likelihood of a misreading, which could be caused by a number of factors: for example, in signature dynamics it could be a change in the way a user signs their name due to a differently placed work surface or an injury; it could be caused by direct sunlight during the scanning; and it could even be dirt on the subject’s hand or finger during a fingerprint or palm scan.

In order to reduce errors when logging in, the system sensitivity is adjusted. When the system is adjusted to accept only exact matches, type 1 errors (false rejections) will happen, which is when a user who should be authenticated is refused. When the system is adjusted to accept more deviation in the biometric scan, this introduces type 2 errors (false acceptances), which is the possibility of an unauthorized user being accepted. The point at which the type 1 and type 2 error rates cross as the sensitivity is varied is known as the Crossover Error Rate (CER).
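The following worked example, added here and not part of the paper, uses constructed match scores to show how the false rejection rate (type 1 errors) and false acceptance rate (type 2 errors) move in opposite directions as the acceptance threshold is tightened, and locates the crossover point that gives the CER.

```python
"""Biometric error rates and the Crossover Error Rate (added example, not from the paper).

Constructed match scores stand in for a sensor's output: a higher score means a
closer match to the enrolled template. The system accepts an attempt when its
score reaches the threshold. Tightening the threshold raises the false rejection
rate (type 1 errors); loosening it raises the false acceptance rate (type 2
errors). Where the two curves cross is the CER.
"""
from typing import List, Tuple

# Constructed sample data (hypothetical): similarity scores on a 0-100 scale.
GENUINE_SCORES = [55, 62, 68, 70, 74, 77, 80, 83, 88, 92]   # the enrolled user
IMPOSTOR_SCORES = [20, 31, 38, 45, 50, 58, 61, 66, 71, 79]  # other people


def false_rejection_rate(threshold: int, genuine: List[int]) -> float:
    """Type 1 error: share of genuine attempts scoring below the threshold."""
    rejected = sum(1 for score in genuine if score < threshold)
    return rejected / len(genuine)


def false_acceptance_rate(threshold: int, impostor: List[int]) -> float:
    """Type 2 error: share of impostor attempts scoring at or above the threshold."""
    accepted = sum(1 for score in impostor if score >= threshold)
    return accepted / len(impostor)


def error_curves(genuine: List[int], impostor: List[int],
                 lo: int = 0, hi: int = 100) -> List[Tuple[int, float, float]]:
    """Tabulate (threshold, FRR, FAR) for every integer threshold from lo to hi."""
    return [(t, false_rejection_rate(t, genuine), false_acceptance_rate(t, impostor))
            for t in range(lo, hi + 1)]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Return (threshold, CER): the threshold where FRR and FAR are closest,
    and the error rate there (their mean, which equals both when they meet).
    """
    best_threshold, best_gap, best_rate = 0, float("inf"), 1.0
    for threshold, frr, far in error_curves(genuine, impostor):
        gap = abs(frr - far)
        if gap < best_gap:                      # lowest threshold wins ties
            best_threshold, best_gap, best_rate = threshold, gap, (frr + far) / 2
    return best_threshold, best_rate


if __name__ == "__main__":
    for t in (50, 67, 90):                      # loose, crossover, strict
        print(f"threshold {t:3d}: FRR={false_rejection_rate(t, GENUINE_SCORES):.1f} "
              f"FAR={false_acceptance_rate(t, IMPOSTOR_SCORES):.1f}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores a strict threshold of 90 rejects nine of ten genuine attempts while accepting no impostor, a loose threshold of 50 rejects nobody but accepts six of ten impostors, and the curves cross at 67 with a CER of 0.2.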


Multi factor Authentication

Although multifactor authentication reduces the risk of a site and account being compromised, it is still open to attack. Attacking multifactor authentication involves the attacker gaining access to each of the authentication methods used, which causes an attacker more work, but such systems can still be compromised via man-in-the-middle attacks, trojans or account recovery attacks etc. An article published in ComputerWeekly.com states that while using multiple different types of authentication, including biometrics, is excellent at protecting the login process of devices, “these technology options will not protect organisations if users reuse the same insecure passwords on other systems that use only single-factor, password-based authentication.” (McLaughlin, 2011)

Phishing

Phishing is a type of fraud; it can happen in a variety of ways, from attackers sending emails or using other channels of communication to setting up fake websites.

The function of phishing is clear and simple: to obtain credentials or account information by masquerading as a reputable entity. According to Visa, “Phishing refers to scams that attempt to trick consumers into revealing personal information that can be used to commit fraud. Such scams can happen over the phone, email, mail and text message. Phishers often target users with fake internet sites or email messages that are disguised to seem legitimate, or leverage social networking sites where users are already sharing information with others.” (Visa.com, 2015) ISC2 give a similar definition: “Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization.” (ISC2, 2015)

Figure 3: Phishing

Phishing is a popular technique used by cybercriminals because it is easier to trick a user into disclosing credentials than to break through a system’s defenses. Users are often intrigued by phishing emails, wondering who would fall for them; some of these emails are badly designed, containing numerous spelling and grammar mistakes, but others look professional and can be difficult for the untrained user to spot. A recent whitepaper by Mimecast informs us “that 91% of all hacking begins with an email-based phishing or spear-phishing attack” (Mimecast, 2015). RSA, the security division of EMC, report that they identify “a phishing attack every minute”; they further inform us that in 2014 “Phishing attacks cost global organizations $4.5 billion in losses” (RSA). Current research does, however, show an overall decline in the use of phishing attacks; this can be seen in an online report entitled Spear-phishing statistics from 2014-2015 by infosecinstitute.com, released mid 2015 (see Figure 4), and these figures are also evident in research conducted by Kaspersky Lab, illustrated in the following graph (Figure 5).

Figure 4: Phishing attacks per day. Retrieved from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/

Figure 5: Kaspersky.com: The proportion of spam in email traffic, October 2014 – March 2015. Retrieved from http://www.kaspersky.com/about/news/virus/2015/Spam-and-Phishing-in-Q1-New-domains-revitalize-old-spam

The frequency of these attacks can and does fluctuate with high profile events. As an example, Kaspersky Lab reported an increase in phishing mails due to the war in Syria; they state that “Widespread media coverage has increased international interest in the plight of Syrian citizens, and this has led Nigerian scammers to jump on the bandwagon and exploit the kindness of strangers looking to help those affected by events in the Middle East.” They also state that although most of the emails are in English, they are also being sent in German, French and Arabic, and that these emails “claim to be from Syrian citizens seeking asylum in Europe and request assistance in investing large sums of money” (Kaspersky Lab, 2015).

Although the widespread use of phishing may have decreased, there has been an increase in more targeted spear phishing and whaling campaigns. This is emphasized by a security alert issued on the third of September 2015 by SMX Secure Cloud Solutions, where they state that there is a rise in targeted emails (spear phishing); they further state that “We would also like to warn that attackers are undertaking sophisticated whaling attacks, researching and identifying 'big fish' within an organisation. These individuals are then attacked with a combination of social engineering and email spoofing techniques in order to elicit funds” (SMX Cloud Solutions, 2015). Kaspersky Lab also identify an increase in the use of targeted phishing during the weeks leading up to Christmas for customers of DHL and FedEx, as attackers exploit online shoppers’ spending sprees (Kaspersky Lab, 2015); an example of one such email can be seen in Figure 6. All of these facts clearly show that phishing attacks are still very relevant and illustrate the importance of properly managing the risk accordingly.

Figure 6: Phishing website example. Retrieved from https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/


Types of Phishing attacks

Spear phishing

Spear phishing is a type of attack directed at specific individuals, roles or organisations. Because these attacks are aimed specifically at an entity, the attacker may go to great lengths to gather information which may be used to make the attack more believable, therefore increasing the likelihood of success.

Whaling

Whaling is a type of phishing attack aimed specifically at executive officers or other high profile targets; these are also generally aimed at a specific organization, role or individual, so can generally be categorized as a sub-form of spear phishing attack.

Smishing

Smishing is a type of attack sent through an SMS message, consisting of a message and either a bogus URL, a telephone number or a request for an SMS response.

Vishing

Vishing is a type of attack where an automated system is used to make calls and a recorded message is played requesting login details; the system may ask you to call out or to enter your PIN or passphrase, with a view to recording it and using it at a later time.

Avoiding phishing scams

Although the best defence for any type of phishing attack is user knowledge and training, there are some general guidelines and best practices. APWG.org identify the following main points (APWG Anti-Phishing Working Group):

- Be suspicious of any email or communication (including text messages, social media posts, ads) with urgent requests for personal financial information.
- Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify its legitimacy is also an option.
- Don’t send personal financial information via email, and avoid filling out forms in email that ask for your information.
- Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.

Other general guidelines include checking website digital certificates and validating email and website addresses, including their correct spelling etc.

Most online organisations now communicate the common message that they will not request your credentials from you; this is to combat phishing scams. The figure below shows an example from PayPal (Figure 7) (PayPal.com).

Figure 7: PayPal: Recognize fraudulent emails and websites webpage. Retrieved from https://www.paypal.com/webapps/mpp/security/suspicious-activity

These messages generally provide examples of suspicious emails and may provide steps to take in the event that you have been caught by such an attack.

What to do if you think that you have been phished

Whether you have fallen victim to a successful phishing attack or have just received a communication and suspect it to be a phishing scam, do not click on any of the links; check the source of the message and contact the organization which is supposed to have sent the message by using another form of communication, either by directly opening their website or by contacting one of their support numbers.

One of the biggest problems with phishing messages is that when we detect one we just delete it; the problem here is that less experienced users may not identify it as a hoax and may act on it. Organisations should train users on how to identify hoax messages and provide a point of contact where suspect messages can be sent. Organisations can then also create their own phishing messages to audit and report on the effectiveness of training within the organization. Organisations can then publicize the types of phishing scam emails to users to raise awareness; an example from Arizona State University is illustrated in Figure 8.

Figure 8: Recent Phishing scams. Retrieved from https://getprotected.asu.edu/phishing#accountexpirationalert

Does multifactor authentication help reduce Phishing attacks

This really depends on the type of multifactor authentication and how it is used. The most common current methods of multifactor authentication involve sending an SMS message or email to the registered user’s account which includes a code or challenge; this code, or an answer to the challenge, needs to be included in the login process by the user to fully authenticate with the site. An example of this type of login would be as follows:

1. User opens login page
2. User enters username and password combination
3. Site sends a phrase or code to the user via SMS or email
4. User enters the code
5. The code is checked and, if valid, access is granted.

Problems with these types of multifactor authentication

The main problem with this form of multi-factor authentication is that it is designed only to prevent access to the site or application. Considering that many users re-use their passwords and that the login username is generally their email address, the user is still exposed if a copy of the site is used for phishing: the fact that the phishing site never sends the SMS or email is irrelevant, because the user's credentials have already been submitted to it. A phishing site that wants the code as well can simply ask for it and forward it to the genuine site while it is still valid, so the code delays an account takeover rather than preventing it.

Multifactor authentication can even be turned to the attacker's advantage. A hoax login page could inform the user that new challenges have been introduced to increase security and that they must enter a mobile number to associate with their account; the user is then told that they will receive an SMS message containing a code which must be entered before login. This code could be a single static value and need not even be validated, and given the number of SMS messaging services and devices available, the message may not be traceable back to the sending device. The effect is to lend the phishing page credibility while also harvesting the user's mobile number.


Better authentication approaches for dealing with phishing scams

To protect a user's credentials from phishing sites, it is important to limit the credentials a user must submit to be authenticated and instead to provide some form of one-time password. A one-time password is exactly that: a password or passphrase which can be used only once. This is not new; several versions have been used over the years within enterprise environments for staff, just not with the general public. In the more common schemes a piece of software or a token device of some sort is in the possession of the user. When the user logs in they are either asked for the value currently shown by the device (a counter- or time-based code), or they are presented with a challenge which they enter into the device to obtain a response; that response is then used to authenticate the user. Because each value is accepted only once, a code captured by a phishing site cannot be replayed later.
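The one-time password and challenge-response schemes just described, as an added example written for this paper (it is not code from any token vendor): a counter-based code in the style of RFC 4226 HOTP, a challenge-response variant, and the server-side checks that make each value usable exactly once. The token secret (the RFC 4226 test-vector seed), the lookahead window and the six-digit length are illustrative choices.

```python
"""One-time passwords as produced by OTP tokens: an HMAC-based counter
code (HOTP, RFC 4226) and a challenge-response variant, each with a
server-side verifier that refuses to accept the same value twice.

Added example for this paper; secrets and window sizes are illustrative.
"""
import hashlib
import hmac
import secrets


def truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation from RFC 4226: take 4 bytes at an offset given by
    the last nibble of the MAC, clear the sign bit, keep `digits` digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a shared secret and an 8-byte big-endian counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return truncate(mac, digits)


class HotpVerifier:
    """Server side of a counter-based token. Accepts any of the next `window`
    codes (the user may have generated codes without logging in) and then
    moves past the one that matched, so a captured code is dead once used."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consumes this and every earlier counter
                return True
        return False


class ChallengeResponseVerifier:
    """Server side of a challenge-response token: the site issues a random
    challenge, the device answers with HMAC(secret, challenge) truncated to
    digits. A challenge is forgotten as soon as it is answered, right or wrong."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}         # session id -> outstanding challenge bytes

    def issue_challenge(self, session: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[session] = challenge
        return challenge

    @staticmethod
    def token_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
        """What the user's device computes from the challenge it was shown."""
        mac = hmac.new(secret, challenge, hashlib.sha256).digest()
        return truncate(mac, digits)

    def verify(self, session: str, response: str) -> bool:
        challenge = self.pending.pop(session, None)   # single use either way
        if challenge is None:
            return False
        expected = self.token_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both schemes through a login, then replay the captured values."""
    seed = b"12345678901234567890"   # RFC 4226 test-vector secret, illustrative
    hv = HotpVerifier(seed)
    first = hotp(seed, 0)
    out = {"hotp_0": first,
           "hotp_first_use": hv.verify(first),
           "hotp_replay": hv.verify(first)}     # same code again: rejected

    cr = ChallengeResponseVerifier(seed)
    chal = cr.issue_challenge("sess-1")
    resp = cr.token_response(seed, chal)
    out["cr_first_use"] = cr.verify("sess-1", resp)
    out["cr_replay"] = cr.verify("sess-1", resp)  # challenge already consumed
    return out


if __name__ == "__main__":
    print(demo())
```

The verifier compares with `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time as a right one, and the HOTP window is deliberately small: a larger window gives an attacker who has captured several codes more chances to find one the server has not yet passed.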

Mutual Authentication

To reduce the risk of a user's credentials being captured by phishing scams, there is a growing need for a method whereby the website (the object) authenticates itself to the user (the subject) as well as the subject authenticating to the object. This is where mutual authentication comes into play.

Shon Harris tells us that "Mutual authentication is when two entities must authenticate to each other before sending data back and forth. Also referred to as two-way authentication" (Harris, 2013). With mutual authentication, before any sensitive data such as a password is communicated to a website, the site must first authenticate its identity to the subject accessing it, and only then does the subject authenticate to the site. This can serve many purposes, but in this paper the purpose is to prevent the unwanted disclosure of sensitive data to phishing sites. Note that a site's TLS certificate already authenticates it to the browser, but not to the user in any useful way: a phishing site can hold a perfectly valid certificate for its own look-alike domain, so the padlock only confirms the name in the address bar, which is exactly what the victim has misread. What is needed is evidence that the user, not just the browser, can check.


The definition on TechTarget.com adds that "Mutual authentication is gaining acceptance as a tool that can minimize the risk of online fraud in e-commerce" (Rouse, Mutual Authentication, n.d.).

Several methods of mutual authentication could exist. A simple version is that, upon registering, the user submits a graphic or phrase; when they later log in they supply their username first, and the site shows them their image or passphrase before asking for their password. If the image or phrase is missing or wrong, the user should stop and not enter the password. The weakness of this scheme is that it depends on the user noticing an absence, and a phishing site that forwards the username to the genuine site in real time can fetch and display the correct image, so it is best treated as one signal rather than a complete defence.
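The two-way exchange that the Harris definition requires, as an added example written for this paper (it is not taken from any product): a client and a site that share a secret established at registration each prove knowledge of it with an HMAC over fresh nonces, and the site has to go first. The message layout, the nonce sizes and the `Site`, `ImpostorSite` and `Client` names are assumptions of this example.

```python
"""Mutual authentication as a two-way challenge-response. The site proves it
knows the user's secret before the client releases its own proof, so a
look-alike site that lacks the secret receives nothing it can reuse.

Added example for this paper; message layout and nonce sizes are illustrative.
"""
import hashlib
import hmac
import secrets


def proof(secret: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    """HMAC over a role tag and both nonces. The tag stops a site proof from
    being reflected back to the site as a client proof, and vice versa."""
    return hmac.new(secret, role + first + second, hashlib.sha256).digest()


class Site:
    def __init__(self, secrets_by_user: dict):
        self.secrets_by_user = secrets_by_user    # username -> shared secret

    def respond(self, username: str, client_nonce: bytes):
        """Step 2: answer the client's nonce with our own nonce and our proof."""
        secret = self.secrets_by_user.get(username)
        if secret is None:
            return None
        site_nonce = secrets.token_bytes(16)
        return site_nonce, proof(secret, b"site", client_nonce, site_nonce)

    def verify_client(self, username: str, client_nonce: bytes,
                      site_nonce: bytes, client_proof: bytes) -> bool:
        """Step 4: check the client's proof over the same pair of nonces."""
        secret = self.secrets_by_user.get(username)
        if secret is None:
            return False
        expected = proof(secret, b"client", site_nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


class ImpostorSite(Site):
    """A phishing copy: it has the login page but not the secrets, so the
    best it can do is answer with random bytes and hope the client continues."""

    def respond(self, username: str, client_nonce: bytes):
        return secrets.token_bytes(16), secrets.token_bytes(32)


class Client:
    def __init__(self, username: str, secret: bytes):
        self.username = username
        self.secret = secret

    def login(self, site: Site) -> str:
        """Run the exchange; returns 'ok', 'site-failed' or 'rejected'."""
        client_nonce = secrets.token_bytes(16)                    # step 1
        reply = site.respond(self.username, client_nonce)
        if reply is None:
            return "site-failed"
        site_nonce, site_proof = reply
        expected = proof(self.secret, b"site", client_nonce, site_nonce)
        if not hmac.compare_digest(expected, site_proof):         # step 3
            return "site-failed"      # abort: nothing secret has left the client
        client_proof = proof(self.secret, b"client", site_nonce, client_nonce)
        ok = site.verify_client(self.username, client_nonce, site_nonce, client_proof)
        return "ok" if ok else "rejected"


def demo() -> dict:
    secret = secrets.token_bytes(32)            # shared at registration
    alice = Client("alice", secret)
    genuine = Site({"alice": secret})
    phish = ImpostorSite({})
    forged = genuine.verify_client("alice", b"\0" * 16, b"\0" * 16,
                                   secrets.token_bytes(32))
    return {"genuine": alice.login(genuine),
            "phishing": alice.login(phish),
            "forged_client_proof": forged}


if __name__ == "__main__":
    print(demo())
```

The client's secret here is an HMAC key held by software rather than a memorised password, which is what makes the site's proof checkable at all; the image or phrase scheme above is the human-readable equivalent, with the user doing the check by eye. An attacker who relays messages between the real client and the real site in real time is not stopped by this exchange alone; binding the proofs to the TLS session (channel binding) is the usual remedy.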

Google's new password-free account sign-in

Although primarily a two-factor authentication system, the password-free sign-in that Google is working on also provides a form of mutual authentication, because Google sends a challenge to another device already known to belong to the user, through a channel the user knows to be Google's, as part of the login process. It is designed so that the user does not have to enter their password; instead the service sends a challenge and waits for the user's response on another device known to be theirs, providing multi-factor authentication without exposing the user's password to the page in front of them.

The process is as follows. Please note that the images in the following steps were retrieved from Paul Rohit (Rohit, 2015) but have been modified to remove Paul's credentials.

1. The user accesses the Google sign-in page.

2. The user enters their username (email address) and clicks Next.

3. A page is displayed telling the user to check their phone and, when a notification from Google appears, to choose a specific value.

4. On the phone, a message from Google appears in the notification bar asking the user to confirm that they are trying to sign in.

5. The user chooses Yes.

6. The user is then presented with a selection of values and chooses the one matching the message shown in the browser when they went to log in.

7. The user is then logged in to their account in the browser.
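The approval flow in the steps above, simulated as an added example written for this paper (it is not Google's code and makes no claim about how Google's service is built): the browser session is shown a number, the enrolled phone is pushed a prompt listing that number among decoys, and the login completes only if the matching number is chosen from the enrolled device before the prompt expires. The in-memory queues, the two-digit numbers, the three-option prompt and the expiry are assumptions of this example.

```python
"""Out-of-band sign-in approval with a number to match. The server keeps one
pending record per login attempt and accepts exactly one answer for it.

Added example for this paper; a simulation, not any vendor's implementation.
"""
import secrets
import time


class PromptSignIn:
    def __init__(self, enrolled_devices: dict, ttl_seconds: int = 120, choices: int = 3):
        self.enrolled = enrolled_devices   # username -> enrolled device id
        self.ttl = ttl_seconds
        self.choices = choices
        self.pending = {}                  # login id -> pending record
        self.phone_inbox = {}              # device id -> list of pushed prompts

    def start(self, username: str, now: float) -> tuple:
        """Steps 2-3: username entered; show a number in the browser and push
        a prompt with that number hidden among decoys to the enrolled phone."""
        device = self.enrolled[username]
        shown = secrets.randbelow(90) + 10          # two-digit number for the browser
        decoys = set()
        while len(decoys) < self.choices - 1:
            n = secrets.randbelow(90) + 10
            if n != shown:
                decoys.add(n)
        options = sorted(decoys | {shown})
        login_id = secrets.token_hex(8)
        self.pending[login_id] = {"user": username, "device": device,
                                  "shown": shown, "expires": now + self.ttl}
        self.phone_inbox.setdefault(device, []).append(
            {"login_id": login_id, "options": options})
        return login_id, shown

    def approve(self, login_id: str, device: str, chosen: int, now: float) -> bool:
        """Steps 4-6: the phone answers the prompt. Grant only if the prompt is
        still pending, unexpired, answered from the enrolled device, and the
        chosen number is the one the browser displayed. One answer per prompt."""
        rec = self.pending.pop(login_id, None)       # consumed whatever the outcome
        if rec is None or now > rec["expires"] or device != rec["device"]:
            return False
        return chosen == rec["shown"]


def demo() -> dict:
    svc = PromptSignIn({"alice": "alice-phone"})    # constructed enrolment
    t0 = time.time()

    login, shown = svc.start("alice", t0)
    prompt = svc.phone_inbox["alice-phone"][-1]
    out = {"prompt_lists_shown_number": shown in prompt["options"],
           "correct_pick": svc.approve(login, "alice-phone", shown, t0 + 5)}
    out["second_answer"] = svc.approve(login, "alice-phone", shown, t0 + 6)

    login, shown = svc.start("alice", t0)
    options = svc.phone_inbox["alice-phone"][-1]["options"]
    wrong = next(n for n in options if n != shown)
    out["wrong_pick"] = svc.approve(login, "alice-phone", wrong, t0 + 5)

    login, shown = svc.start("alice", t0)
    out["other_device"] = svc.approve(login, "mallory-phone", shown, t0 + 5)

    login, shown = svc.start("alice", t0)
    out["expired"] = svc.approve(login, "alice-phone", shown, t0 + 500)
    return out


if __name__ == "__main__":
    print(demo())
```

The number match is what turns a bare "Yes" tap into a check that the person holding the phone can also see the browser: someone whose phone receives a prompt they did not ask for has only a one-in-three chance of guessing, and each prompt answers once.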

This offers several benefits:

- The user never has to enter their password in the browser (although there is a facility to access the account with the password in the event that the phone has no reception, etc.).

- The system uses multi-factor authentication: the account identifier (username) is entered in the browser, while possession of the registered phone that receives the challenge supplies something the user has; the phone's own screen lock adds something the user knows.

- As well as authenticating the user, the system lets the user authenticate the system: they know that after entering their username and clicking Next, a prompt must arrive on their registered device through Google's own app, not through the page in front of them.

Potential problems with the system

- The main problem with this system is that if the user loses their phone while it is unlocked, an attacker will easily be able to access the user's Google account and data.

- Google allows multiple accounts to be set up on multiple devices; presumably the user will be asked to pick the device which receives the challenge.

Although everyone needs


References

Alliance, N. C. (n.d.). Passwords & Securing Your Accounts. Retrieved December 15, 2015, from https://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/passwords-and-securing-your-accounts

APWG Anti-Phishing Working Group. (n.d.). How to Avoid Phishing Scams. Retrieved December 29, 2015, from http://apwg.org/resources/overview/avoid-phishing-scams

Contesti, D.-L., Andre, D., Waxvik, E., Henry, P., & Goins, B. (2007). Official (ISC)2 Guide to the SSCP CBK (p. 7). CRC Press. Retrieved January 10, 2016.

EMC.com. (n.d.). Hardware Tokens. Retrieved December 20, 2015, from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm

Fruehe, J. (2015, September 15). The Internet Of (Insecure) Things. Forbes.com. Retrieved January 9, 2016, from http://www.forbes.com/sites/moorinsights/2015/09/15/the-internet-of-insecure-things/

Gartner. (2015, November 10). Retrieved December 29, 2015, from http://www.gartner.com/newsroom/id/3165317

Harris, S. (2013). CISSP All-in-One Exam Guide (6th ed., p. 164). McGraw-Hill. Retrieved December 21, 2015.

Helman, C. (2015, April 14). Internet Of Things? We've Been Doing That For 25 Years. Forbes.com. Retrieved January 8, 2016, from http://www.forbes.com/sites/energysource/2015/04/14/internet-of-things-weve-been-doing-that-for-25-years/?ss=connect-world

Hewlett Packard Enterprise. (2015). Internet of Things Research Study. Retrieved December 29, 2015, from http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf

social-engineer.org. (n.d.). What is Social Engineering? Retrieved December 28, 2015, from http://www.social-engineer.org/

Huawei.com. (2015). Better Connected World. Retrieved January 9, 2016, from http://www.huawei.com/better-connected-world/en/

ISC2. (2015). Phishing Attacks. In Official (ISC)2 Training Guide CISSP CBK (p. 87). ISC Press. Retrieved December 10, 2015.

Kaspersky Lab. (2015, December 7). Nigerian Scammers Use the War in Syria to Extort Money from the International Community. Retrieved from http://www.kaspersky.com/about/news/spam/2015/Nigerian-Scammers-Use-the-War-in-Syria-to-Extort-Money-from-the-International-Community

Kaspersky Lab. (2015, December 23). Phishing Messages Deliver Chaos to Consumers this Christmas. Retrieved December 29, 2015, from http://www.kaspersky.com/about/news/spam/2015/Phishing-Messages-Deliver-Chaos-to-Consumers-this-Christmas

Kirk, J. (2014, March 4). Pre-installed malware turns up on new phones. PCWorld.com. Retrieved December 20, 2015, from http://www.pcworld.com/article/2104760/preinstalled-malware-turns-up-on-new-phones.html

Kumar, M. (2016, January 13). How to hack WiFi password from smart doorbells. TheHackerNews.com. Retrieved January 18, 2016, from http://thehackernews.com/2016/01/doorbell-hacking-wifi-pasword.html

McLaughlin, M. (2011, December). A pen tester's perspective on creating a secure password. ComputerWeekly.com. Retrieved December 22, 2015, from http://www.computerweekly.com/tip/A-pen-testers-perspective-on-creating-a-secure-password

Mimecast. (2015). Countdown to Compromise: The Timeline of a Spear-Phishing Attack on Your Organization. Mimecast. Retrieved December 29, 2015, from https://www.mimecast.com/globalassets/documents/whitepapers/ttp-whitepaper-2015.pdf

Palmer, M. (2006, November 3). Data is the New Oil. Retrieved January 9, 2016, from http://ana.blogs.com/maestros/2006/11/data_is_the_new.html

PayPal.com. (n.d.). Suspicious Activity. Retrieved December 20, 2015, from https://www.paypal.com/webapps/mpp/security/suspicious-activity

Ragan, S. (2015, December 28). Database configuration issues expose 191 million voter records. CSOonline.com. Retrieved December 29, 2015, from http://www.csoonline.com/article/3018592/security/database-configuration-issues-expose-191-million-voter-records.html

Reid, T. (1786). Essays on the Intellectual Powers of Man. Retrieved December 28, 2015, from https://archive.org/details/essaysonintellec02reiduoft

Rohit, P. (2015, December 22). Retrieved from https://docs.google.com/presentation/d/1SgRcnhqMrUWvhBvrMrQRgn3zYfivdg1V8Pv0hc4unKo/edit#slide=id.p5

Rouse, M. (n.d.). Mutual authentication. TechTarget.com. Retrieved December 10, 2015, from http://searchsecurity.techtarget.com/definition/mutual-authentication

Rouse, M. (n.d.). Authentication, authorization, and accounting (AAA) definition. TechTarget.com. Retrieved December 28, 2015, from http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting

RSA. (n.d.). RSA Online Fraud Resource Center. Retrieved December 29, 2015, from http://ireland.emc.com/emc-plus/rsa-thought-leadership/online-fraud/index.htm

SecurityWeek.com. (2010). Study Reveals 75 Percent of Individuals Use Same Password for Social Networking and Email. Retrieved December 9, 2015, from http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email

SMX Cloud Solutions. (2015, September 3). SMX security alert: Spear phishing and whaling. Retrieved December 29, 2015, from https://smxemail.com/smx-security-alert-spear-phishing-and-whaling.html

Telesign. (2015). TeleSign Consumer Account Security Report. Retrieved December 22, 2015, from https://www.telesign.com/site/wp-content/uploads/2015/06/TeleSign-Consumer-Account-Security-Report-2015-FINAL.pdf

Visa.com. (2015, December 24). Security. Retrieved from https://usa.visa.com/support/consumer/security.html

Figures

Figure 1: Data is the new Oil. Retrieved from http://www.futuristgerd.com/2013/08/14/great-piece-on-why-data-is-indeed-the-new-oil-linkedin-connects-big-data-human-resources-via-wapo/ (p. 6)

Figure 2: RSA SecurID Token. Retrieved from http://www.emc.com/security/rsa-securid/rsa-securid-hardware-tokens.htm (p. 10)

Figure 3: Phishing (p. 15)

Figure 4: Phishing attacks per day. Retrieved from http://resources.infosecinstitute.com/spear-phishing-statistics-from-2014-2015/ (p. 16)

Figure 5: Kaspersky.com: The proportion of spam in email traffic, October 2014 – March 2015 (p. 17)

Figure 6: Phishing website example. Retrieved from https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/ (p. 18)

Figure 7: PayPal: Recognize fraudulent emails and websites webpage. Retrieved from https://www.paypal.com/webapps/mpp/security/suspicious-activity (p. 21)

Figure 8: Recent phishing scams. Retrieved from https://getprotected.asu.edu/phishing#accountexpirationalert (p. 22)