Is this the key to foiling phishing attacks? Spoiler alert: probably

Posted on Aug 29, 2017 by Glyn Moody

As readers of this blog know, VPNs are a great way to protect your privacy and security. But they address only some of the online threats we all face every day. Another important class of problems is caused by attacks that lead to accounts being taken over, identities being appropriated, data theft and financial losses. A number of recent articles on the topic in the tech press remind us that even today, when most experienced online users are well aware of the issue, it is still possible for their credentials to be swiped. That might happen because you drop your defenses for a second and log into a phishing site, or as a result of security lapses by others. Here, for example, is John Biggs, writing on TechCrunch:

At about 9pm on Tuesday, August 22 a hacker swapped his or her own SIM card with mine, presumably by calling T-Mobile. This, in turn, shut off network services to my phone and, moments later, allowed the hacker to change most of my Gmail passwords, my Facebook password, and text on my behalf. All of the two-factor notifications went, by default, to my phone number so I received none of them and in about two minutes I was locked out of my digital life.

Information from the accounts was used to cook up a ridiculous story about Biggs needing 10 Bitcoins immediately, or else an Ohio hospital would switch off his sick father’s life-support system, causing him to die. The friends of Biggs in the cryptocurrency community that were contacted by the phisher were not fooled by this, and led him or her a merry dance.

Although no money was transferred, the incident shows how a compromised system can have knock-on effects in terms of losing control of other services that can also be exploited. That was also the case in a dramatic phishing story, published by The Citizen Lab site in May. This time, the victim was David Satter, a high-profile journalist, and long-time critic of the Kremlin.

Despite being an extremely experienced journalist, doubtless subject to frequent hacking attacks, he mistakenly entered his log-in credentials on a phishing site. But this time, the intent was not to trick other people into parting with money using the phished account. Instead, Satter’s emails were downloaded, and then intentionally leaked, with small but significant falsifications. The idea was clearly to use the fact that the bulk of the emails were genuine to lend a specious plausibility to the lies that had been added.

The Citizen Lab post has fascinating details of how its researchers were able to use the successful action against Satter to uncover a much larger phishing operation, involving over 200 people, including politicians and diplomats; UN, NATO, and military personnel; as well as academics, journalists, and senior figures in the energy sector. A similarly ambitious phishing program from the same Russian context was reported by The Intercept a couple of months ago:

Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

Among the classified intelligence is a chart produced by the NSA which shows how the phishing operation worked (shown above). Perhaps the most interesting part is found in the bottom right-hand corner. The NSA graphic explains that even if traditional two-factor authentication (2FA) has been enabled on the account that is being attacked, it provides no protection: the phishing site would simply ask for the 2FA authentication details as well as the password, then use both to log into the email service in order to change all the credentials and lock out the owner.

That’s deeply troubling. It means whether you are using the deprecated SMS 2FA, or the more secure Google Authenticator, phishing attacks can still succeed against Gmail users, say, if bogus requests for password and 2FA information are convincing enough. That fact is a problem for everyone, even for Google. Which raises an interesting question: what does Google itself do to protect its engineers? Turns out the company uses security keys – small, physical devices that must be present when you enter a site’s password – and with great success:

They protect users against password reuse, phishing, and man-in-the-middle attacks by generating cryptographic assertions over the website’s URL and properties of the transport layer security (TLS) connection. Security Keys also score favorably in the usability framework established by Bonneau et al. Our analysis of performance benefits in the two-year deployment study measures a significant reduction of sign-in times experienced by users and a reduction in burden on a support organization. Our Security Key deployment is based on the open Security Key protocol as standardized in the FIDO Alliance as U2F. This standard is supported by major browsers and login system of large web service providers such as Google, GitHub and Dropbox.
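To make concrete why a relayed one-time code succeeds while a relayed security-key assertion fails, here is a small simulation written for this post; it is not code from the paper, from Google, or from the FIDO Alliance. It keeps the shape of a U2F sign-in (challenge, client data carrying the browser-observed origin, a signature over the app id and the client data, a signature counter) but uses HMAC in place of the ECDSA signature a real token produces, so the relying party stores the HMAC key where a real one would store a public key. The origins `https://mail.example` and `https://mail-example.test` are constructed placeholders, and the browser-side check that an app id matches the page origin is deliberately left out so that the server-side origin check is the one that fires.

```python
"""Relayed OTP vs. origin-bound security-key assertion (added example).
HMAC stands in for U2F's ECDSA signature; origins are constructed."""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://mail.example"        # constructed relying-party origin
PHISH_ORIGIN = "https://mail-example.test"  # constructed look-alike origin


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing ties the code to the site it is typed into."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def signed_message(app_id: str, counter: int, client_data: bytes) -> bytes:
    """U2F-style signature input: H(app id) || counter || H(client data)."""
    return (hashlib.sha256(app_id.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())


class SecurityKey:
    """Simulated token: key handle bound to one app id, monotonic counter."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _handle(self, app_id: str) -> bytes:
        return hmac.new(self._master, b"handle|" + app_id.encode(), hashlib.sha256).digest()

    def _key(self, handle: bytes) -> bytes:
        return hmac.new(self._master, b"key|" + handle, hashlib.sha256).digest()

    def register(self, app_id: str):
        """Return (key handle, verification key). Simulation only: a real
        token hands out a public key, never the signing key."""
        handle = self._handle(app_id)
        return handle, self._key(handle)

    def sign(self, app_id: str, handle: bytes, client_data: bytes) -> dict:
        if not hmac.compare_digest(handle, self._handle(app_id)):
            raise ValueError("key handle not registered for this app id")
        self.counter += 1
        sig = hmac.new(self._key(handle), signed_message(app_id, self.counter, client_data),
                       hashlib.sha256).digest()
        return {"client_data": client_data, "counter": self.counter, "sig": sig}


def browser_get_assertion(key, page_origin, app_id, handle, challenge) -> dict:
    """The browser, not the page, fills in the origin it is actually showing."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return key.sign(app_id, handle, client_data)


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.keys, self.counters = {}, {}
        self.totp_secret = secrets.token_bytes(20)

    def enroll(self, key: SecurityKey) -> bytes:
        handle, verify_key = key.register(self.origin)
        self.keys[handle] = verify_key
        return handle

    def new_challenge(self) -> str:
        return secrets.token_urlsafe(32)

    def verify_totp(self, code: str, now: float) -> str:
        return "ok" if hmac.compare_digest(code, totp(self.totp_secret, now)) else "rejected"

    def verify_assertion(self, handle: bytes, assertion: dict, challenge: str) -> str:
        cd = json.loads(assertion["client_data"])
        if cd.get("origin") != self.origin:      # the check a phishing proxy cannot pass
            return "rejected: origin mismatch"
        if cd.get("challenge") != challenge:
            return "rejected: challenge mismatch"
        key = self.keys.get(handle)
        if key is None:
            return "rejected: unknown key handle"
        expected = hmac.new(key, signed_message(self.origin, assertion["counter"],
                                                 assertion["client_data"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return "rejected: bad signature"
        if assertion["counter"] <= self.counters.get(handle, 0):
            return "rejected: counter replay"
        self.counters[handle] = assertion["counter"]
        return "ok"


def demo() -> dict:
    rp, key = RelyingParty(REAL_ORIGIN), SecurityKey()
    handle, results, now = rp.enroll(key), {}, time.time()
    # 1. A code the user reads off an authenticator app is valid wherever it is relayed.
    results["otp_relayed"] = rp.verify_totp(totp(rp.totp_secret, now), now)
    # 2. Genuine sign-in from the real origin.
    chal = rp.new_challenge()
    results["u2f_genuine"] = rp.verify_assertion(
        handle, browser_get_assertion(key, REAL_ORIGIN, REAL_ORIGIN, handle, chal), chal)
    # 3. Same challenge answered on the look-alike page: the browser records PHISH_ORIGIN.
    chal = rp.new_challenge()
    relayed = browser_get_assertion(key, PHISH_ORIGIN, REAL_ORIGIN, handle, chal)
    results["u2f_relayed"] = rp.verify_assertion(handle, relayed, chal)
    # 4. Rewriting the origin in the client data breaks the signature over its hash.
    cd = json.loads(relayed["client_data"])
    cd["origin"] = REAL_ORIGIN
    tampered = dict(relayed, client_data=json.dumps(cd, sort_keys=True).encode())
    results["u2f_tampered"] = rp.verify_assertion(handle, tampered, chal)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the paper's abstract makes shows up in cases 3 and 4: the relying party never learns the password-style secret from the user, it learns a signature whose input includes the origin the browser saw, so the only thing a look-alike site can forward is an assertion that names the look-alike site. Real browsers add a second barrier by refusing to use an app id that does not belong to the page's origin; it is omitted here so the server-side rejection is visible.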

Google engineers have written a paper explaining the background to these security keys, the threat models they seek to counter, the detailed system design, and how Google has implemented the standard as part of its Chrome browser. The FIDO Alliance has further resources on its website, including how the technology works and which companies support it. One important name not mentioned on that page is Facebook, which added U2F security key support earlier this year. However, Twitter does not yet offer the option, which is a pity. If you want more practical information, there’s a useful FAQ about security keys, as well as a step-by-step guide to setting one up for Gmail, both on the Tech Solidarity site.

Security keys are not only more secure than other two-factor authentication methods, and very easy to use, they are also very cheap: you can buy basic models for under $10. If you compare that minimal cost to the huge damage that losing control of your main email account to a slick phishing operation could wreak on your life, that’s a really small price to pay. Until something better comes along, security keys look like one of the best ways to protect yourself from attacks that seek to gain control of your online accounts, with all the pain and inconvenience that implies.

Featured image by NSA.

2 Comments

  1. davecb

    We used to do something similar at Sun with what were then fairly expensive crypto-cards from RSA. I wonder if there is a “critical mass” to offer card-based 2FA and have it accepted widely enough to be worthwhile.

    7 years ago
    1. Glyn Moody

      Yes, I remember those earlier versions – as you say, expensive and specialised. These, by contrast, are very simple to set up, trivial to use, ultra-cheap – and seem to have growing momentum behind them. I hope so – I wish Twitter and the rest would support them.

      7 years ago