Invitation to Cybersecurity

INVITATION TO CYBERSECURITY 196

because a user (or an eavesdropper) could type in an old passcode even if he does not have the device in his possession at login time. Text messages do not technically verify that the person is in possession of a smartphone, but rather of a phone number. This is an important distinction because it opens up an attack vector called SIM swapping. SIM stands for subscriber identity module. It is a unique ID used by mobile carriers to identify customers when they change phones. If a hacker is able to deceive a mobile carrier into switching a target’s SIM to a SIM that the hacker controls, then all of the victim’s calls and text messages will be routed to the hacker’s phone. If text messages are used to send passcodes, then the hacker will receive the text message and could be authenticated as the victim. There have been several high-profile SIM swapping attacks, including one conducted against the former CEO of Twitter, Jack Dorsey, that allowed a hacker to control the Twitter account of the Twitter CEO!

Many smartphone-based authentication tokens rely on smartphone apps instead of text messages. When a user tries to log in, a notification is pushed from the authentication server to an app on the user’s smartphone, and the user is prompted to either accept or block the login attempt. With a simple click of the accept button, the user proves he has the device and is authenticated. This method is not susceptible to SIM swapping attacks because mobile apps are not tied to SIMs. In general, it is a much more secure method because smartphone apps and authentication servers are able to authenticate one another cryptographically. Push notifications are still hackable, however, due to user error. If a user clicks accept by accident, out of confusion, or through deception, an attacker could still be authenticated as him.
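To make the distinction concrete, here is an added Python sketch that is not from the textbook: a toy carrier that routes texts by phone number, a passcode server that texts codes, and a push server that challenges a key enrolled on the device. The carrier, the user "alice", the number 555-0100 and all keys are constructed for the example, and an HMAC challenge-response stands in for whatever cryptography a real app and server use. The same key-on-the-token model also describes the smart card discussed next.

```python
# Added illustration, not code from the textbook: SMS passcodes are bound to a
# phone NUMBER, while a push challenge is bound to a key on the DEVICE.
# All names, numbers and keys here are constructed.
import hashlib
import hmac
import secrets
import time


class Carrier:
    """Hypothetical carrier: texts go to whichever handset a number maps to."""

    def __init__(self):
        self.routes = {}  # phone number -> inbox list of the handset holding that SIM

    def activate_sim(self, number, inbox):
        self.routes[number] = inbox  # a SIM swap is exactly this, done for an attacker

    def send_sms(self, number, text):
        self.routes[number].append(text)


class SmsOtpServer:
    """Texts a one-time passcode and accepts it back within a time limit."""

    def __init__(self, carrier, ttl_seconds=300):
        self.carrier, self.ttl = carrier, ttl_seconds
        self.numbers = {}  # user -> enrolled phone number
        self.pending = {}  # user -> (code, issued_at)

    def enroll(self, user, number):
        self.numbers[user] = number

    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, time.time())
        self.carrier.send_sms(self.numbers[user], code)

    def finish_login(self, user, code, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        expected, issued = entry
        if now - issued > self.ttl:
            return False  # an old passcode is rejected even if it is correct
        return hmac.compare_digest(expected, code)  # whoever received the text is in


class PushAuthServer:
    """Challenges a key enrolled on the user's device; without the key, no login."""

    def __init__(self, ttl_seconds=60):
        self.device_keys = {}  # user -> secret shared with the app at enrollment
        self.pending = {}  # user -> (challenge, issued_at)
        self.ttl = ttl_seconds

    def enroll(self, user):
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]  # provisioned into the app once, never resent

    def start_login(self, user):
        challenge = secrets.token_bytes(16)  # this is what the push notification carries
        self.pending[user] = (challenge, time.time())
        return challenge

    def finish_login(self, user, response, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(user, None)
        if entry is None or response is None:
            return False
        challenge, issued = entry
        if now - issued > self.ttl:
            return False
        expected = hmac.new(self.device_keys[user], challenge + b"approve", hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class PhoneApp:
    """The authenticator app: signs the challenge only if the user taps Accept."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge, user_accepts):
        if not user_accepts:
            return None  # Block: the server receives nothing it can verify
        return hmac.new(self.key, challenge + b"approve", hashlib.sha256).digest()


def run_scenarios():
    """Runs each scenario from the text and returns whether the login succeeded."""
    carrier, victim_handset, attacker_handset = Carrier(), [], []
    carrier.activate_sim("555-0100", victim_handset)  # constructed number
    sms = SmsOtpServer(carrier)
    sms.enroll("alice", "555-0100")
    results = {}
    sms.start_login("alice")
    results["sms_legit"] = sms.finish_login("alice", victim_handset[-1])
    sms.start_login("alice")
    results["sms_old_code"] = sms.finish_login("alice", victim_handset[-1], now=time.time() + 600)
    carrier.activate_sim("555-0100", attacker_handset)  # the SIM swap
    sms.start_login("alice")
    results["sms_after_sim_swap"] = sms.finish_login("alice", attacker_handset[-1])

    push = PushAuthServer()
    app = PhoneApp(push.enroll("alice"))
    results["push_legit"] = push.finish_login("alice", app.respond(push.start_login("alice"), True))
    forged = hmac.new(secrets.token_bytes(32), push.start_login("alice") + b"approve", hashlib.sha256).digest()
    results["push_without_device_key"] = push.finish_login("alice", forged)  # SIM swap buys nothing here
    results["push_user_blocks"] = push.finish_login("alice", app.respond(push.start_login("alice"), False))
    results["push_accepts_by_mistake"] = push.finish_login("alice", app.respond(push.start_login("alice"), True))
    return results
```

Reading the results: the SMS server accepts whatever code comes back, so once the carrier re-routes the number the attacker's handset holds the valid code; the push server only accepts a response computed with the enrolled device key, so re-routing is useless, but a user who taps Accept on a login he did not start still lets the attacker in, which is the user-error caveat in the text. The stale-code check shows why a passcode must expire quickly.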
A nice advantage of smartphone-based authentication is that if a user receives a text message or a push notification when he is not attempting to log in, this alerts him that his account may be under attack.

8.1.3.2 Smart card

Another example of something you have is a smart card. A smart card is a plastic ID card with an embedded integrated circuit that can perform cryptographically secure authentication. During the enrollment phase, each user is assigned a unique smart card. Since they are the same size as a credit card, smart cards are easy to carry around in a wallet or a purse. They also frequently double as an always-visible physical ID badge and include the name and picture of the user. At many workplaces, employees attach their smart cards to lanyards and wear them around their neck at all times. This is a security measure that helps to control physical access to buildings and rooms. Smart card readers can be purchased inexpensively and added to a computer, and are sometimes even built into laptops and keyboards. When a user needs to be authenticated, he must insert or scan his smart card. An attacker would need to gain possession of the target’s smart card in order to be authenticated as him. That would be difficult because smart cards are protected closely and are handled with care. If one is lost or stolen,
