Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Secure Authentication. Show all posts

The Role of Biometrics in a Zero Trust Landscape

 

The illicit trade of biometric data, sourced from manipulated selfies, fraudulent passports, and cyberattacks on data repositories containing fingerprints to DNA information, has been thriving on the dark web. Despite their untraceability, these compromised biometrics empower attackers to access victims' most sensitive information, prompting criminals to refine their methods and produce synthetic IDs for more sophisticated attacks.

Efforts to safeguard biometric data have proven inadequate, with Gartner noting concerns about novel attacks and privacy issues hindering adoption. The rising threat of AI-enabled deepfake attacks undermining or rendering biometric authentication worthless is highlighted in Gartner's recent study.

VentureBeat reveals that deepfake and biometrics-based breach attempts against major cybersecurity firms have surged in the past year. Even the Department of Homeland Security has issued a guide, "Increasing Threats of Deepfake Identities," to counter these growing threats. All forms of biometric data are highly sought after on the dark web, and 2024 is expected to witness a surge in biometrics-based attacks targeting corporate leaders.

The focus on senior executives stems from their susceptibility to phishing scams, with C-level executives being four times more likely to fall victim than other employees, as reported by Ivanti's State of Security Preparedness 2023 Report. The prevalence of whale phishing, a targeted form of phishing, further exacerbates the threat landscape for executives.

Recognizing the shortcomings in current security measures, companies like Badge Inc. are taking innovative approaches to biometric authentication. Badge's technology aims to eliminate the need for passwords, device redirects, and knowledge-based authentication. By making individuals the "token" themselves, Badge's solution enhances security and privacy by deriving private keys on-the-fly using biometrics and chosen factors, without storing secrets or personally identifiable information. The company's approach aligns with the principles of zero trust, minimizing data access, and reinforcing least privilege access.

Badge's partnerships with Okta and Auth0 indicate its growing significance in identity and access management (IAM) platforms and technology stacks. With a cryptographically zero-knowledge basis and quantum resistance for future-proof security, Badge's technology is positioned as a valuable contributor to organizations' zero-trust architectures. Jeremy Grant, former senior executive advisor at the National Institute of Standards and Technology (NIST), recognizes Badge's compelling technology for addressing both consumer and enterprise use cases.

Hackers Can Use a Replay Attack Due to a Honda Vulnerability

 

A 'replay attack' vulnerability has been discovered in specific Honda and Acura automobile models, allowing a nearby hacker to open the car and even start it from a short distance. The threat actor captures the RF signals transferred from the key fob to the automobile and resends them to gain control of the victim's car's remote keyless entry unit. 

A hostile hacker can employ a replay attack to mislead a website or service into giving them access to the user by recycling the information used to identify the user. If a hacker can find and repeat a specific string of information, someone can use it to deceive a website into believing it was there, allowing anyone to get access to the online account.

Attackers might utilize CVE-2022-27254 to perform a Man-in-the-Middle (MitM) attack, or more particularly a replay attack, in which someone intercepted and manipulated the RF signals sent from a remote key fob to the automobile, and then re-transmitted these signals at a later time to unlock the car at his leisure. 

According to analysts, Blake Berry, Hong Liu, and Ruolin Zhou of the University of Massachusetts, as well as Cybereason Chief Security Officer Sam Curry, who discovered the vulnerability, the vulnerability in earlier models is mostly unaddressed. Honda owners, on the other hand, maybe able to defend themselves against such an attack. The remote engine start portion of the problem is also demonstrated in a video supplied by the researchers, however, no technical details or proof-of-concept (PoC) exploit code were published at the time. 

The Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) models from 2016 through 2020 are the most afflicted by this issue. In a GitHub repository, Blake Berry explained it was also possible to change the intercepted commands and re-send them to get a completely different result. 

According to the experts' recommendations, automotive manufacturers should include "rolling codes," also known as "hopping codes." This security method responds to each authentication request with a unique code, ensuring the codes cannot be "replayed" by an offender at a later time. However, "At this moment, Honda has no plans to update older vehicles," the company stated. "It's crucial to remember this, while Honda is always improving security features as new models are released, motivated and technologically sophisticated thieves are striving to circumvent those safeguards." 

When not in use, users should store the key fobs in signal-blocking 'Faraday pouches', however, this strategy won't prevent a determined attacker from eavesdropping on signals when the fob is utilized. Consumers should choose Passive Keyless Entry (PKE) over Remote Keyless Entry (RKE), which makes it much tougher for an intruder to clone/read the signal due to the closeness they would need to be at to do so.

Experts predict the disappearance of passwords before the end of the decade

According to cybersecurity experts, password identification in online services is a thing of the past. In the future, they will be completely replaced by biometric authentication and other means of protection.

Since this year, biometric authentication applications have been available to corporate and home Windows users. You can also activate identity verification methods by sending a code to your phone, other device, or linked account.

Authentication by biometric parameters significantly simplifies the daily use of various services and at the same time complicates the theft of personal data, said Alexey Novikov, Director of Business Development at ESET.

"However, in case of data loss, attackers gain access to the user's biometric profile. Today, the introduction of secure technologies prevents the mass distribution of passwordless authentication, and it costs a lot. Large companies are not always ready to revise the budget, and small and medium-sized businesses can hardly afford this,” Novikov said.

According to Denis Bezkorovayny, co-founder of Proto Group, already in 2022 some of the largest sites and services will begin to refuse to use passwords.

According to the expert, the IT community has long set itself the task of distributing password-free access, there are successful cases of such implementation in the banking and corporate sector.

"Now we are coming to the fact that the password becomes less convenient for the user, and it becomes less problematic for attackers. Because of this, there is a leap towards password-free or passwordless authentication," the expert explained.

It should be noted that passwords can be replaced by authentication methods such as codes, hardware tokens, smart cards, and biometrics.

For example, in Estonia, every resident of the country has a smart card for access to public services, the electronic digital signature of documents, and much more, including password-free authentication on a variety of government and commercial resources.