Two Factor Authentication has been vital advice for personal cybersecurity for years. But it’s starting to wear thin. Hackers have little problem bypassing weak implementations by intercepting codes or exploiting account recovery systems. It was even a tough start to the year for online payments giant PayPal, where at one point anyone could bypass two-factor authentication. But It’s not just PayPal suffering, it’s a cold climate everywhere. The stories of the demise of 2FA are abundant; from SIM swapping to high profile hacks of celebrity Twitter and Youtube accounts. The issue in reality is much more complex — It’s security dystopia, and whilst we have a general framework for protection, it’s not enough and it needs an upgrade. We need a solution for this new Orwellian environment.
Firstly, what is 2FA and why is it important?
2FA is a second check, at the point of authentication. This can be an SMS one-time code, a PIN number, voice ID, biometric data, an authenticator app or an external security key. In short they usually fall into three categories:
• Something you know — like a password, PIN, answers to specific security questions
• Something you have — including time-based codes generated by hardware tokens or one-time activation codes sent via a text message to a device you hold
• Something you are — such as fingerprints, facial profiles, voice IDs, and other forms of biometric data
A good example of 2FA in action is when you’re withdrawing money from an ATM. It requires you to present a bank card (something you have) and enter a PIN (something you know) to access your account.
The point is 2FA is meant to add an extra layer of security. But many of the above practices are falling short of the mark. A sobering statistic is brought to us from Verizon’s Data Breach Investigation Report (DBIR) showing that 81% of hacking-related breaches in its data set leveraged either stolen or weak passwords. There are simply too many issues that plague certain 2FA methods. Take a look at SMS as a 2FA method — it could be costing AT&T $23m due to a possible SIM swap scam that saw investor Michael Terpin lose approximately $24m in cryptocurrency. Terpin claims hackers managed to transfer his number to a smartphone they controlled to request a password change and 2FA token to a particular online account, which the thieves then entered and discovered a file that contained login details for his cryptocurrency wallets. In short, security is only as strong as the weakest link, and in Terpin’s case that weakest link could have been a centralized information gateway (a telco); in such case, the stolen assets could have been protected by an additional security layer with multi-signature wallets and proper key management.
There are other high stake security threats we need to be fearful of and solve such as the mercenary social security scam; an identity theft caller scam that caused losses to seniors that amounted to $38m, according to the Senate reports citing the Federal Trade Commission. It’s seemingly medieval that such scams exist in our technologically advanced world. Why do we still have paper SSA cards in the era of asymmetric cryptography on a microchip? The reason why this scam is possible is because social security numbers are written in plaintext, ready for any holder to read, memorise and tell. The only safety friction between a holder and a fraud is the holder’s full understanding of the security implications of their action. The SSA is unfairly expecting hundreds of millions of citizens to be well versed in information security practices.
Let us elaborate; Social Security Numbers have been used and abused. They are now far from secret, they’re widely shared with employees, doctor’s offices, schools and banks etc. They’re routinely used to help verify consumer identities at all sorts of institutions. People are therefore used to surrendering Social Security Numbers without challenging the authority of any requesting party, which is a really bad habit, almost impossible to eradicate. Current advice is along the lines of ‘think twice’ before revealing information such as a social security number on a medical form. This just isn’t good enough and also shifts the security onus on the citizen.
Half the problem is that the identifier is also used as an authenticator. It’s imposing a centrally issued secret key to a whole population, and then demanding citizens to use it indistinguishably as an identifier or as a passcode. This is the security equivalent of dictating your front door lock code alongside your address, then demanding you to surrender it to the dentist, the bank, the insurance company and the cable company; and then, use it to prove ownership of your accounts. It’s nothing short of alarming but this scam will continue to wreak havoc on citizens unless new measures are applied.
Switching to a more secure system isn’t that challenging and would be far more secure than a string of digits on a paper card. It’s 2020; asymmetric cryptography has been around for a while and it’s already at work to safeguard your browser traffic privacy, all the way to bitcoin and second factor hardware tokens. What’s needed here is a social security signing card. Asymmetric cryptography is the key to keeping a private “number”, like the Social Security number, secret, while being able to prove ownership with a digital signature and without being hacked. At Tangem, this is something we specialise in, with our cards. We like to utilise a quote from Orwell’s 1984, “If you want to keep a secret, you must also hide it from yourself”, because we believe that in an Orwellian world, we must empower individuals to secure their digital assets and information without a degree in cybersecurity.
New hygiene practices: A Tangem Solution…
Technology has changed and connectivity has dramatically improved, our expectations need to as well. Out with the clunky, inappropriate methods and in with easy to use solutions that are more secure and that fit multiple authentication workflows.
Tangem provides a fortified solution with application diversity and broad coverage that allows users to take back control of their identities and assets; all the secret access codes are stored inside a personal super-secure card, where it is not possible to remove them, write them down or make a copy. Our cards enable passwordless authentication, they are simultaneously identifiers and authentication factors all wrapped up in one, similar to having the convenience of an ID card and the power of YubiKey at the same time:
A One Size Fits All Solution and it looks a bit like this:
Tangem Developer Card — available for developers, system integrators and builders of secure
solutions for the 21st century
It’s designed for everyone; no physical onboarding and zero learning curve, it’s portable and forgery proof — just tap the card on any NFC enabled device to verify important actions. The significant concept to reiterate here is that the keys are generated inside the chip, which sign transactions and prove ownership, they are impossible to clone, even for the card manufacturer.
At the end of this week Tangem will announce an exciting milestone in the form of a partnership that will see our cards act as a ‘signer’ to wallets to confirm important actions. So you can hold what security feels like in the palm of your hand, a physical implementation of trust. You shouldn’t feel afraid to carry it around and lose it either, since it can be revoked at any time. It’s designed to maximise security so none of the costly above happens and to safeguard you from any invasive new looming breed of scam that’s hard to size up.
It may seem anachronistic, a return to the analogue in such digitally advanced times, but we believe a rejuvenation of a classic format, a physical card, with all the tech inside, encourages simplicity and minimises any risk of hacking. You can securely and easily manage your digital keys, physically.
“Get 2FA” is still good advice but for us protection and security is paramount and given the current climate of credential theft we REALLY recommend ensuring some strong hardware sophisticated 2FA is in place for all important services.