What is the value of a data breach that does not happen

Fortress-Identity SS7 article banner

By Alessandro Chiarini

Motherboard posted a well-researched piece recently on hackers who have been exploiting the SS7 protocol in telco networks to pillage bank accounts in the UK.

As someone who advises banks on mobile biometric authentication, I can attest to the article’s accuracy. The writer not only got the facts straight, he did a masterful job of conveying the attitudes of the institutions involved. Reading between the lines of their terse statements, I saw the usual surprise, chagrin and feelings of “why us?”

But in fairness, defending a bank, healthcare organization, online retail business, etc. against determined and capable hackers is difficult. At best, it’s a running battle. We will continue to see occasional setbacks. But, on the upside, there’s much more that can be done to secure access to data, transactions and sensitive areas than many people seem to realize.

In this post I will…

  1. Recap the UK attacks. Were they the work of criminal geniuses or the result of leaving the backdoor and several windows open?
  2. Describe a multi-factor authentication solution that actually would have worked.
  3. Speak directly to developers. I believe you have a vital role to play in turning things around.

The Metro Bank breach shouldn’t have happened, period.

According to Motherboard, the hackers who robbed Metro Bank in the UK exploited…

“…gaping holes in the world’s telecommunications infrastructure that the telco industry has known about for years despite ongoing attacks from criminals.”

Specifically, they took advantage of the fact that SS7 does not authenticate users. Once inside the network…

“–SS7 will treat their commands to reroute text messages or calls just as legitimately as anyone else’s.”

In this case, it seems the hackers were able to intercept the text message containing a verification code that the bank sent to the account holder and enter it themselves.

Ironically, two-factor authentication (2FA) still has a decent reputation. As someone quoted in the Motherboard piece points out,

“…text messages are not the most secure type of two-factor authentication, (but) they still offer a huge advantage over not using any 2FA at all.”
Sorry, that’s not enough.

My four takeaways.

You must authenticate the identity of every user every time.

Definitively. Precisely. No one else will do it for you.

If you doubt the importance of authentication, reread the section above.

You must acknowledge the full extent of the danger you face. Then mount a robust defense. Half measures are often the result of poor threat assessment. My advice: call in experts, map your vulnerabilities thoroughly, then implement the substantial forms of protection available to you right now.

You must invest in user authentication.

Half measures can also be the result of misguided thrift. It might seem difficult to explain the value of a data breach that doesn’t happen, but it can be done. The security of your data and other assets isn’t “nice-to-have.” It’s mission-critical. Some organizations are doomed to find that out the hard way.

You must stay vigilant.

As noted above, this battle will never be over. If you have something valuable, you’re vulnerable. Act accordingly.

Mobile multi-factor authentication that would have prevented the Metro Bank robbery.

But first, a few things you should know.

Passwords are now analogous to electric typewriters.

ID cards, challenge questions and OTP pins are flimsy forms of defense and unsuited to a world that does business on mobile devices.

The new standard for user authentication is multimodal, multi-factor biometrics. Every human being on earth has hundreds of unique physical characteristics. When used in combination, biometrics are devilishly hard if not impossible to exploit. At Fortress Identity, we have made voice authentication the linchpin of our solutions for three simple reasons: voice is perfect for phones, voice can be analyzed to a fine degree of accuracy, voice is nearly impossible to fake.

And when you augment voice with passive biometric modes of defense, you’re getting close to making your organization inviolable.

If a Fortress Identity system had been in place at Metro Bank, the outcome would have been different. The person trying to access an account would have been asked to recite a random 10-digit number. This would have been vetted against the account holder’s registered voice print, an AI-driven analysis that considers roughly 80 different characteristics. In the background, various behavioral markers would also have been compared to those on file, e.g., typing rhythm, swiping, angle-of-phone, etc.

In short, the hacker would have had better luck trying to gnaw his way through the wall of Metro Bank’s London headquarters.

For developers only.

I seldom meet a manager who understands the threat that hackers represent. I seldom meet a developer who doesn’t. Which is one reason I think developers should take the lead in getting mobile user authentication moved to the top of the to-do list.

Implementation couldn’t be easier. Call on Fortress Identity, and you can incorporate the kind of biometric security described above with minimal lines of code. You will get a full range of modes and factors to work with, so you can specify whatever depth and type of security your organization requires. You can even implement it in stages. When you need something extra, you’ll have that additional modality already in the application.

The important thing is to get moving. We have an SDK for iOS and an SDK for Android. You can register to download one here.

Thank you.