Maksim Kabakou - Fotolia

Security Think Tank: Strong 2FA should be a goal in 2019

At the close of 2018, we asked CW Security Think Tank contributors to name one thing predicted for 2018 that did not happen, one thing that was not predicted but did happen, and one thing that should happen in 2019 but probably will not

One thing predicted for 2018 that did not happen

At the end of 2017 and into 2018, there was a lot of speculation about the introduction of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018 and the size of the fines that would be levied, of up to 4% of annual turnover. 

Many thought and predicted the big tech companies would immediately be targeted with high fines. Google parent Alphabet was indeed threatened with a fine of £3.8bn, but this was related to a breach of competition rules because of the pre-installation of the Google search browser on Android devices sold in Europe. It is, however, very close to the maximum fine of 4% of Alphabet’s turnover.

The Austrian Data Protection Authority has issued a €4,800 fine against a company that put up a CCTV camera in front of its building, which also covered a large amount of the pavement. Large-scale monitoring of public spaces is not permitted under the GDPR.

There are clearly larger fish to fry and other action in the pipeline.

In the UK, for example, related to the Cambridge Analytica scandal, the Information Commissioner’s Office (ICO) has issued a notice to Canadian company AggregateIQ Data Services, as part of its ongoing investigation into using personal data for analytics and advertising. The ICO has told the company to stop using EU citizens’ personal data for analytics and advertising. If it doesn’t, it could face a significant fine under GDPR.

Legal wheels grind slowly and data breaches before 25 May are not covered, so it is perhaps not so surprising that there have not been more prosecutions. However, there are many out there who are still failing to comply with the detail. Under GDPR, it should be as easy to withdraw permissions as it is to give them, but this is almost never the case. Also, check boxes should not default to “agree”, but in some cases they still do.

I am sure we will see some big fines in 2019, but probably also a lot of smaller ones as well.

One thing that happened in 2018 that was not predicted

The UK authorities have always been reluctant to specifically attribute cyber attacks and call out other countries for their actions. This is understandable due to the difficulties of attribution and the need for certainty and to put supporting evidence into the public domain to counter the predictable denials.

“Under GDPR, it should be as easy to withdraw permissions as it is to give them, but this is almost never the case”
Paddy Francis, Airbus CyberSecurity

While there were hints towards a change of policy in December 2017, with the Foreign Office saying it was “highly likely” that the North Korea-based Lazarus Group had been behind the WannaCry attack earlier that year, and then in February 2018 with the National Cyber Security Centre (NCSC) saying that “the Russian military was almost certainly responsible for the NotPetya cyber attack of June 2017.

However, the calling out of Russia and joint announcements by the US and UK on Russia and, in particular, the GRU, with undeniable evidential support, took things to a new level. The stakes were raised again with the GRU attack on the OPCW [Organisation for the Prohibition of Chemical Weapons] in The Hague, when the bar was raised again with the level of detail released about the joint UK, US and Dutch action that thwart the GRU attack

These events have shown some of the ability of the NCSC to track these attacks. The question is how much more will we see in 2019?

One thing that should happen in 2019, but probably will not

Two-factor authentication (2FA) has long been hailed as much more secure than using a password alone. However, the most common form of 2FA is an authentication code sent by text message, despite the fact that this method has been known to be insecure for many years. The use of simple text-based 2FA should therefore stop as soon as possible and stronger methods adopted. However, it probably won’t, because it is cheap and easy.

“The use of simple text-based 2FA should therefore stop as soon as possible and stronger methods adopted. However, it probably won’t, because it is cheap and easy”
Paddy Francis, Airbus CyberSecurity

The idea of 2FA is that there is something you know (a password, for example) and something you have (a phone, for example). This is fine, but it falls down when using text messages to distribute codes. This is because it is possible for a criminal to take over a mobile number and receive the text. Therefore, it is not the specific user’s phone itself that is the second factor, but the phone number to which the text is sent, which can easily be compromised.

Alternative solutions that are now being used include “fingerprinting” of a user’s device so that it can be uniquely identified and if the log-on comes from another device additional authentication checks can be made. This can also be used on a user’s PC to associate it with a phone number to strengthen text-based authentication, but it generally isn’t. This approach can therefore be used to provide a second factor almost transparently to the user.

Organisations such as Google and Amazon also now provide much stronger 2FA solutions using third-party tokens implementing Universal 2 Factor (U2F) protocols, and others are starting to drop text-based authentication in favour of Google Authenticator. Some organisations, however – including financial institutions – continue to rely on text messages. This surely should stop in 2019, but I doubt it will.

Read more on Hackers and cybercrime prevention

Data Center
Data Management