Posted Sunday, January 06, 2019 4:27:22 PM

'You can't relax': Here's why 2-factor authentication may be hackable

https://www.cnbc.com/2019/01/04/how-secure-is-your-account-two-factor-authentication-may-be-hackable.html

• Cybercriminals can now use a type of phishing to get around two-factor authentication, typically a code sent to your cellphone that is needed to log in, according to cybersecurity firm KnowBe4.
• KnowBe4 used LinkedIn for its demo, but said many other websites are also vulnerable.
• The code for the attack is now public, according to KnowBe4.

In a quest to make online accounts safer, many services now offer two-factor authentication. The system typically sends a code to a user's mobile phone that they need to log in, along with a username and password.

Cybersecurity professionals have advised enabling two-factor to add an extra layer of security — but according to at least one expert, this may not be a silver bullet. Kevin Mitnick, who was once the FBI's most wanted hacker and now helps companies defend themselves, found that two-factor authentication can be vulnerable.

"Just by enabling two-factor authentication, you can't relax…a smart attacker could get access to your account," Mitnick said in an interview with CNBC. He is the chief hacking officer at KnowBe4, a cybersecurity company that trains people to spot phishing, or spoofed emails.

Mitnick told CNBC he found out about the vulnerability when it was posted online for anyone to find.

"The tool to actually pull these attacks off has been made public. So any 13-year-old could download the tool and actually carry out these attacks," he said.

According to Mitnick, the attack begins when a cybercriminal sends an email that looks real, and asks the receiver to click on a link.

Once the user clicks on the link, they are directed to log into the real website, including entering the code sent to their cellphone. Secretly, however, the login went through the hacker's server and they were able to get the session cookie, the expert explained.

"If we can steal the user session cookie, we could become them, and we don't need their username, their password, or their two-factor," Mitnick said.

Mitnick showed CNBC that he was able to enter that code into his browser. "When I hit refresh I'm going to be magically logged into the victim's account," he said.

Mitnick used LinkedIn to demo the attack for CNBC, but said many other websites are also vulnerable. The email he clicked on looked like a real LinkedIn connection request — but actually came from a fake domain, lnked.com. He said most people may not realize the difference.

"It's not LinkedIn that's vulnerable. It's the actual user… It's a security flaw with the human," Mitnick said.

In a statement, Mary-Katharine Juric, a LinkedIn spokesperson, told CNBC that the professional network took Mitnick's demonstration "very seriously," and that LinkedIn has "a number of technical measures in place to protect our members from fraudulent activity including phishing scams."

She added: "When we detect this type of activity, we work to quickly remove it and prevent future re-occurrences. We strongly encourage members to report any messages or postings they believe are scams, and utilize our member help center as a resource to educate and protect themselves from frauds online."

This attack is part of what is known as social engineering, when hackers take advantage of human behavior to get you to do something, like click on a link. Another way to protect yourself is to pay close attention to email you get, even if you use two-factor authentication.

"Social engineering if you do it right can be used to get into almost anything," said Stu Sjouwerman, KnowBe4's CEO.

To protect from attacks like this one, some companies are making tools called security keys.

Instead of sending a code to your cell phone, security keys — which look like a keychain — contain a hardware chip, and use Bluetooth or USB to be the additional factor needed to log into your account. Recently, Google released its own version of the device, which it calls the Titan Security Key.

"The security key stores its own password and requires the site to prove it's legit before releasing the password and getting you signed in," said Mark Risher, Google's director of product management for security and privacy.

"It's not ubiquitous by a long shot but we are encouraged to see more and more sites and apps," he added.
=================================================================
See link below for information on tokens and why the laptop with a TPM (and Wave VSC 2.0) could be better than a security key.
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

Get better security at less than half the cost

Passwords are weak. Tokens are expensive. Don’t compromise on security or price.

Wave Virtual Smart Card does anything your physical smart cards and tokens do, but it starts with hardware you already have: the Trusted Platform Module (TPM), a hardware security chip built into the motherboard of most business-class PCs. You may not even know you have it, but once you do, the TPM can be used in a myriad of ways. Wave turns it into a smart card, embedded directly into your laptop.

What can it be used for?

What do you use your smart card for today? With the exception of keying open the door at work, Wave Virtual Smart Card can perform any of the services or applications you rely on your smart card for today. Secure VPN, WiFi, remote desktop, cloud applications – it can all be done with a virtual smart card.

One helpdesk call you'll never get: "I lost my virtual smart card again..."

There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.

The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.

What will you do with >50% TCO savings?*

Tokens and smart cards require an additional hardware purchase, plus the time and money to ship to remote users. Use something that’s already in the users’ hands (the TPM), and your acquisition and deployment costs are lower.

Then consider the management savings in not having to replace lost and stolen tokens. That means fewer helpdesk calls, less interruption of user productivity, and fewer acquisition and shipping costs.

When we say “secure”…

…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).

*Actual number may vary. Contact us today to receive more details and a free quote.

Key Features:

• Full lifecycle management of virtual smart cards
• Intuitive interface to create (or delete) virtual smart cards
• Command line option to create and delete virtual smart cards
• Flexible PIN policies
• Helpdesk-assisted PIN reset and recovery
• Generates reports for compliance
• Integrates with Active Directory
• Supports familiar use cases:
  – Virtual Private Network (VPN)
  – Local logon
  – Remote logon
  – Remote desktop access
  – Intranet/Extranet
  – Cloud applications