Most users employ 2FA for account management and have security reasons for doing so. For example, some people use 2FA to prove ownership of a bitcoin account, while others do it to prevent scammers from stealing their login credentials. Although all these are valid security concerns, users should be aware of another important benefit of 2FA.
The Dark Web, or Deep Web, is the hidden area of the Internet. It is accessed via Tor (on the Internet, HTTPS protects us from our country’s law enforcement, the NSA, and other federal agencies) which hides users’ IP addresses, user’s network addresses, user’s usernames, and other important information. While 2FA is a great way to prevent data theft, a conundrum comes when the protection on it is lax or non-existent.
On the dark web, 2FA data might be stolen and sold for nearly nothing on the Deep Web, or directly on the Deep Web.
Recently, we stumbled upon a single item that contained account credentials for hundreds of popular websites and services. The compromised credentials were a treasure trove for scammers, who can now access, change and sell the stolen information. While some details were withheld, the result is obvious.
Not all vulnerabilities can be prevented, and for those that cannot, researchers have found many vulnerabilities that can be used to create long chains of different users’ login credentials. This can then be used to break 2FA.
Table of Contents
2FA and the Blindspot of “Managed Service Providers”
There is no doubt that managing and securing accounts is no simple task. This is why “managed service providers” (MSPs) – usually small businesses – offer the service of helping their clients achieve their security goals.
In the process of obtaining a customer account, MSPs often ask for the following information:
- Login Name
- User ID
- Registration URL (or other URL the user intends to access the service from)
- Proof of membership to the organization
The process requires that customers link a specific credential to a particular application that will log into the account. This generally takes the form of the user providing an email address or username and password. In cases where users do not supply this information, it can be in the form of a hash.
This form of authentication uses a one-time password generated from a predetermined set of words or numbers. Hashing is a technique that is based on the mathematical manipulation of data. Hashes are used to produce a certain series of numbers or characters to alter the way that the data is processed and stored. Since hashing passwords allows an attacker to recover them in the event they are leaked, attackers can check for a large number of common hashes and see if any of them match those of the user’s password.
Most services use a hashing function to generate one-time passwords. Since the data is obfuscated, even the service provider has no insight into the value of the password. Even though such functions have been around for a few years now, it seems that most services still use it to protect passwords, because it is simple to implement.
Unfortunately, even if a provider is diligent about implementing a hash function and protecting the data, it is still vulnerable to common vulnerabilities.
The Problem with the Master Password
The reason for this vulnerability is simple. The one-time password is derived from the first user’s master password and thus is potentially exposed to attacks, should that master password be leaked. This includes phishing, password cracking, and brute force.
Another drawback of single-factor authentication is that when a user has to submit her credentials at one site, she cannot go to another, because the password cannot be transferred to a new device or application. This is one of the issues that led to the issue with the Spotify breach.
A solution to this problem is to ensure that a user’s login credentials are stored only on her device. For this purpose, many services offer “HTTPS tunneling,” a technology that allows passwords to be sent over the Internet without being transmitted through an intermediary.
With HTTPS tunneling, a user’s credentials are encrypted between the user and the provider. A script is then used to intercept the transmission and extracts the password and user information.
This solution helps to ensure that sensitive information does not travel beyond the device. However, counting on 2FA for foolproof security is not reliable.
DRM solutions
The solution is to use DRM solutions. In simple words, DRM stands for digital rights management. The idea behind this type of security solution is that once a user logs into the application, any device that that user visits that contains the application will authenticate her credentials automatically.
Digital rights management solutions have a huge advantage over traditional two-factor authentication applications. With a DRM-enabled solution, classified documents, eBooks, digital books, and digital pictures have long been safeguarded and kept secure. In addition, digital content is always up to date, preventing duplication of content or sharing of said content with unauthorized sources.
In practice, this means that a user’s credentials can only be viewed by the device from where the user is logged into the application. If a user’s credentials are saved on the user’s device, a malicious actor cannot access the credentials unless he has access to her device. A device, as mentioned before, can also not access credentials stored on another device.
While providing the highest level of security, a DRM solution relies on both hardware and software components that work in sync with one another. With DRM systems as all information is encrypted in one place which makes it difficult for anyone to access the information even someone from another device.
This security solution ensures that your company’s data is always safe and can only be accessed by those you want.
I am a passionate, adventurous, and insatiate learner who loves to write about the latest technology trends. My experience working in an MNC has motivated me to understand that there are certain niche requirements for writing strategically about brands’ messages towards people’s interests which I’ve mastered over time through trial and error of many projects under various clients across diverse industries. It is my honest effort to put my experiences and knowledge of industry towards readers.