Why Passwords Don’t Hack It Anymore

Security folks (like me) have been telling people for years that passwords are just not secure enough anymore.

Now we have another reason that is true.

Companies have been promoting single sign on as a way around the insecurity of passwords, but now, even that is not secure anymore.

Multifactor authentication helps, but even that isn’t perfect and people grump about it a lot.

Lets pick this apart.

First we told people to look for the padlock in the browser address bar. That worked until hackers started buying doppleganger domains. Is GOOGLE.COM different than G00GLE.COM? What about TIME.COM vs. T1ME.COM? Or DISNEY.COM vs DlSNEY.COM? You get the idea.

When the web went truly international, the browsers had to support different character sets and the hackers added homograph attacks. These are attacks that abuse those different character sets in a way that looks visually identical to the real domain.

Now attackers are figuring out how to compromise single signon attacks. Examples that consumers see are “signon with Google” or “signon with Facebook”, but the business world uses Microsoft single signon or Ping or Okta.

Here is an example of a real and fake “signon with Facebook” screen:

real and fake single signon page

There is a difference between these two, but even I can’t see what it is.

They still have to lure you to the bad website, but if they do and you fall for the sign on with xxx bait, they have you.

But you say, what about multifactor authentication? It definitely helps, but does EVERY site you log into use MFA? I didn’t think so.

And users LOVE having to enter a number from a text message (ignore the SIM swapping attack for the moment). If EVERY SINGLE WEBSITE that you care about uses MFA and you use a more secure MFA method like an authenticator app, that is probably still pretty good.

But if you reuse passwords or if you don’t use MFA EVERYWHERE, you have a problem.

According to researcher mr.d0x, it is pretty simple to concoct the fake popup login with basic HTML and stylesheets. Using Javascript, you can make the window pop up anywhere on the screen – on a button click or a page load or whatever.

This attack, called a Browser-in-the-browser attack, can also fake out the hover over the URL trick. Go to the link for details on how that works.

One tool that reduces the effectiveness of this attack is a password manager. Why? Because the password manager doesn’t rely on the visual URL. It is looking at the code underlying that and it isn’t as easily fooled.

But most companies don’t use – or at least force the use – of password managers and most consumers have no clue what a password manager is.

Client-side encryption certificates are also great, as is IP whitelisting. Most companies don’t even know what that is. Consumers certainly don’t. And, many systems don’t even support this technology.

None of this is bullet proof, but it makes things a lot more secure.

FIDO keys work well too, but how many people have FIDO keys?

Bottom line is that IT teams need to up their game before it is too late.

You can find the rest of the story at Threatpost.

Leave a Reply

Your email address will not be published.