CCSK

  • 1.  Cellular networks for MFA? Benefits & risks?

    Posted Nov 03, 2021 10:45:00 AM

    Hello!

    In module 5 of the CCSK training, they mention that cellular networks are weak and not very secure when it comes to MFA. So much of MFA nowadays relies on cellular networks, however. How common of an occurrence is it for a hacker to get an OTP from someone's text messages? Does the benefit of MFA outweigh the potential risk of using cellular networks?

    Thanks in advance :)



    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 04, 2021 07:09:00 AM
    These tokens are encrypted in transit and shouldn't matter.

    ------------------------------
    Adnan Rafique
    Cloud Security Leader
    ------------------------------



  • 3.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 04, 2021 07:32:00 AM

    You've obviously never seen a rogue cell MITM attack or understood the cell station SS7 vulnerability!

    Paul 

    (ex-Global CISO, Motorola Cellular Infrastructure Division)



    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 4.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 04, 2021 08:44:00 AM
    OTPs delivered via text messages by phone carriers are not end-to-end encrypted, nor is using them a form of MFA.

    OTPs, like all passwords, are "something you know": using them is "two-step authentication with a single type of factor", unlike OTPs derived via a time-based cryptographic process, where you must have the device in hand.

    Additionally, text messages are no longer just sent by the carrier to a single device. Things like "Your Phone" in Windows 10, iOS Continuity features and carrier web-based portals all allow legitimate mechanisms for reading texts on devices other than the phone they were intended for.

    And then there are a wide variety of attack trees against each of these methods.

    ------------------------------
    Jim Scardelis
    Senior Security Consultant
    PSC
    ------------------------------



  • 5.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 04, 2021 09:25:00 AM
    I was blindly assuming an authenticator app and completely missed out other mechanisms. Thank you, and you are right.

    ------------------------------
    Adnan Rafique
    Cloud Security Leader
    ------------------------------



  • 6.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 17, 2021 09:46:00 AM
    Edited by Jenna Morrison Nov 17, 2021 09:53:05 AM
    Hello,

    Thank you for your response! Can you clarify, though, when you say OTPs are not a form of multi-factor authentication? In the training and in the Security Guidance it says they are a common option for MFA, as they are not used by themselves but as a second step after inputting one's regular password.

    Thanks, I appreciate it :)


    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------



  • 7.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 04, 2021 07:30:00 AM
    Read the advice here:

    https://www.ncsc.gov.uk/guidance/protecting-sms-messages-used-in-critical-business-processes
    https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services

    Regards

    Paul

    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 8.  RE: Cellular networks for MFA? Benefits & risks?

    Posted Nov 17, 2021 09:52:00 AM
    Thank you! I find these very informative and helpful :)

    ------------------------------
    Jenna Morrison
    Training Department Intern
    Cloud Security Alliance
    ------------------------------