This past year was one of the most fruitful years in terms of cyberattacks. In fact, the number of data breaches through September of 2021 exceeded the total number of successful cyberattacks by 17% compared to 2020.
Having that in mind, security leaders have the responsibility to look back at the past twelve months, analyze the biggest cyber incidents and apply the lessons learned into security strategies for the next year — specifically with a focus on mobile security, which has historically been seen as a lower priority than desktop security.
Without further ado, let’s start by going through the incidents of 2021 before discussing the biggest risks security leaders will face this year.
2021: Traditional mobile authentication methods prove outdated
Somewhat unsurprisingly, the biggest cyberattacks in 2021 happened after the main protectors of the year had been compromised — the password and SMS one-time password (OTP) for two-factor authentication (2FA).
Last year, the world erupted with news of the Colonial Pipeline cyberattack, where the hackers took down the largest fuel pipeline in the U.S., leading to shortages on the East Coast.
Security leaders may assume that only the best of hackers could achieve a hack of this magnitude, but they would be thinking wrong.
This cyberattack was caused by a single compromised password, one which has since been discovered in a data leak on the dark web. A Colonial employee may have re-used the password on another account that had been previously hacked, a malpractice omnipresent today due to the hassle that is the management of tens of different passwords.
In fact, 66% of digital users "always" or "mostly" use the same password or variation across websites. Now, add to that the fact that this employee wasn’t using any type of multi-factor authentication, and it is clear why the attack was pulled off easily.
Any type of multi-factor authentication, including two-factor authentication, adds significantly more security to business accounts, but if an enterprise security team has the possibility to add an additional factor that isn’t SMS OTP 2FA, then that’s what security leaders should choose.
The other biggest incident this year, the Coinbase hack happened due to flaws in the company’s SMS 2FA system. In this attack, cybercriminals managed to steal cryptocurrency from approximately 6,000 Coinbase customers.
To take over an account via SMS 2FA, the cybercriminal needed to know the user’s account email address, password and phone number. As to where this data came from, possibilities could include a past data breach or a phishing campaign that Coinbase said targeted their users between April and early May 2021.
The company attributes the hack to a flaw in their SMS account recovery protocol, and while they did not specify the flaw, cybersecurity professionals have to be aware of the inherent flaws SMS 2FA comes with.
To start with, SMS uses the SS7 switching protocol that hasn’t changed since 1975 when SMS was originally introduced. It’s a design flaw that criminals can exploit to reroute or intercept the SMS containing your one-time password.
On top of that, SMS 2FA comes with the risk of SIM swapping, a hack in which fraudsters use personal information such as first and last names, social security number, dates of birth and more to trick mobile network operators and take control of SIM cards. This may sound like a stretch, but 80% of all SIM swap attacks are successful.
Finally, in 2021 security leaders have also seen a rise in OTP interception bots, which are designed to help cybercriminals easily intercept OTPs. When bots get into the game, the risk of the huge scale this hack could take on is unacceptable.
All that being said, cybersecurity professionals have to ask themselves whether 2022 is the year they finally decide to retire these two authentication methods.
2022: The expansion of the mobile threat landscape & what you can do to prepare
This year, it seems the mobile threat landscape will only continue to grow, with the main catalysts for this growth being work-from-home, bring your own device (BYOD) policies and the ongoing pandemic.
In a business setting, companies will have to be mindful of work-from-home practices and the BYOD policies they employ. When working from home, employees work on their own networks and sometimes on their own devices, which is why the security precautions taken by any organization with remote workers needs to be up to standard.
This means multi-factor authentication in the least, and continuous and zero trust security architecture if that type of investment is possible.
In the private setting, the remote workforce started doing just about anything online, and chances are, when it ends, the situation won’t change much. The convenience of remote work is tough to forget once employees have experienced it.
In turn, the pandemic also meant the skyrocketing of cyberattacks, and the way to prevent them is education of the general public, in addition to providing them with secure mobile authentication options.
With multi-factor authentication in both cases, it’s important to remember to make sure security systems provide a great user experience in addition to great security. Security leaders can look into mobile IP address-based authentication solutions and biometrics, the two rulers of frictionless user experience.
Otherwise, cybersecurity professionals risk employees or users cutting corners or abandoning the login process altogether, defeating the purpose of implementing it in the first place.