Top 4 insecure standards we can't easily abandon
Security is hard enough using up-to-date standards and products, yet we still commonly encounter consequential incidents that boil down to users relying on obsolete products that are known to be vulnerable.
Even some of our most basic technologies are known to be insecure—and perhaps unsecurable. For a variety of reasons, we insist on continuing to use them. Here are four of the most troublesome.
The security problems with passwords have been obvious for literally decades: People use the same password for multiple or even all sites; people use weak passwords; and passwords can and are stolen from sites that store them improperly.
For decades, researchers have been trying to find usable replacements for passwords, and they've made progress. New standards, such as WebAuthn and FIDO2, allow strong authentication using smartphones or inexpensive physical tokens as secondary or even primary factors. Recently, Microsoft enabled completely passwordless access to its consumer services accounts using these standards.
But for almost all accounts users have, both business and personal, they still need a username and password. In an effort to make them more secure, administrators set rules to require passwords to be unique, long, and complex—like z^ek8!FE2@8c—which makes them impossible to remember. The only way a normal human being can operate within rules like these is to use a password manager, and they're not so easy to work with either.
Human beings hate complicated solutions and look for simple ones, so they continue to use simple passwords and they reuse them on many different sites. It will ever be thus until stronger methods become easy to use.
2. SMS as a second factor
Yes, we just described second authentication factors as a good thing, but not all second factors are the same. The first widely used second factor was to send an SMS text code to the registered user's phone, with the code proving that the user attempting to log in also possesses the registered user's phone.
Unfortunately, SMS second-factor methods are no longer secure enough. Depending on the laxness of provider procedures, mobile phones may be vulnerable to a SIM swap attack, in which a third party convinces a telco that they are the account owner and need a new SIM card. They plug the new card in and then have your phone number, including those text messages with the second-factor codes. It's surprisingly common, and easy: Twitter CEO and co-founder Jack Dorsey had his phone hijacked in 2019 in such an attack, and there are tools available to automate the attacks.
Here's how SIM swapping works. When you make a phone call, your phone's SIM card connects your phone to your cell phone provider's cellular network. Within it appear your phone's unique identifying number, international mobile subscriber identity (IMSI), your phone number, and other personal and device data.
Please read: Minimize risk now with multifactor authentication
Solutions are perhaps forthcoming. A new FCC proposal aims to curtail SIM swapping by strengthening the factors by which people authenticate themselves as the actual customer. But the best available solution is using a physical cryptographic key, which makes SIM swapping attacks impossible. Some of the best to consider are Google Titan Key, Kensington VeriMark Fingerprint Key, Thetis FIDO UCF Security Key, YubiKey 5 NFC, and YubiKey 5C. These devices cost from $20 to $60.
Authenticator apps are also helpful, free, and very safe. You can run these on your smartphone without worrying about the dangers of SMS. Popular options include Authy, Google Authenticator, LastPass Authenticator, and Microsoft Authenticator. Pick one, then stick with it. The most popular services, like Twitter and Facebook, support all of them.
3. Credit and bank cards with magnetic stripes
In the U.S., credit and bank cards still usually have a magnetic stripe and even a signature for security years after they've been cracked. Criminal gangs put skimmer hardware on card readers and keypads and use cameras to capture card data and PINs.
The fix arrived in the '90s, in the form of EMV chips that you see on global Europay, Mastercard, and Visa cards. These securely store a unique identity for the card on a tiny integrated circuit. EMV has long been used around the world but was resisted in the U.S. for years. American banks finally started issuing chip cards in the mid-2010s. To force businesses into joining the 21st century, credit card companies shifted liability for fraudulent card use and chargebacks to the retailers instead of card issuers in 2015. Nevertheless, today many card readers in the U.S. still haven't been upgraded, and many cost-sensitive cards, such as disposable gift cards, prepaid cards used for refunds, and even some store-brand cards, don't have EMV chips at all.
Some companies, such as Mastercard, are finally figuring this all out. In 2027, you won't have to get a magnetic stripe on your new Mastercard card in the U.S. After 2029, no new Mastercard debit or credit cards will come with a magnetic stripe. And by 2033, the stripes will be completely gone.
Wi-Fi is everywhere. Put another way, old Wi-Fi routers and access points are everywhere.
Wi-Fi always came with security, in the form of encryption of traffic using a shared secret key. The earliest version, Wired Equivalent Privacy (WEP), was quickly shown to be wholly insecure. Its successors, Wi-Fi Protected Access (WPA) and WPA2, took longer to crack, but crack they did.
Please read: WPA3: Your next wireless devices should support it
Today, your only good choice for Wi-Fi encryption is WPA3. With the arguable exception of certain complicated configurations of WPA2-Enterprise, designed for large defense organizations, everything else in the way of Wi-Fi security is weak. Programs such as Aircrack-ng make it possible for anyone with a clue to break into your network.
WPA3 is not just secure where its predecessors are easy to crack; it makes strong security easier to accomplish. A WPA2 network without a password is necessarily unencrypted, but WPA3 employs a new standard called Opportunistic Wireless Encryption, which negotiates strong encryption between the client and the network even without a password. When you connect in a coffee shop or other public space that doesn't require a password, even if it makes you view a web page to connect to the network, the connection is insecure with WPA2 while WPA3 solves the problem.
Adopting WPA3 creates a new secure baseline, but unless you fully control your client devices, you will likely incur a support burden from the vast number of old clients that don't support it.
Insecure technologies persist because they're often easier and more familiar than secure ones (although frequently, they are more expensive to use—at least in the short term—than secure ones). Or it's possible that those in a position to influence decisions just aren't pushing for secure alternatives. These reasons are all understandable, but in an effective enterprise, none of them are defensible.
Starting in 2027, you won't get a magnetic stripe on your new Mastercard card in America.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.