Article posted: Feb 27, 2018
By Anders Adolfsson, Technical Consultant
We've written about the dangers of One-Time Passwords (OTP) for use in two-factor authentication and applauded the National Institute of Standards and Technology's (NIST) stance on eliminating SMS-based OTPs. It seems we're not alone. FireEye recently blogged about the dangers of OTPs in phishing campaigns and how hackers are using real-time phishing in attacks on corporate websites.
Real-time phishing dates back to 2010 and is defined as a man-in-the-middle attack that enables a criminal to commit fraud in real time: the phishing site relays the victim's credentials and freshly entered one-time code to the legitimate service while the code is still valid. Many organizations dismiss the threat of real-time phishing because engineering such an attack is difficult. Still, with an abundance of OTPs and push notifications used in today's two-factor authentication market, real-time phishing poses a real threat. And hackers are fully prepared to steal password information to access organizations' servers and, more importantly, their data.
So how can companies cut the lines on the phishers? First, they should choose better multi-factor authentication methods, including virtual smart cards, tokens, biometrics and smart cards, to obviate the need for OTPs. It's also critical that organizations configure all services protected by multi-factor authentication to minimize the impact if an attacker is able to navigate around whatever multi-factor protections are in place. Limiting employee access adds yet another protection layer; employees should only be able to access the resources necessary to do their individual jobs. This is easily managed with an identity and access management (IAM) solution.
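To make concrete why the first recommendation above works, here is an added toy model (not code from the original post or from Versasec) of the two authentication styles under a relay. An OTP is a bearer value: whoever presents it within its time window is accepted, so a phishing site that forwards it immediately logs in. A smart card or FIDO-style token instead answers a server challenge with a signature that covers the origin the browser is actually connected to; relayed through a look-alike domain, the response no longer verifies against the real origin. The origins, secrets and HOTP/TOTP timestep are constructed for the example, and an HMAC over a shared device key stands in for the card's asymmetric signature to keep the code dependency-free.

```python
"""Constructed example: OTP vs. origin-bound challenge-response under a real-time phishing relay."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "login.example.com"   # constructed: the real service
PHISH_ORIGIN = "login.examp1e.com"   # constructed: look-alike site that relays to the real one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP is HOTP with counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """The legitimate service. Knows the user's OTP seed and the device key."""

    def __init__(self, origin: str, otp_secret: bytes, device_key: bytes):
        self.origin = origin
        self.otp_secret = otp_secret
        self.device_key = device_key
        self.pending = set()  # outstanding challenges (single use)

    def verify_otp(self, code: str, timestep: int) -> bool:
        # Nothing here ties the code to who typed it or where: a relayed code is accepted.
        return hmac.compare_digest(code, hotp(self.otp_secret, timestep))

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        # The service checks the response against ITS OWN origin, not whatever the client saw.
        expected = hmac.new(self.device_key, nonce + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class Device:
    """User's authenticator (OTP app, or a smart card / FIDO token for challenge-response)."""

    def __init__(self, otp_secret: bytes, device_key: bytes):
        self.otp_secret = otp_secret
        self.device_key = device_key

    def otp(self, timestep: int) -> str:
        return hotp(self.otp_secret, timestep)

    def respond(self, nonce: bytes, connected_origin: str) -> bytes:
        # Origin binding: the browser supplies the origin it is really talking to,
        # and the token signs it together with the nonce (HMAC stands in for a signature).
        return hmac.new(self.device_key, nonce + connected_origin.encode(), hashlib.sha256).digest()


def make_setup():
    """Enroll one constructed user at the legitimate service."""
    otp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    return Service(LEGIT_ORIGIN, otp_secret, device_key), Device(otp_secret, device_key)


def otp_direct(service: Service, device: Device, timestep: int) -> bool:
    return service.verify_otp(device.otp(timestep), timestep)


def otp_via_relay(service: Service, device: Device, timestep: int) -> bool:
    # The user types the current code into the phishing page; the page forwards it at once.
    relayed_code = device.otp(timestep)
    return service.verify_otp(relayed_code, timestep)  # accepted: the code is a bearer value


def challenge_direct(service: Service, device: Device) -> bool:
    nonce = service.new_challenge()
    return service.verify_response(nonce, device.respond(nonce, LEGIT_ORIGIN))


def challenge_via_relay(service: Service, device: Device) -> bool:
    # The phishing page fetches a genuine challenge and passes it to the victim's browser,
    # but the browser is connected to PHISH_ORIGIN, so that is what gets signed.
    nonce = service.new_challenge()
    relayed_response = device.respond(nonce, PHISH_ORIGIN)
    return service.verify_response(nonce, relayed_response)  # rejected: origin mismatch


if __name__ == "__main__":
    svc, dev = make_setup()
    step = 1_700_000_000 // 30  # constructed TOTP timestep
    print("OTP, direct login:        ", otp_direct(svc, dev, step))
    print("OTP, through relay:       ", otp_via_relay(svc, dev, step))
    print("Challenge, direct login:  ", challenge_direct(svc, dev))
    print("Challenge, through relay: ", challenge_via_relay(svc, dev))
```

The model deliberately gives the relay every advantage (it forwards instantly, inside the OTP window) to show that timing is not the defence; the property that stops it is that the second factor's proof is computed over the real origin. That is the same reason push-approval prompts, which carry no origin information either, fall to the same relay.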
It's easy for organizations to implement any of these anti-phishing techniques by using a trusted identity and access management (IAM) solution. Using an IAM solution enables the IT department to monitor an employee's access to equipment and data within the organization throughout the employee's term of employment - from first day to last day. In addition, if the employee leaves, a good IAM solution gives the IT department the ability to immediately revoke the employee's access.
We introduced vSEC:CMS 5.0 last month, and it supports the greatest number of smart cards on the market. To learn more about how to better protect your organization from real-time phishing attacks using identity and access management, visit https://versasec.com/vsec-cms.php.