SIM Swapping Prevention

The LAPSUS$ cybercrime group, which deleted 50TB of patient data from Brazil’s Ministry of Health, has this week disclosed breaches of both Microsoft and Okta. LAPSUS$ are threatening to publish leaked data from Microsoft (source code) and Okta (clients) unless a ransom is paid. LAPSUS$ claim NVIDIA, Samsung and Vodafone as targets that they have previously breached.

LAPSUS$ use an identity spoofing approach involving SIM Swapping to gain control of the second factor of a privileged account. They achieve this by recruiting internal employees at a telecom who have the privileged access needed to commit a SIM swap. When they are ransoming for millions, $20k is a minimal overhead, but I would be extremely doubtful that they ever paid up!

LAPSUS$ hiring on Telegram

A SIM swap by itself will not lead to a breach: it requires the right individual target and potentially another authentication factor. Let’s therefore look at how SIM Swapping works and the steps necessary to make use of such a privilege. We will also look at the steps the Chief Information Security Officer should put in place to protect against such low-tech / high-impact attacks.

What is SIM Swapping

SIM Swapping originally involved impersonating the user to request a SIM change at the Mobile Network Operator, but this is harder to do now, so scammers are instead getting the Carrier’s employees to commit a criminal act. Once the scammer has control of an employee they can target the specific mobile numbers of their chosen individuals for SIM swapping. They can then receive the One Time Passcodes necessary to take ownership of any service that uses SMS as an authentication factor. It is the responsibility of the Mobile Carrier to prevent such malicious behaviour, and it should be investing in auditing and social-engineering protection for its staff.

Telecoms firms employ thousands of privileged users with administrative rights in their call centres and central administration centres. Many of these processes are out-sourced at the lowest possible cost to third parties. Furthermore, it is not uncommon for out-sourced processes to be implemented in Robotic Process Automation tools with minimal code review, potentially allowing corrupt users to leave undetectable backdoors into key systems. Carriers must enforce good access control and access auditing on major processes that bear a risk for their customers. This means internal fraud prevention must identify points of weakness in advance, recognise inappropriate actions as quickly as possible, and identify the end users affected. The TM Forum’s Trust and Security Programme is a good start.

Protect Your System Administrators From Targeted Spear Phishing

As many as 1 in 100 System Administrators could be the victim of Targeted Spear Phishing (TSP) attacks in which they are blackmailed or conned into illegal behaviour. The UK National Crime Agency puts the number of people in the UK with a sexual interest in abusing children at 144,000, meaning that out of 26m adult males in the UK, 1 in 200 male sys admins can be blackmailed. Other threats such as gambling problems, drug and alcohol dependence and other forms of blackmail cannot be ignored. For these reasons advanced vetting is recommended for all critical System Administrators with significant system access; basic DBS checks should be the bare minimum. It is not possible to completely remove all TSP attacks, therefore the security architecture must be appropriate and avoid using techniques which can be intercepted.

Switch Off SMS Based Authentication in Preference for Finger Print / Facial Recognition for All Employees

Okta and other Identity Management solutions allow the selection of which MFA credentials they will accept. There are risks with facial recognition and fingerprint spoofing, but these are much lower risks than interceptable SMS and One Time Passcode based MFA. In the UK over 90% of mobile phone users have Smartphones, and the penetration rate is above 100% amongst technologists. It therefore must be mandatory in any organisation that all System Administrators use fingerprint or other “Something You Are” biometric MFA for privileged access. Remember, though, that regular forced password changes increase the risk of breach, as users move to easily rememberable passwords.
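The two controls above (no interceptable factor for administrators, and watching SMS codes while they are still in use) can be expressed as simple checks over factor enrolments and authentication events. The following is an added example written for this page, not code from the post or from Okta; the factor names, the record layout and the sample data are constructed, and the SIM-change feed is assumed to come from the carrier or a SIM-swap lookup service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Factor classes used by the policy below. The names are assumptions for this
# example, not an identity provider's own factor identifiers.
INTERCEPTABLE = {"sms", "voice"}                    # delivered to a phone number; a SIM swap redirects them
SOMETHING_YOU_ARE = {"fingerprint", "face"}         # biometric, bound to the enrolled device
OTHER_STRONG = {"security_key", "totp_app", "push"} # possession factors that do not depend on the number


@dataclass(frozen=True)
class Enrolment:
    user: str
    privileged: bool      # system administrator / privileged role
    factors: frozenset    # factors currently enrolled for this user


def audit_factor_policy(enrolments):
    """Check enrolments against the policy in the post: privileged users must
    have a 'something you are' factor and must not keep any interceptable
    factor enrolled, because a weak fallback is still a way in. Non-privileged
    users are only flagged when SMS/voice is all they have.
    Returns {user: [finding, ...]} for non-compliant users."""
    findings = {}
    for e in enrolments:
        problems = []
        if e.privileged:
            if not e.factors & SOMETHING_YOU_ARE:
                problems.append("no biometric factor enrolled")
            weak = sorted(e.factors & INTERCEPTABLE)
            if weak:
                problems.append("interceptable factor enrolled: " + ", ".join(weak))
        elif e.factors and not e.factors - INTERCEPTABLE:
            problems.append("only interceptable factors enrolled")
        if problems:
            findings[e.user] = problems
    return findings


def otp_logins_after_sim_change(auth_events, sim_changes, window=timedelta(hours=48)):
    """Detection for the period before SMS can be switched off: flag successful
    logins that relied on an SMS/voice code within `window` after the number's
    SIM was changed. auth_events: iterable of (user, msisdn, factor, time);
    sim_changes: {msisdn: time of the most recent SIM change}."""
    flagged = []
    for user, msisdn, factor, when in auth_events:
        changed = sim_changes.get(msisdn)
        if factor in INTERCEPTABLE and changed is not None and changed <= when <= changed + window:
            flagged.append((user, msisdn, when))
    return flagged


# Constructed sample data (the 07700 900xxx range is reserved for fiction in the UK).
ENROLMENTS = [
    Enrolment("alice", True, frozenset({"sms", "totp_app"})),   # admin with SMS still enrolled
    Enrolment("bob", True, frozenset({"fingerprint"})),         # compliant admin
    Enrolment("carol", False, frozenset({"sms"})),              # ordinary user, SMS only
    Enrolment("dave", False, frozenset({"sms", "push"})),       # ordinary user with a stronger option
]
SIM_CHANGES = {"+447700900123": datetime(2022, 3, 20, 9, 0)}
AUTH_EVENTS = [
    ("alice", "+447700900123", "sms", datetime(2022, 3, 21, 10, 0)),   # 25 h after the SIM change
    ("alice", "+447700900123", "sms", datetime(2022, 3, 25, 10, 0)),   # outside the window
    ("bob", "+447700900999", "fingerprint", datetime(2022, 3, 21, 10, 0)),
]

if __name__ == "__main__":
    for user, problems in audit_factor_policy(ENROLMENTS).items():
        print(user, "->", "; ".join(problems))
    for user, msisdn, when in otp_logins_after_sim_change(AUTH_EVENTS, SIM_CHANGES):
        print("review:", user, msisdn, when.isoformat())
```

The audit deliberately flags an administrator who has a biometric factor but still has SMS enrolled: the attacker chooses the weakest factor the policy allows, not the strongest one the user has.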

Conclusion: Always Have Backups Including Identity Management Platforms

With DevOps and Infrastructure as Code it is possible to have backups of all systems that can be quickly redeployed. Have your architecture team review your systems estate for complete recoverability so that you always have a fall-back option. For transactional items keep a time-series store of all transactions for recoverability. And every year run a full disaster recovery scenario planning practice day, treated as a real event, so that as CISO / CTO / CIO you understand what your risks are.

How do Covid-19 tracing apps work and how do they comply with EU-GDPR?

The UK is trialling its Covid-19 contact tracing application, which tracks human interactions. The app uses Bluetooth Low Energy (BLE) communications between smartphones to register the duration and distance of ‘handshakes’. This data is then uploaded to a centralised database so that, if a user self-registers as Covid-19 positive, the centralised service can push notifications to all ‘contacts’. This is a highly centralised model based around relaying all users’ ‘Contact Events’ together with user self-assessments of Covid-19 symptoms.

A user can self-report having the symptoms of Coronavirus. They cannot report a positive test for Coronavirus as there is no way of entering either an NHS_ID or a Test_ID. Technically the UK mobile app does not match the mobile App ID against the user’s NHS ID, and there is no mapping between the app and NHS England’s Epic system. This approach allows for greater anonymity as the centralised database will not be recording a user’s NHS identifier. The downside of this approach will be a higher percentage of false positives and contact notifications.

NHSX’s Covid-19 App requires GDPR Consent as the legal basis to enable permissions

NHSX and Pivotal, the software development firm, have published the App’s source code and the App’s Data Protection Impact Assessment. The latter is a mandatory document within the EU-GDPR framework. The user provides ‘Consent’ as the legal basis for data processing of the first three characters of their postcode and the enabling of permissions. The NHS Covid-19 app captures the first part of the user’s postcode as personal data. It then requests permissions for Bluetooth connectivity, necessary for handshakes, and Push notifications, necessary for file transfer.

The UK NHS app captures ‘Contact Events’ between enabled devices using Bluetooth. The app records and uploads Bluetooth Low Energy handshakes based on the Bluetooth Received Signal Strength Indication (RSSI) measure for determining proximity. Not all RSSI values are the same, as chip manufacturers and firmware differ: the RSSI reported for the same signal differs between radio circuits. Two different models of iPhone will have similar internal Bluetooth components, whereas on Android there will be a large variation of devices and chipsets. For Android devices it will be harder to measure a consistent RSSI across millions of handshakes. A Covid-19 proximity virus transfer predictor should take into account the variances between BLE chipsets.

All of the ‘Contact Events’ are stored in the centralised NHSX database. This datastore will most likely hold simple document records for each event, its duration, the average proximity, the postcode (first three characters) only where that occurred and which devices were involved. It will then run queries against that database whenever a user self-registers their Covid-19 symptoms. The centralised server will push notification messages to all registered app users returned in that query. The logic in the server will most likely take a positive / inclusive approach to notification so that anybody within a 2 metre RSSI range for more than 1 second of a person with Covid-19 symptoms will be notified.
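The server-side query described above, together with the chipset variance point from the previous paragraph, as an added example written for this page (not NHSX’s or Pivotal’s code). It assumes a log-distance path-loss model and a constructed per-chipset table of the RSSI expected at 1 metre; the event layout, thresholds and sample data are also constructed.

```python
from dataclasses import dataclass

# Assumed calibration (constructed values): the RSSI in dBm that a receiver of a
# given chipset family reports for a transmitter 1 metre away. Real values come
# from measuring each device family; none of these numbers are from the post.
ONE_METRE_RSSI_DBM = {"iphone_a": -59, "android_x": -65, "android_y": -52}
DEFAULT_ONE_METRE_RSSI_DBM = -60
PATH_LOSS_EXPONENT = 2.0  # log-distance model; indoor environments are usually higher


def rssi_to_metres(rssi_dbm, receiver_chipset):
    """Log-distance estimate d = 10^((RSSI_1m - RSSI) / (10 n)), using the
    receiver's own 1 m reference, so the same dBm reading maps to a different
    distance on different chipsets."""
    ref = ONE_METRE_RSSI_DBM.get(receiver_chipset, DEFAULT_ONE_METRE_RSSI_DBM)
    return 10 ** ((ref - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


@dataclass(frozen=True)
class ContactEvent:
    observer: str          # app id of the device that measured the RSSI
    observed: str          # app id of the device it heard
    observer_chipset: str  # needed to interpret the observer's RSSI
    avg_rssi_dbm: int
    duration_s: float
    postcode_prefix: str   # first part of the postcode only, as the app captures it


def contacts_to_notify(events, reporting_device, max_metres=2.0, min_seconds=1.0):
    """The query the central server runs when a user reports symptoms: every
    other device that was within `max_metres` of the reporting device for at
    least `min_seconds`, using the inclusive thresholds the post describes."""
    notify = set()
    for ev in events:
        if reporting_device not in (ev.observer, ev.observed):
            continue
        other = ev.observed if ev.observer == reporting_device else ev.observer
        distance = rssi_to_metres(ev.avg_rssi_dbm, ev.observer_chipset)
        if distance <= max_metres and ev.duration_s >= min_seconds:
            notify.add(other)
    return notify


# Constructed sample store. Note that -65 dBm is ~2 m on "iphone_a" but 1 m on
# "android_x" and ~4.5 m on "android_y": the same reading, three distances.
EVENTS = [
    ContactEvent("dev-A", "dev-B", "iphone_a", -65, 300.0, "SW1"),   # ~2.0 m, 5 minutes
    ContactEvent("dev-C", "dev-A", "android_x", -65, 120.0, "SW1"),  # 1.0 m, 2 minutes
    ContactEvent("dev-A", "dev-D", "iphone_a", -72, 600.0, "SW1"),   # ~4.5 m, too far
    ContactEvent("dev-E", "dev-A", "android_y", -58, 0.5, "SW1"),    # ~2.0 m but too brief
    ContactEvent("dev-F", "dev-G", "iphone_a", -50, 900.0, "E1"),    # does not involve dev-A
]

if __name__ == "__main__":
    print("notify:", sorted(contacts_to_notify(EVENTS, "dev-A")))
    for chipset in ("iphone_a", "android_x", "android_y"):
        print(chipset, "-65 dBm ->", round(rssi_to_metres(-65, chipset), 2), "m")
```

Without the per-chipset reference the server would have to pick one global RSSI cut-off, which over-notifies on sensitive radios and under-notifies on weak ones; the calibration table is what makes a single distance threshold meaningful.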

All EU countries must comply with EU-GDPR and all are currently launching their Covid-19 tracking applications. Because these applications require the user to download them, they can only use ‘Consent’ as the legal basis for data capture and require a register of the user’s consent. The user must also be able to revoke ‘Consent’ through the simple step of deleting the app on their device. A more pertinent challenge is within a corporate or public work environment, where there can be a ‘Legitimate Interest’ legal basis for capturing users’ symptoms. For example, a care home could have a legitimate interest in knowing the Covid-19 symptoms of its employees. It is likely we will see growth in the use of private apps encouraged by employers if the national centralised government apps do not reach a critical mass. Either way we live in a smartphone world and Bluetooth’s ubiquity is now certain.

Mobile Network Operators and UK Open Banking – Role of Password-less Multi-Factor Authentication and 5G Network Slicing (of course)

In 2017, 22 million people managed their current account on their phone, and this is predicted to increase to 35 million customers using mobile banking applications by 2023. The mobile phone, rather than internet or retail banking, is also the de facto standard for mobile banking services, with more than 250 million Apple Pay users.

UK Open Banking is intended to create a FinTech market similar to a 1980s consumer credit boom by decoupling the underlying bank from the service provider. Open Banking promotes an aggregated single view of all of a customer’s accounts in one place as well as aggregated personal finance and debt management tools. This creates an opportunity for the Mobile Network Operator interested in providing financial services without undertaking a full banking licence.

Open APIs and security are critical to Open Banking. The Open APIs enable third-party developers to extend the services of financial institutions. Open Banking effectively supports and extends the European PSD2 directive, how non-Brexity! In Open Banking, the UK CMA introduced rules that mean that banks must allow the customer to share their financial information with other AUTHORISED providers. These are known as Account Information Service Providers (AISPs) and are regulated by the FCA. This requirement creates an opportunity for the Mobile Network Operator to either become a Mobile Banking AISP and / or to be a more general provider of Security Services to AISPs and Banks. Both options benefit from specific technologies that the MNO can provide. These include:

  1. a 5G Network Slice dedicated to “Mobile Banking”
  2. the exposure of Risk Evaluation services based on fraud prevention and location data
  3. the implementation of Passwordless Multi-Factor authentication service

Network services that increase the quality and security of mobile banking

Users of any service do not like service continuity issues. This discontent is greater when the interaction is form based and stateful, and the worry is higher if the session drops during a mobile banking transaction. For example, it can be peeving when a session interruption affects transferring money whilst in the back of a taxi on the way to an airport. Mobile applications can handle session management issues more gracefully than mobile browsers. Nevertheless there will always be customer dissatisfaction associated with session drops when using mobile banking services.

5G provides improved session and service continuity. One of the key features of a 5G data service is session and service continuity: it ensures an uninterrupted service experience for the user regardless of whether there is a change of UE (User Equipment) IP address or a change in the core network anchor point (the 4G LTE evolved packet system only provides continuity of the IP session). This means that the Mobile Network Operator can provide a chargeable “Mobile Banking” Network Slice, or consume the service itself as an Open Banking service provider.

A 5G Mobile Network Slice dedicated to “Mobile Banking” can also provide enhanced user security as unique security parameters can be defined for network slices individually.

Multi Factor Authentication mechanisms provided by the Mobile Network Operator

The MNO can provide enhanced security based on location based services (subject to GDPR & customer approval). The MNO can provide a risk score based on location of the customer.

The Mobile operator knows through the National Device Register if the device has been stolen. The MNO can provide improved 2nd and 3rd Factor authentication protection through the Equipment Identity Register. This is important as fingerprint spoofing is a known and achievable process; and an amputated digit injected with Botox will continue to provide a useable fingerprint for two weeks!

The Mobile operator understands the roaming likelihood and can quantify the risk. Matching spend and location reduces fraud. Hence the Apple Pay contactless system does not have a £30 limit. In fact it is even safer, as a physical card can be cloned and a four digit PIN can be observed.

The MNO can also wrap 2nd and 3rd factor authentication into its mobile app as an identity provider in the Open Banking universe. And it can provide commercial Risk and Location based APIs consumable by Open Banking service providers.

How Open Banking Implements Multi Factor Authentication and Strong Customer Authentication

UK Open Banking can implement Multi-Factor Authentication, including Passwordless authentication mechanisms, as part of Account Information Service Provider and Payment Initiation Service Provider flows. UK Open Banking uses OAuth 2.0, OpenID Connect and the Financial API specifications from the OpenID Foundation. This extends the PSD2 OAuth 2.0 flow, where the providing bank must use Strong Customer Authentication to authenticate the user.

This can be a Username / Password combination or a higher factor of authentication. More interestingly this can also be Passwordless (fingerprint recognition) authentication, by seamlessly pushing authentication to the bank’s mobile app (if on a mobile device). Alternatively this push can be to the Account Information Service Provider’s authentication service. The Mobile Network Operator can be a UK Open Banking Account Information Service Provider using 3-Factor authentication in a single passwordless action, supplemented by the MNO’s own location based and fraud detection services.
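The OAuth 2.0 / OpenID Connect leg of that flow from the service provider’s side, as an added example written for this page (not code from Open Banking, the OpenID Foundation or any bank). It shows the three bindings a client relies on (state for the callback, nonce for the ID token, PKCE for the code exchange) and the check that the bank actually performed the requested authentication level via the `acr` claim. The `acr` value is a placeholder, the endpoints and client id are assumed, and the bank’s token is minted with a shared HMAC key only so the example runs offline; real deployments sign asymmetrically and the client verifies against the bank’s published JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def query_param(url, name):
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def start_authorization(authorize_endpoint, client_id, redirect_uri, acr="urn:example:sca"):
    """Build the request the AISP/PISP redirects the customer to. state binds the
    callback to this browser session, nonce binds the ID token to it, and the PKCE
    challenge binds the later code exchange to this client instance. acr_values asks
    the bank for the SCA level (placeholder URN, not a real Open Banking value)."""
    verifier = b64url(secrets.token_bytes(32))
    session = {"verifier": verifier, "state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16)), "acr": acr}
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid accounts", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256", "acr_values": acr}
    return authorize_endpoint + "?" + urlencode(params), session


def handle_callback(callback_url, session):
    """Reject any callback whose state does not match the pending session."""
    if query_param(callback_url, "state") != session["state"]:
        raise ValueError("state mismatch: not the request this session started")
    return query_param(callback_url, "code")


def pkce_matches(verifier, challenge):
    """The bank's token endpoint runs this before releasing tokens for a code."""
    return hmac.compare_digest(b64url(hashlib.sha256(verifier.encode()).digest()), challenge)


def issue_id_token(key, issuer, client_id, nonce, acr, now):
    """Stand-in for the bank minting an ID token after authenticating the customer
    (HS256 with a shared key, used here only to keep the example offline)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "aud": client_id, "sub": "customer-123",
                                 "nonce": nonce, "acr": acr, "iat": now, "exp": now + 300}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token, key, issuer, client_id, session, now=None):
    """Client-side checks: signature, issuer, audience, expiry, the nonce from this
    session, and that the bank performed the requested SCA level rather than a
    weaker (e.g. password-only) login. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("token not issued by the expected bank for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token replayed from another session")
    if claims.get("acr") != session["acr"]:
        raise ValueError(f"SCA not performed: acr={claims.get('acr')!r}")
    return claims


def accept_id_token(token, key, issuer, client_id, session, now=None):
    """Boolean wrapper around verify_id_token for policy decisions."""
    try:
        verify_id_token(token, key, issuer, client_id, session, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key, issuer, client = b"constructed-shared-key", "https://bank.example", "tpp-client"
    url, sess = start_authorization("https://bank.example/authorize", client, "https://tpp.example/cb")
    code = handle_callback("https://tpp.example/cb?code=abc123&state=" + sess["state"], sess)
    print("code", code, "pkce ok:", pkce_matches(sess["verifier"], query_param(url, "code_challenge")))
    token = issue_id_token(key, issuer, client, sess["nonce"], sess["acr"], now=int(time.time()))
    print("acr:", verify_id_token(token, key, issuer, client, sess)["acr"])
```

The `acr` check is the part that ties this back to Strong Customer Authentication: a valid, correctly signed ID token is not enough on its own if the bank fell back to a username and password when a passwordless push was requested.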

Use of Open Banking in the Internet of Things

The Mobile operator can also support an AISP model when supporting consumer Internet of Things propositions. As an example, the consumer with a listed Airbnb property that includes a number of smart devices may choose to manage the IoT contracts through a separate bank account whilst managing all their accounts through a single AISP. This creates a nice up-sell loop for the Mobile Network Operator providing AISP capabilities alongside IoT propositions.

Conclusion

Trust is critical for the success of mobile banking. Security breaches can lower the adoption of online banking services. The most effective mobile banking service is the one that integrates all of the available security tools together. This is one that the Mobile Network Operator already does well and can do better with 5G Network Slices and the use of Passwordless 3 Factor Authentication.

Good Data Governance is required to gather and store customer consent as part of the Auditing phase of implementing Open Banking. The flow that secures the relationship between the Bank and the Open Banking provider must be a Multi-Factor Authentication mechanism. The only way to make mass market 3-Factor Authentication any stronger is to utilise the MNO’s location services.

Finally, Mobile Network Operators have historically made poor banks, but with Open Banking they do not need to take that long step. Instead they can aggregate their customers’ existing banking providers through Open Banking.

Some Questions After Quad-Play

I work as an architect at a big telco that has recently become a quad-player. Part of my job is to think of what services come next. My previous interest has always been distributed computing, either networking or large data-sets. Also as part of my job I attend IT conferences on the internet of distributed devices.

My key questions & my current thoughts are:

  • What will become the distributed identity standard for device authentication?
    • OpenID Connect (OIDC) (like SAML) is not an AuthN mechanism but extends the OAuth2.0 model. The identity attribute API can be used for profile loading to define a user’s identity onto the device. This can be a lightweight equivalent of a SIM Profile & also support the eUICC flows for ownership switch (similar to a Profile Content Update Function)
    • Any AuthN & identity solution must support the limitations of loading profiles on smaller memory devices & requiring an authN flow over HTTP.
  • What will be the numbering & addressing standard for massively distributed devices?
    • This is more of an open question relating to the history of the service so that eUICC enabled devices will require an international mobile subscriber identity and LPWA & WIFI enabled devices will require a MAC addressing / IPv6 registry with the service provider.
    • The support for these addressing mechanisms and near field communication devices will have an impact on the network operator’s OSS IT architecture.
    • The GSMA proposal for eUICC uses the START-IMSI required for profile loading, which supports roaming and allows for profile swap on change of ownership.
    • IPv6 offers a highly scalable address scheme. It provides 2^128 unique addresses, which represents 3.4 × 10^38 addresses. In other words, more than 2 billion billion addresses per square millimetre of the Earth’s surface. It is quite sufficient to address the needs of any present and future communicating device.
    • 6LoWPAN provides a simple and efficient mechanism to shorten the IPv6 address size for constrained devices.
  • Will the smart device co-ordination be through an embedded chip-set in the main home internet router?
    • Probably not but I would have said probably not 5 years ago and I still have not seen Zigbee co-ordinators or Thread border routers catch on as stand-alone devices.

I’ve not been blogging for a while, too much work is not an excuse, but will be updating more on these topics soon.

Security Best Practice for Protecting Against Memory Scraping Malware in Target & Home Depot

Credit and debit cards stolen from bricks-and-mortar stores sell on the black market for at least ten times the price of cards stolen from online merchants. There are plenty of TOR accessible card shops that will happily buy the cards from hackers and resell them on the open market. A card stolen from a bricks-and-mortar store can be reused in a real store to buy high value electronic goods or gift cards that can be easily converted into cash. Cards stolen online require a card verification value (CVV) and can only be used by online stores willing to send high value goods to a different shipping address from the billing address.

The two most recent major bricks-and-mortar store card breach stories to appear in the news are Home Depot, where 56m customers’ card details have been stolen, and Target, where 70m customers’ card details have been stolen. In both cases the point of sale (POS) systems were breached by variants of the same memory scraping malware: BlackPOS / Kaptoxa in the case of Target and Framework POS in the case of Home Depot. Both malware variants run inside the POS system (running on Windows) and are registered as a service. Both read card data before it is encrypted, then collate it and later output the card data, which is then made available as ‘dumps’ on black market stores.

Black POS / Kaptoxa behind the TARGET breach:

Continue reading “Security Best Practice for Protecting Against Memory Scraping Malware in Target & Home Depot”

BSS for the IoT: You Don’t Have To Be A Mobile Network Operator To Do It

The Internet of Things is not predicated on mobile or fixed-line operators. It is predicated on the value derived from the interplay between different sensors and actuators. In the history of mobile telecommunications it was the mobile network operators who provided a service that brought together radio waves and handset manufacturers. The success of mobile telecommunications has led to a 93.5% global saturation rate (source: Informa), with the conglomerate operators China Mobile, Vodafone, Airtel, Verizon etc. being the big winners.

Continue reading “BSS for the IoT: You Don’t Have To Be A Mobile Network Operator To Do It”

A Scottish Safe Harbour for Identity Management Update: RBS, Lloyds to move south if Scots vote for independence

Reuters are reporting that the Royal Bank of Scotland and Lloyds Bank will both relocate to England if Scots vote for independence next week. The Royal Bank of Scotland, which employs 11,500 staff in Scotland, announced that it had taken the option to relocate to England because a vote for independence would create uncertainties which could impact its ability to borrow. Lloyds Bank, which employs 16,000 staff in Scotland, announced that its contingency plans for Scottish independence included setting up “new principal legal entities in England”.

Continue reading “A Scottish Safe Harbour for Identity Management Update: RBS, Lloyds to move south if Scots vote for independence”

A Scottish Safe Harbour for Identity Management

The Data Protection Directive (officially Directive 95/46/EC) regulates the processing of personal data within the European Union and also provides the criteria for Safe Harbour privacy for companies operating within the European Union. The Safe Harbour regulations forbid sending customers’ personal data to countries outside the European Economic Area unless there is a guarantee that it will receive adequate levels of protection. There are no Safe Harbour considerations for EU companies with services deployed to Scotland while Scotland is part of the UK, or once Scotland has become independent of the UK and joined the EU as an independent country. However, there may be a period of time between Scotland becoming independent and joining the EU (as an independent country) when Safe Harbour requirements really matter. At that time no EU company will have a Safe Harbour agreement with the newly independent Scotland. Therefore any company with Identity Stores (or business systems containing personal data) deployed in Scotland will be in breach of the Data Protection Directive.

Continue reading “A Scottish Safe Harbour for Identity Management”

Some Identity Standard Factoids

The following are some interesting security factoids that point towards the benefit of a mobile 2FA (Over the Air or Wireless Public Key Infrastructure) federated identity model:

  • The most commonly used password in the English speaking world is ‘123456’. Previously it was ‘password’
  • An average UK internet user has five different username and password combinations that are used over an average of 25 different sites
  • 4.5 billion compromised records is the size of the CyberVOR breach: the number of services compromised across each pair of compromised credentials
  • 1.2 billion of the CyberVOR credentials are meant to be unique, belonging to over half a billion e-mail addresses
  • In 2009 OpenID announced that there were over 1 billion OpenID enabled accounts (a number that has certainly increased) that can be used for federated authentication
  • 60% of all cases of fraud perpetrated against individuals is personal data theft
  • $12 billion: size of mobile identity infrastructure market by 2019

Single Identity Repository for Internal Staff, Partners & Customers and Security Zones of Control

It is not impossible to have a single user directory tree for internal users / staff, partners and customers. All that is required is unique identifiers and different levels of permission, normally managed through group membership. However, pretty much every organisation quite rightly separates these groups as independent trees. These independent trees are normally realised as independent directory implementations, thus providing security through isolation and security zones of control. This, though, has not stopped me recently being asked within a large organisation whether it is not possible to have a single identity management solution.

This was an evident confusion between identity management solutions and directory structures, for which I drew two examples. The first was an example directory structure (below), for ACME_Corp and my test user Chester Drawers, showing how quickly a single directory structure would become very complicated.

Single Tree Model
An Extreme Example of Single Identity Tree for Employees, Partners & External Users

Continue reading “Single Identity Repository for Internal Staff, Partners & Customers and Security Zones of Control”