There are two strategies that are regarded fool-proof when it comes to data security – encryption and two-factor-authentication (2FA). The idea is that when all the data that is transmitted between servers is replaced with cipher text, hackers would fail to interpret them even if they were able to hack into it. Also, when a user’s access into a system is tied to a physical asset like mobile phone, there is no way a hacker who does not have access to this device would be able to break in.
There are two strategies that are regarded fool-proof when it comes to data security – encryption and two-factor-authentication (2FA). The idea is that when all the data that is transmitted between servers is replaced with cipher text, hackers would fail to interpret them even if they were able to hack into it. Also, when a user’s access into a system is tied to a physical asset like mobile phone, there is no way a hacker who does not have access to this device would be able to break in.
While this continues to be the popular opinion among security analysts, some researchers have started wondering if the encryption and 2FA technologies deployed by many enterprises today is all but a security theater – a means to demonstrate improved security while not adding enough to actually make the system secure.
A recent report by PT Security showed that One-Time-Passwords used to authenticate user accounts on WhatsApp and Telegram are not effective since these codes are rendered over mobile communication systems which are not secure. The researchers here were able to hack into a message sent by Telegram to obtain the OTP. In short, the aura of additional security due to encrypted data transmission and 2FA was rendered ineffective because the channels used to carry out the authentication itself was insecure.
In another report prepared by the US National Institute of Standards and Technology (NIST), SMS based two factor authenticated was declared insecure since there are multiple scenarios where an SMS sent to a user’s phone could be accessed by a third party. Most software agencies follow NIST guidelines in their appliances and the latest report is being seen as the beginning of the end for SMS 2FA.
Despite these loopholes, encryption and two-factor-authentication remain two of our best bets against data theft. 2FA helps secure the end-points of a pipeline while encryption seals the pipe itself. Together, when executed correctly, 2FA and advanced encryption help seal data from hackers. Even if SMS 2FA may appear to have its set of vulnerabilities, there are alternate methods to two-factor authenticate a system through secondary login, key, biometrics, etc. Depending on the nature of data being secured, businesses may choose from any of the several secondary authentication channels.
As prominent American cryptographer Bruce Schneier puts it, data encryption is only as strong as the algorithm used. The algorithm itself is like a password and it can be broken into using brute force. In effect, a persistent enough system can break into an algorithm if provided with sufficient resources. One solution that has been universally accepted today is the AES which is also known as Rijndael, a block cipher algorithm that has been adopted as a standard by the US government.
There is nothing called fool-proof security and the fight between hackers and security researchers is always going to be a cat-mouse game. However, as enterprises, it is important to adopt the latest standards and techniques in security which are far more likely to keep your data safe. At the moment, it happens to be AES and non-SMS based 2FA and this is where your investments should go.