Troy Hunt: U2F could knock phishing ‘stone dead’

Are ‘hard tokens’ the way to get a handle on phishing?
13 June 2019

An NFC compatible YubiKey used with a smartphone. Source: YubiKey

Stolen or easily guessed passwords are behind 81 percent of hacking-related breaches, according to Verizon. And despite knowing the risks, more than 70 percent of employees reuse passwords at work, putting entire organizations at risk of compromise.

Troy Hunt, the founder of Have I Been Pwned?, knows this well. His hugely successful website (which has just gone up for sale) lets anyone check whether their email address or password has turned up in a data breach, and new breaches arrive on an almost hourly basis.

At Infosecurity Europe last week, Hunt told TechHQ that, according to HIBP data, the average person’s credentials have been exposed in 1.6 data breaches.

Troy Hunt. Source: Wiki Commons

He predicted threat actors will continue to take “massive advantage” of credential risk in the coming years: “Adversaries are focusing on that because it’s a hard thing to solve without a huge amount of forethought, and it’s a hard thing to solve without a big impact on usability as well.”

The statistics are enough to say that passwords alone just don’t work. Tackling this basic vulnerability, much of it down to user behavior, is therefore paramount to gaining some ground in the fight against cybercrime.

“[…] we’re seeing a lot come as not necessarily replacements for passwords, but changes in the prevalence of how often we need to use them,” said Hunt.

Is 2FA enough?

Multi-factor authentication, most commonly in its two-factor form (2FA), is regularly touted as the most accessible fix.

2FA requires a password plus a second factor of a different kind: something the user has, such as a code sent via SMS or a prompt received on another of their devices, or something the user is, such as a fingerprint or facial recognition.

Google has offered 2FA since 2010 and has said that SMS codes, as a second factor, blocked 100 percent of automated bot attacks, 96 percent of bulk phishing attacks and 76 percent of targeted attacks; on-device prompts did better still, at 100, 99 and 90 percent respectively. By comparison, a secondary email address blocked just 73 percent of automated bot attacks and 68 percent of bulk phishing attacks. The targeted-attack column is the one to watch: an attacker who can interact with the victim in real time still gets past SMS codes roughly a quarter of the time.

However, code-based 2FA is increasingly being phished in real time. “We’re seeing things like soft tokens or hard tokens and things which require human interaction, being phished,” Hunt said. “There’s a massive prevalence out there now.”

Two newly released tools, Muraena and NecroBrowser (now available on GitHub), automate exactly that. Muraena is a reverse proxy that sits between the victim and the genuine site: the victim sees the real login pages, served through the attacker’s domain, and the password and one-time code they type are forwarded to the real site before the code expires, with the resulting session cookie harvested along the way. NecroBrowser then loads the stolen session into a headless browser so the attacker can act in the account without needing the second factor again. The underlying weakness is that a one-time code, whether sent by SMS or generated by an app, is a bearer secret: nothing ties it to the site the user is actually looking at, so anyone who sees it within its validity window can use it. The phone that receives an SMS code is not without risk of remote attack either, whether from malware that reads incoming messages or from a SIM swap that redirects them.

U2F security

The answer (for now) may be to push users and businesses towards adopting U2F security keys. 

Universal Second Factor (U2F), an open standard from the FIDO Alliance, puts a dedicated security key in the second stage of authentication. The key is usually a small USB device such as a YubiKey; keys with NFC can instead be tapped against a phone. What sets it apart from a code is origin binding: the browser hands the key a challenge from the site together with the origin of the page that is asking, the key signs both, and the site rejects any signature that names a different origin. A phishing page therefore cannot obtain a signature the real site will accept, however faithfully it proxies the login. The same keys also work with U2F’s successor, FIDO2/WebAuthn, which is now built into the major browsers.
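The following simulation shows why the relaying proxy described above can forward a one-time code but cannot reuse a U2F assertion. It is an added example written for this article, not code from the article, from Muraena or NecroBrowser, or from any U2F library. The origins, key handles and the three attack cases are constructed, and HMAC-SHA256 stands in for the per-registration ECDSA P-256 key pair a real key would use (the server keeps the same secret instead of a public key; the origin-binding logic is unaffected by that simplification).

```python
# Added illustration, not code from the article or from Muraena/NecroBrowser.
# HMAC-SHA256 stands in for a real U2F key's per-registration ECDSA P-256 key pair
# (simplification: the server keeps the same secret instead of a public key).
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"   # assumed relying-party origin
PHISH_ORIGIN = "https://accounts-example.com"  # assumed attacker proxy origin


class Authenticator:
    """Models a U2F key: each key handle is bound to the appId it was registered for."""
    def __init__(self):
        self._keys, self.counter = {}, 0   # key_handle -> (app_id, secret)

    def register(self, app_id):
        key_handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[key_handle] = (app_id, secret)
        return key_handle, secret          # a real key returns a public key here

    def sign(self, app_id, key_handle, client_data_hash):
        bound_app_id, secret = self._keys[key_handle]
        if bound_app_id != app_id:         # real keys: handle will not unwrap under another appId
            raise ValueError("key handle not valid for this appId")
        self.counter += 1
        message = (hashlib.sha256(app_id.encode()).digest()
                   + self.counter.to_bytes(4, "big") + client_data_hash)
        return self.counter, hmac.new(secret, message, hashlib.sha256).hexdigest()


class Browser:
    """Models the client: the browser, not the page, writes the true origin into the signed data."""
    def __init__(self, authenticator, enforce_facets=True):
        self.authenticator, self.enforce_facets = authenticator, enforce_facets

    def u2f_sign(self, page_origin, app_id, challenge, key_handle):
        if self.enforce_facets and app_id != page_origin:
            raise PermissionError("page origin is not a valid facet of this appId")
        client_data = json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True)
        counter, sig = self.authenticator.sign(
            app_id, key_handle, hashlib.sha256(client_data.encode()).digest())
        return {"clientData": client_data, "keyHandle": key_handle,
                "counter": counter, "signature": sig}


class Server:
    """The relying party at REAL_ORIGIN."""
    def __init__(self):
        self.registrations, self.last_counter = {}, 0

    def register_key(self, key_handle, secret):
        self.registrations[key_handle] = secret

    def verify_assertion(self, challenge, assertion):
        secret = self.registrations.get(assertion["keyHandle"])
        client = json.loads(assertion["clientData"])
        if secret is None or client["challenge"] != challenge:
            return False
        if client["origin"] != REAL_ORIGIN:
            return False                   # origin binding: the anti-phishing check
        if assertion["counter"] <= self.last_counter:
            return False                   # replay / cloned-key check
        message = (hashlib.sha256(REAL_ORIGIN.encode()).digest()
                   + assertion["counter"].to_bytes(4, "big")
                   + hashlib.sha256(assertion["clientData"].encode()).digest())
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.last_counter = assertion["counter"]
        return True


def login(server, browser, key_handle, page_origin, app_id_on_page):
    """Server issues a challenge; the page at page_origin relays it to the key."""
    challenge = secrets.token_urlsafe(32)
    try:
        assertion = browser.u2f_sign(page_origin, app_id_on_page, challenge, key_handle)
    except (PermissionError, ValueError):
        return False                       # refused before anything is signed
    return server.verify_assertion(challenge, assertion)


def run_demo():
    auth, server = Authenticator(), Server()
    key_handle, secret = auth.register(REAL_ORIGIN)
    server.register_key(key_handle, secret)
    return {
        "genuine_site": login(server, Browser(auth), key_handle, REAL_ORIGIN, REAL_ORIGIN),
        # proxy copies the real page, including its appId: browser refuses, wrong facet
        "proxy_real_appid": login(server, Browser(auth), key_handle, PHISH_ORIGIN, REAL_ORIGIN),
        # proxy substitutes its own appId: the key handle is bound to REAL_ORIGIN
        "proxy_own_appid": login(server, Browser(auth), key_handle, PHISH_ORIGIN, PHISH_ORIGIN),
        # a client without the facet check still loses: origin=PHISH_ORIGIN is in the signed data
        "proxy_no_facet_check": login(server, Browser(auth, enforce_facets=False),
                                      key_handle, PHISH_ORIGIN, REAL_ORIGIN),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:22s} {'login succeeded' if ok else 'login rejected'}")
```

Only the genuine login succeeds. The three proxy cases fail at three different layers, which is the point worth noticing: the browser refuses to use a foreign appId from the phishing origin, the key refuses to use a key handle under an appId it was not registered for, and even a client that skipped both checks would produce signed data naming the phishing origin, which the server rejects. A one-time code has no equivalent of any of these checks, so the proxy simply forwards it.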

On what he believed to be one of the biggest recent advances in cybersecurity, Hunt praised U2F as being “resilient to phishing”: “It’s something that really knocks the phishing problem ‘stone-cold dead’ […]

“There’s a financial barrier to entry but it’s not high, we’re seeing it integrated more into organizations so people are starting to get used to having a key or a token around them.”

In the years Have I Been Pwned? has been running, it has amassed almost 8 billion breached records. Short of being lost or stolen in the physical world, security keys could prove a solid defense against phishing at that eye-watering scale.

But not everyone will want to carry a YubiKey on their keychain, and relying on a piece of hardware that can easily go missing brings its own problems of convenience and practicality. In practice that means registering at least one backup key and having an account-recovery path that is not itself phishable, since a weak recovery flow hands an attacker a way around the key.

Because U2F is an open standard, Hunt said, it is not something vendors are vocally pushing. The technology could nonetheless start taking off as smartphones ship with NFC as standard.

“[…] as we progress and make the technology more accessible, and particular as we integrate more of the things like Apple integrating NFC on iPhones, then the technology will give us a better ability to [deploy the technology at scale].”

As threat actors grow more sophisticated and tools emerge that undermine code-based 2FA, a wide-scale move towards ‘hard tokens’ could see much of the battle against phishing and credential theft won.

It’s worth noting, however, that while U2F can stop the login itself from being phished, it does nothing for a machine that is already compromised: malware on the user’s computer can ride the authenticated session after the key has done its job, and no token removes the human element from security.

“Even if your USB key cannot be compromised, you, as a user, are still vulnerable if you use a compromised computer,” said a commenter on the Information Security forum.

“Your USB key is safe. You, it’s another story. At some point, you are the only one that can save you from using it on a machine infected with a virus.”