One of the biggest fears projected for 2021, brought on primarily by the COVID-19 pandemic, is coming to grips with what is real and what is not out there in the Cyber landscape.  There are so many Phishing-based attacks, domain hijacking attempts, and fake sites sitting alongside real ones, and so on, that even to a trained eye it is close to impossible to discern whether you are visiting a legitimate or a spoofed website.  Heck, even I can’t tell at times.

Because of all this, and as I have written about many times in the past, many companies across Corporate America are now scrambling to adopt the Zero Trust Framework – in which no user or device is trusted by default, and every access request has to be authenticated, typically through multiple, distinct layers of authentication. 

But until this becomes a reality in full force, companies are also adopting what are known as “One-Time Passwords”, or “OTPs” for short. 

This simply means that when you log into a website, you are prompted to enter a unique code that is sent to either your Email address or your cell phone.  This OTP has a finite lifetime, usually about 10-15 minutes, and it should only ever be accepted once. 

Typically, this procedure is used to confirm the identity of the device that is logging into that particular website.  For example, if you visit your banking website frequently from the same browser, it will “remember” that device, usually by storing a long-lived cookie or device token once you have passed the OTP check (not merely by noting your IP address, which can change from day to day).

But of course, if you clear out your cookies and cache for whatever reason, that token is gone, and you will be prompted to enter an OTP again, possibly numerous times, until the website once again recognizes the device you are using to log into it. 
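To make this flow concrete, here is an added Python example (my own illustration, not code from the original post or from any particular bank). It issues a six-digit code that is hashed before storage, accepts it only once and only within its lifetime, caps the number of wrong guesses, and hands back a “remembered device” token on success so the next login from that device skips the OTP prompt; clearing the cookie means the token is gone and the prompt comes back. The 10-minute lifetime, five-guess cap, 30-day device token, the FakeClock and the outbox standing in for Email/SMS delivery are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the original post).
OTP_TTL_SECONDS = 10 * 60                 # code lifetime, in line with the 10-15 minutes above
MAX_OTP_ATTEMPTS = 5                      # wrong guesses allowed before the code is burned
TRUSTED_DEVICE_TTL_SECONDS = 30 * 24 * 3600


class FakeClock:
    """Constructed clock so expiry can be exercised offline; use time.time in production."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class OtpStore:
    """Server-side state. In-memory here; a real app would use a database or cache."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # username -> {"hash", "expires", "attempts"}
        self.trusted = {}   # sha256(device token) -> (username, expires)
        self.outbox = []    # stands in for the Email/SMS channel: (username, code)

    def issue_otp(self, username):
        code = f"{secrets.randbelow(10**6):06d}"           # 6 digits from a CSPRNG
        self.pending[username] = {
            "hash": _sha256(code),                         # never store the code itself
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((username, code))

    def verify_otp(self, username, submitted):
        entry = self.pending.get(username)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(username, None)               # never issued, or expired
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[username]                     # stop online guessing
            return False
        ok = hmac.compare_digest(entry["hash"], _sha256(submitted))
        if ok:
            del self.pending[username]                     # single use
        return ok

    def trust_device(self, username):
        token = secrets.token_urlsafe(32)
        self.trusted[_sha256(token)] = (username, self.clock() + TRUSTED_DEVICE_TTL_SECONDS)
        return token

    def is_trusted(self, username, token):
        if not token:
            return False
        rec = self.trusted.get(_sha256(token))
        return rec is not None and rec[0] == username and self.clock() <= rec[1]


def login(store, username, password_ok, device_token=None, otp=None):
    """Returns (state, device_token); state is 'denied', 'otp_required' or 'ok'."""
    if not password_ok:
        return "denied", None
    if store.is_trusted(username, device_token):
        return "ok", device_token                          # remembered device: no OTP prompt
    if otp is None:
        store.issue_otp(username)
        return "otp_required", None
    if store.verify_otp(username, otp):
        return "ok", store.trust_device(username)          # browser keeps this as a cookie
    return "denied", None


if __name__ == "__main__":
    clock = FakeClock()
    store = OtpStore(clock)
    print(login(store, "alice", True)[0])                         # otp_required
    code = store.outbox[-1][1]                                    # "delivered" code
    state, cookie = login(store, "alice", True, otp=code)
    print(state)                                                  # ok
    print(login(store, "alice", True, device_token=cookie)[0])    # ok, no OTP asked
    print(login(store, "alice", True)[0])                         # cookie cleared: otp_required
```

Note that the code is compared with hmac.compare_digest against a stored hash, so neither a timing leak nor a database dump gives an attacker a usable code, and a code that has expired or been guessed at too many times is discarded rather than left lying around.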

So, now you may be asking: how can a web application even tell the difference between a legitimate user and a Cyberattacker, other than by using the OTP?  Here are some ways in which this actually happens:

*The use of Unique Device Identifiers:

Every device, whether it is hard wired or wireless, can for the most part be identified by what is known as a “UDI”, or Unique Device Identifier. In a way, this is similar to an IP address, but instead of a routable network address it is a specific number (or a fingerprint derived from the device’s hardware, operating system and browser characteristics) that stays with the device.  So for example, if you are logging into your banking site with the same device, that particular app will recognize that UDI, which it has associated with your username and password.  But now, if your login credentials are stolen by a Cyberattacker, they will of course be using a different device with a different UDI.  If the coding in your banking app can detect this, it will then set off alarm bells that there is some unusual activity going on.  In this instance, the Cyberattacker will then be prompted for further proof of identity, such as Challenge/Response questions or a fresh OTP. 

*Legitimate users will give up quickly:

If you are like me, if for some reason you cannot log in, frustration and impatience will very often set in.  When this happens, I usually call the tech support line in order to get things straightened out (the obstacles that cause this are technically known as “Login Friction”).  But to a Cyberattacker, not being able to log in the first time becomes a challenge.  Rather than giving up, they will try every technique they know of in order to get in.  So, one clue that a fraudster is at work is a string of login attempts at odd or random times; another is somebody spending an enormous amount of time, and a great many attempts, on that first login.  After all, their primary objective is to get in on the first try if at all possible, and then stay in.

*Making use of Proxy Networks:

A proxy server, the building block of a Proxy Network, can be defined as follows:

“A proxy server provides a gateway between users and the internet. It is a server, referred to as an ‘intermediary’ because it goes between end-users and the web pages they visit online.”

(SOURCE:  https://www.fortinet.com/resources/cyberglossary/proxy-server)

In order to hide where they are coming from, Cyberattackers will very often hide behind these gateways, so the IP address the Web app sees belongs to the proxy, not to the attacker, and it may change with every request.  Because of this, the attacker’s real location and source address cannot be pinned down right off the bat, which gives the Cyberattacker extra time to log in and stay in without being noticed.  But, if a company has some good tools in place, such as AI or ML based analytics, the IT Security team can still correlate the UDI (which is collected from the client side and does not change when the proxy does) with the source addresses, and spot the same device logging into the Web App from many different IP addresses. 

*Too many and too few devices:

Here is a simple rule of thumb which does not take too much thinking:  If there are too many devices accessing one Web based app with just one username/password combination, or if there is just one device that is trying to access many online accounts all at once, then this is also a huge red flag.  Remember, unless a legitimate user is super rich, they will probably have two to three devices at most, and probably no more than two or three online accounts (in this example, we are assuming financial accounts). Two rules of thumb here:

*Typically only about 1 in 1,000 devices accesses as many as three accounts;

*Typically only about 1 in 10,000 devices accesses as many as ten accounts.

*A One-to-One Network Relationship:

In most instances the network connection between a legitimate end user’s device and the server that is actually hosting the Web based app is a one-to-one, two-way relationship.  So, each session involves just two parties: one UDI on the end user’s side and one server on the other.  But now, if several UDIs suddenly show up on one and the same session, then you know for sure that something is quite possibly wrong.  In these instances, it means that the Cyberattacker has hijacked that particular session (for example, by stealing the session cookie) and may even have handed their access to other Cyberattackers as well.  These kinds of attacks are technically known as “Session Hijacking”. 
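Here is an added Python example (my own illustration, not code from the original post) that pulls the last three checks together.  It walks a constructed batch of login and session records and flags a device that touches too many accounts, an account touched by too many devices, a device that keeps changing source IP address (the proxy pattern described above), and a session id that is presented by more than one device.  The thresholds of three accounts, three devices and three IP addresses are assumptions drawn from the rules of thumb above, and the records, identifiers and TEST-NET addresses are constructed, not real data.

```python
from collections import defaultdict

# Constructed sample of login/session records (not real data). Each record is what a
# Web app can log per request: account, device identifier (UDI), source IP, session id,
# and whether the login succeeded.
EVENTS = [
    {"user": "alice", "udi": "udi-alice-phone",  "ip": "203.0.113.5", "session": "s1", "ok": True},
    {"user": "alice", "udi": "udi-alice-laptop", "ip": "203.0.113.5", "session": "s2", "ok": True},
    # one device cycling through many accounts, each time from a different proxy IP
    {"user": "alice", "udi": "udi-x1", "ip": "198.51.100.1", "session": "s3", "ok": False},
    {"user": "bob",   "udi": "udi-x1", "ip": "198.51.100.2", "session": "s4", "ok": False},
    {"user": "carol", "udi": "udi-x1", "ip": "198.51.100.3", "session": "s5", "ok": True},
    {"user": "dave",  "udi": "udi-x1", "ip": "198.51.100.4", "session": "s6", "ok": False},
    {"user": "eve",   "udi": "udi-x1", "ip": "198.51.100.5", "session": "s7", "ok": True},
    # one account reached from six different devices
    *[{"user": "frank", "udi": f"udi-f{i}", "ip": "192.0.2.10", "session": f"sf{i}", "ok": True}
      for i in range(6)],
    # one session id presented by two different devices (session hijacking pattern)
    {"user": "carol", "udi": "udi-carol-pc", "ip": "203.0.113.9",  "session": "s9", "ok": True},
    {"user": "carol", "udi": "udi-x1",       "ip": "198.51.100.6", "session": "s9", "ok": True},
]

# Assumed thresholds, taken from the rules of thumb in the text.
MAX_ACCOUNTS_PER_DEVICE = 3
MAX_DEVICES_PER_ACCOUNT = 3
MAX_IPS_PER_DEVICE = 3


def _fan_out(events, key, value):
    """Map each distinct `key` to the set of distinct `value`s seen with it."""
    seen = defaultdict(set)
    for e in events:
        seen[e[key]].add(e[value])
    return seen


def find_anomalies(events,
                   max_accounts_per_device=MAX_ACCOUNTS_PER_DEVICE,
                   max_devices_per_account=MAX_DEVICES_PER_ACCOUNT,
                   max_ips_per_device=MAX_IPS_PER_DEVICE):
    """Return sorted (check, subject, count) findings for the four red flags."""
    findings = []
    # too many accounts behind one device (credential stuffing / account takeover tooling)
    for udi, users in _fan_out(events, "udi", "user").items():
        if len(users) > max_accounts_per_device:
            findings.append(("device_many_accounts", udi, len(users)))
    # too many devices on one account
    for user, udis in _fan_out(events, "user", "udi").items():
        if len(udis) > max_devices_per_account:
            findings.append(("account_many_devices", user, len(udis)))
    # one device seen from many source IPs: the UDI stays put while the proxy changes
    for udi, ips in _fan_out(events, "udi", "ip").items():
        if len(ips) > max_ips_per_device:
            findings.append(("device_many_ips", udi, len(ips)))
    # a session should belong to exactly one device; two or more means it was hijacked or shared
    for session, udis in _fan_out(events, "session", "udi").items():
        if len(udis) > 1:
            findings.append(("session_shared_across_devices", session, len(udis)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS):
        print(finding)
```

Run against the constructed batch, udi-x1 is flagged twice (five accounts, six IP addresses), frank is flagged for six devices, and session s9 is flagged because two different UDIs presented it; alice, with two devices of her own plus the attacker's failed attempt, stays under the three-device threshold and is not flagged.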

*Numbers don’t lie:

Buried somewhere in the log files of each server that hosts the Web app is a huge plethora of stats that can be unearthed.  These include: 

*Total number of successful logins;

*Total number of failed logins;

*Resetting of passwords;

*The total number of times that either the MFA prompt or the Challenge/Response questions have not been answered correctly;

*Etc., Etc., Etc.

In this regard, all that your IT Security team really needs to do is calculate some simple statistics, probably the most important being the number of successful (and failed) logins for each individual UDI.  If today’s number is far below or far above the historical averages you have kept track of, then you know you could possibly have the makings of a Credential Stuffing attack, which typically shows up as a spike in failed logins spread across many accounts.  But one very important thing to keep in mind here as well:  These numbers should be calculated in near real time and compared against the baseline on a daily basis, and a device that has no history at all deserves a closer look in its own right.  Of course, a good AI tool can help you to achieve this task.
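Here is an added Python example (my own illustration, not code from the original post) of the baseline comparison just described.  It keeps a 14-day history of successful and failed logins per UDI, scores today’s counts as a z-score against that history, reports a device with no history at all, and also computes the fleet-wide share of failed logins, which is where Credential Stuffing shows up.  The history, today’s counters, the 14-day window, the z-score threshold of 3 and the floor on the standard deviation are all constructed assumptions for the example.

```python
import statistics

DAYS = 14

# Constructed 14-day history per device identifier (UDI), not real logs.
HISTORY = {
    "udi-alice-phone": {
        "success": [2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3, 2, 2, 3],
        "failed":  [0, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0],
    },
    "udi-bob-laptop": {
        "success": [1] * DAYS,
        "failed":  [0] * DAYS,
    },
}

# Constructed counters for today.
TODAY = {
    "udi-alice-phone": {"success": 2, "failed": 0},
    "udi-bob-laptop":  {"success": 1, "failed": 40},    # Bob's device suddenly failing a lot
    "udi-x1":          {"success": 7, "failed": 310},   # never seen before
}


def zscore(value, history, min_stdev=1.0):
    """Deviation of today's count from the historical mean, in standard deviations.
    The stdev is floored (assumed value 1.0) so a perfectly flat history does not divide
    by zero and tiny day-to-day noise is not inflated into an alert."""
    mean = statistics.fmean(history)
    sd = max(statistics.pstdev(history), min_stdev)
    return (value - mean) / sd


def flag_devices(today, history, threshold=3.0):
    """Return (udi, metric, z) for counts far from their baseline, and
    (udi, 'no_baseline', None) for a device that has no history at all."""
    findings = []
    for udi, counts in sorted(today.items()):
        hist = history.get(udi)
        if hist is None:
            findings.append((udi, "no_baseline", None))
            continue
        for metric in ("success", "failed"):
            z = zscore(counts[metric], hist[metric])
            if abs(z) >= threshold:
                findings.append((udi, metric, round(z, 1)))
    return findings


def fleet_failed_ratio(today, history):
    """Share of all login attempts that failed: today vs the historical daily mean.
    A jump across many accounts and devices at once is the signature of credential stuffing."""
    def ratio(successes, failures):
        return failures / (successes + failures) if successes + failures else 0.0

    hist_ratios = []
    for day in range(DAYS):
        s = sum(h["success"][day] for h in history.values())
        f = sum(h["failed"][day] for h in history.values())
        hist_ratios.append(ratio(s, f))
    t_s = sum(c["success"] for c in today.values())
    t_f = sum(c["failed"] for c in today.values())
    return round(ratio(t_s, t_f), 3), round(statistics.fmean(hist_ratios), 3)


if __name__ == "__main__":
    for finding in flag_devices(TODAY, HISTORY):
        print(finding)
    print("failed-login share today vs baseline:", fleet_failed_ratio(TODAY, HISTORY))
```

On the constructed data Alice’s device sits within its normal range and is not reported, Bob’s device is reported for its failed-login count, udi-x1 is reported as having no baseline, and the fleet-wide failure share jumps from a few percent to over ninety percent, which is exactly the daily comparison the text calls for.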

My Thoughts On This:

One other item that I wanted to point out here as well is that most people tend to be creatures of habit, especially when it comes to their technological environments.  Meaning, nobody likes to change the settings or anything like that, especially on their web browser, unless they absolutely have to. 

Apart from the UDI, many Web based apps of today can also detect the kind of browser (its version, plug-ins and settings) that you are logging in from. 

If too many changes to that environment show up all at once, this is also a red flag that should raise alarm bells amongst your IT Security team. In the end, using OTPs can be a pain, but they are there for a reason: To help keep you safe.