Collective Intelligence Podcast, Peri Doerfler on Login Challenges and Account Takeover
By Mike Mimoso
Given the billions of compromised and publicly leaked credentials available on the surface web and within illicit underground communities, account takeover attacks are being elevated as a pressing issue for fraud teams.
Those defenders have a number of authentication methods at their disposal, and, unsurprisingly, each has a different degree of efficacy.
A recently published paper by researchers at NYU’s Tandon School of Engineering and Google looked at 14 different login challenges and examined how each helped ward off account takeover while still maintaining a measure of usability.
In this episode of the Collective Intelligence Podcast, NYU’s Peri Doerfler explains the results described in the paper, “Evaluating Login Challenges as a Defense Against Account Takeover,” written by Doerfler, NYU’s Damon McCoy, and Google’s Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, and Kurt Thomas.
The study worked from a sample of 1.2 million legitimate users and examined more than 350,000 hijacking attempts and how successful things such as knowledge-based challenges, on-device prompts, SMS two-factor authentication, and more were in holding off account takeover attacks.
Some of the key findings include:
• Knowledge-based challenges, things such as recalling a secondary email address, are not a viable option against phishing, stopping only 10 percent of phishing attempts and 73 percent of automated hijacking attempts.
• On-device prompts, features such as app-based one-time passwords (Google Authenticator or Duo, for example) or security keys, were the strongest protection against phishing, blocking 99 percent of those attacks and 90 percent of targeted attacks.
• SMS-based challenges were weaker against targeted attacks, yet prevented 96 percent of phishing attempts.
• Risk-aware (context-aware) authentication, meanwhile, was the best option against automated hijacking attempts, stopping 99.99 percent of them, and it stopped 92 percent of phishing attempts.
• The results also demonstrate the efficacy of security keys, hardware-based universal two-factor authentication, as the best overall protection, especially for high-risk users.
Throughout the podcast, Doerfler explains the problem set and takeaways in depth, and how these results demonstrate the continued challenges users and defenders have with passwords given that all of these login challenges are post-password factors of authentication.
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.