By Gautam Hazari, Chief Technology Officer, Sekura.id
Imagine, you are sitting in a café, sipping the skillfully crafted coffee by the barista, with your laptop placed on the table in front. You open the screen and look around to see if no one is around “shoulder surfing”, and then you open your email, type in the user ID and the password on the keyboard and access your email. You didn’t notice that a few tables behind, there is someone looking at their phone, as their phone is kept on the table, and why would you care? A few minutes later, you close your screen and focus back on the coffee as you don’t want it to get cold. But something happened between sips; someone is accessing your email, someone is initiating a password reset for your banking account, or social media account. An account takeover is in action.
How did this happen? No, this was not someone accessing the laptop or sniffing into the Wi-Fi connection. Remember that person a few tables behind looking at their phone? The microphone in that person’s phone was “listening” to the keystrokes of your keyboard, and passing those to a trained deep-learning model which then revealed the password you typed.
This is SCA — not Strong Customer Authentication — but actually the antithesis of that. This is a Side Channel Attack, an acoustic side-channel attack, as published by researchers from Durham University.
A SCA is when signals from a device are collected and interpreted to extract secrets. The signals can be in any form: from electromagnetic waves, power consumption to sound waves. The interesting thing about side-channel attacks is that they do not need connectivity or any direct access to the device. The acoustic SCA uses the sound waves from the device, and in the above case – the sound of the keyboard strokes.
A recent report from Cornell University found that AI can be used to steal passwords by “listening” to a user’s keystrokes with over 90 per cent accuracy. And researchers from the universities in London found results up to 95 per cent accuracy in a similar report.
It doesn’t just stop there; the person doesn’t need to be sitting in that café a few tables behind. In fact, the same attack can be carried out remotely by listening through Zoom calls with 93 per cent accuracy.
How do we solve this? The answer is to stop using passwords, which clearly have several vulnerabilities that fail to protect ourselves and our data.
We almost forget that there is a digital service which we use several times a day that provides secure protection not offered by passwords. We even have a name for the fear of losing it – “nomophobia”. It’s our mobile phone service: what we use to make or receive phone calls and SMSs, or access any application or website on our mobile devices.
It uses the SIM to identify the genuine user. The “I” in the SIM stands for “Identity”; it stood for the same when the first SIM-based mobile phone call was made in 1991 and it still stands for “Identity” when we use the eSIM.
The Subscriber Identity Module (SIM) is a hardware-based cryptography engine, where a unique cryptographic key is stored securely specific to the SIM, which identifies the user. Mobile networks around the world use a cryptographic signature from the SIM through the unique key to authenticate the identity without challenging the user to enter a password or any other form of explicit authentication, making it much more humanized, seamless and also secure from stealing any secrets from the user.
At the same time, the SIM is one of the most inclusive technologies, which provides the exact same level of security and protection, irrespective of what device the user is using – from the high end expensive mobile phones to the simpler, more affordable mobile phones.
This SIM-based authentication method has been in use in mobile networks for the past three decades, and should continue to be fully utilized to replace passwords that fail to protect our data and identity time and time again. Let’s make the world passwordless. Let’s harness the SIM’s security superpower to make the digital world a safer place.
About the Author
Gautam Hazari is the Chief Technology Officer of Sekura.id, the global leader in Mobile Identity services, who believes passionately in humanizing technology by removing the password. He truly deserves his twin accolades of ‘Mobile Identity founding father’ and ‘Mobile Identity guru’. He is a strategically driven technology leader with over 24 years of robust experience in the telecoms industry. Gautam wrote the code and led the implementation of the mobile identity initiative – Mobile Connect – for 60 mobile operators across 30+ countries. An advisor to start-ups in digital identity, healthcare, Internet of Things and fraud prevention, he is a respected and sought-after thought leader for digital identity, advocating solving the identity crisis in the digital world by actively creating the Internet’s missing Identity layer.
Gautam Hazari can be reached on LinkedIn and at our company website https://sekura.id/
;
We are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.