How the Massive Hacking Attack Against the Macron Campaign Could Have Been Prevented
Americans were feeling a sense of déjà vu this past weekend as reports of a “massive hacking attack” against French presidential candidate Emmanuel Macron’s campaign flooded the news. The alleged assault, which consisted of up to 9 gigabytes worth of emails and other campaign data like accounting records being uploaded to an anonymous document sharing website, seems painfully similar to the email leaks that plagued Hillary Clinton’s presidential campaign last year. Much like the Clinton data dump, the Macron attack appears to have been perpetrated by accessing the email accounts of campaign members using a now commonly known method called phishing.
Attacks of this type can be prevented by implementing one of our solutions.
The core problem with email security is that most email accounts can be accessed by typing in a username and password. Although some email providers like Gmail do allow for a second factor of authentication, such as receiving an SMS text with a code on your phone, most people don’t enable this additional layer of security, and even if they do, as we saw with last week’s SS7 hack, these measures are surprisingly easy to get around. When someone signs into your email account from another device, the email provider sends you a one-time code to type in to verify that it’s really you. But all the hacker needs to do to get around that is to eavesdrop on the channel you chose to receive the code and intercept it.
So if cyber criminals are able to phish our email passwords and get around our secondary authentication methods as well, how can we protect ourselves?
The most effective way for email providers and other service providers to secure their platforms and protect the privacy of their users is to enable Payfone’s instant authentication capability. This solution leverages the SIM card in the user’s mobile phone to authenticate the user and verify that the link contained in the SMS was clicked from the user’s specific phone. The SIM card is a self-contained, multi-factor cryptographic device that is immune to both OS-level attacks and network/routing attacks, and provides the highest Authenticator Assurance Level (AAL3) as defined in the recently released NIST digital identity guidelines (NIST SP 800-63-3). In addition to strong authentication of the endpoint device, SIM-based authentication uses a one-time cryptographic challenge-response protocol that is impervious to man-in-the-middle attacks and SS7 routing attacks. SIM-based one-time challenge response leverages a secret key (called the Ki value) that is never exposed outside the SIM card. The Ki value has never been hacked or compromised. Effectively, this is a zero-knowledge proof that the link was clicked from the phone associated with the intended recipient.
So with Payfone, an attacker trying to log into your email account would not only need to know your username and password, but they would also need to be in possession of your phone, which is much more difficult than simply intercepting a one-time code.
Here’s how it works:
1. Let’s say that you’re visiting your sister in Maine but see that you need to check something quickly for work. You borrow your sister’s laptop and log into your email account using your username and password.
2. The email provider has Payfone authentication enabled and assesses that you are not on a PC or phone you typically use. In order to verify that it’s really you, your email provider sends an SMS message with a URL to the phone number on file.
3. You receive the SMS and simply click on the link in the SMS from your phone. Payfone will let the email provider know that the correct phone was authenticated. Now the email provider can rest assured that there isn’t an attacker attempting to hack into your account.
In the event that an attacker intercepted the SMS message, Payfone would know that the link was not clicked from your phone. Clicking the link on any other phone, laptop or server would fail authentication.
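The three-step flow above and the intercepted-link case, as an added example that is not Payfone’s code: a simplified model in which a SIM answers a fresh challenge with an HMAC keyed by a Ki that never leaves it, the verifier compares against its own copy of that key, and every link token is one-time. The host auth.example, the phone number and the keys are constructed for the example; the real SIM algorithm and Payfone’s protocol are not reproduced.

```python
import hashlib
import hmac
import secrets

class SimCard:
    """Models a SIM card: the secret Ki never leaves it; it only answers challenges."""

    def __init__(self, ki: bytes) -> None:
        self._ki = ki  # constructed key; never read out, only used by respond()

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._ki, challenge, hashlib.sha256).digest()

class LinkVerifier:
    """Issues the one-time SMS link and checks which SIM answered the challenge
    (a simplified model of the flow above, not Payfone's actual protocol)."""

    def __init__(self, subscriber_keys: dict) -> None:
        self._keys = subscriber_keys  # phone number -> operator-side copy of Ki
        self._pending = {}            # token -> (phone number, challenge)

    def send_link(self, phone_number: str) -> str:
        """Step 2: mint a one-time token and fresh challenge; return the URL for the SMS."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (phone_number, secrets.token_bytes(32))
        return f"https://auth.example/verify?t={token}"  # hypothetical host

    def click(self, url: str, sim) -> bool:
        """Step 3: a device opens the link; sim is None for a laptop or server.
        The token is consumed on first use, so an intercepted or replayed link fails closed."""
        token = url.rsplit("t=", 1)[-1]
        entry = self._pending.pop(token, None)
        if entry is None or sim is None:
            return False
        phone, challenge = entry
        expected = hmac.new(self._keys[phone], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sim.respond(challenge))

def demo() -> dict:
    """Constructed keys: the victim's SIM and an attacker's SIM hold different Ki values."""
    victim_ki, attacker_ki = secrets.token_bytes(16), secrets.token_bytes(16)
    verifier = LinkVerifier({"+15550100": victim_ki})
    victim_phone, attacker_phone = SimCard(victim_ki), SimCard(attacker_ki)
    link = verifier.send_link("+15550100")
    legit = verifier.click(link, victim_phone)    # right SIM answers the challenge
    replay = verifier.click(link, victim_phone)   # same link again: token already spent
    laptop = verifier.click(verifier.send_link("+15550100"), None)            # no SIM
    other = verifier.click(verifier.send_link("+15550100"), attacker_phone)   # wrong Ki
    return {"legit": legit, "replay": replay, "laptop": laptop, "other_phone": other}
```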
Although it’s still unclear who was behind the Macron data dump and what their motive was, what is clear is the need to replace the dangerously antiquated email security processes that allow such breaches to occur.
Find out more at Payfone.com