Authentication Bypass & Privilege Escalation Lead to Stolen Financial Data
According to Trustwave’s 2015 Global Security Report, 49 percent of the data breach investigations it performed involved the theft of personally identifiable information (PII) and cardholder data. In 50 percent of breaches located in the EMEA (Europe, Middle East and Africa) region, financial credentials were targeted.
Major Mobile App Flaws: Authentication and Privilege Escalation
The report also identified some of the most prevalent mobile application vulnerabilities, including authentication flaws that often result from enforcing authentication on the client side, where an attacker who controls the device or the network traffic can simply skip or alter the check. Trustwave also cited numerous authentication bypass vulnerabilities in the password recovery processes of applications.
Other authentication and authorization weaknesses include failing to encrypt credentials in transit, failing to enforce password standards, and failing to enforce access control lists.
“If the application can’t trust that users are actually who they are authenticated as, security can’t be guaranteed.” - Trustwave
Another mobile app vulnerability is failure to enforce authorization: a user who is authenticated, but not entitled to a given resource or action, is still allowed to reach it. The result is privilege escalation, which lets an attacker move laterally within an environment and gain unauthorized access to other users’ data.
The report stated that authorization vulnerabilities are particularly dangerous in apps that handle financial transactions, where a missing check can give an attacker the ability to transfer funds from another user’s account to their own.
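The two flaws above, client-side authentication and missing authorization, tend to appear together in a transfer endpoint. The following is an added example written for this page, not code from Trustwave or from any application the report examined. It models a transfer handler over a constructed in-memory account store: the vulnerable version trusts the identity the client asserts in the request body (the app’s UI only ever shows a user their own account, so the server assumes the claim is honest), while the hardened version derives the caller’s identity from a server-side session and checks that the source account actually belongs to that user. Account names, session tokens and balances are all made up.

```python
import copy

# Constructed sample state (not real data): two customers and one valid session.
_ACCOUNTS = {
    "acct-alice": {"owner": "alice", "balance": 100},
    "acct-bob": {"owner": "bob", "balance": 500},
}
SESSIONS = {"sess-alice": "alice"}  # server-side session token -> authenticated user


def fresh_accounts() -> dict:
    """Return a fresh copy of the sample ledger so each run starts from the same state."""
    return copy.deepcopy(_ACCOUNTS)


def _move(accounts: dict, src: str, dst: str, amount: int) -> None:
    """Debit src and credit dst after validating the amount and the balance."""
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    if accounts[src]["balance"] < amount:
        raise ValueError("insufficient funds")
    accounts[src]["balance"] -= amount
    accounts[dst]["balance"] += amount


def transfer_vulnerable(accounts: dict, request: dict) -> bool:
    """Vulnerable: 'authentication' is whatever the client wrote in request['user'].

    The ownership check below looks correct, but it compares the account owner
    against a value the client chose, so an attacker who edits the request body
    (user='bob', from_account='acct-bob') drains another customer's account.
    """
    claimed_user = request["user"]
    src = accounts[request["from_account"]]
    if src["owner"] != claimed_user:
        raise PermissionError("not your account")
    _move(accounts, request["from_account"], request["to_account"], request["amount"])
    return True


def transfer_hardened(accounts: dict, request: dict, session_token: str) -> bool:
    """Hardened: identity comes from the server-side session, never from the body,
    and authorization (ownership of the source account) is enforced on every call."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("not authenticated")
    src = accounts.get(request.get("from_account"))
    dst = accounts.get(request.get("to_account"))
    if src is None or dst is None:
        raise PermissionError("unknown account")  # do not reveal which one exists
    if src["owner"] != user:
        raise PermissionError("not your account")
    _move(accounts, request["from_account"], request["to_account"], request["amount"])
    return True


if __name__ == "__main__":
    # Attacker-crafted request: alice's session, but the body claims to be bob.
    evil = {"user": "bob", "from_account": "acct-bob", "to_account": "acct-alice", "amount": 200}
    ledger = fresh_accounts()
    transfer_vulnerable(ledger, evil)
    print("vulnerable handler, bob's balance:", ledger["acct-bob"]["balance"])  # 300
    ledger = fresh_accounts()
    try:
        transfer_hardened(ledger, evil, "sess-alice")
    except PermissionError as exc:
        print("hardened handler refused:", exc)
    print("hardened handler, bob's balance:", ledger["acct-bob"]["balance"])  # 500
```

The point is that the vulnerable handler is not missing a check; it performs the check against data the attacker controls. Moving the identity decision to the server is what turns the same comparison into real authorization.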
Shared and Weak Admin Passwords
Some of the report’s most common (and alarming) penetration test findings involved not only authentication bypasses, but also shared local administrator passwords and weak administrator passwords.
If the same local administrator password is reused across many systems, compromising one of them effectively compromises all of them. From a foothold on a single machine, an attacker can then work toward domain administrator privileges.
Domain administrators hold a long list of default privileges, according to Microsoft TechNet’s library, including managing auditing and security logs, accessing computers from the network, shutting down systems, and taking ownership of files.
In practice that means a domain administrator can grant themselves whatever further access they need, so a compromised domain admin account puts the entire environment at risk.
Trustwave also performed a password-cracking analysis and found that it could crack 51 percent of Windows Active Directory hashed passwords within 24 hours, which suggests that your passwords are not as secure as you had hoped.
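The two penetration test findings above, shared local administrator passwords and crackable Active Directory hashes, can be checked with the same data: the NT hashes recovered from each host. The following is an added example, not Trustwave’s tooling or anything from the report. It implements MD4 in pure Python (NT hashes are MD4 over the UTF-16LE password, and hashlib no longer exposes MD4 on OpenSSL 3 builds), builds a constructed five-host dump of local Administrator hashes, flags hashes that repeat across hosts, and runs a small dictionary attack over the dump. Hostnames, passwords and the word list are all made up.

```python
import struct
from collections import defaultdict

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Provided here because hashlib's md4 is often unavailable."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]   # round 2 word order
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]   # round 3 word order
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority(b, c, d)
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[r2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = b ^ c ^ d
            hh = b ^ c ^ d
            a = _rotl((a + hh + x[r3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16le")).hex()


# Constructed sample (not real data): the local Administrator NT hash from five hosts,
# as a pentester would collect it from each machine's SAM.
SAMPLE_DUMP = [
    ("WS01", nt_hash("password")),
    ("WS02", nt_hash("password")),
    ("WS03", nt_hash("Summer2015")),
    ("SRV01", nt_hash("password")),
    ("SRV02", nt_hash("x7#Lq!9vRb2z")),
]

# Constructed word list standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "Welcome1", "Summer2015", "P@ssw0rd"]


def shared_admin_hashes(dump):
    """Group hosts by hash; because NT hashes are unsalted, an identical hash on two
    hosts means an identical password, so any group larger than one is a finding."""
    by_hash = defaultdict(list)
    for host, digest in dump:
        by_hash[digest].append(host)
    return {digest: hosts for digest, hosts in by_hash.items() if len(hosts) > 1}


def crack(dump, wordlist):
    """Dictionary attack: hash each candidate once, then look up every host's hash."""
    table = {nt_hash(word): word for word in wordlist}
    return {host: table[digest] for host, digest in dump if digest in table}


if __name__ == "__main__":
    for digest, hosts in shared_admin_hashes(SAMPLE_DUMP).items():
        print(f"shared local admin hash {digest} on {', '.join(hosts)}")
    for host, password in crack(SAMPLE_DUMP, WORDLIST).items():
        print(f"{host}: cracked -> {password!r}")
```

The same property that makes sharing detectable, an unsalted hash that is identical wherever the password is identical, is what makes a reused local administrator password so valuable to an attacker: one cracked or captured hash is good on every host in the group.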
The report ends with the recommendation to use two-factor authentication whenever possible.
“Combining ‘something you possess’ with ‘something you know’ makes it more difficult for attackers to gain control of an account because they’d need to compromise both modes of authentication - a more complex proposition that might influence an attacker to move on to an easier target.” - Trustwave
‘Something you possess’ can mean a smartphone running an authentication app that receives a push notification for identity verification. ‘Something you know’ is usually the username and password, the weaker of the two controls, but it is only the first layer of defense. The second layer should be stronger by design: the device should prove possession with asymmetric cryptography, and the verification should travel out of band, over the mobile network rather than the channel being protected.
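To show what “both modes of authentication” means at the code level, here is an added example that is not part of the report or the page. It is a login routine over a constructed in-memory user store: the first factor is a salted PBKDF2 password hash, the second is a time-based one-time code (TOTP, RFC 6238) bound to a secret provisioned on the user’s phone. TOTP is a swapped-in technique chosen because it runs with the Python standard library alone; the push-based, asymmetric-key verification the text describes is not implemented here. The usernames, passwords and secret are made up, except that the TOTP secret is the RFC 6238 test vector so the expected codes are known.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000

# Constructed in-memory user store; a real deployment keeps this in a database.
USERS = {}


def register(username: str, password: str, totp_secret: bytes) -> None:
    """First factor: store a salted PBKDF2 hash, never the password.
    Second factor: the shared TOTP secret that was provisioned to the user's phone."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def verify_totp(username: str, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current time step and the previous one to tolerate clock drift."""
    user = USERS.get(username)
    if user is None:
        return False
    return any(
        hmac.compare_digest(totp(user["totp_secret"], unix_time - d * step, step), code)
        for d in (0, 1)
    )


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated, and the login succeeds only if both pass."""
    pw_ok = verify_password(username, password)
    otp_ok = verify_totp(username, code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed for the demo
    register("alice", "correct horse battery", secret)
    print("code at t=59:", totp(secret, 59))                           # 287082
    print("password + code:", login("alice", "correct horse battery", "287082", 59))
    print("stolen password only:", login("alice", "correct horse battery", "000000", 59))
    print("stolen code only:", login("alice", "guess", "287082", 59))
```

Note that `login` evaluates both factors before deciding, so a failing password does not short-circuit and leak timing information about the second factor, and a stolen password alone, or an intercepted code alone, is not enough.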