SAN FRANCISCO -- Successful phishing attempts may soon be a thing of the past, if efforts by Google, Microsoft and other companies prove fruitful.
Google and its partners are leading the move away from passwords and toward physical USB security keys, Google researchers Neal Mueller and Collin Frierson said at the BSides SF security conference here Monday (April 16). Google itself distributed USB security keys to its own employees a few years ago, with good results.
"In the four years since Google deployed security keys," Mueller said, "we've had zero successful phishing attempts at Google."
That doesn't mean that phishers aren't trying. Even security-conscious people will fall for a well-crafted phishing attack, and phishers are creating better-looking phishing pages all the time. Your correspondent was taken in recently by one, and only his antivirus software prevented his credentials from being stolen.
Phishing doesn't require any hacking, since it's essentially a con job -- "social engineering," to use the industry term. All you have to do is fool someone into giving up his or her username and password.
Because it relies on human nature, which is hard to fix, phishing is still a leading cause of data breaches, online theft and account takeovers. Mueller and Frierson said that a survey of Gmail data revealed 12 million people had fallen victim to successful phishing attacks in a single year -- far more than the 788,000 people who had fallen victim to keylogging malware.
Two-factor authentication (2FA) doesn't always help defeat phishing, especially if the second factor is a one-time passcode sent via SMS text message. Earlier on Monday, Jerrod Chong of Yubico demonstrated an extremely convincing phishing attack that targeted Gmail and asked the victim to enter his or her mobile phone number for verification purposes -- which would have allowed the attacker to intercept and capture the texted one-time passcode.
Even knowing the victim's phone number isn't necessary for a one-time break-in, Mueller and Frierson pointed out. When a phisher fools a victim into entering his or her Google credentials into a fake Google login page, the attacker can immediately enter the stolen credentials into the real Google login page. Google will send out a one-time passcode to the victim's phone -- which the victim will enter into the fake login page.
Yubico makes the well-known Yubikey security key, and it along with Google leads the FIDO (Fast IDentity Online) Alliance to standardize non-password authentication methods. USB security keys like the Yubikey or Google's own security keys have proven to be effective defenses against phishing attacks, and they're supported by Facebook, Dropbox, Salesforce and many other companies.
Only the legitimate user will possess the physical key to plug into a USB port or tap against a mobile phone. (Many security keys also have NFC functions to wirelessly connect with mobile devices at very short range.)
The FIDO Alliance is in the process of replacing its existing U2F (Universal Two-Factor) standard with what it calls FIDO 2, Chong said. Part of FIDO 2 is the upcoming WebAuthn standard, announced earlier this month, which will let users log into websites without passwords. With FIDO 2, Microsoft and Mozilla are joining the FIDO Alliance.
The end result of FIDO 2 is to have people not use passwords at all, Chong said. But when we asked him how a user would sign up for a web account in the first place with no password, Chong didn't have a solid answer. He could say only that the FIDO Alliance was looking at "different options."
However, the current FIDO U2F standard provides plenty of protection, Mueller and Frierson said, Google's own implementation of the standard verifies the user by examining 38 different factors.
For example, the user's preferred operating system, preferred browser, level of browser encryption and general location are already known to Google. If I usually use Chrome on Windows 7 from New York, but someone logging in as me is using Edge on Windows 10 from Kiev, Google will reject the attempt until that person can plug in my USB security key.
"Security keys are much more user-friendly than a one-time password," Mueller said.