Not All MFA Is Created Equal When It Comes To Telecoms

By Geoff Schomburgk, Asia Pacific & Japan Vice President, Yubico

The telecommunications sector has long been a high-value target for cybercriminals: its infrastructure transmits and stores large amounts of sensitive information, which makes it lucrative for bad actors. Although the industry has invested heavily in cybersecurity, we still see large telcos fall victim to significant cyber-attacks in which millions of customers’ highly sensitive identity documents are stolen.

The Australian Government has introduced new legislation so that telecoms carriers and eligible carriage service providers are responsible for reporting asset and cyber security incidents, making their obligations similar to those of other sectors of the economy defined as “Critical Infrastructure”. When it was initially established, the Security of Critical Infrastructure (SOCI) Act covered four major sectors (water, electricity, gas and ports). However, recent amendments to the Act included expanding the list to 11 industries, including telecommunications.

Insider threats for telcos

Insider threats are one of the most significant risks for the telecoms industry. There are two aspects to it: vindictive behaviour by someone on the inside, and a lack of awareness about the risks involved in their actions. Cyber threats have also increased because many employees now work remotely and connect to corporate systems via unsecured WiFi at home or while travelling.


The need for more technical knowledge and awareness within telcos and their third-party suppliers can and should be addressed with employee education. Many organisations also rely on customers being vigilant about protecting themselves from cybercriminals; poor password hygiene and data sharing often lead to account takeovers that could easily be avoided. The Australian Cyber Security Centre recommends solutions for how organisations can better protect themselves, but adopting them is left to the organisations, as the recommendations are not mandated.

The number of incidents involving Business Email Compromise (BEC) doubled in 2022, replacing ransomware as the most common type of financially motivated cyber threat to all organisations. This growth in BEC was linked to a surge in successful phishing campaigns, accounting for 33 per cent of incidents where the initial access vector (IAV) could be established, a nearly three-fold increase compared to 2021, according to Secureworks.

Hackers don’t ‘break in’; they log in, using phishing attacks. According to Proofpoint’s 2022 State of the Phish, 92 per cent of Australian organisations suffered a phishing attack last year, a 53 per cent increase over 2021.

Exploring more secure options

Recent events have shown that telcos remain an attractive target for cybercriminals due to the sheer amount of sensitive financial information and customer data they are required by the Government to store, including credit cards, bank accounts, driving licences, passports and email addresses. However, consumers are questioning whether a more secure digital method of proving their identity exists here and whether there is the need to retain this information for long periods.

Many countries have implemented national ID card programs to address rising concerns about cybersecurity. At the Prime Minister’s Cyber Security Roundtable in February this year, Australian Prime Minister Anthony Albanese said there was an urgent push to develop a national digital ID (eID) card, a move backed by telcos.

As part of the Government's vision to make Australia a global leader in cybersecurity by 2030, the Government intends to establish the proposed ID cards as a primary means of identification. By doing so, the government hopes to reduce the amount of personal data telcos need to store for identification purposes and to minimise the risk of data breaches that could compromise Australians’ personal information or digital identities.

How ID proofing and strong authentication protect Digital IDs

Even when the eID card is eventually rolled out and mandated for all Australians, there is still a possibility that an individual can have multiple digital identities to log in to accounts online. For instance, someone can have one digital identity (think Microsoft or Google accounts) for their work email, a different one for a personal email account and many others for social media accounts.

Ensuring that only the authentic user is given account access may require identity proofing. Because identity proofing is done online, it is used in conjunction with identity federation and strong, phishing-resistant authentication to protect an individual’s digital identity. Identity federation securely exchanges identity and security information between an identity provider (IdP) and a telco’s online service. Identity federation relies on strong authentication such as FIDO to protect against phishing, man-in-the-middle attacks and session hijacking.

Mandating strong MFA in telecoms

The Australian Federal Government already stipulates in its Telecommunications Service Provider (Customer Identity Authentication) Determination 2022 that “Multi-factor identity authentication (MFA) processes must be used for all high-risk customer transactions in the telecoms sector.” However, they have not defined the type of MFA that should be used.

By and large, telcos have only mandated legacy mobile authentication methods for employees and customers, such as a One Time Password (OTP) sent as a text message or generated by an authenticator app. These are quick and easy to deploy and are enabled by the ubiquity of mobile devices. Yet telcos continue to experience cyber-attacks through BEC or phishing, because most are still using these vulnerable legacy authentication methods. Not all MFA is created equal. Cyber-attacks have increased in sophistication to the point that these legacy methods are no longer secure. Phishing-resistant MFA needs to be taken more seriously, and mandating other options, such as security keys, for customers and staff should be considered.
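To make the distinction concrete, here is an added example (not from the article or from Yubico) of the relying-party check that separates the two classes of MFA: an OTP verifier only sees the digits, whereas a FIDO/WebAuthn verifier checks that the browser-supplied origin inside the signed client data matches its own. All origins, secrets and codes are constructed, and an HMAC stands in for the authenticator’s ECDSA signature so the block runs with the standard library alone.

```python
# Added example, constructed values throughout: a minimal relying-party check
# showing why an origin-bound FIDO assertion resists phishing and a relayed OTP
# does not. HMAC stands in for the authenticator's ECDSA signature.
import hashlib
import hmac
import json

RP_ORIGIN = "https://portal.example-telco.test"   # constructed relying party
LOOKALIKE = "https://portal.example-te1co.test"   # constructed look-alike origin


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    # Legacy OTP: the verifier learns six digits and nothing about where the
    # user typed them, so a code relayed from a look-alike site looks genuine.
    return hmac.compare_digest(expected_code, submitted_code)


def fido_assert(cred_secret: bytes, challenge: bytes, browser_origin: str) -> dict:
    # Stand-in authenticator: the browser, not the user, fills in the origin it
    # is actually connected to, and that origin is covered by the signature.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(cred_secret, hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"client_data": client_data, "signature": sig}


def verify_fido(cred_secret: bytes, expected_challenge: bytes, response: dict) -> bool:
    # Relying-party side: ceremony type, challenge freshness, origin binding,
    # then the signature over the exact client-data bytes.
    try:
        cd = json.loads(response["client_data"])
    except (KeyError, ValueError, TypeError):
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:   # the check that defeats a look-alike site
        return False
    digest = hashlib.sha256(response["client_data"]).digest()
    expected = hmac.new(cred_secret, digest, "sha256").digest()
    return hmac.compare_digest(expected, response.get("signature", b""))


def compare_factors() -> dict:
    # Same user, same credential, two origins: only the origin-bound factor
    # lets the genuine service tell the two apart.
    otp, cred, chal = "493027", b"constructed-credential-secret", b"\x01" * 16
    return {
        "otp_direct": verify_otp(otp, otp),
        "otp_relayed": verify_otp(otp, otp),   # same digits, typed on LOOKALIKE
        "fido_direct": verify_fido(cred, chal, fido_assert(cred, chal, RP_ORIGIN)),
        "fido_relayed": verify_fido(cred, chal, fido_assert(cred, chal, LOOKALIKE)),
    }
```

`compare_factors()` returns True for both OTP cases but False for the look-alike FIDO case, which is the property a telco’s login service gains from security keys that SMS or app codes cannot provide.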

The take-out

To fight cyber-attacks effectively, telecom companies must implement strong, phishing-resistant MFA. Eliminating BEC and phishing risks creates a secure environment for their employees and safeguards their customers’ personal information.

Whether a telco is already using mobile authentication or is actively considering adding an extra layer of authentication, it’s essential to understand that MFA is a spectrum and that not all MFA is created equal. I would strongly recommend adopting security keys, or biometric authentication on the device users are logging in from, to prevent unauthorised access.

Geoff Schomburgk, VP of APJ at Yubico

© Scoop Media
