Keeping You(r Money) Safe
Stuart Bryan
Helping Southern New England's Small Businesses and NonProfits turn IT and Compliance challenges into opportunities | Managed IT, Cybersecurity & Compliance Solutions for Growing Companies
There was a situation recently where a local bank had its website spoofed. Through DNS redirection, the malicious actors sent unsuspecting bank clients to a near copy of the bank's actual website. Users would attempt to log in and, in doing so, hand their credentials straight to the criminals.
The bank responded by notifying their clients and pulling their site offline.
Normally careful bank clients gave away their information without doing anything wrong. A trusted vendor had missed something and allowed this situation to occur.
The thing is, a technology already exists that makes this kind of attack almost impossible to fall victim to. Google's Chrome browser has supported it since late last year.
The main issue is that few websites support this technology, even though big names like Apple, Microsoft, Best Buy, GoDaddy, PayPal, Kayak and eBay do, on their websites and in some cases in their apps.
What is it? Passkeys.
Essentially, it's the replacement for traditional passwords, and it incorporates MFA right into the design: the private key held on your device is one factor, and the biometric or PIN that unlocks it is another. The linked article below explains it in detail. In fact, we offer this product to our clients, as it supports passkeys and meets the strictest commercial requirements at the moment, that being CMMC for defense contractors.
From the linked article:
"How Does It Work?
To create a new passkey, the user signs into their account normally and then enables the passkey option from the security settings screen of the website or app. The website or app then prompts the user to save a passkey associated with their device. The web browser or operating system will then request biometric authentication to approve the request, and the passkey is stored locally.
Subsequent logins to the website will then prompt the user to use a passkey from their device to login, instead of a password. If the web browser supports synchronization of passkeys between devices, the passkey will be available across those devices.
If the user is using a device that doesn't have a passkey for the website or app, they may have the opportunity to use another device. If the browser supports cross-device authentication, the browser may prompt the user with a QR code that can be scanned by a mobile device to complete the sign-in. Cross-device authentication also involves the use of Bluetooth to ensure proximity.
This is what the end user sees. Let’s take a look at what’s going on behind the scenes, at the server level. When an end user attempts to log into their account with a passkey, the account server sends a “challenge” to the authenticator, consisting of a string of data. The authenticator uses the private key to solve the challenge and sends a response back, a process known as “signing” the data and verifying the user’s identity.
Notice that at no time during this process does the account server need to access the user’s private key, which also means that no sensitive information is ever transmitted. This is possible because the public key – which the server stores – is mathematically related to the private key. The server needs only the public key and the signed data to verify that the private key belongs to the user."
In a nutshell, the server only ever holds the public key, so the one thing worth stealing, the private key, never leaves the user's device. A passkey is also tied to the domain it was created on, and the signed response names the site the browser actually connected to, so a login simply can't work on a spoofed site at a different domain. Getting around that would require compromising the actual site itself, and at that point it's a much bigger problem. It's also a much more sophisticated attack/hack. That makes it less likely to be done in my opinion.
What should you do?
Demand that your vendors start supporting MFA at a minimum, but frankly, ask when, not if, they will implement passkey support. If enough people ask, then maybe they'll be motivated to better protect their clients and their data.