The Terminator had it all wrong

It’s really easy to become complacent in security when the bad guys aren’t focussing you. But when the evil eye of Cyber Sauron casts its gaze your way, you soon realise your silver bullets were only silver-plated.

As lockdowns around the world ease to a degree and many organisations are welcoming staff back into the office. However, it’s not a complete return to office, and for now, it appears as if hybrid work environments are the way to go.

AWS Builder Community Hub

To support this hybrid environment, we’ve seen many strategies adopted. Cloud usage has increased, we’ve seen VPN’s crop up everywhere, and the shiny hotness that is MFA (multi factor authentication).

However, security departments aren’t the only ones thinking of hybrid environments – those pesky criminals have also adopted their attacks to operate in a more hybrid way to catch people off guard working from home – where the lines between work and home life aren’t blurred, they simply just don’t exist.

At the beginning of lockdown, we saw phishing emails which claimed to be from IT asking unwitting staff to download the latest VPN. Spoiler alert, it wasn’t a VPN.

We’ve seen MFA touted a lot, and I saw a tweet by Jen Easterly of CISA (Cybersecurity and Infrastructure Security Agency) tweet out that enabling multi-factor authentication makes you 99% less likely to get hacked.

Now, I’m not one to argue with Jen, but I do feel that people would read the tweet – which by the very nature of twitter needs to be kept short and sweet – and miss some of the nuance behind it.

So I’ll add:

  1. Not all MFA is created equal, try to use something robust – check out the FIDO Alliance
  2. SMS is not really two-factor, it’s two-step. But putting that aside, it’s probably one of the worst of the options out there

Yes, yes, I know, many will say, “but bad MFA is better than no MFA”. I get it – and where it is the only option, yes. But why are we making it the only option? This is one more for the providers than the users.

Don’t get me wrong, I strongly advocate the use of MFA wherever possible – the purveyors of such fine MFA need to make sure it is good quality MFA and does the job adequately and without creating a terrible user experience.*

What inspired this mini rant I hear you ask? Well, have a listen of this recording where a bot calls up a Paypal customer and is very sly in how it convinces the user to hand over the code that has been sent to them via SMS. To add insult to injury, the call ends with a reminder to the user to never disclose their password and only enter it into the official Paypal site. Go ahead listen to it, it’s only a minute long.

The Terminator was, and still is one of my favourite movies – it was the role Arnie was made for. But this call got me thinking – we, are probably more likely to fall victim to a scam that sounds like a robot than a human because we probably trust robots / technology more than we trust our fellow humans (not to say there isn’t good reason to do so).

Which is where the Terminator got it all wrong. Instead of the threat to humanity being a robot disguised to look and sound human – what really is the threat is a human masquerading as a robot!

So, it’s all a bit confusing to me – I’m going to go and have a chat to my smart fridge and hug my smart tv before my smart speaker soothes me to sleep.

* I appreciate creating something good and isn’t a horrible user experience is easy to say and very difficult to do. But nobody ever accused security of being easy.

** Mention of password less deliberately omitted as it was deemed outside the scope of this blog post which was only constructed so I could make the pun about terminator and robots masquerading as humans and vice versa so I could feel smug and clever about myself.

*** This is a Security Bloggers Network syndicated blog from Javvad Malik authored by j4vv4d. Read the original post at: