Instant messaging (IM) apps are taking over our business lives.
Group chat capability provided by consumer IM services like Facebook Messenger, Snapchat and WhatsApp has found widespread appeal. Such is their convenience that employees are only too happy to add IM apps to their own mobile devices.
Figures show that 70 percent of workers use IM apps during working hours. Some are sending up to 100 messages a day on company time.
But IM and group chat on consumer apps, along with SMS, share an enduring problem.
How can you tell if the person on the other end is really who they say they are?
Of course, this does not mean people cannot trust their friends or relations.
But consumer IM apps are wide open to anyone. More and more companies, for example, are turning to them as a low cost, more personalized alternative to email as a way to market to customers.
If your telco or your bank can use IM or SMS to contact you then what’s to stop cybercriminals impersonating them to send malicious links or to commit fraud?
Fortunately there is a growing awareness of the risks.
"Instant messaging has become as much a part of business life as it has outside the workplace"
IM services companies are starting to do more to protect users by introducing authentication processes.
Nevertheless, the IM providers still put more emphasis on convenience than they do on improved security.
This is not good news for enterprise CIOs.
Flaws with SMS Authentication
Industry commentators have drawn a lot of attention to the authentication issue. Some Web-based IM services have responded by introducing two-factor authentication.
Most two-factor authentication processes comprise a user-generated password or PIN coupled with a temporary code sent by the service provider via SMS to the user’s phone.
While this is definitely preferable to a password on its own it’s by no means bulletproof.
According to the US National Institute of Standards and Technology (NIST) SMS-based two-factor authentication is an insecure process. Anyone could be using the mobile device or it could have been cloned. It is also impossible for the web service operator to know for certain whether the code has been received by the correct person.
SMS text messages can even be hijacked. For example, if an individual uses a voice-over-internet protocol (VoIP) service such as Skype instead of a traditional phone network to make the call a hacker could intercept this and use the SMS code to access accounts.
There are other risks too.
For example, a design flaw in the international telecoms standard Signaling System Number 7 (SS7) protocol could also allow messages to be intercepted. From there it’s a short step for an attacker to hijack web services such as Twitter, Facebook or Gmail that use SMS to send codes to reset passwords.
Nevertheless, despite its many flaws, web-based messaging apps are likely to persist with SMS for authentication purposes. For one thing, it’s convenient for the end-user. The process saves them from having to create yet another username/password to identify themselves.
It’s also convenient for the provider. The SMS authentication process can be automated. Automation costs a lot less to implement than alternatives like telephone support.
Another means of authentication popular with instant message service providers is to ask users for their phone numbers as a means of identification. It’s a good way for the app providers to build a database of customer contacts that could be used to market additional services.
It also absolves them of the burden of having to provide support. Any mobile-related issues, such as helping to recover access privileges in the event of a lost phone, are the network operator’s responsibility and not that of the messaging service.
Unfortunately most modern mobile phones are incredibly insecure. Anyone with some fairly basic scanning equipment could eavesdrop on conversations or use a man-in-the-middle attack to intercept communications with relative ease.
An intercepted phone number is all an attacker needs to launch a phishing attack like the one on Facebook Messenger used to install ransomware on mobile devices.
If enterprise continues to embrace Bring Your Own Cloud (BYOC) apps they will need an instant messaging platform that can stop personal smartphone vulnerabilities from spreading malware infections to the corporate network.
A new breed of enterprise-grade messaging and collaboration platforms has emerged. With their arrival we have finally seen the introduction of more robust authentication processes.
These platforms bring back security and control over BYOC collaboration apps to organizations while retaining an elegant end-user experience.
APIs make them extremely flexible, enabling them to connect seamlessly with existing user authentication services such as Active Directory (AD).
This type of integration offers multiple benefits including letting administrators automatically add or remove users based on changes in the AD.
Existing groups in AD can also be used as the basis for chat groups in the instant messaging service.
Furthermore, end-users can authenticate themselves by logging in to the messaging and collaboration system using their AD credentials.
In summary, instant messaging has become as much a part of business life as it has outside the workplace.
Yet ordinary consumer messaging apps lack the essential security measures needed for enterprise use.
Authentication processes for consumer apps are particularly flawed.
The answer is to implement a secure messaging platform that is purpose-built for enterprise. Such systems have an array of APIs that can integrate with existing infrastructures.
Most enterprises already have strong authentication procedures-AD services for example–already built into their systems.
It makes sense to leverage these for authenticating IM services, building on what you have already rather than having to rely on risky cloud-based processes that are beyond the enterprise’s ability to control.