By: Xavier Salinas
In my 15-year career in the world of IT and cybersecurity, the attack surface used by hackers has continually grown while we have more and more to protect. Simply put, the more we innovate and advance, the more ways “in” hackers have. While the cloud remains a prime target for hackers today, earlier in my career the focus was on targeting network perimeters, critical internet-facing vulnerabilities, and endpoint devices. Now, the emerging attack surface is single sign-on (SSO). While SSO eases friction for its users, it also makes hackers’ lives easier. Because it is mainly stored in third-party cloud environments, it is also difficult to audit. Altogether, the inherent risk of SSO can have terrifying ramifications!
Single sign-on is like having a master key that unlocks your house, car, and office. It simplifies your online experience by allowing you to access multiple applications and services with just one set of credentials, sparing you the hassle of remembering multiple usernames and passwords. It is used by Microsoft, Google, Apple, Amazon, Facebook, Okta, Duo, and more. That’s right—it has become part of our personal and professional lives. For instance, when you log into your email, SSO seamlessly grants you access to your cloud storage, project management tools, and collaboration platforms without the need for repetitive logins. It is the magic wand that streamlines your digital journey. However, while this convenience is undoubtedly appealing, it comes with its own set of challenges and security threats. In this article, we examine five identity-based threats—Artificial Intelligence (AI), the inherent risk, vendors’ security, multifactor authentication bypass, and human error—to help you approach SSO with appropriate caution.
Picture this: you receive an email that seems to be from your bank, asking you to confirm or provide information. It looks convincing, just like a real email from your bank. But guess what? It’s not from your bank; it’s from a hacker who is using AI to make their phishing emails look legitimate. They have fixed all the grammatical errors and spelling mistakes, making it nearly impossible to tell them apart from genuine messages. With generative AI, hackers of all experience levels can carry out such attacks.
And that’s not all. Hackers also use AI to manipulate their voices, making them sound like someone you trust. Essentially, they back up their emails and phishing schemes with a call or voicemail. Whether it’s the reassuring tone of your bank’s representative, the authority of your boss, or the familiarity of a family member, these voices coax you into a false sense of security. Therefore, you are more likely to provide sensitive information or money—just what the hackers want.
While single sign-on as your digital master key is convenient, that convenience comes at an inherent cost. Like you, hackers only need that one key to get in. They can then use SSO as a launch point to get into connected online services. To illustrate the real-world impact of this, consider the reported case of MGM Resorts. Here, the ALPHV group used a simple yet ingenious tactic. Posing as an employee, they placed a phone call to MGM Resorts’ Help Desk and tricked their way into gaining access. Once inside, they targeted the SSO system, used it as a launch point, and gained access to servers, machines, and more. What began with a 10-minute phone call led to an estimated $100M loss for MGM. While SSO is convenient, it can thus also be a high-value target for cybercriminals, providing them with a shortcut to a vast array of sensitive data. Most of us have been targeted by these simple tactics, and a lot of us know someone who has fallen victim to similar phishing and social engineering scams. They are all too common, and, frankly, all too simple.
Using SSO requires working with a third-party vendor—and relying on the degree of security the vendor offers. Relying on vendors’ security, however, poses risk for a couple of reasons.
First, if a vendor’s product has a security weakness or gets hacked, it could lead to a supply chain attack. This is when a hacker strategically targets a vendor intending to gain unauthorized access to the vendor’s systems, as well as their clients’ accounts