
Bypassing encryption without breaking the code. A new social engineering attack vector

Numerous security institutions and leading cyber threat experts have recently been speaking out about a global phishing campaign run by a specialised cybercriminal group. It has been confirmed that a campaign of this kind is underway, conducted by specialised groups that are connected to foreign intelligence services and targeting users of popular messaging apps like Signal.

The key conclusion? The most effective attack method does not break the encryption at all: it bypasses the encryption mechanisms by interacting directly with users.

How do modern-day ‘digital burglars’ operate?

Contemporary social engineering operations are advanced processes in which attackers, posing as official support systems or security bots, exploit time pressure and a sense of threat to trick their victims into making critical mistakes. Methods such as abusing the trusted (linked) device mechanism and tricking users into revealing PIN codes, carried out with the intention of taking over accounts, make it possible to bypass an app’s encryption entirely and gain unauthorised access to data in real time.

Faced with such sophisticated threats, organisations have no choice but to evolve towards the full digital resilience defined by the European Union’s Network and Information Security Directive (NIS2) and Digital Operational Resilience Act (DORA). In an environment where implementing security in line with the secure by design principle is a must, moving beyond the rigid frameworks of IT systems and integrating protection on multiple levels is vital. State-of-the-art defence is rooted in combining secure application code with leakproof architecture and 24/7/365 monitoring for anomalies. One example of a protective measure that goes beyond standard frameworks is creating advanced risk checklists for LLM-based systems and AI chatbots, among others. This makes it possible to identify gaps in data validation and the risk of data poisoning before potential fraudsters can exploit them.

This modular and strategic approach to security facilitates the transformation of potential contact points with hackers into a robust barrier protecting an organisation’s digital identity and assets.

NIST, ISO, NIS2 and DORA. The cornerstones of security

The risks identified here are direct violations of regulatory frameworks and security standards such as the NIST frameworks (National Institute of Standards and Technology), ISO/IEC 27001, NIS2 and DORA, all of which place a crucial emphasis on the integrity of digital identity and operational resilience. In this field, an effective defence strategy has to go further than technological security alone. It needs to be grounded in rigorous adherence to the rules of digital hygiene and users’ situational awareness:

·     the rule of authorisation data confidentiality: verification codes and PINs should be handled with the same rigour as access passwords. Legitimate technical support never initiates a request for them to be disclosed in any communication channel;

·     communication channel verification: every single interaction with a service provider should take place only via official, verified touch points, such as a manufacturer’s website or an app’s native settings. Links sent in direct messages should be avoided at all costs;

·     session and device management: regularly auditing the linked devices list is essential in order to identify and terminate every unauthorised session without delay. This cuts off an intruder’s access to the account’s resources.

Alarm signals

In digital communications, effective threat detection requires an immediate response to any anomaly that could indicate an ongoing attempt to infiltrate an account. Critical alarm signals that demand particular vigilance include:

·     system communications: notifications about technical errors, data leaks or login attempts not instigated by the user;

·     non-protocol authorisation requests: requests for PIN codes or two-factor authentication (2FA) tokens sent directly within chat channels;

·     unverified functional links: links sent via private messages and leading to alleged ‘identity verification’ or ‘account recovery’ procedures;

·     atypical interactions with technical support: communication supposedly from ‘support’ and occurring within the app, whereas the official service team usually uses email channels or native system notifications.

A mini audit

We’d like to suggest that you conduct your own brief evaluation of the current defence mechanisms in your work environment. Taking under two minutes, the analysis will enable you to make an initial identification of any gaps in your authorisation protocols and assess your team’s operational readiness to tackle advanced infiltration vectors. So do give it a go!

1.  Session life cycle management. How frequently is the linked devices list in your company’s communication channels audited?

·    [ ] I ran a check just now. The session status is fully authorised.

·    [ ] The process is carried out as part of our regular digital hygiene procedures at a minimum of once a month.

·    [ ] The current architecture doesn’t include systematic monitoring of active access points.

2.   Resilience against encryption mechanism bypassing. In your company, is there awareness of the fact that exfiltration of a 2FA or PIN code makes it possible to bypass end-to-end security completely and enables unauthorised data synchronisation to an attacker’s device?

·    [ ] Yes. We have procedures in place that prioritise the rigorous protection of credentials.

·    [ ] The transport layer encryption is assumed to provide a sufficient protective barrier.

Guard your organisation’s digital resilience

Modern security paradigms define protection not as a one-off implementation, but as an ongoing process integrated with the full technological life cycle. MakoLab’s trust by design strategy assumes that the integrity of digital identity must be a feature inherent to the ecosystem from the code design phase, via the cloud architecture, right up to and including the 24/7 operational support.

For organisations adapting to the NIS2 and DORA standards, evolving towards modular solutions that step outside traditional system frameworks is vital. This encompasses:

·     risk analysis and strategy: building security roadmaps that align with business architecture and regulatory requirements;

·     integrating security into the DevOps cycle: embedding control mechanisms directly into development and operational processes for the early detection of vulnerabilities;

·     protecting identity in hybrid environments: designing secure workplaces and cloud infrastructure that guarantee high data availability while maintaining the rules of zero trust;

·     proactive operational continuity: systematic telemetry and real-time responses to anomalies in order to limit the impact of incidents on critical processes.

If you’re wondering how the current regulatory changes and new attack vectors are affecting your team’s architecture, our experience in designing secure solutions is at your disposal. Together, we can act to ensure that your organisation’s digital identity remains its strongest asset.

Let’s talk about a secure future for your data

16th April 2026
Author(s)

Anna Kaczkowska

Content Marketing Specialist

Responsible for planning, creating and managing content
