How Secure Is Your Multi-Factor Authentication?
If today’s cybercriminal obtains your login credentials, they can change your account settings, steal sensitive personal or company data, send phishing emails as you, and possibly reach additional accounts within your organization.
Criminals can attempt this “malicious account takeover” through:
Hacking
Automated scripts run through many password combinations (a brute-force attack) until they find one that grants access.
Phishing and Spear Phishing
Highly targeted emails from seemingly credible sources trick users into revealing personal information.
Social Engineering
Mining online databases and social media for likely password material: your name, location, phone number, the names of family members, and so on.
Botnets
Bots spread across many IP addresses try usernames and passwords at high volume, taking over a number of accounts while staying unnoticed.
Credential Stuffing
Stolen or leaked credentials are tested against many websites in the hope that the victim reuses the same password everywhere.
To counter these attacks, logging in to your network and critical applications has evolved from a simple password into multi-factor authentication (MFA).
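The attack patterns listed above leave distinct fingerprints in an authentication log: a brute-force attack is many failures against one account from one address, credential stuffing is one address touching many accounts, and a botnet is one account attacked from many addresses. The following detection logic is an added example, not code from the original article or from AllConnected; the log format, the thresholds, the five-minute window and the sample lines are all assumptions constructed for illustration.

```python
"""Flag brute-force, credential-stuffing and distributed (botnet) login patterns.
Added example (not the article's or AllConnected's code). Log format, thresholds
and the sample records below are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>".
# 203.0.113.5 hammers one account; 198.51.100.7 tries many accounts once each;
# "frank" is attacked from several addresses at once; "grace" mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:04 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:05 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:06 FAIL user=alice ip=203.0.113.5
2024-05-01T10:01:10 FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:15 FAIL user=carol ip=198.51.100.7
2024-05-01T10:01:20 FAIL user=dave ip=198.51.100.7
2024-05-01T10:01:25 FAIL user=erin ip=198.51.100.7
2024-05-01T10:02:00 FAIL user=frank ip=192.0.2.1
2024-05-01T10:02:05 FAIL user=frank ip=192.0.2.2
2024-05-01T10:02:10 FAIL user=frank ip=192.0.2.3
2024-05-01T10:05:00 FAIL user=grace ip=203.0.113.77
2024-05-01T10:05:09 OK user=grace ip=203.0.113.77
"""


def parse_line(line: str) -> dict:
    """Split one record into its timestamp, outcome, user and source address."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def max_in_window(items, window: timedelta):
    """items: time-sorted list of (timestamp, value). Returns the largest number
    of items and the largest number of distinct values seen in any sliding window."""
    best_count = best_distinct = 0
    counts: Counter = Counter()
    start = 0
    for end, (ts, value) in enumerate(items):
        counts[value] += 1
        while ts - items[start][0] > window:  # slide the window forward
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best_count = max(best_count, end - start + 1)
        best_distinct = max(best_distinct, len(counts))
    return best_count, best_distinct


def detect(log_text: str, window=timedelta(minutes=5), fail_threshold=5, spread_threshold=3):
    """Return sorted (pattern, subject, measure) alerts found in the log."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures_by_ip, failures_by_user = defaultdict(list), defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_ip[e["ip"]].append((e["ts"], e["user"]))
            failures_by_user[e["user"]].append((e["ts"], e["ip"]))
    alerts = []
    for ip, items in failures_by_ip.items():
        count, distinct_users = max_in_window(items, window)
        if distinct_users >= spread_threshold:      # one source, many accounts
            alerts.append(("credential_stuffing", ip, distinct_users))
        elif count >= fail_threshold:               # one source, one account, many tries
            alerts.append(("brute_force", ip, count))
    for user, items in failures_by_user.items():
        _, distinct_ips = max_in_window(items, window)
        if distinct_ips >= spread_threshold:        # one account, many sources
            alerts.append(("distributed_attack", user, distinct_ips))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The per-address and per-account views are kept separate on purpose: a single threshold on failed logins per address would miss both the botnet pattern (each address fails only once) and credential stuffing (each account fails only once), which is exactly why those techniques are used.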
The Four Steps of Authorization
Here are the basics:
Identity – definition: your unique identifier
Your “user” label, typically represented by a login name or email address, is a unique identity in a user database.
Authentication – definition: verifying your identity to gain user access
For decades, authentication simply meant a username and password.
- Single-Factor Authentication relies on a username and password to gain user access to resources.
- Two-Factor Authentication requires a username and password, along with something else only the user knows, like a PIN. In other words, it is “two of the same factor” authentication.
For example, a username and password (something you know), plus:
- A digital code from an access token or fob, or a Duo approval notice on a cellphone (something you have).
- A fingerprint, retinal scan, facial recognition (something you are).
Access Control – definition: a token to establish your session
After authentication, the access control process establishes an access control token (or Kerberos ticket, cookie, text file, or other object) to further establish the user’s identity. The token may also have a pre-defined expiration, which forces the user to re-authenticate to remain in an “active” session.
Authorization – definition: permits your access to resources
While authentication verifies your identity, authorization verifies your permission to access resources such as data files, folders, databases, locations, etc.
Once authorization is established, the holder of that access control token has access to all available system resources.
In other words, the cybercriminal’s goal is to obtain that access control token and thereby assume the user’s identity.
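Because the access control token is what an attacker is after, a defender wants that token to be unforgeable, short-lived (forcing re-authentication, as described above) and to record which factors were actually verified when it was issued. The following is an added example, not code from the original article or from AllConnected: a minimal signed session token with an expiry and an `amr` (authentication methods) list. The token layout (base64 claims plus an HMAC-SHA256 tag), the claim names, the 15-minute lifetime and the demo key are assumptions; a production system would use a vetted session or JWT library and a key from a secrets store.

```python
"""Signed, short-lived session token that records how the holder authenticated.
Added example, not the article's or AllConnected's code; layout, claim names,
lifetime and key are assumptions chosen for illustration."""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-not-for-real-use"  # constructed placeholder


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    """HMAC-SHA256 tag over the encoded claims."""
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user: str, factors, lifetime: int = 900, now=None) -> str:
    """Create a token after login. `factors` lists the methods actually verified
    (e.g. ["pwd", "otp"]); `lifetime` is seconds until re-authentication is required."""
    now = int(time.time()) if now is None else int(now)
    claims = {"sub": user, "iat": now, "exp": now + lifetime, "amr": sorted(set(factors))}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, require_mfa: bool = True, now=None):
    """Return (True, claims) for a valid token, else (False, reason).
    The signature is checked before the body is parsed, so a tampered body is
    rejected without ever being interpreted."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token"
    body, tag = parts
    if not hmac.compare_digest(tag, _sign(body)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired: re-authenticate"
    if require_mfa and len(claims["amr"]) < 2:
        return False, "session was not established with MFA"
    return True, claims


if __name__ == "__main__":
    tok = issue_token("alice", ["pwd", "otp"])
    print(tok)
    print(verify_token(tok))
```

Recording the verified factors in the token lets a resource that demands MFA refuse a session that was opened with only a password, rather than trusting that the login page enforced it.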
Multi-Factor Authentication is the solution, but MFA is not perfect. Cybercriminals will use social engineering (human error, misuse, or some other human element), technical manipulation, or a mixture of both to beat MFA.
The SMS Swap Attack on Multi-Factor Authentication
The most popular MFA option on the planet is SMS; that is, when an authenticating server sends a Short Messaging Service (SMS) message to your cell phone.
After you type in your username and password, your phone vibrates, and after you type in a 4- to 6-digit code your two-factor authentication is complete.
Since cybercriminals typically don’t have access to your physical phone, SMS seems strong. Unfortunately, they don’t need your phone if they can mirror your SIM.
Most cell phones store your personal subscriber data, along with your application data, pictures and contact information, in a physical (or increasingly virtual) small memory card called the Subscriber Identity Module (SIM).
For well over a decade, hackers have stolen, purchased, and phished SIM card information, obtaining the victim’s phone number, name, login name and/or credentials, and home address.
Usually the cybercriminal phishes private information directly from the victim, though sometimes this data is acquired through compromised online databases (large organizations that fell victim to phishing or ransomware).
However they acquire the SIM data, the hacker then performs a “malicious SIM swap,” which may involve convincing your cellular network provider (e.g., AT&T or Verizon Wireless) to transfer your SIM information to a new phone, enabling cybercriminals to mirror the physical device and intercept your SMS messages.
Malicious SIM swaps have occurred millions of times, forcing the U.S. National Institute of Standards and Technology (NIST) to decide that it will not accept SMS-based MFA solutions as legitimate authentication (Special Publication 800-63, https://pages.nist.gov/800-63-3/).
In 2018, Michael Terpin, the founder of the Bit Angels cryptocurrency investment group, sued AT&T for $224M, citing fraud and gross negligence because they transferred his SIM information without authorization. The cybercriminals stole $24 million in virtual currency.
The online platform Reddit faced a similar issue: Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup.
For more MFA hacks, read this from knowbe4.
There’s an amount of reasonableness – companies can’t hook up retinal scanners to everyone — but a push notification to a cell phone is reasonable. It’s easy to use, and easy to implement.
Richard Pressler
AllConnected CTO and Chief Architect
Implement MFA Throughout Your Organization
Deploying Multi-Factor Authentication on just one application, or in silos, is like locking your front door and leaving a window or back door open. To minimize your exposure to an attack, consider all access points within your organization, including the cloud.
We see many organizations implementing Microsoft Office 365 with MFA, and developing a false sense of security, feeling that, “Since we have MFA in place for O365, our organization is safe.”
Implementing consistent security across all data and workloads, whether on-premises, in a private cloud, or in a public cloud, is important.
Implementing MFA across all end users and privileged users, cloud and on-premises applications, VPNs, and remote access solutions will help you prevent unauthorized access, data breaches, and password-based cyber-attacks.
How to Prevent MFA Hacks
While not perfect, implementing a Multi-Factor Authentication policy in your organization will go a long way toward securing your IT infrastructure.
AllConnected also recommends the following:
- Realize that nothing, including the best MFA solution, is unhackable.
- Adopt a “zero trust” policy. Don’t assume any email or link inside or outside your organization is okay. Verify anything and everything trying to connect to your systems before granting access.
- Learn the basics of social engineering so you won’t fall for phishing schemes requesting your personal information.
- Make sure your cell phone vendor has policies and procedures that prevent malicious SIM swaps, and more importantly, use application-based MFA instead of SMS-based MFA whenever possible.
- For remote users, you can implement MFA policies on a variety of applications. While some legacy applications and databases don’t permit MFA, you can secure them through a Remote Desktop (RD Gateway) or Citrix environment, both of which accept MFA.
Consider Cisco Duo for Multi-Factor Authentication
AllConnected recommends Cisco Duo authentication for many reasons, but one is the Push option. When you set up the Duo application on your cell phone, you are asked to choose from:
The push notification option is more effective because it requires a timely response on the downloaded phone app instead of a code.