If a cybercriminal obtains your login credentials, they can change your account settings, steal sensitive personal or company data, send phishing emails as you, and possibly pivot to additional accounts within your organization.

Criminals can attempt this “malicious account takeover” through:

Hacking: Automated scripts try password after password (a brute-force attack) until one is accepted.
Phishing and Spear Phishing: Targeted emails from seemingly credible sources trick users into revealing credentials or personal information.
Social Engineering: Mining online databases and social media for clues to likely passwords or security-question answers: your name, location, phone number, family members' names, and so on.
Botnets: Bots spread across many IP addresses make high volumes of login attempts, each source staying below the rate that would trigger a lockout, to take over many accounts while staying unnoticed.
Credential Stuffing: Credentials stolen or leaked from one site are replayed against many other sites in the hope that the victim reuses the same password everywhere.
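The brute-force, botnet and credential-stuffing patterns above each leave a different shape in a login log. The following detection logic is an added example (not code from the article); the log format, addresses, usernames and thresholds are constructed for illustration:

```python
"""Detection logic for the attack patterns listed above, run over constructed
sample login records. Added example; the log format, IP addresses, usernames
and thresholds are assumptions, not data from the article."""
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source ip> <username> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 198.51.100.7 alice FAIL
2024-03-01T09:00:02Z 198.51.100.7 alice FAIL
2024-03-01T09:00:03Z 198.51.100.7 alice FAIL
2024-03-01T09:00:04Z 198.51.100.7 alice FAIL
2024-03-01T09:00:05Z 198.51.100.7 alice FAIL
2024-03-01T09:00:06Z 198.51.100.7 alice FAIL
2024-03-01T09:01:00Z 203.0.113.10 bob FAIL
2024-03-01T09:01:30Z 203.0.113.11 bob FAIL
2024-03-01T09:02:00Z 203.0.113.12 bob FAIL
2024-03-01T09:02:30Z 203.0.113.13 bob FAIL
2024-03-01T09:03:00Z 203.0.113.14 bob FAIL
2024-03-01T09:05:00Z 192.0.2.44 carol FAIL
2024-03-01T09:05:01Z 192.0.2.44 dave FAIL
2024-03-01T09:05:02Z 192.0.2.44 erin FAIL
2024-03-01T09:05:03Z 192.0.2.44 frank OK
2024-03-01T09:05:04Z 192.0.2.44 grace FAIL
2024-03-01T09:05:05Z 192.0.2.44 heidi FAIL
2024-03-01T09:10:00Z 192.0.2.99 ivan OK
"""


def parse_log(text):
    """Parse the simple space-separated format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def detect(events, brute_threshold=5, distributed_ips=4, stuffing_users=5):
    """Return findings for three patterns that show up in login logs:

    brute_force          one source hammering one account
    distributed          one account attacked from many sources, each source
                         staying under the per-source lockout (the botnet case)
    credential_stuffing  one source trying many accounts once or twice each
                         (a leaked username:password list being replayed)
    """
    fails_by_ip_user = defaultdict(int)
    fail_ips_by_user = defaultdict(set)
    attempts_by_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> count
    ok_users_by_ip = defaultdict(set)
    for e in events:
        attempts_by_ip[e["ip"]][e["user"]] += 1
        if e["ok"]:
            ok_users_by_ip[e["ip"]].add(e["user"])
        else:
            fails_by_ip_user[(e["ip"], e["user"])] += 1
            fail_ips_by_user[e["user"]].add(e["ip"])

    findings = {"brute_force": [], "distributed": [], "credential_stuffing": []}
    for (ip, user), n in fails_by_ip_user.items():
        if n >= brute_threshold:
            findings["brute_force"].append((ip, user, n))
    for user, ips in fail_ips_by_user.items():
        if len(ips) >= distributed_ips:
            findings["distributed"].append((user, len(ips)))
    for ip, per_user in attempts_by_ip.items():
        if len(per_user) >= stuffing_users and max(per_user.values()) <= 2:
            # Accounts that accepted a replayed credential are the ones to reset first.
            findings["credential_stuffing"].append(
                (ip, len(per_user), sorted(ok_users_by_ip[ip])))
    return findings


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, hits)
```

Thresholds are the tuning knob: a per-source lockout after five failures stops the first pattern but does nothing against the second, which is why the distributed rule counts sources per account rather than failures per source.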

To counter the above, the gate to your network and critical applications has evolved from a single password into multi-factor authentication (MFA).

The Four Steps of Authorization

Here are the basics:

Identity – definition: your unique identifier

Your “user” label, typically represented by a login name or email address, is a unique identity in a user database.

Authentication – definition: verifying your identity to gain user access

For decades, authentication simply meant a username and password.

Single-Factor Authentication relies on a username and password to gain user access to resources.
Two-Factor Authentication is often described as a username and password plus something else only the user knows, such as a PIN. That pairing is really "two of the same factor" authentication: both secrets are things you know, and a phish that captures one usually captures the other.

Thanks to industry efforts such as the FIDO Alliance, authentication has become more sophisticated. Instead of yet another piece of information (a PIN or Social Security number), a login is now proven with more than one kind of factor, classified simply as "what you know," "what you have," or "what you are."

Multi-Factor Authentication (MFA) requires proof from two or more of those distinct factor categories.

For example, a username and password (something you know), plus:

A one-time code from a hardware token or fob, or a Duo Push approval on a cellphone (something you have).
A fingerprint, retinal scan, facial recognition (something you are).

MFA is therefore much harder to beat: an attacker needs not only the user's identifier and password, but also the user's device or the user's body.

Access Control – definition: a token to establish your session

After authentication, the system issues a session token (a Kerberos ticket, session cookie, bearer token, or similar object) that stands in for the user on subsequent requests. The token usually carries a pre-defined expiration, after which the user must re-authenticate to remain in an "active" session.

Authorization – definition: permits your access to resources

While authentication verifies your identity, authorization verifies your permission to access resources such as data files, folders, databases, locations, etc.

Once authorization is established, whoever holds that session token gets every resource the user is authorized for; the server cannot tell the legitimate user from someone who stole the token.

In other words, the key to account takeover is obtaining that token, or the credentials that produce it, and assuming the user's identity.
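To make the token lifecycle described above concrete, here is an added example (not the article's code, and not any particular product's token format) of issuing a signed session token after authentication, checking it on later requests, and using its claims for authorization; the server key, user, roles and timestamps are assumptions:

```python
"""Session token issue/verify for the access-control and authorization steps
above. Added example (not code from the article); the key, user, roles and
timestamps are assumptions."""
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret; in practice generated with os.urandom and
# stored outside the code.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: list, now: int, ttl: int = 900) -> str:
    """Issued right after authentication succeeds: claims plus an HMAC tag."""
    claims = {"sub": user, "roles": roles, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token: str, now: int):
    """Return the claims if the token is genuine and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, tag = parts
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(tag)):
        return None  # claims were altered after issue: the tag no longer matches
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return None  # expired: the holder must re-authenticate
    return claims


def authorize(claims, required_role: str) -> bool:
    """Authorization step: the token says who you are, the role says what you may touch."""
    return claims is not None and required_role in claims["roles"]


def forge_roles(token: str, new_roles: list) -> str:
    """What an attacker without SERVER_KEY can do: rewrite claims, keep the old tag."""
    body, tag = token.split(".")
    claims = json.loads(_unb64(body))
    claims["roles"] = new_roles
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()) + "." + tag


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("alice", ["finance"], now=t0)
    print("fresh:", authorize(verify_token(token, t0 + 60), "finance"))      # True
    print("stolen, still valid:", verify_token(token, t0 + 60) is not None)  # True
    print("forged:", verify_token(forge_roles(token, ["admin"]), t0 + 60))   # None
    print("expired:", verify_token(token, t0 + 900))                         # None
```

The forged and expired tokens are rejected, but the unmodified token is accepted no matter who presents it, which is the point of the paragraph above: keep lifetimes short, bind tokens to the client where the platform allows it, and treat a token as a credential in its own right.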

Multi-Factor Authentication is the solution, but MFA is not perfect. Cybercriminals use social engineering (human error, misuse, or another human element), technical manipulation, or a mixture of both to beat MFA.

The SIM Swap Attack on Multi-Factor Authentication

The most widely deployed MFA option is SMS: the authenticating server sends a Short Message Service (SMS) text to your cell phone.

After you type in your username and password, your phone vibrates, and once you type the 4- to 6-digit code your two-factor authentication is complete.

Since cybercriminals typically don't have your physical phone, SMS seems strong. Unfortunately, they don't need your phone if they can take over your phone number.

Every cell phone carries a Subscriber Identity Module (SIM), a small physical card or, increasingly, a virtual eSIM, that holds the subscriber identity and keys tying your phone number to the carrier's network. (Your apps, pictures and contacts live in the phone's own storage, not on the SIM.)

For well over a decade, attackers have stolen, purchased, and phished the account details needed to impersonate a subscriber to their carrier: phone number, name, account login or PIN, and home address.

Usually the cybercriminal phishes this information directly from the victim, though sometimes it is harvested from data breaches at large organizations that fell victim to phishing or ransomware.

However they acquire the data, the attacker then performs a "malicious SIM swap": convincing your cellular provider (AT&T, Verizon Wireless, etc.) to move your phone number onto a SIM the attacker controls. From that moment your calls and SMS codes are delivered to the attacker's phone instead of yours.

Malicious SIM swaps are common enough that the U.S. National Institute of Standards & Technology (NIST), in Special Publication 800-63B (https://pages.nist.gov/800-63-3/), classifies out-of-band authentication over the public telephone network (SMS and voice) as RESTRICTED: it may be used only after a risk assessment, and users must be offered an alternative authenticator.

In 2018, Michael Terpin, founder of the Bit Angels cryptocurrency investment group, sued AT&T for $224 million, alleging fraud and gross negligence after the carrier transferred his phone number without authorization. The cybercriminals used the swap to steal $24 million in virtual currency.

The online platform Reddit faced a similar issue in 2018, when attackers intercepted the SMS codes protecting employee accounts (see: Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup).

For more MFA hacks, read this from KnowBe4.

Implement MFA Throughout Your Organization

Deploying Multi-Factor Authentication on just one application, or in silos, is similar to locking your front door and leaving a window or back door open. To minimize your exposure to an attack, be sure to consider all access points within your organization, including the cloud.

We see many organizations implementing Microsoft Office 365 with MFA, and developing a false sense of security, feeling that, “Since we have MFA in place for O365, our organization is safe.”

Implementing consistent security across all data and workloads, on-premises, in private cloud, and in public cloud, is important.

Implementing MFA across all end users and privileged users, cloud and on-premises applications, VPNs, and remote access solutions will help you prevent unauthorized access, data breaches, and password-based attacks.

How to Prevent MFA Hacks

While not perfect, implementing a Multi-Factor Authentication policy across your organization will go a long way toward securing your IT infrastructure.

AllConnected also recommends the following:

Realize that nothing, including the best MFA solution, is unhackable.
Adopt a "zero trust" policy. Don't assume any email or link, inside or outside your organization, is okay. Verify anything and everything trying to connect to your systems before granting access.
Learn the basics of social engineering so you won't fall for phishing schemes requesting your personal information.
Make sure your cell phone carrier has policies and procedures (such as an account PIN or number-transfer PIN) that prevent malicious SIM swaps, and more importantly, use app-based MFA (an authenticator app or push approval) instead of SMS-based MFA whenever possible.
For remote users, you can implement MFA policies on a variety of applications. Where a legacy application or database can't do MFA itself, put it behind a Remote Desktop Gateway (RD Gateway) or Citrix environment, both of which accept MFA.

Consider Cisco Duo for Multi-Factor Authentication

AllConnected recommends Cisco Duo authentication for many reasons, but one is the Push option. When you set up the Duo application on your cell phone, you are asked to choose from:

The Push option is more effective because it requires a timely approval in the phone app rather than a code that can be read off an intercepted SMS. Push approvals can still be abused by flooding a user with prompts until one is accepted, so train users to deny any prompt they did not initiate.

“There’s an amount of reasonableness – companies can’t hook up retinal scanners to everyone — but a push notification to cell phone is reasonable. It’s easy to use, and easy to implement,” says Richard Pressler, AllConnected’s CTO and chief architect.

If you would like to hear more about how AllConnected can strengthen your IT security, please contact us.