Multi-factor authentication (MFA) is increasingly being used, while cybercriminals are searching for, and finding, new gateways. […]
If done well, multi-factor authentication (MFA) can be very effective. If not, a security disaster looms. Although more and more companies are using MFA to protect their employees, the method has by no means become widespread. In fact, according to a survey conducted by Microsoft last year, 99.9 percent of all compromised accounts were not protected by multi-factor authentication. In total, only eleven percent of all company accounts are secured with MFA.
The corona pandemic was both good and bad for the acceptance of MFA. On the one hand, lockdowns and remote work offered a good reason for more MFA deployments; on the other hand, new phishing opportunities for criminal hackers have also emerged. In the latest Verizon Data Breach Investigations Report, Bernard Wilson, Network Intrusion Response Manager at the U.S. Secret Service, is quoted as saying: "Organizations that failed to implement MFA, along with VPNs, represent a significant percentage of victims who were attacked during the pandemic."
In addition to Covid-19, there have been other good reasons to rely on multi-factor authentication recently:
- Google has been using MFA as the default protection for all user accounts since May 2021. Matt Tait, former British GCHQ analyst, described this in a tweet as "one of the most important cybersecurity improvements this decade."
- In June 2020, Apple announced that Safari 14 will support FIDO2 protocols, joining Android and most other major browsers. Background: FIDO is getting better and better, even if the implementations still take some effort to work consistently across browsers, different operating system versions and smartphone apps.
However, the recent past shows that there is still room for improvement when it comes to securing two-factor and multi-factor authentication. We show you five common methods that criminal hackers use to exploit MFA vulnerabilities.
1. SMS-based man-in-the-middle attacks
The biggest problem with multi-factor authentication is related to its most common form of implementation: one-time passcodes delivered via SMS. It is easy for clever attackers to compromise the phone side of the exchange and temporarily have the victim's phone number assigned to a device under their control. There are several ways to carry out such an attack. One is to bribe an employee of a mobile service provider, or persuade him, to reassign a phone number.
Another method is the use of commercial services, as a reporter from Vice magazine found out by testing it himself. For an investment of 16 dollars, a hacker for hire managed to view or redirect all of his SMS messages with the help of a service provider.
2. Supply chain attacks
The most prominent attack on a software supply chain to date has been the SolarWinds hack, in which various components of the software were infected. Companies using the software could be compromised without realizing it. There are a number of ways to prevent supply chain attacks, such as scanning source code and the runtime environment.
Gartner analyst Kasey Panetta writes in a January 2021 blog post: "Don't forget that the SolarWinds attack was discovered by a vigilant security guard who wondered why an employee wanted to register a second phone for multi-factor authentication. Conversely, this means that the attacker aimed to use MFA as an attack vector."
3. Workflow bypass
Another example of a loophole in multi-factor authentication is the recently discovered vulnerability in the MFA module of Liferay DXP 7.3. The vulnerability allowed any registered user to authenticate by changing the one-time passwords of other users, which then led to the affected users being "locked out". The bug has since been fixed.
4. Pass-the-cookie attacks
This attack method targets browser cookies and websites that store the authenticated session in a cookie. Initially, this approach was chosen for ease of use. However, if a cybercriminal manages to extract this cookie, he can replay it and take over the account without ever seeing a second factor.
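One server-side mitigation for a stolen cookie is to bind the session to the client context it was issued to and to require a fresh MFA step-up when the cookie turns up from a different context. The following is an added example, not code from the original article; the session store, the server key, the 8-hour lifetime and the choice of user agent plus network prefix as "context" are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store for illustration: session id -> record.
SESSIONS = {}
SESSION_TTL = 8 * 3600                     # assumed absolute lifetime in seconds
SERVER_KEY = b"placeholder-server-key"     # placeholder, not a real secret


def _ctx_hash(user_agent: str, ip_prefix: str) -> str:
    """Keyed hash of the client context (user agent + network prefix) a session belongs to."""
    msg = f"{user_agent}|{ip_prefix}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(user: str, user_agent: str, ip_prefix: str, now: float) -> str:
    """Create a session after a full MFA login and remember which context it was issued to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ctx": _ctx_hash(user_agent, ip_prefix), "issued": now}
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP,
    SameSite limits cross-site replay. None of these stop a cookie copied from the disk."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def check_session(sid: str, user_agent: str, ip_prefix: str, now: float) -> str:
    """Return 'ok', 'step_up' (cookie presented from another context: re-prompt MFA)
    or 'expired' (unknown or too old: full login again)."""
    rec = SESSIONS.get(sid)
    if rec is None or now - rec["issued"] > SESSION_TTL:
        SESSIONS.pop(sid, None)
        return "expired"
    if not hmac.compare_digest(rec["ctx"], _ctx_hash(user_agent, ip_prefix)):
        # Same cookie, different browser or network: treat as possible pass-the-cookie
        return "step_up"
    return "ok"
```

Context binding raises the bar but is not a full fix: a cookie replayed from the same infected machine matches the context, so short lifetimes and re-authentication for sensitive actions still matter.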
5. Server-side forgeries
One of the biggest exploits in the recent past was Hafnium, in which a chain of attacks made it possible to bypass all authentication on Microsoft Exchange servers. Four zero-day vulnerabilities in Exchange were exploited, for which Microsoft has since released a number of patches.
These common MFA attack methods make it clear that multi-factor authentication requires a certain amount of care if it is to work properly and securely. Garrett Bekker, senior analyst at 451 Research, also knows this: "Bad MFA is like bad sunglasses – it offers no protection. However, the main reason why multi-factor authentication is not used more often is the poor user experience." To be truly effective, the analyst believes that MFA must be combined with a zero-trust architecture and continuous authentication technologies. Numerous providers have recognized this and have corresponding offers up their sleeves, but the implementation is far from easy.
The account recovery option is another multi-factor authentication vulnerability: some companies have solid MFA protection for normal account logins, but if a user forgets their password, the recovery process starts with an SMS passcode.
Akamai's Gerhard Giese points out in a blog post that MFA is not always a suitable remedy for credential stuffing. In his view, IT managers need to carefully review their authentication workflows and login screens to prevent attackers from using the web server itself to confirm which stolen credentials are valid. He recommends that admins use bot management solutions to ensure that criminal hackers have no chance.
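Credential stuffing looks different from a brute-force attack on one account: a single source makes a few attempts each against many accounts, so counting distinct usernames per source is a better signal than failures per user. The following detection is an added example run over constructed log lines, not code from the article or from Akamai; the log format, the 60-second window and the threshold of four accounts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): one login attempt per line.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z login FAIL user=alice src=198.51.100.7
2021-06-01T10:00:02Z login FAIL user=bob src=198.51.100.7
2021-06-01T10:00:02Z login FAIL user=carol src=198.51.100.7
2021-06-01T10:00:03Z login FAIL user=dave src=198.51.100.7
2021-06-01T10:00:03Z login OK user=erin src=198.51.100.7
2021-06-01T10:00:05Z login FAIL user=alice src=203.0.113.9
2021-06-01T10:00:09Z login FAIL user=alice src=203.0.113.9
2021-06-01T10:00:15Z login OK user=alice src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log: str):
    """Yield dicts for well-formed lines; malformed lines are skipped rather than crashing."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_stuffing(log: str, window=timedelta(seconds=60), min_users=4):
    """Return {src: {...}} for sources that touched >= min_users distinct accounts in `window`.
    'hits' lists accounts the flagged source logged into successfully: those need a forced
    re-authentication or password reset first."""
    by_src = defaultdict(list)
    for ev in sorted(parse(log), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            # Sliding window anchored at each attempt; stop at the first window that qualifies.
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits = sorted({e["user"] for e in evs if e["result"] == "OK"})
                flagged[src] = {"distinct_users": len(users), "hits": hits}
                break
    return flagged
```

The second source in the sample fails twice on one account and then succeeds, which is what a user mistyping a password looks like, so it is not flagged.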
Multi-factor authentication should be part of the critical infrastructure of enterprise security. The recent attacks, as well as the urging of experts from the government and business sectors, should give a boost to smart MFA implementations.
* David writes for our US sister publications CSO Online, Network World and Computerworld, among others.