IT and Security executives are hit with a constant stream of updates surrounding the latest cyber-attacks and advanced tooling to prevent them. They have a lot of noise to cut through. But when the FBI speaks, they’re more inclined to pay attention.
It’s unfortunate then that in the case of last week’s FBI Bulletin, the bureau missed a golden opportunity to highlight just how effective multi-factor authentication (MFA) can be in preventing cyber-attacks. Instead, they focused on how certain forms of MFA can be compromised without giving MFA its proper due.
As one bright spot, the FBI’s findings on methods used to circumvent MFA are quite astute. The bulletin provides concrete examples of vulnerabilities that security industry news outlets like Krebs On Security have been ringing the warning bells about for years.
But attention spans being what they are, too many may not have read beyond the headline. And they may mistakenly use it as yet another reason to question the effectiveness of multi-factor authentication despite its well-documented benefits.
If progress is going to be made in preventing data breaches, authorities on the subject of cybersecurity, like the FBI, need to be bold in their recommendations and careful with their headlines. Given the rock solid proof points on the effectiveness of MFA, the headline of the FBI’s paper Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication should have been different.
Since you’re still reading—and I’ve been successful in keeping your attention—I won’t squander this opportunity to provide some perspective on what you may have missed from the FBI Bulletin.
How Weak Coding Practices Cause MFA to be Circumvented
The first attack described in the bulletin involves a web application vulnerability known as injection, which isn’t a vulnerability specific to MFA but one that affects web applications in general. This type of attack is so well known and used so frequently that it has remained number one on the OWASP Top 10 List since it first emerged in 2013.
Specifically, the cyber attacker abused unsecured Knowledge Based Authentication (KBA) fields, where a customer would enter a PIN and answer a security question. Instead of a valid input, the attacker entered a manipulated string into the web URL that made his computer appear to be a computer recognized on the account. This in turn allowed him to bypass KBA and initiate wire transfers.
Putting the known weaknesses of KBA aside, the use of “safe APIs,” “whitelist” server-side input validation or other methods could have prevented this type of attack and should be a top priority for information security teams. Better yet, they should eliminate the use of KBA in favor of more secure methods to provide the strongest defense.
Not All MFA Is Created Equal
The next two attack types outlined in the bulletin became the center of cybersecurity debates back in 2016. At that time, the National Institute of Standards and Technology (NIST) publicly restricted the use of SMS as a method of multi-factor authentication. The vulnerability of SMS was originally linked to the ease with which an attacker could leverage a spoofed phone number from a VoIP service to compromise an account. The recommendations against using SMS have since been linked to SIM swapping attacks.
There are two common ways hackers compromise accounts—and steal money—through the continued use of SMS one-time passcodes: social engineering of individuals and social engineering of the cellular provider.
Social Engineering & You
Successful hackers play the volume game. They know that even if you don’t fall for a scheme like the one illustrated below, it’s probable that one or more of the other 10,000 people they target will.
Here’s how it works: a hacker armed with your username and phone number clicks the “password reset” option on your account to trigger an SMS one-time passcode to be sent to your mobile phone. Then, posing as your bank, they’ll notify you that fraud has been detected, but before they can discuss they need you to disclose the OTP you’ve just received.
Social Engineering of the Phone Company (aka SIM Swapping)
SIM swapping is an extremely popular attack method because it removes the need to interact with the most skeptical party: you. While it’s been a known problem for years, SIM swapping came back into the spotlight a few months ago when Twitter CEO Jack Dorsey’s Twitter account was compromised using this method.
Unlike the method described above, attackers go straight to mobile network operators. Pretending to be you, they convince an unwitting customer support agent to transfer your mobile number from your phone to theirs. The attacker might attempt to move your number during an upgrade to a new device or even bribe customer support agents to complete the SIM swap.
Suffice it to say that, despite their frequent use, SMS one-time passcodes are a known vulnerability, and security practitioners should be pushing their organizations toward more secure forms of MFA. For example, risk-based authentication combined with out-of-band push notifications embedded into your existing mobile application provides strong security while also improving user experience.
Preventing Advanced Cyber-attacks with FIDO
The final two attack types cited in the FBI bulletin describe methods used by advanced attackers, including man-in-the-middle attacks, session hijacking and automated phishing schemes. Using tools like Modlishka, Muraena and NecroBrowser, hackers are able to intercept traffic between a user and a target website by spoofing the website (phishing) or compromising the browser to store login credentials, token codes and other sensitive identity data.
Mainstays in the hacker’s toolbox, these tools are in widespread use and very effective, as demonstrated at both the 2019 RSA Conference in San Francisco and 2019 Hack In The Box Security Conference in Amsterdam. But they’re also preventable.
The FIDO standard was built specifically to thwart attacks like these. The FIDO protocols use standard public key cryptography techniques to provide strong multi-factor authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. FIDO requires that requests for access come from the same domain that holds the public key.
While FIDO is still in its infancy, the continued use of sophisticated hacking tools like those mentioned here will surely hasten its adoption. To see firsthand the effectiveness of MFA and FIDO against phishing tools like Modlishka, watch this short video.
The FBI closed the bulletin with two recommendations. The first recommendation is a solid if not obvious one that nonetheless is worthy of a reminder:
Educate users and administrators to identify social engineering trickery—how to recognize fake websites, not click on rogue links in e-mail, or block those links entirely—and teach them how to handle common social engineering tactics.
Since your end users are on the front lines, they need to understand how to fend off phishing attacks and other schemes used to compromise credentials. Providing regular training to keep them abreast of the latest attacks just makes sense. Further, security trainings have proven to be quite effective. The 2019 Phishing by Industry Benchmarking Report found that a mature awareness training program lowers the average PPP (phish prone percentage) from 29.6 percent all the way down to 2 percent—regardless of industry and size of organization.
But the second recommendation falls short in this author’s opinion and demonstrates a sorely lacking understanding of modern risk-based MFA.
Consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.
The addition of that final caveat is a real head scratcher. While biometrics and behavioral authentication methods take some effort to stand up on the part of the organization, the end result is increased user convenience and a more seamless experience, not the other way around.
Given the widespread adoption of smartphones, the use of device-based biometrics is far more convenient than other methods such as one-time passcodes and hard tokens. Of course, device-based biometrics may not be applicable to every use case; for example, places like call centers and hospitals may not allow the use of smartphones by their employees. But for the majority of enterprise and customer MFA use cases, device-based biometrics are becoming the de facto authentication method.
Finally, the use of risk-based authentication—which includes behavioral authentication as specifically mentioned—is designed specifically to increase user convenience. While other forms of MFA take a one-size-fits-all approach, risk-based authentication allows you to set policies that dynamically step authentication requirements up or down based on the risk involved.
Risk-based MFA allows you to use intelligence—such as user behavior and geolocation—to determine if additional authentication is necessary. Companies can leverage a wide variety of risk signals and attributes to determine authentication requirements, including IP reputation risk scores, the risk associated with the application access being requested, and even the size of the transaction to decide whether a user needs to provide an additional form of authentication. Risk-based authentication also enables passwordless authentication for a range of enterprise and customer use cases.
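To show what “dynamically step authentication requirements up or down” looks like in practice, here is an added example of a small risk-based policy that combines the kinds of signals listed above (device and location history, time of day, IP reputation, application risk and transaction size) into one decision. It is illustrative code written for this post, not Ping’s product logic; the signal names, point values and thresholds are assumptions, and the per-user history is constructed sample data.

```javascript
// Added example: a risk-based step-up policy. Signal names, weights and
// thresholds are assumptions chosen for illustration.

// What the server remembers from previous successful logins (constructed sample).
const HISTORY = {
  alice: {
    usualCountries: new Set(['US']),
    usualDevices: new Set(['dev-7f3a']),
    usualHours: [7, 20], // inclusive local-hour window in which alice normally signs in
  },
};

// Each signal adds points; the reasons list makes the decision explainable
// to the user, the help desk and the SOC.
function scoreRisk(ctx, history) {
  let score = 0;
  const reasons = [];
  if (!history.usualDevices.has(ctx.deviceId)) { score += 30; reasons.push('new_device'); }
  if (!history.usualCountries.has(ctx.country)) { score += 25; reasons.push('unusual_geo'); }
  const [start, end] = history.usualHours;
  if (ctx.hour < start || ctx.hour > end) { score += 10; reasons.push('unusual_time'); }
  // ipReputation: 0 (clean) to 100 (known bad), as a reputation feed would report it.
  if (ctx.ipReputation >= 70) { score += 40; reasons.push('bad_ip_reputation'); }
  else if (ctx.ipReputation >= 40) { score += 15; reasons.push('suspect_ip'); }
  // Risk of the application or action being requested, set by the app owner.
  if (ctx.appRisk === 'high') { score += 20; reasons.push('high_risk_app'); }
  // Transaction size, where the request is a payment or transfer.
  if (ctx.transactionAmount > 10000) { score += 30; reasons.push('large_transaction'); }
  else if (ctx.transactionAmount > 1000) { score += 10; reasons.push('medium_transaction'); }
  return { score, reasons };
}

// Map the score to the authentication the user must complete:
//   silent          - known device and context: passwordless, no prompt at all
//   push            - out-of-band push approval in the registered mobile app
//   push_biometric  - push approval that also requires the device biometric
//   deny            - too risky to proceed; route to manual review
function requiredAuth(user, ctx) {
  const history = HISTORY[user];
  if (!history) return { level: 'push_biometric', score: null, reasons: ['no_history'] };
  const { score, reasons } = scoreRisk(ctx, history);
  let level;
  if (score >= 90) level = 'deny';
  else if (score >= 50) level = 'push_biometric';
  else if (score >= 20) level = 'push';
  else level = 'silent';
  return { level, score, reasons };
}
```

The one-size-fits-all alternative would prompt alice for a passcode on every login; with a policy like this, a routine sign-in from her usual phone, country and hours is silent, a large transfer from the same phone gets a push, and a new device on a poorly reputed IP in an unfamiliar country is stopped outright.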
Multi-factor Authentication: A Critical Component of a Strong and Future-proof Security Posture
While the FBI no doubt had the best of intentions when it issued its bulletin on cyber-attacks, they failed to explain the multitude of security benefits that multi-factor authentication provides. They also missed a valuable opportunity to improve their own understanding of modern MFA as the foundation for a strong and future-proof security posture.
Multi-factor authentication is also enabling the latest security strategies being adopted by the world’s leading enterprises, including Zero Trust. Ensuring all access is authenticated and authorized is a foundational principle of Zero Trust. At its core, Zero Trust is about ensuring that all access is secure access, no matter the user, device or resource requested, and MFA provides this assurance.
To learn how MFA is enabling Zero Trust, join Ping and MobileIron for one of our upcoming webinars. REGISTER HERE.