I know why you are here. I know what you have been doing… why you hardly sleep… and why night after night, you sit at your computer reading event logs and reviewing SIEM events, looking for evidence.
I know because I once did the same thing. I was looking for an answer… but it’s the question that drives us. It’s what brought you here. You know the question just as I did:
“Is my multi-factor authentication solution enough to save my users and customers from account takeover and online fraud??”
The answer is out there. It’s looking for you, and it will find you if you want it to.
And with that, I am warning you – this is your last chance to stop reading this article. After this, there is no turning back. You can return to your SIEM event logs, sleepless nights, and believe whatever you want to believe.
Or…you can also keep reading, learn how to truly secure your environment from account takeovers and just how deep the MFA rabbit-hole goes…
The 2020 Verizon Data Breach Investigations Report confirmed that 80% of hacking-related breaches still involve compromised and weak credentials. Nearly 40% of all breaches, regardless of attack type, involved the use of stolen credentials.
And so, the question is, “Can multi-factor authentication minimize the impact of stolen credentials?”
Yes – MFA can help, but it is not a holistic solution to prevent accounts from being compromised.
Ten years ago, we thought adding a second step to the authentication process and requiring additional ‘factors’ to prove a user’s identity would stop the bad guys. By requiring the user to provide something they know (a password) plus something they are (biometrics) or something they have (smartphone token), a stolen password would no longer be enough for an attacker to gain access.
We were wrong.
The fact is, from the C-suite to the front lines, every employee and customer is a gateway to valuable information, and every account they use should be treated with the appropriate care. That means layers of protection, only one of which is MFA – because today, even unsophisticated attackers are armed with a multitude of MFA bypass techniques.
MFA Bypass Techniques
An example of one such exploit is alternative authentication: an unsophisticated attacker will attempt to log in via an alternative authentication mechanism that does not require MFA – for example, often an application’s password reset functionality automatically logs you in after password reset.
Shared Authentication Systems
Unsophisticated attackers may also exploit shared authentication systems. For instance, if another site of the same SSO (single sign-on) system does not require MFA, attackers will log into that site to bypass MFA.
Site 1: Does not require MFA
Site 2: Requires MFA
Anyone logged into Site 1 is automatically logged into Site 2.
If an attacker can compromise a user’s SSO password, they can log into the user’s account on Site 2 by logging into Site 1, easily bypassing MFA.
Forging Recognized Devices
We have also seen attackers forge a recognized device. Many times, an application will not require MFA from a device where users have logged in before. This is sometimes called adaptive multi-factor authentication (aMFA). In this case, attackers can try to figure out how the application recognizes a device and forge the signature of a “recognized device.” For example, if a site marks recognized devices by using a predictable cookie, attackers can add the cookie value to their requests.
Earlier this year, researchers at Cofense Phishing Defense Center discovered a phishing campaign that bypassed multi-factor authentication on Office 365 to access victims’ data stored on the cloud and use it to extort a Bitcoin ransom. The exploit relied on what appeared to be a genuine SharePoint link, a Microsoft Office 365 login page whose URL started with https://login.microsoftonline.com. However, a closer inspection of the full, long-form URL showed that there are clues to its nefarious intentions that someone without technical experience might not notice.
One-Time Password Interception & SIM-Swapping
While unsophisticated attackers rely on social engineering and technical exploit attacks, more sophisticated threat actors rely on SIM swapping to compromise one-time passwords (OTPs).
In 2019, the FBI specifically issued a warning about SIM swapping since they’ve seen a steady increase in complaints regarding customers of US banking institutions targeted by cyber attackers who port the customer’s phone number to a phone owned by the attacker.
In a SIM swapping attack, typically the attacker calls the phone companies’ customer service department and finds someone who is willing to provide information to complete the SIM swap. Once the attacker has control over the customer’s phone number, they call the bank to request a wire transfer from the victim’s accounts to another account they own. The bank, recognizing the phone number as belonging to the customer, does not ask for full security questions but instead requests a one-time code sent to the phone number from which the attacker is calling.
And the problem isn’t just with SIM swapping; in a report published earlier this year, security researchers from mobile security firm ThreatFabric say they’ve spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan sold on hacking forums that launched in June 2019. “Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application,” the ThreatFabric team said. “When the OTP Authenticator app is running, the Trojan can get the content of the interface and can send it to the ‘command-and-control’ server,” they added.
Bottom line – even the best MFA solution combined with the best SIEM solution doesn’t make you immune from account takeover fraud. MFA is absolutely a deterrent but it’s not unhackable, and does not stop breaches or account takeover altogether.
So What Can You Do?
MFA is a layer of protection – an important first step – but additional layers are required to safeguard the identities of the employees, consumers, and suppliers logging into your systems. As we explained, if a user logs in with valid credentials (aka account takeover), the organization has no way to determine if the user is a criminal because the login doesn’t ‘trip a sensor.’
We recommend bolstering your cybersecurity program with credential exposure alerts so you are alerted when accounts are compromised very early in the breach lifecycle (before criminals can exploit them for all the forms of MFA bypass mentioned above), along with automated remediation of those exposed credentials (making it less of a burden for you to keep your users safe).