Important things to acknowledge about 2FA
- Two Factor Authentication is not an unhackable security solution.
- It does not prevent social engineering or phishing attacks from occurring successfully.
- Everyone should use it, but it’s not unbreakable.
- It should be used as part of a security awareness program.
Tools like NecroBrowser and Muraen are not the only threats to MFA practices. The Federal Bureau of Investigation has warned about such tools and techniques like SIM swapping. In a Private Industry Note (PIN) sent by the FBI last September, they announced that they had observed hackers and cybercriminals circumventing multi-factor authentication by using social engineering techniques and technical attacks.
PAST INCIDENTS OF MFA BYPASSES
The following recent incidents of multi-factor authentication bypass should be a reminder that there are multiple ways of bypassing MFA protections, including SIM swapping, and transparent proxies like Muraen and NecroBrowser.
- In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
- Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack-SIM swapping-as a common tactic from cybercriminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
- In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
- In February 2019 a cybersecurity expert at the RSA Conference in San Francisco, demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.
- At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools – Muraena and NecroBrowser – which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.
MFA is Effective and Should be Used
The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.
Instead, the FBI wants users of MFA solutions to be aware that cyber-criminals now have ways around such account protections.
“Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks,” the FBI said.
MFA ATTACKS ARE RARE
Despite the rise in the number of incidents and attack tools capable of bypassing MFA, these attacks are still incredibly rare and have not been automated at scale. Last week, Microsoft said that attacks that can bypass MFA are so out of the ordinary, that they don’t even have statistics on them.
In contrast, the OS maker said that when enabled, MFA helped users block 99.9% of all account hacks.
Back in May, Google also said a similar thing, claiming that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based MFA) improved their account security.
“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.
All in all, MFA is still very effective at preventing most mass and automated attacks; however, users should be aware that there are ways to bypass some MFA solutions, such as those relying on SMS-based verifications.
Instead, users should choose a stronger MFA solution that is not vulnerable to social engineering tricks like SIM swapping, or transparent proxies that can intercept the MFA token.
On this page, a Microsoft security engineer analyzed how various MFA solutions fare against MFA-bypass attacks. The solutions listed at the bottom of the table are the strongest.
What is Social Engineering?
First of all, it is the #1 weapon used by malicious actors and cybercriminals. It is based on trust or the violation of trust. It involves a certain level of manipulation combined with persuasiveness. It is a method to trick someone into revealing valuable information that leads to the benefit of the criminal.
What is the Best Method of Multi-Factor Authentication?
Multi-factor authentication can be accomplished in several ways. One method is to use a YubiKey. It is effective but not appropriate for all applications. A very reliable and safe method is to use an authentication app on your phone that stores no sensitive information and can be restored if your phone is lost or stolen. The app I use is called Authy. It’s a free app and has many instructional tutorials to assist in using it.