Most organizations are working to put multi-factor authentication (MFA) in front of critical systems and on average have MFA coverage across 60% of all systems. This is a significant improvement over single-factor or password-only authentication. But MFA can cause unwanted disruptions to users' daily routines and may not be the breach savior we all want it to be.
The growing number of ways attackers get around multi-factor authentication (MFA)
You might be surprised to learn that there are many ways attackers can get around popular MFA methods to access your data unchecked. These typically include different ways to get around one-time passcodes (OTPs) displayed on hardware tokens or delivered by SMS, voice call, email or a mobile authentication application. They also include phone number porting fraud, getting around push-to-accept, and defeating knowledge-based questions. Below is an overview of some of the most popular methods:
- Real-time phishing – It's relatively easy for an attacker to trick someone into giving up their username, password, and one-time passcode. IBM Security Intelligence first reported on real-time phishing in 2010; even back then, the technique was already being used in 30% of attacks against websites deploying MFA.
- Malware – Using mobile-based malware to obtain OTPs is not new, either. In the 2014 Emmental attacks on Swiss and German banks, attackers leveraged malicious code to scrape SMS OTPs from customers' Android devices and gain access to their bank accounts. More recently, attackers used the Bankosy Trojan and call forwarding to obtain voice-based OTPs.
- SMS & voice call interception – Attackers also use an inherent weakness in Signaling System 7 (SS7), the protocol carrier networks use to communicate with each other, to intercept OTPs in SMS messages and voice calls. For example, attackers in Europe used this method to obtain access to victims' bank accounts. The SS7 weakness was one of the driving forces behind NIST's original proposal to phase out SMS-based OTPs.
- Phone number porting fraud – Attackers use social engineering to obtain a victim's personal details, then use that information to convince a mobile phone carrier to either issue them a new SIM card or move the victim's phone number to a SIM card they control. T-Mobile recently warned customers to be vigilant about the increased use of this attack vector. This video shows how an attacker uses social engineering to convince a major carrier network to move everything under her control in less than 2 minutes.
- Push-to-accept – A popular MFA method where a user selects either "accept" or "deny" depending on whether they are actually authenticating at the time. David Kennedy, a well-known white hat penetration tester, stated at DEF CON 22 that he got legitimate users to hit "accept" 6 out of 6 times when those users were NOT authenticating. That's a 100% success rate! The belief is that users simply want the notification to "go away", but doing so gives attackers access.
- Knowledge-based Q&A – We've all been asked to answer a "security question" such as the street you grew up on, the name of your first pet or your first-grade teacher's last name. The problem is that most users put too much information out on social media, where answers to those questions can be easy for an attacker to uncover. For example, I've seen countless times people sharing old class photos with the grade and teacher's name on them, let alone photos of houses with addresses and posts about pets.
What can be done to improve multi-factor authentication?
History demonstrates that the best security is deployed in layers. If attackers get past one layer, they are simply presented with more barriers or layers to break through. The more layers, the better the protection, and the harder an attacker has to work to get past them and reach their intended target. Think of a medieval castle with a moat, drawbridge, high outer walls, and turrets for guards with bows and arrows. A more modern example would be building security with a fence around the perimeter, a guard shack with a gate, security cameras, and key cards to access certain areas. The idea is always the same, and similar to a bulletproof vest: one layer may not be enough to stop an attacker or a bullet, but when multiple layers are applied together, they become much more difficult to penetrate.
Risk checks are today’s multi-layered access protection
Augmenting MFA with multiple risk checks provides the added security to detect attackers early and often, even those with valid credentials and a way around MFA. Is the phone being used in the authentication process recognized, and is it coming from a known carrier and phone type? Has the phone number recently been ported? Is the location the access request comes from known? Is the originating IP address an anonymous proxy, or on a threat feed from a previous breach? Is the user's behavior consistent with their normal daily routine? SecureAuth has more risk checks than any other vendor, because they give your organization the best chance at avoiding a costly data breach.
Access security users barely notice
Most organizations are concerned that MFA will disrupt users' daily routines. Beyond causing frustration, multiple MFA disruptions a day can be a significant source of lost labor and productivity. Another benefit of all the risk checks mentioned above is elevated user trust. The more we know about a user's characteristics, the greater confidence we have that the user is known or unknown. For users we have high confidence in, why require an MFA step at all? Performing multiple risk checks better protects the organization from unwanted access, improves the user experience, and can remove MFA disruptions. SecureAuth processed 617 million authentications in 2017, and 90% of the time users were NOT presented an MFA step to gain access, because trust had been elevated through multiple risk-based checks.
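As an added illustration (not SecureAuth's product or code), the following Python policy applies the risk checks described above to a login request and uses the combined score to skip, require, or refuse the MFA step. The reference data (known devices, port dates, threat-feed and proxy IPs), the weights, and the thresholds are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference data standing in for an identity provider's own stores.
KNOWN_DEVICES = {"alice": {("device-7f3a", "ExampleCarrier")}}  # (device id, carrier)
KNOWN_COUNTRIES = {"alice": {"US"}}
PORTED_NUMBERS = {"+15551230000": datetime(2024, 5, 1)}   # number -> last port date
THREAT_FEED_IPS = {"198.51.100.23"}                        # IPs seen in a prior breach
ANON_PROXY_IPS = {"203.0.113.9"}                           # known anonymizing proxies
TYPICAL_HOURS = {"alice": (7, 19)}                         # usual login hours (local)

@dataclass
class AuthRequest:
    user: str
    device_id: str
    carrier: str
    phone_number: str
    country: str
    ip: str
    now: datetime          # time of the request, local to the user

def risk_checks(req: AuthRequest) -> dict:
    """Run each check; return the ones that fired, with their weights."""
    reasons = {}
    if (req.device_id, req.carrier) not in KNOWN_DEVICES.get(req.user, set()):
        reasons["unrecognized_device_or_carrier"] = 30
    ported = PORTED_NUMBERS.get(req.phone_number)
    if ported and req.now - ported < timedelta(days=30):
        reasons["number_recently_ported"] = 50
    if req.country not in KNOWN_COUNTRIES.get(req.user, set()):
        reasons["unknown_location"] = 25
    if req.ip in ANON_PROXY_IPS:
        reasons["anonymous_proxy"] = 40
    if req.ip in THREAT_FEED_IPS:
        reasons["ip_on_threat_feed"] = 40
    start, end = TYPICAL_HOURS.get(req.user, (0, 23))
    if not start <= req.now.hour <= end:
        reasons["unusual_time"] = 15
    return reasons

def decide(req: AuthRequest) -> tuple:
    """Trusted context: allow without MFA. Doubtful: step up to MFA. Hostile: deny."""
    reasons = risk_checks(req)
    score = min(100, sum(reasons.values()))
    if score >= 60:
        return "deny", score, reasons
    if score >= 20:
        return "require_mfa", score, reasons
    return "allow", score, reasons
```

The returned reasons are what you would log and alert on: a recently ported number or a threat-feed IP on an otherwise valid login is exactly the signal the checks above are meant to surface.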
Check out some of our resources to learn more about multi-factor authentication:
- Download our white paper: “Increasing Security without Increasing User Disruptions”
- View our on-demand webinar: Phish-Proof Your Users: Negate Stolen Credentials and Go Beyond 2FA