Cyber Security Awareness Month is here, and as such we want to highlight the importance of protecting identities and access for personal, corporate and government entities, as well as the common types of attacks that are growing in number and sophistication. In this four-part blog series, we will talk about the value of multi-factor authentication (MFA), the types of attacks against MFA, break down an attack with the cyber kill chain, and introduce a unique MFA option for use in environments where carrying a mobile device or hard token is not possible.
Passwords as the single factor of authentication have become a thing of the past, and organizations have adopted multi-factor authentication (MFA) as the standard. MFA requires more than one factor when authenticating a user, drawn from knowledge (something the user knows), inherence (something the user is), and possession (something the user has).
However, as the threat landscape grows, MFA alone is no longer enough to prevent breaches from account takeover (ATO) attacks. Cybercriminals have adapted to the use of MFA and found new ways to compromise user accounts by exploiting weak MFA mechanisms. Common MFA-based attacks include the SIM swap attack, MFA prompt bombing, and Adversary-in-the-Middle (AiTM). These attacks are becoming more sophisticated and more successful at breaching an organization’s defenses.
MFA-based attacks
SIM swap − SIM swapping is an MFA attack that has been around for a number of years. The attacker impersonates the victim, using personal information gathered through social engineering and phishing, to convince a telecom provider to activate a SIM card in the attacker’s possession with the victim’s phone number. The attacker then uses a compromised credential as the first factor to log in, triggering an MFA request in the form of an SMS one-time passcode (OTP) or voice OTP, which they can approve because the victim’s phone number now rings on their own device. In many cases the attacker does not even need the password: they request a password reset and use the SMS OTP to verify themselves, change the password, and gain access to the victim’s account. The victim typically only realizes what has happened when their phone loses service, by which point they have no easy way of contacting their mobile provider to get their accounts locked down.
MFA prompt bombing − More recently, a stronger MFA mechanism, mobile push notification, has also been targeted by attackers to compromise a user’s access. Known as MFA fatigue or prompt bombing, the attack works by having a script repeatedly attempt to log in to an application or service with the victim’s credentials, so that the second-factor push notification fires on the victim’s phone again and again. Eventually, under the flood of notifications on their smartphone, the victim taps “allow”, whether by accident or out of fatigue, and the attacker has completed an account takeover (ATO). Attackers often launch these attacks late at night, when the victim may not be fully aware of what is happening.
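As an added example (not from the original post), the detection logic below looks for the prompt bombing pattern just described in an MFA push log: a burst of push prompts to one user inside a short window, optionally off-hours, and a denial followed by an approval. The log format, thresholds and sample events are constructed for illustration and are not from any real product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push log (not real data): timestamp, user, event, source IP.
SAMPLE_LOG = """\
2023-10-03T02:14:05Z alice push_sent 203.0.113.7
2023-10-03T02:14:09Z alice push_denied 203.0.113.7
2023-10-03T02:14:40Z alice push_sent 203.0.113.7
2023-10-03T02:15:10Z alice push_sent 203.0.113.7
2023-10-03T02:15:30Z alice push_sent 203.0.113.7
2023-10-03T02:15:52Z alice push_approved 203.0.113.7
2023-10-03T09:30:00Z bob push_sent 198.51.100.5
2023-10-03T09:30:06Z bob push_approved 198.51.100.5
"""

WINDOW = timedelta(minutes=10)   # assumed burst window
MAX_PUSHES = 3                   # more prompts than this inside WINDOW is suspicious
NIGHT_HOURS = range(0, 6)        # assumed "late at night" hours (UTC)

def parse_log(text):
    """Parse the constructed log into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events

def detect_prompt_bombing(events):
    """Return {user: finding} for each user who received a burst of push prompts.
    The finding notes the fatigue tell-tale: a denial followed later by an approval."""
    by_user = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        sends = [e[0] for e in evs if e[2] == "push_sent"]
        for start in sends:
            burst = [t for t in sends if start <= t < start + WINDOW]
            if len(burst) > MAX_PUSHES:
                window_evs = [e for e in evs if start <= e[0] < start + WINDOW]
                kinds = [e[2] for e in window_evs]
                findings[user] = {
                    "pushes": len(burst),
                    "denied_then_approved": "push_denied" in kinds and kinds[-1] == "push_approved",
                    "off_hours": start.hour in NIGHT_HOURS,
                    "source_ips": sorted({e[3] for e in window_evs}),
                }
                break                  # one finding per user is enough
    return findings
```

Running `detect_prompt_bombing(parse_log(SAMPLE_LOG))` flags only `alice`; a finding with `denied_then_approved` set is the case worth paging on, since a legitimate user rarely denies a prompt and then approves one a minute later.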
Adversary-in-the-Middle (AiTM) – This attack is increasingly used in recent attack campaigns, as Brian Krebs discusses in his blog post here. Cybercriminals set up a reverse web proxy hosting a phishing site between the victim and the legitimate application or web page. The victim is lured to the phishing site via SMS and/or email phishing and urged to log on to their account through a legitimate-looking page. When the victim enters their credentials on the phishing site, the proxy relays them to the legitimate site; the attacker then also collects the second-factor code (sent to the victim via SMS OTP) on the phishing site and gains access to the victim’s account. If the victim uses mobile push notification instead, the attacker can still gain access by intercepting the live session cookie once the victim has approved the prompt.
MFA-based attacks are becoming more common and mainstream, as well as highly successful, forcing organizations to evaluate the authenticators and safeguards they have in place to ensure they are using a secure MFA setup. Choosing a truly passwordless authentication mechanism, combined with a high-assurance adaptive MFA configuration that balances security with a good user experience, is key to securing your organization.
Stay tuned for an upcoming blog post on the different types of MFA authenticators and the attacks they are vulnerable to.
In the meantime, learn more about high assurance passwordless solutions and the industry-leading adaptive MFA authenticators that the Entrust identity and access management platform offers for your users here.