Cat and Mouse: Hacking MFA and How to Stay Ahead
Multi-factor authentication, or MFA, has become a leading cybersecurity tool. By requiring a second proof of identity from a separate source, MFA makes traditional password attacks such as brute forcing or social engineering much more difficult.
This is widely recognized: the recently released PCI DSS v4.0 standard will make MFA mandatory for all users accessing a cardholder environment.
While MFA delivers real security benefits (VENZA recommends it for all clients), it is important to recognize that it is not a panacea. MFA systems can still be compromised, so it’s important that you understand the risks and take proactive steps to mitigate them.
Here are some examples of MFA exploits and how to prevent them.
Exploit: MFA Fatigue
How it works:
MFA fatigue is a social engineering tactic that attempts to wear down the victim until they confirm a log-in as valid or reveal their second-factor credentials.
For example, a hacker may use a script to repeatedly push one-time passcode notifications to a user’s phone. Spamming notifications pressures the user into approving a sign-in just to stop the deluge.
Sound unlikely? It’s not. This technique was recently used to compromise Uber, Cisco, and Microsoft.
The solution:
Security awareness training. Social engineering targets the employees who form your human firewall. Users should be educated on this method of attack so they can identify it, report it, and, most importantly, not approve the attempts.
Training using VENZA’s PEAK™ Learning Management System can help inoculate against this type of risk.
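Training is the primary defence, but the burst of notifications is also something the authentication logs can reveal. The following is an added example (not VENZA's code and not part of the original post) of the detection side: it replays constructed push-notification log lines in an assumed format and flags any user who receives an unusual number of prompts in a short window, and, more seriously, any approval that comes right after such a burst. The threshold, window and log layout are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from any real product):
# "<ISO timestamp> push_sent user=<name> result=<approved|denied|timeout>"
SAMPLE_LOG = """\
2023-05-01T08:00:05 push_sent user=alice result=approved
2023-05-01T08:00:40 push_sent user=bob result=timeout
2023-05-01T08:00:52 push_sent user=bob result=denied
2023-05-01T08:01:10 push_sent user=bob result=timeout
2023-05-01T08:01:25 push_sent user=bob result=timeout
2023-05-01T08:01:41 push_sent user=bob result=timeout
2023-05-01T08:02:03 push_sent user=bob result=approved
2023-05-01T09:15:00 push_sent user=carol result=approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts_str, _event, user_kv, result_kv = line.split()
    return (datetime.fromisoformat(ts_str),
            user_kv.split("=", 1)[1],
            result_kv.split("=", 1)[1])


def find_push_bursts(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return alerts for users who receive >= threshold pushes inside `window`.

    Two alert kinds are produced:
      push_burst           - the prompt rate alone looks like fatigue spam
      approved_after_burst - the user approved while a burst was in progress,
                             which is the outcome an attacker is hoping for
    """
    recent = defaultdict(deque)   # user -> timestamps of pushes still inside the window
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, user, result = parse_line(raw)
        q = recent[user]
        q.append(ts)
        # Slide the window: drop pushes older than `window` relative to this one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:   # fires once, when the burst first crosses the line
            alerts.append({"user": user, "kind": "push_burst", "at": ts, "count": len(q)})
        if result == "approved" and len(q) >= threshold:
            alerts.append({"user": user, "kind": "approved_after_burst", "at": ts, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in find_push_bursts(SAMPLE_LOG):
        print(alert)
```

In the sample data only "bob" trips the detector: six prompts in under two minutes, ending in an approval. The second alert kind is the one worth paging on, since it means the attacker now holds a session and the account should be reviewed, not just the user retrained.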
Exploit: SIM Swap
How it works:
One of the most common MFA methods is sending one-time passcodes through SMS text messaging. This is understandable, as the ubiquity of cell phones makes this convenient.
However, MFA through SMS is also one of the least secure mechanisms. In fact, NIST has recommended against using SMS for MFA since 2016.
Why? Because cellphones themselves are insecure. In a SIM swap, hackers impersonate their victims to dupe cell service providers into porting the phone number associated with a SIM card to a new device. This allows SMS texts to be rerouted—directly into the hands of the bad guys.
Some solutions:
- Implement non-SMS MFA options, like 2FA Apps or hardware tokens.
- Teach detection. SIM swap victims will be unable to make calls or receive texts and may notice other odd activity on their phones.
- Prevent impersonation. Guard personal information and create a PIN that must be entered before your cell phone information can be changed.
Exploit: OAuth Compromise
How it works:
OAuth, short for “Open Authentication,” is a method of access delegation that allows users to reach their accounts using a third-party login. This is common on many websites and apps, where users’ Google or Apple accounts can be an alternative means to log in.
As a result, if a hacker gains credentials for OAuth sources, they can bypass MFA entirely.
Some solutions:
- Avoid using OAuth sign-in options for network access.
- Build security awareness to protect OAuth credentials. This exploit is ineffective if the underlying credentials are secure.
Final Tips
In addition to the steps above, some additional best practices can increase your security against MFA hacking:
- Use time-based one-time passwords (OTPs). OTPs should expire after a short time, limiting the window in which hackers can brute force other credentials alongside them.
- Limit unsuccessful attempts. Servers should restrict logins after a certain number of incorrect entries.
- Monitor your attack surface. Using tools like Endpoint Detection & Response or Log & Threat Monitoring from a Managed Security Service Provider such as CyberTek MSSP can contain the impact of unauthorized access.
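The first two tips above are server-side logic, so here is an added example (not VENZA's code and not from any product the post names) of what they look like together: an RFC 6238 time-based OTP check that accepts a code only inside a short window, refuses a code that has already been used, and locks the account after too many consecutive failures. The step size, allowed clock drift, failure limit and lockout length are assumptions chosen for illustration; the shared secret in the usage is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check combining a short validity window, replay refusal and lockout.

    Parameters (assumed values for illustration):
      step            seconds per code
      drift_steps     clock skew tolerated, in steps, on either side of 'now'
      max_failures    consecutive failures before the account is locked
      lockout_seconds how long the lock lasts
    """

    def __init__(self, secrets, step=30, drift_steps=1, max_failures=5, lockout_seconds=900):
        self.secrets = secrets          # user -> shared secret bytes
        self.step = step
        self.drift_steps = drift_steps
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}              # user -> consecutive failed attempts
        self.locked_until = {}          # user -> unix time at which the lockout ends
        self.last_counter = {}          # user -> counter of the last accepted code

    def verify(self, user: str, code: str, now: int) -> str:
        """Return 'ok', 'bad_code' or 'locked' for a submitted code at time `now`."""
        if now < self.locked_until.get(user, 0):
            return "locked"             # do not even evaluate the code while locked
        counter = now // self.step
        for c in range(counter - self.drift_steps, counter + self.drift_steps + 1):
            if c <= self.last_counter.get(user, -1):
                continue                # already used, or older than one already used
            if hmac.compare_digest(hotp(self.secrets[user], c), code):
                self.last_counter[user] = c
                self.failures[user] = 0
                return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "bad_code"


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); real secrets are random.
    secret = b"12345678901234567890"
    verifier = TotpVerifier({"alice": secret})
    code = totp(secret, 1000)
    print(verifier.verify("alice", code, 1000))   # accepted
    print(verifier.verify("alice", code, 1005))   # same code again: refused
    print(verifier.verify("alice", code, 1150))   # five steps later: expired
```

Two details matter more than they look. A code is refused once it has been accepted, so an intercepted code cannot be replayed inside the same 30-second step, and a locked account rejects even a correct code until the lockout ends, so the lock cannot be raced by a guess that happens to be right. Lockouts should be logged, since a run of them across many users is itself a signal worth monitoring.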
Ready to stay ahead? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.