
MFA Lulls Businesses Into A False Sense Of Security

Multi-factor authentication is nowhere near 100 percent effective

David Braue

Melbourne, Australia – Dec. 1, 2021

REPORT: HACKING MFA. Co-published by Cybersecurity Ventures and KnowBe4.

If you believe Microsoft’s advice, you can make yourself all but immune to cyberattacks by simply providing a cell phone number to your cloud applications.

To prove your identity at logon or when conducting sensitive transactions, they’ll send you a one-time code that you type into the system — a multi-factor authentication (MFA) technique that, Microsoft has famously claimed, can stop 99.9 percent of account compromise attacks.

Just tell that to the proprietors of Coinbase, which recently was in damage-control mode after it discovered that a cybercriminal stole cryptocurrency from more than 6,000 of its customers after figuring out how to bypass the company’s MFA system by manipulating the company’s account recovery function.

Coinbase refunded the money to affected customers and recommended they use alternative methods such as a time-based one-time password (TOTP) or a hardware security key — yet the material losses are nothing compared to the erosion of confidence in MFA, a widely-used authentication technique that was supposed to be the savior of companies whose deep reliance on passwords has become an Achilles’ heel.

“It’s kind of a weird way that we do authentication today,” Roger Grimes, data-driven defense evangelist of security firm KnowBe4, recently told Cybercrime Magazine.

“In the real world, you walk into a bank and they only allow you so far, and there are other obstacles and things so you can’t just rob the money. But in our online world it’s typically ‘OK, you can come in the bank, you’re allowed to be in a bank, so now you can access almost anything.’”

Fully 61 percent of data breaches last year involved misuse of credentials, according to Verizon’s latest Data Breach Investigations Report (DBIR), and the rampant dark web exchange of user passwords has made them fundamentally inadequate for protecting sensitive business systems.

One recent study found 32.5 percent of companies were targeted by brute-force account attacks in one month alone, with a 60 percent chance of a successful account takeover every week in organizations with 50,000 or more employees.

As a consequence, spending on MFA solutions is rapidly growing, with the global market projected to grow from $10.7 billion last year to $37.6 billion by 2027 — a year-on-year growth rate of 19.6 percent.

Although it can be compromised, MFA can be highly effective against certain types of attacks: one year-long study — conducted by Google along with New York University and the University of California, San Diego — found the use of SMS codes sent to recovery phone numbers blocked 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. On-device prompts were even more effective.

“One of the nice things about MFA is that it does significantly decrease the risk of password theft,” Grimes said. “If you don’t know of a password or don’t have a password, you cannot be tricked out of a password. So, use MFA where you can to protect things that are valuable and confidential.”

MFA has become a perennial hacker favorite

Despite the technology’s generally sound design and widespread takeup, however, ongoing reports of MFA hacks confirm that it is far from invulnerable — and that security executives mustn’t rest on their laurels by treating the technology as a cure-all.

Hackers have spent years closely studying MFA systems, poking and prodding them to understand how they work and where they may be vulnerable — and figuring out how they can be bypassed or compromised.

Working techniques are exchanged widely online, with published lists (such as five techniques described in Dark Reading and 25 ways to hack MFA from Overt Software) recounting successful approaches, and others evolving continuously as hackers pivot along with MFA designers.

Their solutions range from workable to extremely complicated, with some techniques relying primarily on technical solutions and others leaning heavily on social engineering.

Man-in-the-middle (MITM) attacks, for example, involve the installation of a proxy server that monitors authentication traffic until a validated access token is received; this token is then used to gain access to the system.

Man-in-the-endpoint attacks, by contrast, rely on malware that has been previously installed on an endpoint device. Once the user authenticates to a server legitimately, these tools establish a new remote-access session that remains invisible to the user — but lets the attacker access any business system the victim can access.

Other cybercriminals have hijacked authentication APIs by intercepting session identifiers, with some going so far as to reverse-engineer MFA passcode generation algorithms and seed numbers.

SIM swapping is another social-engineering attack, in which cell providers are tricked into issuing a duplicate of the victim’s SIM card, letting the attacker intercept MFA codes sent by SMS. Among other successes, this tactic was used to steal $1 million in cryptocurrency from an unfortunate investor.

This year marked the discovery of a new breed of purpose-built bots like OTP agency and SMSranger, which place an automated phone call to a victim about supposed unauthorized activity, then ask them to enter the current one-time password on their phone; this code is used to immediately log in to the target system.

The success of such attacks is far from academic: cybercriminals’ success has attracted attention from the highest levels, with the FBI warning years ago that some types of 2-factor authentication were being actively bypassed.

More recently, the Cybersecurity and Infrastructure Security Agency (CISA) warned about a range of MFA compromises and offered recommendations including universal use of MFA; routine review of Active Directory for anomalies; limiting users’ ability to consent to application integrations; use of user access logging; and more.

We have to talk about Kevin

Storied hacker Kevin Mitnick, who currently works as chief hacking officer with KnowBe4, recently published a video demonstrating the use of a MITM proxy server to trick users into entering their credentials — triggering a series of events that let Mitnick bypass LinkedIn’s 2FA.

Mitnick’s success against an A-list target demonstrates persistent hackers’ tenacity in fighting to continue working around MFA.

The code he used has been published on GitHub, allowing both cybercriminals and developers of security tools to study it and craft their respective projects.

Microsoft and myriad other companies are pushing hard towards a passwordless future, where zero-trust environments will authenticate users on a continuous basis using other indications like biometric security or even AI-driven analysis of individuals’ typing styles.

Technical innovation aside, Grimes said, cybercriminals’ continued compromise of MFA solutions means they should be used as one of many layered defenses.

“I continue to hear, day after day, of companies using MFA that are getting hacked,” he explained. “It’s always been that way and it will always be that way. MFA stops some forms of authentication attacks — the ones that ask you for or use your password — but that’s it.”

“It doesn’t stop any other type of attack. And even then, it’s so prone to error that companies using it are not as protected as they think.”

Although his best guess is that MFA stops as much as 30 percent of cybercrime, Grimes said, better patching can stop 20 to 40 percent of cybercrime and stopping social engineering will block 70 to 90 percent of attacks.

“If you stop social engineering, it prevents not only most of the attacks that MFA prevents but also stops the majority of other cybercrime,” he said, citing the example of a recent customer whose CFO was compromised after her MFA was attacked — all because, as she was trained, she had dutifully clicked to approve the more than 50 authorization push notifications her attackers caused.

“No matter what MFA solution you use,” Grimes said, “education is key. Just because you innately understand how to use something doesn’t mean every person who doesn’t do computer security as their job understands. It has nothing to do with intelligence; it has to do with education and awareness.”
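The push-approval case described above, where a user approved a flood of more than 50 prompts, leaves a clear trace in authentication logs. The following is an added example, not code from the article, KnowBe4 or any MFA vendor; the log format, user names, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample data in a hypothetical 'timestamp user event result' format."""
    start = datetime(2021, 11, 30, 9, 0, 0)
    lines = ["2021-11-30T08:15:00 alice push approved"]      # normal morning login
    for i in range(12):                                       # 12 rejected prompts, 20 s apart
        ts = start + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} cfo push denied")
    lines.append("2021-11-30T09:04:10 cfo push approved")    # the user finally gives in
    lines.append("2021-11-30T13:02:00 alice push approved")  # normal afternoon login
    return lines

def detect_push_floods(lines, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received >= threshold prompts inside the window.

    Assumes lines are in chronological order. The window and threshold are
    illustrative defaults, not vendor guidance.
    """
    recent = defaultdict(deque)   # user -> prompt timestamps still inside the window
    alerts = {}
    for line in lines:
        ts_raw, user, event, result = line.split()
        if event != "push":
            continue
        ts = datetime.fromisoformat(ts_raw)
        prompts = recent[user]
        prompts.append(ts)
        while ts - prompts[0] > window:       # drop prompts older than the window
            prompts.popleft()
        if len(prompts) >= threshold:
            alert = alerts.setdefault(user, {"user": user, "first_prompt": prompts[0],
                                             "peak": 0, "approved_during_flood": False})
            alert["peak"] = max(alert["peak"], len(prompts))
            # An approval while the flood is in progress is the high-severity case:
            # the session it created should be revoked and the password reset.
            if result == "approved":
                alert["approved_during_flood"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for a in detect_push_floods(build_sample_log()):
        print(a)
```

The same sliding-window count can be expressed as a SIEM rule; the useful signal is the approval that arrives during the burst, not the burst alone.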

Google, Microsoft, and MFA

“Google and Microsoft have been mischaracterized by their quotes in two blogs around the effectiveness of MFA,” said Steve Morgan, founder of Cybersecurity Ventures. “These companies employ some of the brightest minds in technology and cybersecurity who are well aware of the limitations of MFA, and any cyber defense method for that matter.”

The tech giants drive home an important point (forgetting about the statistical effectiveness) because MFA is underutilized and there is a big gain when turning it on for consumers and employees at organizations globally. But in no way do these companies or other purveyors of cybersecurity solutions believe that MFA will defeat social engineering and certain other threats 99 or 100 percent of the time.

“MFA is lulling some businesses into a false sense of security, and that is a cyber threat in and of itself,” added Morgan. “At most, in our opinion, MFA should be called 50 percent effective. Or there shouldn’t even be a statistical value assigned to it. If you want to use 100 percent, then we say turn it on 100 percent of the time because it always makes sense to do so.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.


Sponsored by KnowBe4
