Roger Grimes. PHOTO: Cybercrime Magazine.

Multi-Factor Authentication Is (Not) 99 Percent Effective

Hackers are running circles around MFA, but it’s still useful

David Braue

Melbourne, Australia – Feb. 23, 2023

The Hacking MFA Report is sponsored by KnowBe4.

Multi-factor authentication (MFA), which has become near ubiquitous as a way of thwarting credential-stuffing cybercriminals, was supposed to be the surefire thing that would protect companies and their employees from compromise.

And, like most innovations in cybersecurity, it worked — until it didn’t.

As the details came out in the wash, last September’s breach of rideshare giant Uber — perpetrated by an 18-year-old cybercriminal in the making — proved to have been made possible not because the attacker found a way to bypass MFA or exploit a vulnerability in its code, but because he knew enough about how it worked that he could weaponize it against a hapless Uber employee.

Having already stolen the employee’s username and password, analysis has shown, the attacker wrote a script that automatically attempted to log into Uber’s systems — knowing that each logon would generate a new alert on the user’s smartphone, demanding that the logon be approved or denied.

Each time the user tapped “Deny,” the script would try to logon again — flooding the target for more than an hour with a string of notifications that became so annoying that, by the time the attacker contacted the employee on WhatsApp claiming to be an Uber technical support officer, the victim was ready to tap “Approve” just to make it all go away.

Once the logon was approved, the attacker was able to move laterally within Uber’s internal networks, ultimately locating a Microsoft PowerShell script with hard-coded credentials that provided access to other corporate administrative systems.

No wonder the technique — now well documented in the MITRE ATT&CK database — has become known as an “MFA fatigue” attack: it uses existing technological mechanisms to wear down victims’ resolve until they simply can’t resist anymore.

The technique has become yet another feather in the cap of cybercriminals that have, rather than throwing their hands up at the impenetrability of MFA, taken the technology as a new challenge to be overcome.

By all accounts, they’re succeeding: the past year has seen one tech company after another fall victim, with Microsoft and Cisco Talos among the flood of MFA fatigue attack victims that, according to one recent Microsoft study, saw over 382,000 attacks recorded during a recent 12 month period they tracked.

“MFA is not 99 Percent Effective; Never has been, never will be.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4

The dangers of great expectations

The success of MFA fatigue attacks is yet another reminder of just how well human engineering continues to find ways to work around the well-regarded security technology — not by breaking its technology, but by learning how it works so well that they can manipulate it to run rings around legitimate users.

That manipulation has produced several rather effective forms of MFA compromise — for example, MFA Interception, in which attackers compromise email accounts, smartphones, or other channels to intercept one-off MFA authentication codes.

Other attackers have developed ways to steal authentication tokens after they are granted — allowing them to spoof an authenticated user in a technique that exploits efforts to remove systems’ dependence on passwords.

“By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly,” the Microsoft Detection and Response Team (DART) noted in a recent blog post.

“This [is] a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organizations have token theft mitigations in their incident response plan.”

Another popular exploit is network session hijacking, in which cybercriminals emulate a well-known tech brand — or the victim’s employer — in an authoritative phishing email that tricks them into logging into a lookalike site that uses a transparent proxy website to capture MFA codes or other details in a highly-effective “man-in-the-middle” attack.

Despite the successful bypass of MFA systems, the technology remains better than passwords alone for securing corporate systems — meaning it’s worth implementing, but with eyes wide open to its potential exploitation.

“All things considered, MFA is stronger than single-factor authentication, or at least that’s the theory,” Roger Grimes, data-driven defense evangelist with KnowBe4, told Cybercrime Magazine.

But “the dangers and vulnerabilities of MFA are actually fairly significant,” he said, “and we don’t talk about them enough.”

One of the biggest problems with MFA has been the claim — floated by Microsoft in 2018, repeated by “industry titans,” and regularly cited by security researchers as a cautionary tale — that MFA can block 99.9 percent of account compromise attacks.

Although MFA significantly improves security in most cases, it is not infallible: Grimes estimates that it can stop 30 percent to 50 percent of such attacks, but says the 99 percent figure “is not true and never will be.”

That said, phishing resistant MFA “is a great thing [that] stops a huge percentage of attacks… but if you’re not aware that your MFA solution can be easily hacked, you’re more likely to fall for being hacked.”

How to defend your MFA

Compromised credentials were involved in nearly half of the 4,250 non-error, non-misuse breaches analyzed in Verizon’s latest Data Breach Investigations Report (DBIR) — which advises that credentials, phishing, exploiting vulnerabilities, and botnets are the “four key paths leading to your estate [and] no organization is safe without a plan to handle them all.”

One study found 32.5 percent of companies were targeted by brute-force account attacks in one month alone, with a 60 percent chance of a successful account takeover every week in organizations with 50,000 or more employees.

Given that MFA hacking is closely linked to compromised credentials — which must be obtained to trigger the MFA verification request in the first place — a good place to start your prevention efforts is to take the time to audit the way you issue, store, and update user credentials.

Think about how you would compromise your existing password replacement process, for example, and then consider how you can close those loopholes to prevent malicious outsiders intercepting codes or spoofing employees’ devices.

“Most cybersecurity attacks are completely preventable if you do some pretty basic hygiene in your security,” notes Clare O’Neill, Australia’s Minister for Cyber Security and the recent recipient of Cybercrime Magazine’s Person of the Year Award 2022.

“We just have to do the right thing,” she continued, citing the importance of enforcing measures such as complex password requirements. “We cannot reduce cyber risk to zero… but if you don’t have two-factor authentication, what are you doing?”

When adopting MFA, it’s important to make sure your employees are aware of the technology’s risks as well as its benefits.

Teach them to look out for suspicious behavior, such as a series of access prompts in regular succession or contemporaneous contact by people claiming to be technical or other trustworthy employees.

Revisit MFA policies so that, for example, accounts are locked after 10 or 20 incorrect attempts — and force users to change their passwords after a certain number of MFA failures, so that attackers can no longer use stolen credentials to initiate MFA requests in the first place.

One key thing to remember is that each company typically only has one MFA solution — and each solution uses well-known techniques, ranging from one-time passwords and push-based authentication to biometrics.

That means it’s possible to give users very specific advice and training about known vulnerabilities with the solution they are using — and it’s relatively straightforward to outline abnormal behavior that should trigger their suspicions.

“Priority number one is to educate your employees that ‘these are the common types of attacks against your type of MFA, and this is how you recognize those attacks, and this is how you report them,’” Grimes explained.

As usual, reinforcement of that learning is essential: use phishing simulation tools to prod employees with emails adopting the techniques that would be used for exactly the type of compromise you educated your employees about.

“The people that fail this simulated phishing test get more education,” Grimes said, “so you’re putting the right education, in the right amounts, to the right people that need it.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.