Demystifying FBI Notes on Cyber Attacks Involving Multi-Factor Authentication
Hackers are Looking for Every Opportunity to Bypass Security Measures, and MFA is no Exception.
The US Federal Bureau of Investigation (FBI) released a warning about attacks that bypassed multi-factor authentication (MFA) several months ago. Much of what is covered in this alert is not new to the security community, but it does emphasize two points: hackers are looking for every opportunity to bypass security measures, and MFA is no exception; and less secure MFA solutions will unfortunately put organizations at a disadvantage. This FBI report helps us understand which security measures are most important when fending off attacks.
With this in mind, let's look at the incidents cited in the FBI report in detail to help determine when you should worry about these types of threats and what you can do to prevent them.
- Bank Attack - 2019: This attack occurred because a misconfigured eBanking application created a vulnerability that allowed the hacker to bypass MFA. To prevent this type of incident, make sure your systems are correctly configured so that two-factor authentication solutions can perform effectively.
- SMS and Phone-Based Attacks - 2018-2019: These attacks confirm that SMS authentication should be avoided, as it has been consistently reported to leave you greatly exposed to being hacked (hint: this is a big reason why WatchGuard's AuthPoint does not offer SMS as an MFA option). As mentioned by NIST in 2016, "SMS authentication should be avoided and almost not even considered as a two-factor authentication method." Other options, like push notification, provide a more secure experience since the message is encrypted and cannot be intercepted.
- Live Demonstration at RSA - 2019: This case refers to a presentation given during the RSA Conference (possibly from the great Roger Grimes), which showed ways of circumventing MFA, including SMS and social engineering attacks. This is also a good reminder that MFA technology is designed to authenticate, not authorize users.
- Phishing Attack - 2019: The last threat involves session hijacking through a phishing email. Of course, if you've been phished, you're probably in big trouble. The attacker would install a trojan on your computer and use a proxy to connect to the protected services. This is applicable only to web applications, and it requires the phishing to succeed, whereas a password attack might happen without the user even knowing about or participating in it.
The FBI isn't disputing the importance of MFA as a key method to protect identities, accounts, and information; in fact, it reiterates that companies should continue to enable these practices. More than ever, MFA is a "must-have" for every company's security program. Its value is perhaps best characterized in Verizon's 2019 Data Breach Investigations Report, which advised readers to "MFA everything."
This warning really is a wake-up call to acknowledge that MFA solutions aren't bulletproof and that not every solution provides equal protection. You may create the most secure method in the world, with three types of biometrics, two hardware devices, passphrases, etc. There is always a chance that your accounts or systems could be circumvented. But you can make it harder for an attacker by applying what we've shown you here about how hackers are attacking MFA and what you need to look for in your MFA solution to be best equipped to resist them.