Protect The Enterprise From MFA Attacks

Multi-factor authentication solutions still require security awareness training

Add bookmark

Alarice Rajagopal
03/27/2019

Roger Grimes is the data-driven defense evangelist for KnowBe4, which means he uses data-driven risk analytics to help companies put the right defenses, in the right places, in the right amounts, against the right threats.

Since education is critical to establishing some of the best defenses, Grimes recently presented an introduction to multi-factor authentication, as well as 12 ways that it can be hacked. The goal of the educational on-demand session is to help organizations create an even better defense against MFA attacks.

First, Grimes explained that each MFA solution consists of:

Something you know: Password, PIN, Connect the Dots, etc.
Something you have: USB token, smartcard, RFID transmitter, dongle, etc.
Something you are: Biometrics, fingerprints, retina scan, smell, location, behavior, etc.

While MFA is usually better than single-factor authentication and we should all strive to use MFA solutions wherever and whenever possible, it’s important for users to understand that it can still be hacked. Grimes also noted that it’s hugely important to understand that “No matter how I authenticate (i.e. one-factor, multi-factor, biometrics, etc.), rarely does the authorization use the same authentication token.”

They are completely different processes, often not linked to each other.
Many MFA hacks are based on this delineation.

Again, Grimes reiterated that some MFA solutions are better than others, but there is no such thing as “unhackable.”

5 Types Of MFA Attacks

There are three major session hijacking methods including session token reproduction/guessing, theft of session access token at the endpoint, and theft of session access token in the network communication channel. In fact, KnowBe4’s Chief Hacking Officer Kevin Mitnick showed a demonstration of this type of attack, and Grimes went over a real-world example from March 2018, where the Google Authenticator was to blame for the Binance Exchange API hack.

If an endpoint attack is experienced, then MFA isn’t going to help. The attacker can do just about anything the user is allowed to do after a successful authentication. They can start a second hidden browser session, directly steal session cookies, insert backdoors or invalidate protection all together.

During a subject hijack, every MFA token or product is uniquely tied to a subject that is supposed to using the MFA device/software. If the hacker can take over the subject’s identity within the same namespace, they may be able to reuse the stolen identity with another MFA token/software. And the system will allow a completely unrelated MFA token/software to authenticate and track the fake user as the real user across the system. Examples of this are email hijacking or active directory/smartcard identity hijacking.

SIM swapping attacks can steal or transfer the user’s cell phone operations to another phone, allowing the attacker to get an SMS code. Many MFA methods include sending additional authentication codes via a user’s cell phone short message service (SMS). In fact, NIST SP 800-63 doesn’t even accept SMS codes as value authentication because of how easy it is to hack.

Finally, SMS rogue recovery hacks into your email using recovery methods. Because SMS message origination cannot be easily authenticated within SMS itself, anyone can claim to be anyone. To pull off this type of attack, the hacker must have your email address and associated phone number.

These are just 5 out of 12 different MFA hacks Grimes presented during the webinar. Listen to the full on-demand session in order to learn about the rest of the ways hackers can get into some of your favorite MFA solutions — including how to boost your defenses against these types of attacks.

To listen to the full on-demand session, click here.