Multi-Factor Authentication (MFA) is becoming increasingly popular as cybercriminals search and find new portals. […]
If done well, it can Multi-Factor Authentication (MFA) Be very efficient. If not, a security disaster threatens. Although more and more companies are using MFA to protect their employees, this method has not spread everywhere. In fact, according to a survey conducted by Microsoft last year 99.9 percent of all hacked accounts Not protected by multi-factor authentication. In total, only 11 percent of all company accounts are insured by an MFA.
The coronavirus pandemic has been good and bad for MFA adoption. On the other hand, shutdowns and remote work provided a good reason for more MFA deployments, and on the other hand, new phishing opportunities for criminal hackers have also emerged. in present Verizon data breach investigation report Quoting Bernard Wilson, Director of Network Intrusion Response at the US Secret Service: “Organizations that have failed to implement MFA are collaborating with VPNs It represents a large proportion of the victims who were attacked during the pandemic.”
In addition to Covid-19, there have been other good reasons to give up lately Multifactor authentication Add:
- Google has been using MFA as standard security since May 2021 For all user accounts. This was pointed out by Matt Tate, a former British analyst at GCHQ in a tweet like “One of the most significant cybersecurity improvements of this decade.”
- In June 2020, Apple announced that Safari will support 14 FIDO2 protocols, joining Android and most other major browsers. Background: FIDO gets better and better, even if apps require brainpower to be able to use them across browsers, different operating system versions, and smartphone apps.
However, the recent past shows that when hedging from two factors and Multifactor authentication There is still room for improvement. We will show you five common methods that criminal hackers use to exploit MFA vulnerabilities.
1. SMS-based man-in-the-middle attacks
Biggest problem Multifactor authentication It is related to the most common form of implementation: the use of one-time passcodes via SMS. It is easy for clever attackers to hack smartphones and temporarily allocate their phone number to a device under their control. There are several ways to carry out such an attack. One is bribing or persuading the cell phone service provider to reallocate the phone.
Another way is to use commercial services, such as Vice Reporter Discovered in a self-experience. For an investment of $16, a contract hacker successfully viewed or forwarded all SMS messages with the help of a service provider.
2. Angriffe supply chain
The most notable attack on the software supply chain so far has been Solarwinds– Hacking that infected various components of the program. User companies can be hacked without even realizing it. Around SuppliersThere are a number of possibilities to prevent attacks, for example source code checks in a runtime environment.
Gartner analyst Casey Panetta writes about it In a blog post As of January 2021: “You must not forget that the . file Solarwinds– The attack was discovered by a vigilant security guard who wondered why one of the employees had another phone Multifactor authentication He wanted to register. Conversely, this means that the attacker intended to use the Multi-Familial Technique (MFA) as the attack vector.”
3. Workflow bypass
Another example of a loophole in things Multifactor authentication This is the recently discovered vulnerability in the MFA Liferay DXP v7.3. The vulnerability enables each registered user to authenticate themselves by changing one-time passwords for other users. This then “blocks” the affected user. The bug has now been fixed.
4. Cookie pass attack
This method of attack was used Browser and Website Cookieswhich store authentication data in cookies. This procedure was originally chosen for reasons of ease of use. However, if a cybercriminal succeeds in extracting this data, they can take over your account.
5. Server-side spoofing
It was one of the greatest feats of the recent past hafniumA series of attacks can break all authentication processes with Microsoft Exchange servers. Four zero-day vulnerabilities have been exploited in Exchange, and Microsoft has now released a number of patches.
Common MFA attack vectors illustrate this Multifactor authentication It requires a certain amount of care if it is to function properly and safely. Garrett Becker, Senior Analyst at 451 Research, knows this as well: “Bad MFA is like bad sunglasses – they don’t provide any protection. The main reason multifactor authentication isn’t used too often is poor user experience.” , the analyst believes that MFA should be combined with a zero-trust architecture and persistent authentication technologies. Many providers have recognized this and have corresponding offers up their sleeves – but the implementation is not at all easy.
Account recovery option is another weakness of Multifactor authentication: Some companies have strong MFA protection for normal account logins, but if the user forgets their password, the recovery process begins with an SMS passcode.
Gerhard Geese from Akamai points out that In a blog post Point out that MFA is not always an appropriate antidote to credential stuffing. At his discretion, IT administrators will have to carefully review authentication workflows and login screens to ensure that attackers cannot access the login data by clicking on the web server. He recommends that administrators use bot management solutions to make sure that criminal hackers don’t stand a chance.
Multifactor authentication It must be part of a critical corporate security infrastructure. Recent attacks, in addition to urging government and business experts, should give a smart boost to MFA implementation processes.
*David writes for our US sister publications CSO Online, Network World, and Computerworld, among others.