Security BUZZ - MFA Is under attack

  • 1.  Security BUZZ - MFA Is under attack

    Posted 06-09-2023 13:59

    We finally stopped resisting multi-factor authentication. Many vendors won't even ask us to configure anything. Silently you receive a code via email or text message to confirm you are who you said you were. Like anything else in this widely connected world, it is just a matter of time before hackers can circumvent it. 

    While multiple ways exist to bypass the inadequate security of two-factor authentication (2FA) that uses one-time passwords (OTPs) [a code of six or more digits] sent through SMS texts, systems protected by application push notifications or using hardware tokens are considered much harder to compromise. Yet, these are the three most common techniques to get around additional security.

    • MFA bombing (flooding), where an attacker will repeatedly attempt to log in using stolen credentials to create a deluge of push notifications, aims at taking advantage of users' fatigue for security warnings. Push notifications are a step up from SMS but are susceptible to MFA bombing and MFA fatigue attacks, bombarding the victim with notifications in the hope they will click "Allow" on one of them. Another popular tactic - the account reset attack - aims to fool tech support into giving attackers control of a targeted account. An attacker will compromise a user's credentials and pose as a vendor or IT employee, asking the user for a verification code or to approve an MFA prompt on their phone.
    • Session hijacking - after a user logs in to an online account or cloud service, a session cookie containing the user's authentication credentials is typically set and remains active until the user logs out. A common post-compromise tactic is for the attacker to harvest every cookie in the browser cache for potential use as a session hijack or pass-the-cookie attack.
    • Adversary-in-the-Middle (AitM) attack, where the attacker compromises infrastructure between the user's device and a cloud service or online site. The attacker, acting as a proxy via the compromised server, intercepts requests between the user and the destination server, allowing attackers to harvest the authentication mechanism in real time. This technique enables the attackers to bypass most available methods of MFA since the user is providing the site, and the hacker, with both the username and password and additional authentication.

    Takeaways:

    • Where available, always opt for the highest supported level of 2FA.
    • Be aware of MFA-bombing attacks and always be cognizant when responding to or accepting any second-factor request.
    • Keep your computer and browser fully patched. It will help with AitM attacks.
    • Stay alert to any social engineering attack. "Tech support" scams have been around for over a decade. Remember, a wealth of information is easily accessible for creating plausible and resonant social engineering pretexts. Always follow your company policies and processes while at work.


    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
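One way a defender can spot the MFA-bombing pattern the post describes (a burst of push challenges, denials, then an approval) is to run a window count over identity-provider push events. The following is an added example, not code from the post or any vendor; the log format and the sample lines are constructed, and the threshold and window are assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP log lines in a made-up key=value format (hypothetical, not a real product's).
SAMPLE_LOG = """\
2023-06-09T13:01:02Z user=alice event=push_sent
2023-06-09T13:01:40Z user=alice event=push_denied
2023-06-09T13:02:05Z user=alice event=push_sent
2023-06-09T13:02:30Z user=alice event=push_denied
2023-06-09T13:03:10Z user=alice event=push_sent
2023-06-09T13:03:55Z user=alice event=push_approved
2023-06-09T13:05:00Z user=bob event=push_sent
2023-06-09T13:05:20Z user=bob event=push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

def parse(log_text):
    """Turn log text into time-sorted (timestamp, user, event) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["event"]))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """Flag users with at least `min_pushes` push challenges inside any `window` (assumed thresholds),
    and record whether an approval followed earlier denials, the outcome MFA bombing hopes for."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        # densest burst: for each send, count the sends that fall within `window` after it
        burst = max((sum(1 for t in sends if timedelta(0) <= t - s <= window)
                     for s in sends), default=0)
        if burst < min_pushes:
            continue
        seen_deny = approved_after_deny = False
        for _, ev in evs:  # evs is already in time order
            if ev == "push_denied":
                seen_deny = True
            elif ev == "push_approved" and seen_deny:
                approved_after_deny = True
        alerts[user] = {"pushes": burst, "approved_after_deny": approved_after_deny}
    return alerts
```

An alert where `approved_after_deny` is true is the case worth treating as a probable compromise rather than mere noise, since the user eventually clicked "Allow" after having rejected earlier prompts.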