Is MFA obsolete before many even adopt it?
- 28 November, 2019 11:55
Multifactor authentication, or MFA for short. I have written about MFA before, in “Do I really have to say it? Stop resisting multifactor authentication”, where I told you all that you need to stop resisting MFA because so many organisations are still not adopting it. “It’s too hard, I don’t have the budget for that”: you have probably heard the same comments I have. I still recommend everyone use MFA for everything; yes, some methods can be used to bypass it, but that doesn't mean you shouldn't implement it.
Let’s look at some of the methods that can be used to bypass 2-factor authentication. I actually watched Kevin Mitnick do just that onstage at this year’s Cybercon in Melbourne, where he basically hacked his Google account onstage (here is a pre-recorded example from him). Look, this isn't something new; the attack method has been around for about a year, but it has shot into the mainstream more recently as malicious actors have started to utilise it. As Kevin explains in his video, the attack follows this sequence. The malicious actor, in this case Kevin, sends a phishing email to the intended victim, which follows the usual process of bringing up a page that requests your login details.
You, as the victim, would enter them, unsuspecting that it is a fake site. In the background, the malicious actor's systems have an automated process that immediately logs in with those freshly captured details; the fake site then redirects you to a page requesting the 2FA (MFA) code, which is sent to your app or mobile device and which you enter on the page. In the background, the malicious actor’s platform logs in with your provided code and, voilà, they are in. You would then be redirected to the real site and simply try to log in again, thinking it failed somehow.
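To see why a typed code can be relayed like this while an origin-bound authenticator (the kind of hardware key the post recommends further down) cannot, here is an added Python simulation that is not part of the original post. It is a simplification, not a WebAuthn implementation: the origins are constructed, and an HMAC over the browser-supplied origin and challenge stands in for the authenticator's per-site signature.

```python
import hmac, hashlib, os, json

RP_ORIGIN = "https://accounts.example.com"     # constructed: the real site
PHISH_ORIGIN = "https://accounts-example.com"  # constructed: look-alike relay page

# Constructed: secret enrolled once with the real site. A real authenticator
# holds a per-site key pair; HMAC stands in so this runs on the stdlib alone.
AUTHENTICATOR_KEY = os.urandom(32)

def new_challenge() -> bytes:
    # The real site generates a fresh, unpredictable challenge per login.
    return os.urandom(16)

def authenticator_sign(key: bytes, challenge: bytes, origin_seen_by_browser: str):
    # The browser, not the user, fills in the origin, so a user on a
    # look-alike page cannot be talked into "typing" the right one.
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin_seen_by_browser},
        sort_keys=True).encode()
    sig = hmac.new(key, client_data, hashlib.sha256).digest()
    return client_data, sig

def rp_verify(key: bytes, expected_challenge: bytes, client_data: bytes, sig: bytes) -> bool:
    # The real site checks the signature AND that the signed origin is its own.
    expected_sig = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False
    data = json.loads(client_data)
    return data["origin"] == RP_ORIGIN and data["challenge"] == expected_challenge.hex()

def totp_style_login(code_entered: str, code_expected: str) -> bool:
    # A code the user types carries no origin at all: whoever holds it,
    # including a relay page that just captured it, can present it.
    return hmac.compare_digest(code_entered, code_expected)

def relay_scenario(origin_seen_by_browser: str) -> bool:
    """The real site issues a challenge, the relay forwards it unchanged, and
    the browser signs over whichever origin it is actually on."""
    challenge = new_challenge()
    client_data, sig = authenticator_sign(AUTHENTICATOR_KEY, challenge, origin_seen_by_browser)
    return rp_verify(AUTHENTICATOR_KEY, challenge, client_data, sig)
```

The relayed code passes `totp_style_login` unchanged, while the relayed assertion fails `rp_verify` because the signed origin is the look-alike page, not the real site.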
This method works on many platforms, not just Google; here is an example against Microsoft Office 365, and there are many more online platforms that are susceptible to this attack. Okay, so now some of you will be reading this and saying “well, what is the point of implementing it to start with if you can just bypass it?” I know some of you will be thinking this, because while I was making my way out of the auditorium after Kevin Mitnick's presentation at Cybercon I could hear several people saying just that.
Now, before I continue, I want to say something about that last sentence: what the hell? This was a security conference, and a couple of the people I heard say “then why even use MFA?” were people who are tasked with protecting companies from threats. Wake up: just because there is a possible way to bypass MFA doesn't mean you shouldn't use it. We are supposed to be the professionals here, so start acting like it, please.
Okay, so mini-rant finished. Back to MFA. Look, yes, I know MFA is not perfect and in some instances it can be bypassed, but a couple of sayings I have heard quite a bit come to mind: "don't put all your eggs in one basket" and "hedge your bets". Let me explain what I am getting at here. MFA is not the only protection you should have in place; it should just be one piece of the puzzle.
Yes, have MFA with either Google Authenticator or another provider's authentication app (there are a few to choose from), combine it with a strong password (even use a password manager if you like: LastPass, Dashlane, 1Password), and obviously don’t use the same password for all of your accounts, as this is a sure way to get your accounts breached. I am a fan of password managers, especially for non-technical users, because you can have a really strong, unique password automatically generated for each account and you don't need to remember them. You just have one really strong master password, and you set up MFA so that it requires a secondary push-app authentication or even some sort of hardware authenticator like a YubiKey. This keeps things simple and secure: not much messing around, but great security. This is just my opinion, and I know some people don’t like password managers, but I think they achieve a great result with reduced risk compared to not having one.
A secondary bonus of using a password manager is that, in the situation described above, the password manager will not auto-fill the login information because it isn't the real site: the PM compares the domain it is on with the one it saved the login for, and will see the slight variation that we humans might miss. In some cases that may be enough to make a user pause and say “hang on, something isn’t right here”. Doesn’t that make the PM worth a second thought?
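The domain check a password manager makes before auto-filling, as an added Python example that is not the post's or any product's code. It assumes a constructed mini public-suffix list (a real manager ships the full list) and shows that subdomains of the saved site match while a hyphenated look-alike, a domain hidden in a subdomain, a Unicode homoglyph and a plain-http page all do not.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix list: the "registrable domain" is the label
# just left of the longest matching suffix (e.g. example.co.uk, google.com).
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "com.au"}

def registrable_domain(url: str):
    """Return (scheme, registrable domain) for a URL, or None if unusable."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return None
    try:
        # Unicode look-alikes become their xn-- form, so a Cyrillic 'о' in
        # 'gооgle' never compares equal to the Latin domain that was saved.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = host.split(".")
    for n in (2, 1):  # try the longer public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return parts.scheme, ".".join(labels[-n - 1:])
    return None  # bare suffix or unknown TLD: refuse rather than guess

def should_autofill(saved_url: str, current_url: str) -> bool:
    """Fill only when the current page is on the exact registrable domain the
    credential was saved for, and only over HTTPS."""
    saved, current = registrable_domain(saved_url), registrable_domain(current_url)
    if saved is None or current is None:
        return False
    if current[0] != "https":  # never hand a password to a plaintext page
        return False
    return saved[1] == current[1]
```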
Let’s not stop here, though, as we should all be implementing click protection for email services to help block users from clicking on dodgy links. It's a great protection that, yes, may not protect us from everything, but this is all about stacking the odds in our favour, don't you think? Put in great endpoint protection, use click protection, implement the best MFA you can get, and then train your users so that they can recognise things that don't look right. That is not an exhaustive list; there are more things we can do, and yes, many of these things on their own won't stop an attack, very true, but put all of them together and you are going to start to make the malicious actor's job very hard.
If you can make it hard enough that the effort required to get in is much higher than the fruits of their labour, then they will just go and attack some lower-hanging fruit. Trust me, there is a lot of it for them to target (all the ones who still haven’t implemented any MFA would be a good place for them to start, or the millions of accounts that still have the same passwords that were in breaches from years ago). Segment your networks, isolate different departments and put firewalls between them. The list goes on, and honestly you will never do all of them, but please do all of us a favour and at least start with two-factor authentication and a good password.
So, yes, you are right, you can bypass MFA, but remember what I have said: it's about stacking the odds in your favour. Nothing is concrete and infallible, but that doesn't mean that if we put it all together we can't get close. If it makes it more fun for you to make it a game, why not think of it as putting obstacles in front of malicious actors just to get under their skin? Confuse them, have some fun with it and don't make it easy for them (where is the fun in that?).
As always, give me your opinion; let’s start a conversation that could help keep us all better protected, because alone we will fail, but together we might stand a chance.
Till next time…