Your “user” label, typically represented by a login name or email address, is a unique identity in a user database.
If an attacker obtains your login credentials, they can change your account settings, steal sensitive personal or company data, send phishing emails as you, and pivot to additional accounts within your organization. The common ways credentials are stolen:
Brute force: automated scripts try password after password against one account (often starting from lists of common passwords) until the correct one is found.
Spear phishing: highly targeted emails from seemingly credible sources trick users into revealing credentials or other personal information.
Social engineering and data mining: attackers research online databases and social media for your name, location, phone number, names of family members and pets, and similar details, then use them to guess passwords and security-question answers.
Bot attacks: bots spread across many IP addresses test usernames and passwords at high volume, keeping the attempts from each address low enough that no single source trips a lockout, so many accounts can be taken over while staying unnoticed.
Credential stuffing: stolen or leaked credentials are replayed against many other websites in the hope that the victim uses the same password everywhere.
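The patterns above leave distinct fingerprints in an authentication log, and a practitioner will want to see how each one is picked out. The following is an added example, not code from the original article: it parses a constructed log (one "timestamp source-ip username OK|FAIL" line per attempt, an assumed format) and flags a brute-force run on one account, a password spray from one source, one account hit from many sources, and a success that follows a brute-force run (a likely takeover).

```python
"""Detecting the login-attack patterns above in an authentication log.

Added example; it is not code from the original article. The log format
(one "<timestamp> <source-ip> <username> <OK|FAIL>" line per attempt) and
the sample lines are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: a brute-force run that succeeds, a password spray,
# a distributed attack on one account, and two ordinary logins.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.9 alice OK
2024-03-01T10:00:01 203.0.113.5 alice FAIL
2024-03-01T10:00:02 203.0.113.5 alice FAIL
2024-03-01T10:00:03 203.0.113.5 alice FAIL
2024-03-01T10:00:04 203.0.113.5 alice FAIL
2024-03-01T10:00:05 203.0.113.5 alice FAIL
2024-03-01T10:00:06 203.0.113.5 alice FAIL
2024-03-01T10:00:07 203.0.113.5 alice OK
2024-03-01T10:01:00 198.51.100.7 bob FAIL
2024-03-01T10:01:01 198.51.100.7 carol FAIL
2024-03-01T10:01:02 198.51.100.7 dave FAIL
2024-03-01T10:01:03 198.51.100.7 erin FAIL
2024-03-01T10:01:04 198.51.100.7 frank FAIL
2024-03-01T10:02:00 192.0.2.1 grace FAIL
2024-03-01T10:02:30 192.0.2.2 grace FAIL
2024-03-01T10:03:00 192.0.2.3 grace FAIL
2024-03-01T10:04:00 10.0.0.12 bob OK
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        ts, ip, user, result = parts
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def detect(events, bf_threshold=5, spray_min_users=5, distributed_min_ips=3):
    """Flag the patterns described in the article.

    brute_force:          one source hammering one account (>= bf_threshold failures)
    password_spray:       one source trying many accounts, a few guesses each
    distributed_targets:  one account hit from many sources, each staying under lockout
    takeover:             a success for (ip, user) right after a brute-force run
    """
    fails = defaultdict(int)           # (ip, user) -> failed attempts
    users_per_ip = defaultdict(set)    # ip -> accounts it failed against
    ips_per_user = defaultdict(set)    # user -> sources that failed against it
    takeover = []
    for e in events:                   # in order, so takeover sees the failures before it
        key = (e["ip"], e["user"])
        if e["ok"]:
            if fails[key] >= bf_threshold:
                takeover.append(key)
            continue
        fails[key] += 1
        users_per_ip[e["ip"]].add(e["user"])
        ips_per_user[e["user"]].add(e["ip"])
    return {
        "brute_force": sorted(k for k, n in fails.items() if n >= bf_threshold),
        "password_spray": sorted(ip for ip, u in users_per_ip.items()
                                 if len(u) >= spray_min_users),
        "distributed_targets": sorted(u for u, ips in ips_per_user.items()
                                      if len(ips) >= distributed_min_ips),
        "takeover": takeover,
    }


if __name__ == "__main__":
    for name, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{name:20s} {hits}")
```

The thresholds are deliberately parameters: a per-source lockout threshold catches the brute-force case, but the spray and the distributed case are only visible when you count distinct accounts per source and distinct sources per account, which is exactly what the bots in the text are designed to stay under.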
To defend against the above, connecting to your network and critical applications has evolved from a simple password into multi-factor authentication (MFA).
Here are the basics:
For decades, authentication simply meant a username and password.
MFA adds at least one more factor from a different category. For example, a username and password (something you know), plus:
something you have, such as your phone, a hardware token, or a smart card;
something you are, such as a fingerprint or a retinal scan.
After authentication, the access control process issues an access control token (a Kerberos ticket, a session cookie, or a similar object) that stands in for the user's identity on every later request. The token usually carries a pre-defined expiration, after which the user must re-authenticate to remain in an active session.
While authentication verifies your identity, authorization verifies your permission to access resources such as data files, folders, databases, locations, etc.
Once authorization is established, whoever holds that access control token gets every permission granted to that identity; the system does not re-check who is actually at the keyboard.
In other words, from the attacker's point of view the prize is that token (or the credentials that produce it): holding it means assuming the user's identity, whether or not MFA was used at login.
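To make the bearer-token point concrete, here is an added example (not code from the original article) of a minimal session token: a base64 JSON payload plus an HMAC-SHA256 tag, with the token layout and the server key being assumptions for illustration. Verification checks authenticity and expiry, and nothing else: any holder of the string is treated as the user until it expires, which is why the token is worth stealing even when login required MFA.

```python
"""Bearer session tokens: issued after authentication, valid until expiry.

Added example; not code from the original article. The token layout
(base64 JSON claims + HMAC-SHA256 tag) and the server key are assumptions
chosen to show the properties the text describes.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

SERVER_KEY = os.urandom(32)  # assumption: one secret per issuing server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(user: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                now: Optional[float] = None) -> str:
    """Create a token for a user who has just passed authentication (MFA or not)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None.

    Note what is NOT checked: who presents the token. Anyone holding the
    string is treated as the user until it expires.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None                       # malformed
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None                       # forged or modified
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None                       # expired: force re-authentication
    return claims["sub"]


def tamper_subject(token: str, new_user: str) -> str:
    """Rewrite the 'sub' claim but keep the original tag: all an attacker without the key can do."""
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["sub"] = new_user
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(forged) + "." + sig_b64


if __name__ == "__main__":
    t0 = time.time()
    token = issue_token("alice", ttl_seconds=900)
    attacker_copy = token            # the string itself is all an attacker needs
    print("fresh       :", verify_token(token))                          # alice
    print("stolen copy :", verify_token(attacker_copy))                  # alice
    print("tampered    :", verify_token(tamper_subject(token, "admin")))  # None
    print("after 15 min:", verify_token(token, now=t0 + 900))            # None
```

The expiry is the only thing that limits how long a stolen token is useful, which is why short lifetimes and server-side revocation matter as much as the strength of the login step.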
Multi-factor authentication is the answer, but MFA is not perfect. Cybercriminals use social engineering (exploiting human error or misuse), technical manipulation, or a mixture of both to beat MFA.
The most popular MFA option on the planet is SMS: the authenticating server sends a Short Message Service (SMS) text to your cell phone.
After you type in your username and password, your phone vibrates, and once you enter the 4-6-digit code from the message your second factor is complete.
Since cybercriminals typically don’t have access to your physical phone, SMS seems strong. Unfortunately, they don’t need your phone if they can take over your phone number.
Your phone identifies itself to the cellular network with a small card (or, increasingly, a built-in eSIM) called the Subscriber Identity Module (SIM). It holds your subscriber identity and the key used to authenticate to the carrier, and the carrier associates your phone number with it. Pictures and application data live on the phone's own storage, not on the SIM, and it is the phone number, not the card, that an attacker is after.
For well over a decade, hackers have stolen, purchased, and phished the account details needed to impersonate a subscriber: the victim’s phone number, name, carrier login and/or account PIN, and home address.
Usually the cybercriminal phishes this information directly from the victim, though sometimes it comes from compromised online databases (large organizations that fell victim to phishing or ransomware).
However they acquire the data, the attacker then performs a “malicious SIM swap”: convincing your cellular provider (e.g., AT&T, Verizon Wireless, etc.), sometimes through a bribed or tricked employee, to move your phone number to a SIM the attacker controls. From that moment your calls and SMS messages, including MFA codes, arrive on the attacker’s phone and no longer on yours; a phone that suddenly loses signal is often the victim's first warning.
Malicious SIM swaps have become common enough that the U.S. National Institute of Standards & Technology (NIST) classifies codes sent by SMS or voice call as a “restricted” authenticator in Special Publication 800-63B (https://pages.nist.gov/800-63-3/): an agency may use them only after assessing the risk, and must offer users an alternative.
In 2018, Michael Terpin, the founder of the Bit Angels cryptocurrency investment group, sued AT&T for $224 million, citing fraud and gross negligence, after the carrier transferred his phone number without authorization and the cybercriminals stole $24 million in virtual currency.
Reddit faced a similar issue in 2018, when attackers intercepted the SMS codes sent to its employees: Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup.
For more MFA hacks, read this from KnowBe4.

There’s an amount of reasonableness – companies can’t hook up retinal scanners to everyone — but a push notification to a cell phone is reasonable. It’s easy to use, and easy to implement.
Richard Pressler
AllConnected CTO and Chief Architect
Deploying multi-factor authentication on just one application, or in silos, is like locking your front door and leaving a window or back door open. To minimize your exposure, consider every access point in your organization, including the cloud.
We see many organizations implement MFA for Microsoft Office 365 and then develop a false sense of security: “Since we have MFA in place for O365, our organization is safe.” The VPN, remote desktop gateway, or on-premises application that still accepts a bare password is exactly where the attacker goes next.
Implementing consistent security across all data and workloads, on-premises, in private cloud, and in public cloud, is important.
Implementing MFA for all end users and privileged users, cloud and on-premises applications, VPNs, and remote access solutions will help you prevent unauthorized access, data breaches, and password-based attacks.
While not perfect, implementing a multi-factor authentication policy in your organization will go a long way toward securing your IT infrastructure.
AllConnected also recommends the following:
AllConnected recommends Cisco Duo authentication for many reasons, but one is the Push option. When you set up the Duo application on your cell phone, you are asked to choose from:
The push notification option is more effective because the approval is tied to the Duo app on the specific phone you enrolled, not to your phone number, so a SIM swap does not redirect it, and because it requires a timely response rather than a code that can be intercepted or phished out of you. Push has its own failure mode: an attacker who already has your password can trigger prompts until a tired user taps Approve. Require the user to confirm a number shown on the login screen (Duo calls this Verified Duo Push), and train users to report prompts they did not initiate.
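The difference between a code delivered to a phone number and an approval bound to an enrolled device is easiest to see in code. The following is an added example and a simplified model, not Duo's code or wire protocol; the class names, the HMAC-based approval over a per-device secret, and the 2-digit matching number are assumptions. It shows a legitimate approval succeeding, an attacker with the victim's number and password (but not the enrolled app) failing, a blind tap on an attacker-triggered prompt failing the number match, and replayed or stale approvals being rejected.

```python
"""Push approval bound to an enrolled device, with number matching.

Added example; this is a simplified model, not Duo's code or wire protocol.
The class names, the HMAC-based approval and the 2-digit matching number
are assumptions chosen to show why push resists the attacks in the text.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple


class Device:
    """The authenticator app on the enrolled phone; holds a per-device secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def approve(self, challenge_id: str, number_entered: int) -> bytes:
        """The user taps Approve and types the number shown on the login screen."""
        msg = f"{challenge_id}:{number_entered}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class PushServer:
    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._devices: Dict[str, bytes] = {}                   # user -> enrolled device secret
        self._pending: Dict[str, Tuple[str, int, float]] = {}  # challenge -> (user, number, expiry)

    def enroll(self, user: str) -> Device:
        """One-time enrollment; in a real app this is the QR-code step."""
        secret = os.urandom(32)
        self._devices[user] = secret
        return Device(secret)

    def start_login(self, user: str, now: Optional[float] = None) -> Tuple[str, int]:
        """After the password check: create a push challenge and return the number to display."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(16)
        number = secrets.randbelow(100)
        self._pending[challenge_id] = (user, number, now + self.ttl)
        return challenge_id, number

    def complete_login(self, challenge_id: str, number_entered: int,
                       response: bytes, now: Optional[float] = None) -> Optional[str]:
        """Return the user if the approval is genuine, fresh, single-use and for THIS login."""
        now = time.time() if now is None else now
        entry = self._pending.pop(challenge_id, None)   # single use: a replay finds nothing
        if entry is None:
            return None
        user, number, expires_at = entry
        if now >= expires_at:
            return None                                  # stale prompt
        if number_entered != number:
            return None                                  # user was not looking at this login screen
        expected = hmac.new(self._devices[user],
                            f"{challenge_id}:{number_entered}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return None                                  # not from the enrolled device
        return user


if __name__ == "__main__":
    server = PushServer()
    phone = server.enroll("alice")
    cid, shown = server.start_login("alice")
    print("legit approval:", server.complete_login(cid, shown, phone.approve(cid, shown)))
    # SIM-swap attacker: has alice's number and password but not the enrolled app's secret
    cid, shown = server.start_login("alice")
    attacker_phone = Device(os.urandom(32))
    print("swapped SIM   :", server.complete_login(cid, shown, attacker_phone.approve(cid, shown)))
    # Prompt bombing: attacker triggers the prompt; alice taps Approve but cannot know the number
    cid, shown = server.start_login("alice")
    guess = (shown + 1) % 100
    print("blind approve :", server.complete_login(cid, guess, phone.approve(cid, guess)))
```

Moving the phone number to another SIM changes nothing here because the server never sends anything to the number; it only accepts a response computed with a secret that exists on the enrolled phone. The number match is what turns a reflexive tap into a deliberate act tied to the screen the user is actually sitting at.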