If a cybercriminal obtains your login credentials, they can change your account settings, steal sensitive personal or company data, send phishing emails as you, and possibly reach additional accounts within your organization.
Criminals can attempt this “malicious account takeover” through:
To prevent this, logging in to your network and critical applications has evolved from a single password into multi-factor authentication (MFA).
The Four Steps of Authorization
Here are the basics:
Identity – definition: your unique identifier
Your “user” label, typically represented by a login name or email address, is a unique identity in a user database.
Authentication – definition: verifying your identity to gain user access
For decades, authentication simply meant a username and password.
Thanks in part to organizations like the FIDO Alliance, authentication has become more sophisticated. Rather than asking for yet another piece of information (a PIN or Social Security number is still just “something you know”), modern authentication combines factors from more than one category: “what you know,” “what you have,” or “what you are.”
Multi-Factor Authentication (MFA) requires two or more factors drawn from different categories; two passwords, or a password plus a PIN, are not two factors.
For example, a username and password (something you know), plus:
MFA is therefore much harder to beat: an attacker needs not only the user’s identity and password, but also the user’s device or the user in person.
Access Control – definition: a token to establish your session
After authentication, the access control process issues a token (a Kerberos ticket, session cookie, or similar object) that represents the authenticated user for the rest of the session, so identity does not have to be re-proven on every request. The token normally carries a pre-defined expiration, after which the user must re-authenticate to remain in an “active” session.
Authorization – definition: permits your access to resources
While authentication verifies your identity, authorization verifies your permission to access resources such as data files, folders, databases, locations, etc.
Once authorization is established, whoever holds that access control token gets whatever access the user was granted, for as long as the token is valid.
In other words, an attacker who steals a valid access control token can act as that user without ever beating authentication again.
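The four steps above, reduced to code. This is an added illustration, not code from the original page or from AllConnected: the server key, the access control list, the user names and the resource paths are all constructed for the example. Authentication is assumed to have already succeeded; the block shows the token that access control issues, the authorization check that consumes it, expiry forcing re-authentication, and why a stolen token is as good as the password until it expires.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a real deployment loads this from a secrets manager.
SERVER_KEY = secrets.token_bytes(32)

# Constructed authorization table: principal -> {resource prefix: allowed actions}.
ACL = {
    "alice@example.com": {"/finance/q3.xlsx": {"read"}, "/hr/": {"read", "write"}},
    "bob@example.com": {"/hr/": {"read"}},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(identity: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Access control step: after authentication succeeds, mint a signed, expiring token."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": identity, "exp": now + ttl_seconds}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the identity the token asserts, or None if it is forged, malformed or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered: the server never signed this payload
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # expired: the user must re-authenticate
    return claims["sub"]


def authorize(token: str, resource: str, action: str, now: Optional[float] = None) -> str:
    """Authorization step: map the token's identity to its permissions on the resource."""
    identity = validate_token(token, now)
    if identity is None:
        return "reauthenticate"
    for prefix, actions in ACL.get(identity, {}).items():
        if resource.startswith(prefix) and action in actions:
            return "allow"
    return "deny"


if __name__ == "__main__":
    token = issue_token("alice@example.com", ttl_seconds=600, now=1000)
    print(authorize(token, "/hr/handbook.pdf", "write", now=1100))   # allow
    print(authorize(token, "/finance/q3.xlsx", "write", now=1100))   # deny
    print(authorize(token, "/hr/handbook.pdf", "read", now=1700))    # reauthenticate
```

Nothing in `authorize` asks who presents the token, which is the point of the paragraph above: the token is the session, so its lifetime and the places it is stored (cookies, ticket caches) deserve the same protection as the password.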
Multi-Factor Authentication is the solution, but MFA is not perfect. Cybercriminals use social engineering (exploiting human error or misuse), technical manipulation, or a mixture of both to beat MFA.
The SMS Swap Attack on Multi-Factor Authentication
The most widely used MFA option is SMS: the authenticating server sends a Short Message Service (SMS) text to your mobile phone.
After you type in your username and password, your phone buzzes, you enter the 4- to 6-digit code, and your two-factor authentication is complete.
Since cybercriminals typically don’t have your physical phone, SMS seems strong. Unfortunately, they don’t need your phone if they can take over your phone number.
Your subscription to the carrier lives on a small card (or, increasingly, an embedded eSIM) called the Subscriber Identity Module (SIM). The SIM holds the subscriber identity and the key the network uses to recognize your line; the carrier routes your calls and texts to whichever SIM is active for your number, not to a particular handset.
For well over a decade, attackers have stolen, purchased, and phished the details a carrier uses to verify a subscriber: phone number, name, home address, account PIN, and answers to security questions.
Usually the attacker phishes this information directly from the victim, though sometimes it comes from databases breached at other organizations.
With that information in hand, the attacker performs a “malicious SIM swap”: convincing your cellular provider (e.g., AT&T, Verizon Wireless) to move your phone number to a SIM the attacker controls. Your phone loses service, and every call and text to your number, including your MFA codes, now arrives on the attacker’s device.
Malicious SIM swaps are common enough that the U.S. National Institute of Standards and Technology (NIST), in Special Publication 800-63B (https://pages.nist.gov/800-63-3/), classifies out-of-band authentication over the public telephone network (SMS and voice) as “restricted,” because the phone number may not be under the subscriber’s control.
In 2018, Michael Terpin, founder of the Bit Angels cryptocurrency investment group, sued AT&T for $224 million, alleging fraud and gross negligence after AT&T transferred his phone number without authorization. The cybercriminals stole roughly $24 million in cryptocurrency.
The online platform Reddit faced a similar issue in 2018: Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup.
For more MFA hacks, read this from knowbe4.
Implement MFA Throughout Your Organization
Deploying Multi-Factor Authentication on just one application, or in silos, is similar to locking your front door and leaving a window or back door open. To minimize your exposure to an attack, be sure to consider all access points within your organization, including the cloud.
We see many organizations implementing Microsoft Office 365 with MFA, and developing a false sense of security, feeling that, “Since we have MFA in place for O365, our organization is safe.”
Implementing consistent security across all data and workloads, on-premises, in private cloud, and in public cloud, is important.
Implementing MFA for all end users and privileged users, across cloud and on-premises applications, VPNs, and remote access solutions, will help you prevent unauthorized access, data breaches, and password-based attacks.
How to Prevent MFA Hacks
While not perfect, implementing a Multi-Factor Authentication policy in your organization will go a long way toward securing your IT infrastructure.
AllConnected also recommends the following:
Consider Cisco Duo for Multi-Factor Authentication
AllConnected recommends Cisco Duo authentication for many reasons, but one is the Push option. When you set up the Duo application on your cell phone, you are asked to choose from:
The push notification option is more effective against the SIM swap described above because the approval request is sent to the enrolled Duo app over its own channel and is tied to that device, not delivered to your phone number; an attacker who has taken over the number receives nothing they can type in. Users should still approve only prompts for logins they just started, since a push they did not initiate means someone else has their password.
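The difference between the two factors, as an added example that is not part of the original post or of Duo’s implementation. The carrier, the phone numbers, the user “alice” and the SIM names are constructed; the push factor is modelled as an HMAC challenge-response over a secret provisioned at enrollment, which stands in for whatever device-bound key a real push app uses. The first scenario replays the SIM swap section: the code goes wherever the carrier routes the number. The second shows why moving the number does not help against a device-bound factor.

```python
import hashlib
import hmac
import secrets


class Carrier:
    """Constructed model of a mobile carrier: a phone number is only a routing key to a SIM."""

    def __init__(self):
        self.routes = {}   # phone number -> SIM currently active for it
        self.inboxes = {}  # SIM -> SMS messages delivered to it

    def activate(self, number, sim):
        self.routes[number] = sim
        self.inboxes.setdefault(sim, [])

    def swap(self, number, new_sim):
        # The step the attacker social-engineers customer care into performing.
        self.activate(number, new_sim)

    def deliver_sms(self, number, text):
        self.inboxes[self.routes[number]].append(text)


class SmsFactor:
    """Second factor sent as a one-time code to a phone number."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}  # user -> outstanding code

    def start(self, user, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.carrier.deliver_sms(number, f"Your login code is {code}")

    def finish(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)


class PushFactor:
    """Second factor bound to a secret provisioned into the app on the enrolled device."""

    def __init__(self):
        self.device_keys = {}  # user -> secret held only by the server and the enrolled app
        self.pending = {}      # user -> outstanding challenge

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key  # stays on the device; it is never sent over SMS

    def start(self, user):
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge  # pushed to the app over its own authenticated channel

    def finish(self, user, response):
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        expected = hmac.new(self.device_keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_approve(key, challenge):
    """What the enrolled app computes when the user taps Approve."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def sim_swap_scenario():
    """Attacker already holds the phished password and gets the number moved to their SIM."""
    carrier = Carrier()
    carrier.activate("+15551230000", "victim-sim")
    sms = SmsFactor(carrier)
    carrier.swap("+15551230000", "attacker-sim")
    sms.start("alice", "+15551230000")  # the server texts the number on record
    stolen_code = carrier.inboxes["attacker-sim"][-1].rsplit(" ", 1)[1]
    return {
        "victim_received": len(carrier.inboxes["victim-sim"]),
        "attacker_login": sms.finish("alice", stolen_code),
    }


def push_scenario():
    """Same attacker, same control of the phone number, but the factor is bound to the device."""
    push = PushFactor()
    alice_key = push.enroll("alice")
    challenge = push.start("alice")
    # Controlling the number yields neither the challenge nor the device key; a guess fails.
    attacker_response = hmac.new(secrets.token_bytes(32), challenge, hashlib.sha256).digest()
    attacker_login = push.finish("alice", attacker_response)
    legit_login = push.finish("alice", device_approve(alice_key, push.start("alice")))
    return {"attacker_login": attacker_login, "legit_login": legit_login}


if __name__ == "__main__":
    print(sim_swap_scenario())  # victim gets nothing, attacker logs in
    print(push_scenario())      # attacker fails, enrolled device succeeds
```

The model assumes the user only taps Approve for a login they just started; it does not defend against a user approving an unexpected prompt, which is why the caveat in the paragraph above matters even with push.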
“There’s an amount of reasonableness – companies can’t hook up retinal scanners to everyone — but a push notification to cell phone is reasonable. It’s easy to use, and easy to implement.” said Richard Pressler, AllConnected’s CTO and chief architect.
If you would like to hear more about how AllConnected can strengthen your IT security, please contact us.