
Is your 2FA really secure?

When it comes to protecting online accounts, a general piece of security advice is to enable two-factor or multi-factor authentication wherever possible. Almost everyone knows that two-factor authentication is better than having only one form of authentication, such as a password. Many people also believe that 2FA is an ‘invincible’ or ‘unbreakable’ solution; contrary to that common belief, it is not.

While it is a best practice and highly recommended to use two-factor authentication, we must get our expectations right about the level of protection it can provide. Every authentication method has its weaknesses and vulnerabilities, and almost all of them involve the ‘human factor’, i.e. being vulnerable to social engineering.

One of the most commonly used second factors is SMS, where a security code/OTP is sent to the user’s mobile phone via a text message. It is one of the most widely used methods and the simplest and most cost-effective in nature: one doesn’t even need a smartphone or a data connection to use it. Unfortunately it is also the weakest second factor and should be avoided where possible. So much so that the National Institute of Standards and Technology (NIST), in its draft Publication 800-63, no longer recognises SMS as a strong second factor and advises organisations to look for more secure alternatives in future.

This control is tied to the SIM card in the user’s mobile phone, so if a malicious actor gets hold of the phone and the SIM card inside it, they can easily receive the code sent to that phone number, change the password, transfer funds if it is a bank account, and take over the victim’s identity. In fact, an attacker doesn’t even need physical access to your phone to get the SIM card: they can have a replacement SIM card issued fraudulently by the service provider using scams known as “SIM swap” or “port-out”. These scams rely on social engineering and have been on the rise in recent years as more organisations, including banks, push towards 2FA and mostly use SMS as the second factor. This gives attackers a strong motivation to target SMS authentication. In Australia in particular, these scams have increased. Telcos follow an industry-agreed process regulated by ACMA (Australian Communications and Media Authority) which provides very little security. The National Identity & Cyber Support website has more details on how to prevent these scams and how to respond if you have become a victim.

Another way to get around 2FA is to create a PITM (Person in the Middle) situation, previously known as Man-in-the-Middle (MITM). When a subject is authenticated after providing a username/password and the second-factor information, they are issued a session cookie. This session cookie authorises the subject to access a web resource for one session. If attackers are somehow able to steal this cookie, they can use it to log on to the resource successfully without knowing the victim’s login information at all.

We all know about phishing emails containing links to fake login pages (Office 365, banks, PayPal, iTunes, etc.) that request users to input their usernames and passwords, and a lot of us can recognise those scams fairly quickly (I hope) thanks to the training conducted by our organisation’s friendly cyber security people. As organisations become more security aware and invest in security, cyber adversaries continue to develop newer ways to get around our defences. It is not too difficult for scammers to create a complete fake 2FA experience for any of the websites mentioned above. All they need to do is add another step: another page where they ask the victim to enter the second piece of information generated by their hardware token, authenticator app or SMS code, and then steal that information on the fly. The same method was recently used in the so-called Charming Kitten attack, where attackers created two fake pages to hijack Google accounts. As the victim entered their username and password into the fake login page, the attackers relayed those credentials to the real Google login page. If the account was protected by two-factor authentication, the attackers redirected the victim to another fake page where they entered the one-time password; the attacker relayed this into the real website as well and obtained a legitimate session with the victim’s credentials.

Since seeing is believing, here is a PoC of a similar attack. It is by the Polish security researcher Piotr Duszyński, using his own tool named “Modlishka”. Piotr has released this tool on GitHub as well.

Since tools like Modlishka are easily available online, and I’m sure there are a few others available on the dark web, 2FA bypass attacks are only going to rise in future, and it is very important for us to understand the risks and address them properly.

We can take some simple steps to improve our 2FA security, such as using hardware keys or authenticator apps instead of SMS, especially for high-risk accounts such as bank accounts. You can request your bank to issue you a hardware key, and depending on the bank it is usually free. You can check which websites support which forms of 2FA at twofactorauth.org. If a site allows the use of hardware keys, it is worth investing in something like a YubiKey or Google Titan Security Key and using it as your second factor. (Google Titan is not currently available in Australia directly.)

In terms of priority, I would always prefer hardware keys over any other method. If a site does not support them, then an authenticator app such as Google Authenticator should be used, and if a site doesn’t even support that, then there is probably no reason to be using that site in the first place! Last, and of course least preferred, SMS can be used.
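The relay phishing described above and the preference for hardware keys come down to one property: a TOTP code is the same string wherever the user types it, whereas a FIDO/U2F key signs the origin the browser reports. The example below is added here and is not from the original post; it implements RFC 6238 TOTP and a simplified origin-bound assertion check, using HMAC as a stand-in for the key’s public-key signature and constructed secrets and origins.

```python
import hmac, hashlib, struct, time, json

# Constructed secrets for this demo (not real credentials).
TOTP_SECRET = b"constructed-shared-secret"
DEVICE_KEY = b"constructed-device-key"  # stands in for the authenticator's private key
REAL_ORIGIN = "https://login.example.com"  # assumed relying-party origin

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(submitted: str, unix_time: int) -> bool:
    """Server-side TOTP check. Nothing ties the code to the page the user typed it
    into, so a code captured on a look-alike page verifies exactly like a real one."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))

def device_sign(challenge: str, origin: str) -> dict:
    """Model of a FIDO/U2F authenticator: it signs the server challenge together with
    the origin the browser reports, so the response is bound to the asking page.
    HMAC replaces the device's ECDSA signature here (demo assumption)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying party: the signature must be valid, the challenge must be the one we
    issued, and the signed origin must be ours. A response produced on any other
    origin fails the last check even if it is forwarded to us intact."""
    data = json.loads(assertion["client_data"])
    expected = hmac.new(DEVICE_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["signature"])
            and data["challenge"] == expected_challenge
            and data["origin"] == REAL_ORIGIN)

if __name__ == "__main__":
    now = int(time.time())
    print("TOTP accepted regardless of where it was typed:", verify_totp(totp(TOTP_SECRET, now), now))
    print("assertion signed on the real origin:", verify_assertion(device_sign("c1", REAL_ORIGIN), "c1"))
    print("assertion signed on another origin:", verify_assertion(device_sign("c1", "https://login.example.net"), "c1"))
```

The first check in `verify_assertion` is what an authenticator app or SMS code cannot offer; the origin comparison is why a hardware key is placed above both in the priority list.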

Lastly, I cannot emphasise user awareness and education enough. Users, unfortunately, are the weakest link in our defence chain, but proper education and awareness can address this weakness and even turn it into a strength. Educate the users, staff at work and family at home; make them more cyber savvy and equip them with the knowledge to spot and identify scams on their own. Technology and tools alone cannot address all the risks and thwart all the threats if there is little support from the users.

To sum up, multi-factor authentication must be used wherever it is available. It is definitely more secure than simple single-password authentication; however, it is not a security silver bullet that will fix all your security problems and save you from account compromise. As a matter of fact, nothing in this world can give absolute or complete security: there will always be some risk, always a chance of a compromise. However, by working on the education and awareness of our People, along with improvement in Processes and investment in the right Technology, we can certainly improve our security posture.

This post is licensed under CC BY 4.0 by the author.