It's been nearly 20 years since Bill Gates predicted the death of passwords. Yet, 70% of organizations worldwide continue to rely on passwords for authentication today. Ideally, with the emergence of technologies like single sign-on (SSO) and multi-factor authentication (MFA), and philosophies such as zero trust, passwords should've been extinct by now.
So, what's the hold-up?
According to John Tolbert, the lead analyst at Kuppinger Cole, this is because cybersecurity is not that high a priority in certain organizations. The reasons for this might be a lack of cybersecurity budget, legacy systems incompatible with new-age IAM software, or users' reluctance to switch to other measures.
In lieu of a password-less measure, which he deems a little far-fetched for now, he asks organizations to consider a password-fewer protocol like MFA instead. By password-fewer, he means that while MFA still uses a password as one of its authentication factors, it isn't the only measure in place.
While Tolbert is not wrong, MFA might not be the silver bullet that safeguards against all attacks. It's true that MFA helps block 99.9% of automated attacks but this might not always hold true in the future. History proves that no cybersecurity measure is infallible, and neither is MFA. There are several ways in which attackers can successfully bypass the protocol.
Here, we explore five ways.
SIM-Swapping attacks: If a user loses their phone, they can get a replacement SIM card with the same number. But before they get a new SIM, there is a verification process where the provider authenticates the user by checking some of their personal information, like their SSN. Lax handling of this process can lead to a cybercriminal easily imitating the user and obtaining access to their phone. If they have already obtained the credentials of the user through a data breach and now also have access to their phone, penetrating MFA where the second level of defense is mobile-based authentication becomes easy.
SMS-based attacks: Despite many experts advising against SMS-based authentication measures, they continue to be a popular choice for MFA because they are easy to use, don't require a lot of technical know-how from the user's side, and involve minimal token deployment. An SMS-based attack could either be the result of a SIM swap or interception of the SS7 network. The SS7 protocol is a common choice among most network providers and is easily exploitable due to several of its security flaws. An attacker could interrupt this network, intercept messages sent via SS7, and use it to log into a system or application that follows an SMS-based MFA verification method.
Pass-the-cookie attacks: Whenever a user logs into a website using MFA, the site stores this as an encrypted cookie. In a pass-the-cookie attack, the cybercriminals compromise the system through a cyberattack, and then attempt to retrieve the cookie database offline from the web browser. Once they retrieve the cookie, they decrypt it using open-source software like Mimikatz and upload it onto their web browser. During authentication, when the server asks for the cookie, it is presented with the victim's authentication cookie and MFA is bypassed until the login session ends. Unlike other methods where the attacker must know credentials like username or password to get through the first verification level, here all they have to do is hack into the user's system to get started. Because that's just the way the cookie crumbles.
Duplicate code generator attacks: Dealing with one-time passwords (OTPs) has become a routine practice and surprise, surprise, it is a popular MFA method. When you choose to receive an OTP and it is displayed in, for example, Google's authenticator app, a unique seed value is exchanged between the app and the service being accessed by the user. A seed value is a randomly generated secret code stored in SQL databases that can be easily accessed by attackers, who can come up with a duplicate code generator for every user. Turns out, free applications to accomplish this malicious task have been available online for over 20 years.
Man in the endpoint attacks: A good example of a man-in-the-endpoint attack is a remote access Trojan, like Bancos. Once a bad actor manages to compromise the system, they can install the Trojan which will monitor the user's activity. Now, suppose the user logs in to their bank account. Once the user gets past MFA, the malicious software will run a hidden browser session in the background. The bad actor will then use this to move money from the user's bank account to the bad actor's account. It's called a man-in-the-endpoint attack because the attacker has to gain access to a victim's system to carry it out. If you haven't guessed already, pass-the-cookie attacks, which we previously discussed, were also initiated by a man-in-the-endpoint attack.
So there you have it, five ways cybercriminals can successfully crack the MFA protocol.
To keep up with a world that moves towards a passwordless future, you need to:
Achieve this with ease through a unified SIEM solution like ManageEngine's Log360. Get in touch with our product experts for a free live demo to learn more, or explore on your own by downloading a free, 30-day trial.
You will receive regular updates on the latest news on cybersecurity.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.
