ICYMI: KnowBe4’s Roger Grimes Explores Ways to Defeat MFA
January 17 • Tampa, FL: If you couldn’t make it to Florida Cyber Conference 2019 back in October, you missed out on some great insight. But never fear! Several conference speakers are also guests on the current season of Cyber Florida’s podcast, No Password Required! Tune in anytime to catch up on the inside scoop from these and other industry luminaries.
Read on for a taste of the intriguing presentation by Roger Grimes, KnowBe4’s data-driven defense evangelist, on the ways cybercriminals defeat multifactor authentication. If you’d like to know more, you can watch the full presentation here. If you’re interested to hear some of Grimes’ other insights on cybersecurity (they’re not what you’d expect!), check out No Password Required, available here and from all major podcast platforms.
Roger Grimes is the data-driven defense evangelist for KnowBe4, with more than 30 years in computer security and expertise in host and network security, identity management (IdM), cloud security, honeypots, and more. Grimes attended the 2019 Florida Cyber Conference to share his knowledge about multi-factor authentication (MFA) and the common ways cybercriminals get around it to break into online accounts and perform malicious activities.
What is multi-factor authentication?
Multi-factor authentication is the process of using more than one method of authentication to confirm a person’s identity before granting access to a system or account. MFA can be implemented “in-band,” on the same device you are trying to authenticate from, or “out-of-band,” where the factor is validated over a separate communication channel. Out-of-band is typically considered the stronger option because it is more difficult to compromise. According to Grimes, multi-factor authentication is one of the best methods for securing online accounts and should be used whenever possible. However, despite the layered defense that MFA provides, it is not entirely safe from compromise by cybercriminals. Here are three methods cybercriminals use to work around multi-factor authentication.
Three Ways to Defeat Multi-Factor Authentication
1. Network Session Hijacking
This type of attack is based on hijacking a running session or connection and is typically performed by a man-in-the-middle (MitM) attacker, who places themselves inside the communication stream between the legitimate sender and receiver to steal their access session after successful authentication. Many MFA compromises occur when a hacker steals a victim’s text-file cookies or access control token, allowing access to the victim’s accounts and server without any further authentication.
Session hijacking proxy theft is a common tactic cybercriminals use to obtain this authentication information from a victim. According to KnowBe4’s website, “it’s essentially a man-in-the-middle attack, but it uses proxy_pass and sub_filter to modify and capture HTTP traffic.” Grimes explains that this type of attack often begins with a phishing message that convinces the victim to enter their login information into a rogue website that appears to be a legitimate, trusted site. The rogue website proxies everything the user types to the real website and captures what comes back, including the session cookie and login information. Once the text-file cookie is obtained, the hacker can load the session key into a browser and access the account without completing any further authentication step. To watch a demonstration video of how session hijacking proxy theft works, visit https://blog.knowbe4.com/heads-up-new-exploit-hacks-linkedin-2-factor-auth.-see-this-kevin-mitnick-video2.
2. Duplicate Code Generator
Many MFA code-generating tokens start from a randomly generated “seed” or “shared secret” value, which is then combined with some sort of counter or algorithm to generate every subsequent value. Each such value is a one-time password (OTP). Generated codes that are valid only for a short window, derived from the current date and time, are known as time-based one-time passwords (TOTP). The shared secret must always exist in at least two places, such as the server’s source database and the device itself. If attackers are able to obtain that seed/shared secret and know the algorithm, they can build a code generator that produces exactly the same codes as the victim’s. Google Authenticator’s QR code is an example of one way hackers use this method to compromise MFA: the QR code, which may or may not expire, contains all the token secrets necessary for the hacker to create an identical Google Authenticator instance.
3. Reuse of Stolen Biometrics
Grimes considers biometrics to be one of the worst authentication methods a subject can use, because they are not secrets and can be easily stolen. Unlike compromised login credentials or smartcards, which can be changed fairly easily, a stolen biometric identity is compromised for life, which is why it is known as a non-repudiation attack in the crypto world.
Roger’s Tips to Prevent MFA Compromise
- Don’t use real answers for your password recovery questions. According to Grimes, password recovery questions are the worst authentication method because they are the easiest to compromise. Recovery questions are often required when making an online account, but the answers can be easily guessed by hackers. A study showed that some recovery questions can be guessed on the first try 20% of the time, while 40% of people were unable to successfully recall their own answers. Additionally, 16% of the answers could be found in a person’s social media profile. To keep your online accounts as secure as possible, Grimes recommends using answers that are unrelated to the recovery questions and therefore more difficult for cybercriminals to guess. For example, if the question is “What is your mother’s maiden name?” you could answer with, “pizzapizza49582.” While this method may require you to record your passwords elsewhere, it will protect your account from the possibility of being infiltrated by hackers.
- Refrain from using SMS as an authentication factor. SMS recovery methods are another authentication method that cybercriminals can easily compromise, because the origin of an SMS message cannot be authenticated within SMS itself. The only information a hacker needs to abuse an SMS recovery method is an email address and its associated phone number, both of which a motivated hacker can easily find. Once they have that information, the attacker can phish the subject by sending a text from their “email provider” asking for the forthcoming SMS PIN reset code. The attacker then triggers SMS PIN recovery on the victim’s email account, enters the SMS PIN the victim relayed to them, and proceeds to take over the account. To prevent this type of MFA compromise, Grimes suggests avoiding SMS-based recovery methods whenever possible and being alert to rogue recovery messages. Additionally, remember that SMS recovery PINs should be typed into the browser, never sent back over SMS.