Multi-Factor Authentication Can Be Phished - Now What?

Nothing is unhackable... This is the one thing we have learned from the decades-long war between the system builders and the hacker "community."

Every program has bugs, every wave can be intercepted and interfered with, and every device can be reverse-engineered. People are also hackable, as we've learned from the evolution of con artists to phishing schemes.

In the last few years, it's been said that two-factor authentication (2FA or MFA) is the answer to many, if not most of the risks of account-thieving hacks. 2FA is great. It pings your phone or email if a hacker tries to login from a new device or location, and you (& your users) have a chance to reject, report, and defend against the hacking attempt. But no system is perfect.

There are already open-sourced strategies to overcome widely used 2FA methods. Fake password updates and spoofed confirmation emails are only the beginning. There are impersonation scams, website proxy logins, duplicated sessions from hacked endpoints, man-in-the-middle interceptions, and even SIM card duplication.

Let's talk about how multi-factor authentication can be phished and how we might keep users safe in spite of this fact.

2FA Phishing is the Old-New Game

When the cybersecurity battle was just a technical one, it was security algorithm versus code breaker. Early passwords were guessed or even brute-force cracked. Routing around to the human layer felt like a genius move. 2FA is the ultimate human insulation gap to defeat widespread password theft. But people can be fooled, are busy, and are used to things like bugs, logging back in , login hassle, and technical support asking tedious confirmation questions. It turns out people are easier to hack than machines.

So now, there is a complex network of both technical and scam-artist methods to get around 2FA, just like every other security barrier invented so far. The hacking community is, after all, the ultimate pool of test users. If there is a flaw, a work-around, or a weakness in commonly used business software and methods, they will find it.

2FA was the new kid on the block and it is powerful. A working 2FA system provides security updates and roadblocks that any attentive user can operate to block unknown and unexpected logins. But let's not stop there.

Types of Multi-Factor Authentication Phishing & Hacking

Phishing MFA Methods

• Email: A hacker sends a fake email from your company claiming the user must update their password or account information, correct a billing error, or some other basic transaction.
• The user then follows the hacker's links in the email and enters their credentials into a proxy website that looks like your website
• Or the user actually starts the process and is asked to enter their legitimate confirmation code into the hacked email or website
• Phone: A hacker calls the target claiming to be tech support from your company. They walk the user through the process of exposing their account, including reading out legitimate OTP or One Time Password confirmation codes.

When you place the barrier of human confirmation into the way of hackers, they hack people. What was once called a scam has now become a social hacking method. Lies and impersonations to assist in stealing accounts, infecting victim computers, and accessing protected data through fooling people into thinking they're dealing with someone official.

Hacking MFA Systems

1. Compromised Devices
2. Compromised OTP Servers
3. Man in the Middle Proxies
4. Website Impersonation
5. Known System Exploitations
6. SIM Card Duplication and Phone Taps
7. Compromised Personal Emails

2-Factor or Multi-Factor Authentication is no more foolproof than any other system, it just increases the visibility of false logins when they occur and adds a layer of complexity to hacking attempts. There are seven (at least) known ways that 2FA can be compromised. The user's device can be compromised so that every keypress and login is hacked. This can lead to duplicate sessions. Man in the Middle hacks can start at a number of points including phishing email, hacked websites, and domain typo-squatting.

If an OTP server is compromised, false and authenticated one time passwords can be sent. Even a user's phone is not a foolproof measure. The technology to duplicate SIM card signals and tap cell and SMS messages has existed for some time now. Likewise, the entire process can be circumvented just with the login credentials for the user's personal email account.

Defending Your Users Using 2FA Systems

Despite the fact that there are compromises, no system is perfect and 2FA has significantly cut down on the instances of account theft. The two-pronged defense strategy is 1) to keep your technology one step ahead of the hackers with the latest tools and security patches, and 2) to keep your users aware and vigilant against suspicious messages and unexpected confirmation requests.

1. Update Regularly to Stay One Step Ahead
   
   
• Make sure the technology you are using is not subject to one of the known exploits being shared on the darknet open source. Security patches and active vulnerability management can help you stay ahead of known risks.
  
  
2. Upgrade from 2-Factor to Multi-Factor
   
   
• Don't just use 2FA, diversify. The more ways that your users confirm their accounts, the better. Use phone and email. Use personal and work email. Use pins, biometrics, or get creative with unique dot-drawing and other developing password alternatives. This makes it more difficult for hackers to standardize their approach and helps to render stolen passwords less useful.
  
3. Use Unconventional Security Questions
   
   
• Never use the standard security questions. A mother's maiden name, childhood elementary school, and other standards can be easily researched. Use unconventional security questions like a person's favorite dead president, weird invention, or joke punchline.
  
  
4. Train Your Users in Scam-Spotting
   
   
• Phishing awareness training is vital for anyone in the modern workforce. Even young people need to know how to spot what the kids call "sus" (short for suspicious) signals. Tip-offs like asking for personal information, claiming to be a government body, or unsettling and threatening or overly promising language are all red flags that anyone with a phone or email address should know how to spot.
  
  
5. Provide a Quick Reporting Tool
   
   
• Most people who get that "sus" feeling and dodge a phishing attempt do not report it. They just don't respond to the email or text. This may save one person, but leaves every other target - in the company and beyond - susceptible. So, make it easy for your team to report an email and emphasize that your IT team wants these reports. Reporting a phishing email can save coworkers.
  
  
6. Conduct Phishing Drills to Promote Alertness
   
   
• Lastly, it's been found that many people will confirm a 2FA even if they did not just attempt a login. This happens because people get complacent - and because account access and recovery is so very common. The solution is phishing drills. If you get your team used to watching for suspicious messages and give rewards for spotting the spoof, they'll be on their toes for the real deal when it comes.

2FA is Here to Stay - Let's Secure It

2-Factor authentication is still an important and widely used part of the cybersecurity landscape. People use and need it, and it absolutely cuts down on stolen accounts. It can also be hacked both technically and socially like most other systems. Nothing is perfect. So here we are defending the "home" team in the great cybersecurity game, we play another round, upgrade your software, and get the team ready for a defensive play.

Contact Systems X for more information about MFA and other cybersecurity solutions.