Pub. 12 2022-2023 Issue 5

Multi-Failure Authentication
FINDING AND FIXING GAPS IN MFA
By Chris Tuzeneu, VP-Information Security, CivITas Bank Solutions

Multifactor authentication, or MFA, is widely regarded by security professionals as one of the best tools you can use to keep your accounts safe. By now, you probably already know how it works and how it keeps you more secure than a username and password alone. But is it good enough to stop all attacks? As with anything, it has its weaknesses. So let's take a look at some of the attacks used against MFA and how you can keep them from succeeding.

Double Compromise

Properly implemented, multifactor authentication is great, but a one-time passcode sent to your primary email address is one of the weakest methods.

The scenario: In the event of email compromise, the attacker would simply use a "Forgot Password" link to reset the account in question, receiving the reset email in the compromised mailbox. Then, after resetting the password, they would intercept the MFA code that was sent to the same email address and fully take over the account. This is not to mention the fact that these one-time codes are almost always sent unencrypted and could be read by any email server the message passes through on its way to the recipient.

The solution: If you have a choice between email and another delivery method for your MFA codes, something else is usually much more secure.

Notification Fatigue

This is a new tactic that the bad guys are using to try to wear you down so you let them in. It only works for accounts protected with Duo, Microsoft Authenticator, or any other implementation that requires you to tap "Yes" or "Allow" to proceed.

The scenario: An attacker has guessed, phished, or brute-forced a password. They try to sign in over, and over, and over again in the hope that the user will get tired of the notifications and just approve one, thinking it's something necessary for the account to work. Maybe they even do this late at night while the target is trying to sleep.

The solution: If your authenticator app starts going nuts, talk to IT and get your password reset for the affected account. This will block any further sign-in attempts and stop the push notification frenzy. Always report any authentication requests that you didn't initiate. Also, use your smartphone's scheduled do-not-disturb function to silence noncritical notifications while you sleep ... or just keep your phone in another room.

Good Timing

The scenario: As in the last example, a password has been compromised and a push-based MFA solution is in place. The attacker learns the primary time zone of the company and tries to log in at exactly 8:00 local time (or whenever they learn work starts in the morning). The idea is to time the login attempt to when many employees are starting their day, making it more likely that the push notification will get approved if it happens to coincide with a legitimate login attempt.

The solution: Any push notification should give you some additional details about the login when you click it. Specifically, it should show the IP address and geolocation where the attempt originated. If your business is in the United States and the login is coming from China, that's one you'll want to say "No" to and report. Then, a password change will be in order.

OTP Phishing

The one-time passcode (OTP) is usually a six-digit code that is sent to your phone or generated by an authenticator app, which you use to verify your login. Generally, the codes rotate every thirty seconds to five minutes, and once a code has been used it becomes invalid. This attack relies on the attacker capturing that code from you and using it in real time, before it expires.

www.coloradobankers.org 8
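The two push-based abuses described above (notification fatigue and the "good timing" foreign-origin approval) both leave a footprint in the identity provider's sign-in log. The following is an added example, not code from the article or from any MFA vendor; it runs simple detection logic over constructed sample events, and the field layout, window and threshold are assumptions you would tune to your own log format and tenant.

```python
# Added example (not from the article): detect a push-prompt burst and any
# approved push from outside the home country, over constructed log events.
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event, source IP, country):
# an attacker hammering "alice" with prompts at 2 a.m., a single foreign
# approval for "bob" right at 08:00, and a normal domestic login for "carol".
EVENTS = [
    ("2023-03-01T02:10:05", "alice", "push_sent", "203.0.113.7", "CN"),
    ("2023-03-01T02:10:40", "alice", "push_sent", "203.0.113.7", "CN"),
    ("2023-03-01T02:11:15", "alice", "push_sent", "203.0.113.7", "CN"),
    ("2023-03-01T02:12:02", "alice", "push_sent", "203.0.113.7", "CN"),
    ("2023-03-01T02:12:50", "alice", "push_sent", "203.0.113.7", "CN"),
    ("2023-03-01T02:13:30", "alice", "push_approved", "203.0.113.7", "CN"),
    ("2023-03-01T08:00:12", "bob", "push_sent", "198.51.100.9", "CN"),
    ("2023-03-01T08:00:40", "bob", "push_approved", "198.51.100.9", "CN"),
    ("2023-03-01T08:01:00", "carol", "push_sent", "192.0.2.44", "US"),
    ("2023-03-01T08:01:20", "carol", "push_approved", "192.0.2.44", "US"),
]

def parse(events):
    return [(datetime.fromisoformat(t), u, k, ip, cc) for t, u, k, ip, cc in events]

def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=4):
    """Return users who received at least `threshold` push prompts inside any
    `window`: the notification-fatigue pattern. Window and threshold are
    assumed values; a real deployment would tune them to normal prompt rates."""
    sent = {}
    for ts, user, kind, _ip, _cc in parse(events):
        if kind == "push_sent":
            sent.setdefault(user, []).append(ts)
    flagged = set()
    for user, times in sent.items():
        times.sort()
        for i in range(len(times)):
            # Sliding window: count prompts from times[i] up to times[i] + window.
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)

def flag_foreign_approvals(events, home_country="US"):
    """Return (user, ip, country) for every approved push whose source lies
    outside the home country: the approval the article says to deny and report."""
    return [(u, ip, cc) for _ts, u, k, ip, cc in parse(events)
            if k == "push_approved" and cc != home_country]
```

Either hit is a trigger for the article's response: reset the affected password and report the prompts the user did not initiate.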
