3 ways cybercriminals are undermining multifactor authentication (MFA)
Many have heralded multifactor authentication (MFA) as the ultimate cyber defense. Organizations and individuals “feel” safer with it enabled and believe it to be virtually foolproof. After all, an attacker would need the login credentials and access to the secondary device to compromise a system. And yet, that false sense of security is dangerous because it has become relatively easy to get around these protections without extensive technical skills.
Just as sophisticated technology is used to strengthen systems, threat actors can use that same technology to exploit weaknesses. They can even use legitimate infrastructure to bypass MFA and access corporate networks and personal data. The following are just some of the ways these attacks have been successful.
One of the more pervasive attack methods is a man-in-the-middle (MitM) or reverse Web proxy attack. In this case, a malicious user sends a link either through email or SMS that directs the target to a phishing website that resembles (almost exactly) a legitimate site. It is virtually impossible to the untrained eye to distinguish the fake from the authentic site.
For example, assume that a bank’s login page employs two-factor authentication (2FA). The attacker knows that even with the username and password, they won’t be able to access the site. Therefore, they put in place a reverse web proxy between the phishing page and the actual service (hence the name “man in the middle”).
When the user’s real credentials are entered on the phishing site, it communicates to the legitimate service, which, in turn, sends the second-factor token or code to the user. When the user submits the authentication code on the phishing site, they unknowingly provide the attacker with the last piece of information they need to access to the account.
The simplicity of this attack is illustrated in a GitHub toolkit that automates the MitM process. The researchers who published this code did it for educational purposes, but it highlights how readily available malicious toolkits have become to the public. Simply go to your friendly neighborhood app store rather than having to search around on the Dark Web.
Malicious OAuth Apps
These attacks leverage the pervasiveness of the OAuth standard for access delegation. Every cloud service lets users access websites or third-party authorization applications without continuously having to sign in with their username and password, giving those sites and apps account access through OAuth tokens. However, because the process of granting permission is so quick, easy, and convenient, people can be (and are) easily tricked into authorizing malicious apps.
To read the complete article, visit Dark Reading.