Multi-Factor Authentication is NOT a Silver Bullet

As hackers got better, so did developers. Multi-Factor authentication, a technique which requires something that you know, like a password and something that you have, like an SMS message on your phone, makes the lives of crooks harder, but far from impossible to attack and here is why.

One way this is done is via social engineering. In this situation, the hacker who wants to take over an account contacts the user and spins a story about something – maybe they are from the user’s cell carrier and there is a problem, but first I need to authenticate you, so I am going to send you a text message. Unfortunately, users sometimes fall for this and when they do, what is really happening behind the scenes is the hacker gets the user on the phone, gets them committed and at that point, logs on to the user’s account. The system sends the user a one time SMS password and the user gives that password to the hacker who logs in and does whatever.

One fairly effective way to thwart this is to literally hang up on the supposed phone company or law enforcement or whatever caller, look up the correct number for the organization securely – DO NOT use any number the hacker gives you – and explain the situation when you call them. Note that you do not want to try and reason with the hacker or explain what you are doing. JUST. HANG. UP! Not perfect, but improves your odds a lot.

Another way to get around multi-factor authentication is to use what are called “legacy protocols”. These are older protocols that do not support MFA. For example, let’s say you use Office 365 and require MFA. Hackers can get around this requirement by using older protocols such as POP, SMTP or MAPI or older applications such as iOS Mail for iOS 10 and older. Since these apps and protocols don’t support MFA, if the hacker has your password, he or she can get in and send or receive data.

IF POSSIBLE without crippling the business, disable these older protocols and older apps. Every platform is different in terms of if or how this disabling works.

Some platforms, like Office 365, have a feature specifically designed to block these older protocols and apps. For Office 365, this is called Conditional Access, but even that is not perfect.

The best way to disable these feature is IF YOU CONTROL THE SERVER, turn off the protocol. You can’t do this in the case of most cloud applications.

Still, understanding the issue and potential options to protect your company is important. Work with your vendors and suppliers to understand the risks and potential responses. Read Abnormal Security’s blog post for more information.

Leave a Reply

Your email address will not be published.