Multi-factor Authentication and can we depend on that method for our protection?
Until recently, Multi-factor Authentication and notably, Two-factor authentication (2FA) were appealing to all of us as a prevalent practice to protect us from the nuisance of varieties of phishing attacks.
After AT&T patented it for the first time in late 1995 and later implemented by Twitter in 2013, Multi-Factor Authentication methods used for defense from the nuisance of phishing attacks initiates a very positive notion throughout the information security professional community.
Unfortunately, just a few years later as early as late 2016 were published reports about different flows and weaknesses of Multifactor Authentication practices.
In 2017 the white hat hacker Kuba Gretzky published on his invention of “Evilginix — Advance Phishing with Two-Factor Authentication Bypass” (Gretzky, K. 2017)[i], where he in detail describes a method to use “man in the middle” approach, by using a server to bypass the Two-Factor Authentication, for Google accounts, a method that works as well, for any other website as demonstrated and claimed by the author.
Furthermore, later this year in early October 2018 as reported by CERFA: “The Return of The Charming Kitten”,(CERFA, 2018)[ii], they review a reported by Twitter user — MD0ugh, targeted cyberattack against the US Financial Infrastructures by a group of Iranian hackers.
The report made by CERFA concluded, that the core of the attack was again, bypassing the Multifactor-Authentication Authorizations, by utilizing a combination of a phishing attack, spear-phishing attack methods combined with social engineering, to scan, target, research and attack the targeted individuals and organizations.
In summary, of CERFA thorough investigation, they issue a set of recommendations directed towards tech companies, policy makers, civil society, and individual users, for defense methods and practices that would help prevent those types of cybercrime attacks in the future.
Additionally, the summary of those conclusions are directed toward reducing the uses of Two-Factor Authentication by text messages (SMS), and instead encourage the use of Security Keys such as Yubikey for 2 factor authentication, usage of company or institutional email account instead of private email account for work, use of authenticator mobile app like Google Authenticator or similar.
Furthermore, we as a user’s, must restrain from clicking on unknown links or respond to emails that required account credentials check, update or similar, and always notify your security department or verify with the real organization if that account update, or changes from you were requested in the first place.
More importantly, based on those reporting’s, we can conclude that once again the foundation of establishing a secure and dependable defense against phishing cybercrime attacks, is the correct actions and behavior of the human.
That is the weakest point of the described above cases, if the targeted individuals, did not respond to the phishing attacks, and did not act by impulse after receiving the fishing messages for updating or changing their account information, those attacks could be stopped in their tracks.
In brief, the secret weapon of cybercriminal is to influence the targeted individual for acting by impulse and urgently, that eliminates plausibility to stop such attacks, and it is the main weakness for every organization and individual today.
More importantly, it is essential to underline in the organizational security policies as well in the employee training that no one should act upon receiving electronic messages (emails, SMS, and even phone calls) that are asking for any form of account update, account change, personal or account information, billing or other type of account requests before the source of that notification is verified.
Always contact first your security department or call the organization claiming to send that message to verify did they really send it, a plain approach, yet too often ignored by most of today’s technology users.
In conclusion, the cybercrime is here to stay and will continue to exploit our weaknesses. There will be no panacea method or tool to help us in the fight against those types of destructive attacks. It is up to us to be vigilant and proactive.
In most of the cases a basic common sense and “trust but verify” approach could help us to make a difference we need to protect ourselves.
[i] Gretzky, K. (2017). Evilginx — Advanced Phishing with Two-factor Authentication Bypass. Retrieved from https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
[ii] Lab, C. (2018). The Return of The Charming Kitten — CERTFA Blog. Retrieved from https://blog.certfa.com/posts/the-return-of-the-charming-kitten/