Authors: John Farley, Stephen Ramey

Multifactor authentication (MFA), a longstanding bedrock of cyber defense strategy, has come under attack. While MFA remains a key and effective requirement to preventing many cyberattacks, we're seeing evidence that threat actors are beginning to develop tactics that may defeat it in certain circumstances.

MFA defined

MFA is a security process that requires authorized users to provide multiple forms of identification before gaining access to a system, application or network. It is designed to prevent social engineering attacks that manipulate victims into transferring large sums of money or other sensitive data to criminals. Typically, MFA combines at least two of the following factors:[1]

  • Something you know: A password, an answer to a security question or a PIN
  • Something you have: A mobile device, security token or a smart/chip card
  • Something you are: Biometric data

MFA bypass: The latest emerging threat

Despite the strong protection MFA provides, it is not effective in every circumstance. According to Steve Ramey, CEO of leading cybersecurity firm IronGate, organizations need to be aware of emerging criminal tactics that aim to defeat MFA:

Malware: End-user devices are infected with malware that lets the attacker control the device remotely. This malware can be delivered through phishing emails, malicious links or compromised websites. Once a device is compromised, adversaries usually have full control of it. Their objectives typically include:

  • Key log passwords and steal session tokens.
  • Intercept one-time passcodes.
  • Stealthily transmit information.
  • Gain remote access connectivity.

Figure: Malware infects and then remotely controls devices. (Used with permission.)

Man-in-the-middle (MITM) attack: In a MITM attack, the adversary intercepts the victim's transmissions. Phishing emails are used to deliver the malicious URL, and the adversary's websites appear as legitimate sites with typical branding (most are cloned from real sites). Objectives include:

  • Obtain passwords and one-time passcodes.
  • Alter communications.
  • Obtain MFA codes, cache login credentials and revisit accounts.
  • Impersonate the victim.

Figure: MITM intercepts the victim's transmissions. (Used with permission.)

"Phishing resistant" MFA

Organizations can deploy several strategies to counter the MFA bypass threats. IronGate's Steve Ramey outlines these three strategies:

Use of strong authenticators: Phishing-resistant MFA involves using authentication factors that aren't easily intercepted or duplicated by attackers. These factors can include hardware security keys or biometric identifiers like fingerprints or facial recognition.

Direct communication: The authentication factor communicates directly with the authentication server or service. For example, a hardware security key might use a physical connection (like USB) or a wireless protocol (like NFC or Bluetooth) to authenticate directly with the service, without the user having to enter any information that phishers could capture.

No reusable passwords: Unlike traditional MFA methods that might still rely on a password as one factor, phishing-resistant methods avoid any credentials that could be reused or intercepted. Even if a phisher tricks a user into attempting a login on a fake site, the phisher can't capture the necessary information to replicate the login elsewhere.
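As an added illustration (not code from the article or from IronGate), the Python model below shows why the direct-communication and no-reusable-credential properties stop the relay described in the MITM section: the authenticator only holds a credential for the origin it was enrolled at and signs that origin into every assertion, so a genuine challenge relayed through a look-alike site yields nothing the real service will accept. The origins, the user name and the HMAC stand-in for a per-credential public-key signature are all constructed for this example.

```python
import hmac, hashlib, json, secrets

# Constructed origins: the genuine service and a look-alike site relaying to it.
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"

class Authenticator:
    """Model of a phishing-resistant authenticator: one credential per origin, and each
    assertion signs the origin the browser really connected to along with the challenge.
    HMAC over a shared key stands in for the per-credential public-key signature."""
    def __init__(self):
        self._keys = {}
    def register(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]  # a real device would return a public key instead
    def login(self, seen_origin, challenge):
        key = self._keys.get(seen_origin)
        if key is None:
            return None  # no credential scoped to this origin: nothing to sign
        client_data = json.dumps({"origin": seen_origin, "challenge": challenge}).encode()
        return {"client_data": client_data,
                "sig": hmac.new(key, client_data, hashlib.sha256).digest()}

class RelyingParty:
    """The genuine service: issues single-use challenges, checks origin and signature."""
    def __init__(self, origin):
        self.origin, self.keys, self.challenges = origin, {}, set()
    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge
    def verify(self, user, assertion):
        if assertion is None:
            return False
        data = json.loads(assertion["client_data"])
        if data["origin"] != self.origin or data["challenge"] not in self.challenges:
            return False  # signed for another origin, or an unknown/replayed challenge
        self.challenges.discard(data["challenge"])  # single use: a replay fails here
        expected = hmac.new(self.keys[user], assertion["client_data"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])

def login_via(seen_origin):
    """Enroll Alice at the real site, then sign a genuine challenge (relayed unchanged by
    the proxy) while her browser is connected to `seen_origin`."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.keys["alice"] = auth.register(REAL_ORIGIN)
    return rp.verify("alice", auth.login(seen_origin, rp.new_challenge()))
```

A one-time passcode, by contrast, carries no origin, so the same relay would pass it straight through to the real site.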

Leveraging cyber insurance

Cyber insurance and other insurance policies may help organizations transfer risks associated with losses stemming from social engineering and many of the latest emerging cyber threats.

Many policies provide access to crisis services, including breach coaches, IT forensics investigators and several other breach response experts. Those with cyber insurance should be mindful of claim reporting obligations, requirements to use insurance panel breach response vendors, evidence preservation and issues that may impact attorney-client privilege.

Cyber insurance applicants should be prepared for underwriting scrutiny of several cybersecurity controls. For more information on how to prepare, see our Cybersecurity Controls Checklist.

Mitigating a social engineering financial loss

If your company has been attacked successfully, and a financial transfer was completed, there are a few ways to mitigate risk and exposure.

  • Immediately notify the remitting and receiving banks and seek to freeze funds if possible. If the transfer is caught within 48 hours, the bank may be able to recover some or all of the funds. Also, engage experienced legal counsel as soon as possible to maximize the chance of freezing the funds.
  • Compile copies of the emails documenting the fraud with details of the fraudster's account receiving the funds.
  • Report the incident to local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. These authorities often have the power to freeze funds, helping the victim avoid costs for obtaining court orders on their own. These crimes can be reported to the joint FBI/National White Collar Crime Center — Internet Crime Complaint Center (IC3) website at ic3.gov.
  • Initiate civil action against the criminal. The recipient of the funds is unlikely to answer the civil action, enabling the victim to obtain a default judgment on its full claim. However, actually recovering the funds could be difficult.
  • Hire an independent forensic investigator to identify the extent of the network intrusion. These investigators can tell what information may have been accessed and give advice on actions to take to add security features as appropriate.
  • Determine through legal counsel whether you have any reporting obligations to regulators, business partners or other affected individuals.

Author Information

Stephen Ramey
CEO, IronGate

Source

[1] "Use Two-factor Authentication to Protect Your Accounts," Federal Trade Commission, Sept 2022.