Multi-factor authentication (MFA) is an authentication method that requires two or more factors to verify a user's identity before granting access to a system, account or other online resource. Often, this is something you know, like a password, and something you have, such as a security code sent by SMS or a push notification to a mobile app. These common implementations of MFA with passwords and codes have always had a critical weakness: the security code can be intercepted, or obtained from the user directly through phishing.
It is now well understood that usernames and passwords alone are insecure forms of authentication. Because it can potentially stop an attacker from accessing important data and accounts, MFA has become a requirement for organizations. Further, it is increasingly a minimum expectation for underwriters to sign off on cyber insurance policies.
“It is now common practice to require that insureds have MFA in place (especially when it comes to email access) before providing a quote for most accounts,” wholesale broker CRC reported. “Without MFA, clients risk non-renewal or a retention hike of 100% or more.” Unfortunately, over the past several years, attackers have quietly caught up with legacy MFA solutions. This silver bullet is not working like it used to, especially in light of AI-driven phishing attacks that organizational education and training cannot entirely prevent.
“We are seeing attackers start to get around MFA with phishing and SMS-based attacks more and more frequently, but there is not the same awareness among the majority of underwriters yet,” said Dan Burke, national cyber practice leader at Woodruff Sawyer. “While the insurance industry is traditionally reactive, this has the potential to be very important as we see more claims data showing how MFA was bypassed for the attack.”
According to research by Microsoft’s Threat Intelligence team, new tactics such as adversary-in-the-middle (AitM) attacks are the most recent form of phishing used to bypass MFA. In these attacks, a cybercriminal intercepts and modifies communications between two parties, such as a user and a website or service, to steal data. A new platform named Tycoon 2FA makes AitM attacks even easier for cybercriminals and has been observed in thousands of phishing attacks.
In a survey by the incident response team at Kroll, 90% of organizations investigated for business email compromise incidents last year had MFA in place. Last September, a multi-year phishing campaign leveraged AitM tactics to compromise over 8,000 Office 365 accounts, according to a report by cybersecurity firm Group-IB. Law firms and schools have also been targets of phishing attacks that bypassed legacy MFA implementations. To combat this growing and pervasive threat, organizations and their insurers need to start asking hard questions about how MFA is deployed and whether phishing-resistant forms of MFA are used to protect their most critical accounts, data and systems.
Humans are the constant weak link in any cybersecurity program, and phishing is not going away anytime soon, so organizations must figure out how to regain the upper hand. While any MFA is better than just a username and password for authentication, different types of deployments come with different levels of risk. The security industry has been aware of that for a while, though change across enterprises has been slow.
In 2020, hackers breached Twitter’s network and seized control of dozens of Twitter accounts assigned to high-profile users, and ultimately stole over $118,000 in bitcoin. In its report on the incident, the New York Department of Financial Services noted, “MFA is critical, but not all MFA methods are created equal. Twitter used application-based MFA, which sent a request for authentication to an employee’s smartphone. This is a common form of MFA, but it can be circumvented. During the Twitter hack, the hackers got past MFA by convincing Twitter employees to authenticate the application-based MFA during the login. The most secure form of MFA is a physical security key, or hardware MFA, involving a USB key that is plugged into a computer to authenticate users. This type of hardware MFA would have stopped the hackers, and Twitter is now implementing it in place of application-based MFA.”
Seeing the growing effectiveness of attackers bypassing legacy MFA, the Cybersecurity and Infrastructure Security Agency (CISA) released a blog post written by Senior Technical Advisor Bob Lord about a new defensive tactic: phishing-resistant MFA. “Unlike regular MFA, phishing-resistant MFA is designed to prevent MFA bypass,” he explained. “Phishing-resistant MFA can come in a few forms, like smart cards or security keys. Since only the key owner has physical access to their device, phishing scams do not work, and even weak passwords have an extra layer of protection.”
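The two passages above describe the problem (an AitM proxy relaying a login between the user and the real service) and the fix (security keys), but not why a security key survives the relay when a one-time code does not. The added example below, which is not code from the article, CISA or any vendor, is a simplified model of a WebAuthn/FIDO2 login ceremony. Its key point is origin binding: the browser, not the user, records the page origin in clientDataJSON, the authenticator signs a hash of that data, and the server rejects any assertion whose origin is not its own. A relayed one-time code carries no such information, so the server cannot tell where the user typed it. The relying party name `login.example.com`, the lookalike origin `login.example-com.net` and the user `alice` are constructed for the example; the authenticator signature is modelled with HMAC over a per-credential secret so the code runs on the Python standard library, whereas a real key uses an ECDSA key pair (the verification order and the origin check are the same).

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party identity for the example.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
# Constructed lookalike origin standing in for a phishing page.
LOOKALIKE_ORIGIN = "https://login.example-com.net"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Simplified authenticator. A real FIDO2 key signs with an ECDSA key
    pair; HMAC over a per-credential secret stands in here so the example
    needs only the standard library. What gets signed matches WebAuthn:
    authenticatorData || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self.credential_secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, challenge: str, origin: str) -> dict:
        # 'origin' is supplied by the browser from the page that called
        # navigator.credentials.get(); the user never types it, so a
        # phishing page cannot present the genuine origin.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || counter
        auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + sha256(client_data)
        signature = hmac.new(self.credential_secret, signed, hashlib.sha256).digest()
        return {"clientDataJSON": client_data,
                "authenticatorData": auth_data,
                "signature": signature}


class RelyingParty:
    """Server-side verification in the order the WebAuthn spec prescribes."""

    def __init__(self, rp_id: str, origin: str, credential_secret: bytes) -> None:
        self.rp_id = rp_id
        self.origin = origin
        self.credential_secret = credential_secret  # registered at enrolment
        self.pending: dict[str, str] = {}           # user -> outstanding challenge

    def begin_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, assertion: dict) -> str:
        challenge = self.pending.pop(user, None)    # single use: blocks replay
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("type") != "webauthn.get":
            return "rejected: wrong ceremony type"
        if challenge is None or client_data.get("challenge") != challenge:
            return "rejected: challenge mismatch"
        if client_data.get("origin") != self.origin:
            return "rejected: origin mismatch"       # the phishing-resistance check
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return "rejected: rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return "rejected: user presence not asserted"
        expected = hmac.new(self.credential_secret,
                            auth_data + sha256(assertion["clientDataJSON"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "rejected: bad signature"
        return "accepted"


def genuine_login(key: SecurityKey, rp: RelyingParty) -> str:
    challenge = rp.begin_login("alice")
    assertion = key.get_assertion(RP_ID, challenge, RP_ORIGIN)
    return rp.finish_login("alice", assertion)


def relayed_login(key: SecurityKey, rp: RelyingParty) -> str:
    # The AitM situation from the article: the genuine challenge reaches the
    # user on the lookalike page and the assertion is passed back unchanged.
    # A real browser would refuse even earlier, because RP_ID is not a
    # registrable suffix of the lookalike hostname.
    challenge = rp.begin_login("alice")
    assertion = key.get_assertion(RP_ID, challenge, LOOKALIKE_ORIGIN)
    return rp.finish_login("alice", assertion)


if __name__ == "__main__":
    key = SecurityKey()
    rp = RelyingParty(RP_ID, RP_ORIGIN, key.credential_secret)
    print("genuine login:", genuine_login(key, rp))
    print("relayed login:", relayed_login(key, rp))
```

Running the block prints `accepted` for the genuine login and `rejected: origin mismatch` for the relayed one. The challenge is also consumed on first use, so an assertion captured in transit cannot be submitted a second time; that is the property an SMS or app code lacks, since the code itself says nothing about where it was entered.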
As cyberattacks continue to evolve, legacy security methods have become less and less effective. New methods like phishing-resistant authenticators can help organizations better protect themselves from the latest cyberthreats.
“Give every employee a set of security keys and mandate that they use it for access to all internal services,” Lord said in the CISA blog post. “After suffering from an MFA bypass attack, what do victim companies do? Many report that they deploy security keys, so the same attacks will not work again. Why learn the hard way?”