Amid the pandemic, MFA's shortcomings are clearer than ever


Due to you-know-what (if I have to type “corona” or “COVID” again, I’ll scream), enterprises have been forced to send a massive number of employees into makeshift home offices within just a few days. That means that there was no time for the security niceties, such as properly processing RFPs for apps that were thoroughly vetted. Given the emergency, employees and IT teams worked with what they could, figuring that they would improve security on the fly as soon as circumstances permitted.

That brings us to MFA. Multifactor authentication is supposed to be just that, but it’s typically deployed in the least secure manner — sending a plain numeric code by SMS to a mobile device, a tactic that is well-known to be susceptible to man-in-the-middle attacks. So, are there better ways to deploy MFA, something that can be easily executed under today’s far-less-than-ideal conditions? Let’s dig in.

First, though, it’s worth noting that numeric texts can be undermined by quite a few things other than man-in-the-middle attacks.

“There is documented fact that SMS as a 2FA delivery channel has been consciously targeted and successfully compromised by [cyberthieves] exactly because they know it is used for 2FA delivery and by highest-target-value apps/services such as banking and PayPal,” said John Herrema, senior vice president of product management at BlackBerry, which today works on security software and systems. “Successful compromises include a combination of technical compromises based on interception and socially engineered compromises, such as bribing someone to port a specific target’s mobile number so a malicious [cyberthief] receives codes. Or using a phishing attack to trick a user into entering credentials and [one-time passwords] into a fake site, which is then used to access the actual site. It is true that any form of 2FA is better than nothing, so the question is not whether some form of 2FA is better than nothing, but rather whether there is a better state-of-the-art option available, particularly for highest-target-value use cases. How you secure access to a bank account doesn’t have to be and probably shouldn’t be the same as how you secure access to a YouTube account.”

It’s interesting that Herrema mentioned PayPal, because PayPal quietly deploys two very different MFA approaches, although they look almost identical to the end user. I discovered this last month when looking into some European security researchers’ published report that PayPal MFA was susceptible to man-in-the-middle attacks. The researchers shared their exact methodology (complete with screen captures), but a pen tester we worked with couldn’t successfully replicate the attack. After multiple screen-sharing real-time discussions, it became clear that the attack only worked if the MFA option was turned off.

Huh? Yep, it was then that we realized that PayPal had a rather robust MFA text deployment for any user who activated the MFA option — which, for what it’s worth, really should be everybody. But for users who declined MFA, PayPal gave them one anyway, but it was a lower-security offering. Kudos to PayPal for trying to protect all of its users, including the stupid ones who decline MFA.

Copyright © 2020 IDG Communications, Inc.
