Many health care organizations use multifactor authentication (MFA) to help prevent breaches, but one expert said these systems are less secure than most people realize. Therefore, organizations should use MFA but augment it with significant security awareness training that takes into account how the system can be hacked.
“The most secure [MFA] can be hacked at least five different ways,” said Roger Grimes, data-driven defense evangelist at security firm KnowBe4 LLC. “Most of them can be hacked probably 10 different ways.”
Grimes, who spoke at a recent webinar,[1] said that education of everyone using the system is key: “Educate yourself and your end users to the strengths and the weaknesses of your type of MFA solutions. Make sure they’re aware of the different types of attacks against that MFA solution. Just educate them a little bit so they’re less likely to be phished.”
MFA is used to prevent unauthorized access to websites, applications or systems by requiring users to present two or more pieces of evidence to an authentication mechanism. One of the most common uses is by financial institutions, most of which require users to input a code sent to their phone or email before allowing them to log in to their accounts with their user name and password. MFA also may use biometric evidence—such as a person’s fingerprint—in combination with a user name and password. Many vendors who provide advanced systems also use contextual clues, such as looking at whether the log-in attempt is coming from a known device and/or known usual location.
“All things considered, MFA is usually better than one-factor authentication,” Grimes said. “We all should strive to use MFA wherever it makes sense and then whenever possible. But MFA isn’t unhackable.”
The top hack—a so-called “man in the middle” attack involving phishing and a fake website log-in page—works against 80% to 90% of MFA systems available, Grimes said. “If an attacker can send you an email and trick you into clicking on the wrong link, they can steal the information that you type in, including your log-in name, your password, a pin [code], or even if you’re sending any kind of MFA code, they’ll capture that. It’s known as network session hijacking, and it’s been around for decades.” Once hackers steal credentials, they can take over the user’s account and change anything that the user could use to take back control, Grimes said.
The “man in the endpoint” attack uses malware that the hackers have tricked users into installing, usually via social engineering or unpatched software. “It hides, and then it monitors where you go on your browser,” Grimes said. “Most of them are coded to look for 100 to 200 different URLs. Suppose you go to Bank of America. That Trojan will wake up and let you log in, and no matter how you log on—whether it’s through your bank app or through using your multi-factor authentication token—[the malware] starts a second hidden browser session that you can’t see and transfers all your money. So you think you’re just checking in to check on your bank balance or to pay a bill or transfer money to your kid, and it’s robbing you blind. And they typically change your phone number and your email address while they’re in there.”
In a SIM-swapping attack, the attacker transfers SIM card information from the victim’s phone to another phone, allowing the attacker to get any codes sent by text messages, Grimes said. The old phone stops working, but silently: “All that happens is your cell phone gets an out-of-network little icon.”
This attack usually is accomplished by socially engineering the cell phone carrier’s support technicians or by using a compromised insider, he said, and it is often done using cell phone account login information the attacker has previously phished from the victim in a precursor phishing attack. This method has been used successfully in many of the world’s biggest attacks on individuals, and the National Institute of Standards and Technology (NIST) SP 800-63 Digital Identity Guidelines do not accept text message codes as valid authentication because of how easy they are to hack, Grimes pointed out.
Finally, social engineering of tech support leverages human interaction to trick support staff into changing the passwords and email addresses on accounts, Grimes said. He described a case where a researcher challenged a hacker at a convention to break into the researcher’s cell phone account. The hacker accomplished this by pretending to be the researcher’s wife, with a crying baby in the background, and persuaded the tech support representative to give her the researcher’s email address and PIN code, Grimes said. The hacker also ordered herself a new phone on the researcher’s account, he said.
To guard against these types of attacks, Grimes said, employees need to be trained to recognize them. [2] “Whatever MFA solution you have, you should understand the strengths and the weaknesses of it,” he said. “Lots of people can hack any solution. Learn the different ways that your preferred MFA solution or solutions can be hacked, and then train people in the ways an attacker may try to compromise them.”