A recent Akamai Security blog post, Massive Campaign Targeting UK Banks Bypassing 2FA, written by my colleague Or Katz, gives a great insight into how attackers used very simple techniques to bypass two-factor authentication (2FA) and gain access to U.K. consumers' bank accounts.
The attack started with an SMS message to the victim's phone claiming there was suspicious activity on their account; for example, a suspicious payee had been added or a suspicious transaction had been made. The SMS linked to a fake bank login page that let the attacker capture the victim's username and password, which the attacker then used to log in to the legitimate login page. That log-in sent a genuine one-time password (OTP) to the victim's phone. Once the victim entered that OTP into the fake page, the attacker had full access to the bank account.
As we have seen with other consumer-focused attack techniques, these can quickly and easily be adapted to be used to attack enterprises. For example, last year's Twitter hack used a very similar technique to the banking credential attack, but this time the target was the account takeover of high-profile victims. Once the attackers gained access to an employee's account, they were able to move laterally and get access to the tools used to manage Twitter user accounts. This gave them the means to hijack the public Twitter accounts of high-profile celebrities.
But the fact is, it can be even simpler to bypass 2FA, and there's no need to bother luring the victims with a fake login page.
Let's imagine my username and password for Acme Corporation have been compromised and are available for sale along with hundreds of my colleagues' credentials. But Acme Corporation's security team has implemented an additional login security step: every time an employee logs in to the network, they must authorize the login attempt on their phone -- in other words, multi-factor authentication (MFA).
Then, at 9 AM on a Monday, the attacker uses an off-the-shelf toolkit to launch a credential stuffing attack on Acme Corporation. As in the case with the banking attack, the login attempts to Acme Corporation's network will then create second-factor challenges to employees' phones.
Now, I don't know about you, but I'm seldom at my best so early on a Monday morning -- the weekend has been too short and I'm starting to think about what the busy week has in store for me. Faced with that kind of challenge on a phone, such as a push notification, would I stop and wonder if this challenge is real? I'd probably think: Well, it must be real because it's the same as when I log in, and maybe I forgot to accept the last one... or maybe IT is doing something? I think I will just click yes to be on the safe side.
All it takes is for one employee to click yes and the attacker now has full access to that employee's account, enabling them to steal sensitive data and start to move laterally and identify targets of interest.
So, what steps can enterprises take to ensure that their employees' accounts are not taken over using a simple MFA phishing attack or the more sophisticated phishing attack detailed in the Akamai Security Blog?
The weak spot in both these scenarios is the same: people. And good people can make bad security decisions without meaning to. Don't get me wrong: I'm a big advocate of ongoing and continuous security training for all employees, up to and including the CEO. But, clearly, it's necessary to remove the employee's decision about whether to accept or deny that push notification. What is needed is an MFA approach that takes the human decision-making process out of the equation.
FIDO2 is a strong authentication standard that detects illegitimate MFA challenges and never presents them to the employee -- replacing the "almost certain" decision-making of a human with the "always certain" decision-making of technology. FIDO2 uses end-to-end cryptography to ensure that only a legitimate user can trigger that second-factor challenge and eliminates the possibility of an attacker bypassing MFA to gain access to an account.
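To show concretely what "always certain" means here, the following is an added example (not Akamai's code, nor part of the original post) of the checks a FIDO2/WebAuthn relying party performs on a login assertion: the browser writes the origin it is actually connected to into the signed client data, and the authenticator hashes the RP ID it was given, so an assertion produced on a look-alike phishing site fails the origin and RP ID checks before any human judgement is involved. The origin `https://login.acme.example`, RP ID `acme.example` and all sample data are constructed; signature verification, which needs the registered public key and a crypto library, is left out.

```python
import base64
import hashlib
import json
import secrets


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion(expected_origin, rp_id, issued_challenge,
                     client_data_b64, authenticator_data):
    """Return (ok, reason). Binds the assertion to origin, RP ID and challenge.
    The signature over authenticatorData || SHA-256(clientDataJSON) must also be
    verified with the credential's registered public key (omitted here)."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this login attempt,
    # so a replayed or attacker-initiated challenge is rejected.
    got_challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(got_challenge, issued_challenge):
        return False, "challenge mismatch"
    # The browser, not the user, records the origin it is really talking to;
    # a look-alike phishing site cannot claim to be the legitimate origin.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')}"
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: presence tested on device
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin, challenge):
    """Build clientDataJSON the way a browser would (constructed sample)."""
    body = {"type": "webauthn.get", "origin": origin,
            "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()}
    return base64.urlsafe_b64encode(json.dumps(body).encode()).rstrip(b"=").decode()


def make_authenticator_data(rp_id, flags=0x01, counter=1):
    """Minimal authenticatorData for an assertion (constructed sample)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
```

Running `verify_assertion` with client data built for `https://login.acme.example` returns `(True, "ok")`, while the same challenge and authenticator data paired with client data from `https://login-acme.example` is rejected with an origin mismatch, which is the phishing case from the post.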
To eliminate the security risks associated with current MFA approaches, enterprises should consider enhancing their authentication by deploying an MFA solution that is based on FIDO2 standards.
To learn more about Akamai's phish-proof MFA solution, visit akamai.com/mfa.