Like Twitter, MFA Will Not Save You!

I’m sure we are all interested in the latest Twitter hack. As the author of the soon-to-be-released Wiley book called Hacking Multifactor Authentication, I have to laugh at the “experts” recommending that Twitter and its users adopt Multi-Factor Authentication (MFA) to prevent this type of social engineering and phishing attack.

It’s likely that everyone involved was already using it. MFA will not save you!

In my book, I cover over 50 ways to hack different types of MFA solutions. I can hack any MFA solution at least 5 different ways…many times in ways that the MFA vendor or victim cannot stop. MFA can stop many types of hacking, especially the general, broadcasted, phishing attacks for logon credentials sent to millions of potential victims all at once. But MFA is far less successful at stopping targeted attacks and it oftentimes cannot stop many forms of general, broadcast attacks.

How Do I Know?

Well, history and science. The world is full of vendors who implemented MFA as a way to decrease hacking attacks, and while it did temporarily decrease them, ultimately, in every case the hackers just learned how to attack and circumvent the MFA protection.

It even happened in the latest Twitter hack. Likely, all the employees’ accounts involved were already using MFA. It would be a dereliction of duty if they were not. And Twitter is a good company with good security processes. Likely all the VIPs’ accounts involved were also using MFA. VIPs’ accounts are constantly under attack and have been for years. They likely moved to MFA-protected log-ons as soon as Twitter offered it.

And it did not stop Twitter or those celebrities from being hacked.

Welcome to the real world. If you didn’t already know this, all MFA can be hacked. Anyone telling you any different is lying to you to sell you something or naïve. Yes, MFA can significantly reduce some forms of hacking, and for that alone you should use MFA to protect your most critical accounts and information when and where possible. 

But there is a difference between saying that MFA makes some hacking scenarios harder to accomplish and that MFA is unhackable or makes your account unhackable. A dangerous myth has evolved around MFA…the idea that using MFA means you can worry a lot less about being hacked. That isn’t true. That’s bad education. It’s like telling people who have self-driving cars right now that they don’t have to worry about being awake and paying attention while the car is driving. It works most of the time, and then other times the car drives into the side of a firetruck.

I wrote Hacking Multifactor Authentication (Wiley) precisely because I was coming across a ton of people, including security experts, who thought MFA was the Holy Grail of authentication. It isn’t true, no more than biometrics are going to save us. It’s good to have MFA to protect you, but it’s not a solution that means you no longer need to worry about hacking, because I can send you a normal-looking phishing email and get around your MFA solution like it wasn’t even there. Here’s an example demo of that.

And sometimes, it’s easier to hack you because of your MFA solution than if you just had a strong password that you didn’t get phished out of. Ask the early MFA-adopting cryptocurrency guys who lost millions and are now back to using passwords to protect their currency holdings. Here’s an example: Ask the hundreds of companies who used MFA to protect their admin log-ons who ended up being breached anyway. An example is listed here. There are literally hundreds and hundreds of companies and tens of thousands of people who relied on MFA to protect them and it did not work.

Ignoring the fact that passwords aren’t going anywhere anytime soon, misrepresenting the protection provided by MFA is dangerous and wrong. Because if you think MFA makes you far less likely to be hacked, then it changes your behavior. It makes you more likely to ignore typical warning signs and perhaps engage in unwise, more risky, online behavior than if you simply kept your same outlook on online risk.

The appropriate message to push to anyone using MFA is that MFA can significantly reduce the risk of some hacking scenarios, but that you still have to keep the same vigilance and secure cybersecurity practices as you did before you had MFA. MFA is just one tool and there are a lot of ways to hack.

Plus, I’m going to go out on a limb and predict that a Twitter API was involved. The employees’ accounts were protected by MFA, but MFA doesn’t apply to Application Programming Interfaces (APIs). Usually they are protected by “API keys” and normal logon password credentials. Most backend admin tools are consoles which work directly with the APIs to do their management work. Credential stuffing attacks have been highly successful against large organizations over the last few years, and 75% of those attacks have been against APIs and not normal logon portals. I could be embarrassed by making this prediction without knowing most of the facts, but by what little I know (i.e. that the employees’ accounts were protected by MFA) that would be my first guess. I could be wrong. We will see.
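The practical consequence of the paragraph above is that an API authenticated by key or password sits outside the MFA gate, so its authentication failures need their own monitoring. The following is an added example, not code from the original post or from KnowBe4: it runs a small credential-stuffing detector over constructed JSON-lines access-log events and summarizes which successful access never passed through MFA. The log format, the field names (ts, src_ip, path, user, auth, status), the /api/ and /login paths, and the thresholds are all my assumptions.

```python
"""Added example, not from the original post or KnowBe4: flag credential-stuffing
patterns against an API authentication endpoint in constructed log lines, and
inventory successful access that never touched the MFA-gated interactive login.
Assumptions (mine): API calls authenticate with an API key or a password only,
while /login is the interactive path that prompts for MFA."""
from collections import Counter, defaultdict
import json

# Constructed sample events (not real traffic). Each becomes one JSON log line.
_SAMPLE_EVENTS = (
    # One source IP trying many different accounts against the API within seconds.
    [{"ts": 1000 + i, "src_ip": "203.0.113.7", "path": "/api/v1/auth",
      "user": f"user{i:02d}", "auth": "password", "status": 401} for i in range(10)]
    # A legitimate user mistyping her own password a few times, then succeeding.
    + [{"ts": t, "src_ip": "198.51.100.4", "path": "/api/v1/auth",
        "user": "carol", "auth": "password", "status": 401} for t in (1000, 1005, 1010)]
    + [{"ts": 1015, "src_ip": "198.51.100.4", "path": "/api/v1/auth",
        "user": "carol", "auth": "password", "status": 200}]
    # Service traffic authenticated by API key only: it never sees an MFA prompt.
    + [{"ts": 1020 + t, "src_ip": "192.0.2.9", "path": "/api/v1/items",
        "user": "svc-billing", "auth": "key", "status": 200} for t in range(3)]
    # An interactive login that went through MFA (recorded here as auth "mfa").
    + [{"ts": 1030, "src_ip": "198.51.100.4", "path": "/login",
        "user": "carol", "auth": "mfa", "status": 200}]
)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\n"


def parse_log(text):
    """Parse JSON-lines access-log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_credential_stuffing(events, window=60, min_users=5, min_failures=8,
                             api_prefix="/api/"):
    """Return {src_ip: (failures, distinct_users)} for sources whose API auth
    failures inside any `window`-second span reach both thresholds.
    Many distinct usernames failing from one source is the stuffing signature;
    a single user failing repeatedly is usually just a typo."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"].startswith(api_prefix) and e["status"] == 401:
            by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # username -> failures inside the sliding window
        start = 0
        for end, e in enumerate(evs):
            in_window[e["user"]] += 1
            # Advance the window start until the span is at most `window` seconds.
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            failures, users = end - start + 1, len(in_window)
            if failures >= min_failures and users >= min_users:
                prev = flagged.get(ip, (0, 0))
                flagged[ip] = (max(prev[0], failures), max(prev[1], users))
    return flagged


def access_outside_mfa(events, api_prefix="/api/"):
    """Count successful requests by (path class, auth method). The "api" bucket
    is the access that MFA never gated, which is why it needs its own watch."""
    summary = Counter()
    for e in events:
        if e["status"] != 200:
            continue
        bucket = "api" if e["path"].startswith(api_prefix) else "interactive"
        summary[(bucket, e["auth"])] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing candidates:", find_credential_stuffing(evs))
    print("successful access by path/auth:", access_outside_mfa(evs))
```

On the constructed sample, the detector flags only 203.0.113.7 (ten failures across ten different usernames within the window) and leaves carol's three failed attempts alone, while the summary shows that four of the five successful requests were authenticated by key or password on API paths and only one went through the MFA prompt. The thresholds are deliberately conservative placeholders; a real deployment would tune them against its own baseline of failed-auth rates per source.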

Either way, just be careful about your messaging around MFA. MFA is good to use in many use case scenarios, but as the Twitter hack demonstrates, it won’t save you when you become targeted by attackers. MFA is good in most cases, but it doesn’t mean you can leave your guard down. 

This article was previously written on LinkedIn

12+ Ways to Hack Multi-Factor Authentication eBook

All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This eBook covers over a dozen different ways to hack various types of MFA and how to defend against those attacks. 

You will learn more about:

  • Two-factor authentication basics
  • How to hack two-factor authentication
  • How to best protect your organization from cybercriminals
