By Roger Grimes, KnowBe4's Data-driven Defense Evangelist. I’ve been in computer security for over 30-years and I’ve been giving presentations nearly as long. And in that time, no talk has been as popular as my 12 Ways to Hack MFA. I’ve given the presentation dozens of times to many thousands of viewers.
It was a standing room-only crowd when I gave it at Blackhat USA in Las Vegas this year, and I’m giving it again at this coming year’s RSA. If you’re interested in seeing it before then, do an Internet search on ’12 Ways to Hack 2FA Grimes’ and you are sure to get lots of opportunities to view one of the many previous presentations.
It seems to have hit a digital nerve with computer defenders and end-users alike. I think the reason it is so interesting is that it is surprising to many people that multi-factor authentication (MFA) does not protect you from hackers (including simple phishing) as much as you would think. If you don’t think understand how MFA can’t be easily phished around, please watch the video of Kevin Mitnick phishing around one of today’s most popular MFA solutions: https://www.youtube.com/watch?v=xaOX8DS-Cto
MFA Users Can Easily Be Phished
This fact is continually reinforced by news story after news story as we head into the New Year, including this one: https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/.
In this article, it reveals how hundreds, maybe thousands, protectors of human rights were targeted by phishing campaigns, and even their two-factor authentication did not protect them. It’s a great article and includes a nice assortment of example screenshots showing the “look-alike” domain names that the attackers registered and used to perform their phishing attacks. It shows how MFA isn’t much of a roadblock and is easily bypassed. Several other articles, including this one (https://boingboing.net/2018/12/19/sms-text-two-factor-authentica.html) reveal the same fact.
Again, phishing being able to bypass MFA isn’t a surprise to anyone who follows digital authentication closely, and it certainly isn’t to me. It was a surprise to me that most people didn’t know that two-factor authentication (2FA) or MFA didn’t protect you against phishing. The fact that it doesn’t was especially made murkier when news stories announced that physical security devices had 100% protected all of Google’s 85,000 employees (https://www.businessinsider.com/none-of-googles-employees-get-phished-because-of-yubikey-security-key-2018-7).
While it is probably true that none of Google’s employees using the security keys got phished out of their work accounts using their Google applications during the time period reported, it’s a far cry from saying that Google’s employees can’t be phished. And I’m ignoring the fact that Google’s security devices appear to be 1FA, not 2FA. You put the security device into the USB slot of your laptop and hit a button. I don’t think they are prompted for a 2nd factor. I could be wrong, but so far from what I’ve read, it seems I’m reading it right. And that means if you lose your security device and someone else picks it up, they can easily become you online.
MFA Can Be Hacked
But even if these devices were MFA, it doesn’t mean they can’t get hacked. In fact, I know they can and will be. How do I know? Because everything can be hacked. Every authentication solution can be bypassed. Every MFA device can be hacked. Anyone telling you any different is either naïve or trying to sell you something. This isn’t to say that MFA devices can’t provide you more security. They can. They usually do.
But there’s a huge difference between saying that MFA devices provide MORE security and that they can’t be hacked. The problem is that too many people believe the latter and don’t understand the difference between the former.
In my 12 Ways to Hack 2FA presentations, which really should be called 18 Ways to Hack MFA, I show a dozen plus ways to hack different MFA solutions. I originally came up with 11 Ways to Hack 2FA (https://www.csoonline.com/article/3272425/authentication/11-ways-to-hack-2fa.html) for one of my unrelated CSO columns, and then I realized that what I was talking about could get around three-factor authentication (3FA) and other “more-factor” solutions, so I renamed it Hack MFA to be more inclusive. And the number of hacks went from 11 to 12 to 18 in just a few weeks. I don’t have the time to cover them all because it would take 2 hours and no one, not even my mother, wants to hear my voice that long. But suffice to say, there are more than a dozen ways to hack MFA.
Not all hacks apply to all MFA solutions. On average, only 5 to 8 of the methods could even been applied to any MFA solution. But most of the hacks I cover have not only been used against MFA solutions in real life attacks, but most have been successfully used against hundreds of thousands if not millions of relying end users. And when the world moves even more to MFA solutions (as logon name and password solutions start to get minimized), attackers will just attack MFA more and more. It’s not like the hackers are going to give up. They are already being highly successful with bypassing MFA today. Why would they give up?
Defense Against MFA Hacks
Hackers are bypassing MFA solutions in the real world, AT SCALE. That’s a big deal. That means we all have to pay attention. I can give you two defense tips. First, is to recognize that MFA solutions can be easily bypassed and most of the real-world attacks start from a phishing email that sends the user to a look-alike web site. As a defender you must include this understanding in your existing security awareness training.
End users (and management) must understand using MFA is not a Holy Grail of protection. You can’t just think that your end users will never be hacked just because you are using MFA. Google’s example was a limited time example that covered only a limited number of applications. It wouldn’t be so successful over the long-run or if it covered more applications. It’s just a fact.
Second, you must keep blocking, using technical solutions, as many bogus web sites and rogue emails as you can. You’re already doing this. But we all know that some percentage of bogus web site links and rogue emails make it through your technical solutions, which leads you back to advice number one: education and training.
MFA is a good thing.
I don’t think we’ll get rid of all passwords anytime soon, but I do think that the use and requirement of using MFA will continue to increase over time. And that’s a good thing. But don’t get stuck (or management or end users) into thinking that using MFA means our security hacking problems are over. Because current news stories show you that clearly isn’t the case, and it will never be the case. Everything can be hacked. So, we still need to be just a vigilant in our defenses, both technical and training.