Hacks That Bypass Multifactor Authentication and How to Make Your MFA Solution Phishing Resistant
Roger A. Grimes, Data-Driven Security Evangelist
rogerg@knowbe4.com

About Roger
Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4, Inc.
e: rogerg@knowbe4.com
Twitter: @RogerAGrimes
LinkedIn: https://www.linkedin.com/in/rogeragrimes/
• 30-plus years in computer security, 20 years pen testing
• Consultant to the world's largest companies and militaries for decades
• Previously worked for Foundstone, McAfee, Microsoft
• Frequently interviewed by magazines (e.g., Newsweek) and radio shows (e.g., NPR's All Things Considered)
• Expertise in host and network security, IdM, crypto, PKI, APT, honeypots, cloud security
• Written 13 books and over 1,200 magazine articles
• InfoWorld and CSO weekly security columnist, 2005-2019
• Certification exams passed include: CPA; CISSP; CISM, CISA; MCSE: Security, MCP, MVP; CEH, TISCA, Security+, CHFI; yada, yada

Background Bio
• Penetration tester for over 20 years
• Worked on dozens of MFA and MFA hacking projects
• Wrote the Hacking Multifactor Authentication book (Wiley)
  • https://www.amazon.com/Hacking-Multifactor-Authentication-Roger-Grimes/dp/1119650798
• Delivered the Many Ways to Hack MFA webinar for years
  • https://info.knowbe4.com/webinar-12-ways-to-defeat-mfa
• Wrote the free 12 Ways to Hack 2FA ebook
  • https://info.knowbe4.com/12-way-to-hack-two-factor-authentication
• Helped develop the Multifactor Authentication Security Assessment tool
  • https://www.knowbe4.com/multi-factor-authentication-security-assessment

Roger's Books

About Us
• Provider of the world's largest integrated Security Awareness Training and Simulated Phishing platform
• Based in Tampa Bay, Florida, founded in 2010
• CEO & employees are ex-antivirus, IT Security pros
• We help tens of thousands of organizations manage the ongoing problem of social engineering
• Winner of numerous industry awards

Agenda
• Examples of hacking MFA
• Characteristics that make MFA easily hackable
• US government recommendations for effective MFA
• Features you should look for in a strong MFA solution
• Which phish-resistant MFA you should be using
• Why a strong human firewall is your best, last line of defense

This presentation may contain real and/or simulated phishing attacks. The trade names/trademarks of any third parties used in this presentation are solely for illustrative and educational purposes. Trademarks are property of their respective owners and the use or display of any mark does not imply any affiliation with, endorsement by, or association of any kind between such third parties and KnowBe4, if any.
The bad guys don't care about this and use them anyway to trick you….

My MFA Statement
• "People should use phishing-resistant MFA whenever they can to protect valuable data and systems" – Roger A. Grimes
• I like MFA
• Its protective value is just oversold to most people

MFA Reality
• Anything can be hacked
• Any MFA solution can be hacked
• But some MFA solutions are far more resilient than others

Very Common MFA Hack: Network Session Hijacking
• Usually requires a Man-in-the-Middle (MitM) attacker
• Attacker puts themselves inside the communication stream between the legitimate sender and receiver
• Doesn't usually care about the authentication that much
• Just wants to steal the resulting, legitimate access session token after successful authentication
• On web sites, session tokens are usually represented by a "cookie" (a simple text file containing information unique to the user/device and that unique session)
• Session token is usually just good for that session

Very Common MFA Hack: Network Session Hijacking by Proxy Theft
1. Bad guy convinces victim to visit a rogue (usually look-alike) web site, which proxies input to the real web site
2. Prompts victim to put in MFA credentials
3. Victim puts in credentials, which bad guy relays to the real web site
4. Bad guy intercepts victim's resulting access control token
5. Bad guy logs into the real site and drops the legitimate user
6. Takes control over the user's account
7. Changes anything the user could use to take back control

Very Common MFA Hack: Kevin Mitnick Hack Demo of Network Session Hijacking
https://blog.knowbe4.com/heads-up-new-exploit-hacks-linkedin-2-factor-auth.-see-this-kevin-mitnick-video
1. Phishing email contained a URL to a fake look-alike/sound-alike web site that was really an evil proxy
2. Email tricked the user into visiting the evil proxy web site
3. User typed in credentials, which the proxy, now pretending to be the legitimate customer, presented to the legitimate web site
4. Legitimate web site sent back a legitimate session token, which Kevin then stole and replayed to take over the user's session
• Kevin used Evilginx (https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/)
• One example hack out of the dozens, if not hundreds, of ways to do session hijacking, even if MFA is involved

Very Common MFA Hack: Network Session Hijacking News Stories

MFA Hacks: Real-World Example of Network Session Hijacking
https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/

MFA Hacks: Endpoint Attacks
https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born

Hacking MFA: US Gov't Has Said Since 2017 Not to Use Easily Hackable MFA
Digital Identity Guidelines, NIST Special Publication 800-63 (https://www.nist.gov/itl/applied-cybersecurity/tig/projects/special-publication-800-63)
• States that the "Use of the PSTN [Public Switched Telephone Network, or a phone-line connection in human-speak] for out-of-band [authentication] verification is RESTRICTED".
• This means any authentication, including MFA, that relies on your phone or phone number as part of its authentication is "restricted" [i.e., not that secure]. This includes all SMS- and voice call-based MFA.
• In 2021, the Presidential executive order (EO 14028) had a clarifying follow-up memo (https://zerotrust.cyber.gov/federal-zero-trust-strategy/#identity) that stated, "For routine self-service access by agency staff, contractors and partners, agency systems must discontinue support [emphasis added] for authentication methods that fail to resist phishing, such as protocols that register phone numbers for SMS or voice calls, supply one-time codes, or receive push notifications. [emphasis added]"

Hacking MFA: US Gov't 2022
• OMB Memo M-22-09 released on January 26, 2022
• https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf

Phone-Based MFA Hacking: Summary of Phone-Based MFA Hacking Methods
• SIM Swap attack
  • I just get your phone number and SMS messaging switched to my phone
• Deepfake voice calls
• MitM proxy attacks often work
• SMS Rogue Recovery Hack
I like phone apps not tied to your phone number

Rogue Recoveries: Hacking Into Your Email Using Recovery Methods (SMS Rogue Recovery)
SMS Rogue Recovery Hack
• There is an inherent problem in that SMS message origination cannot be easily authenticated within SMS itself
• Anyone can claim to be anyone
To pull it off, the hacker must have:
• Your email address and associated phone number
SMS Rogue Recovery Steps
1. Hacker sends you a text pretending to be from your email provider, asking for your forthcoming SMS PIN reset code
2. Hacker forces your email account into SMS PIN recovery mode
3. You get a text from the vendor with your reset code, which you then send to the other number
Code from their email, bank account, or stock account being reset
We can do this all day

Hacking MFA Examples: Push-Based MFA
I used to be a big fan!!
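As an added illustration (constructed here, not code from the talk or from any vendor) of why the proxy-theft steps above work against relayed one-time codes but not against FIDO-style tokens: a typed code says nothing about which site asked for it, so the proxy forwards it unchanged, whereas the token below only answers for the domain it was registered to and signs the origin the browser is actually on, so the real site can tell a relayed login from a direct one. The domains, user name and the HMAC secret standing in for the credential's key pair are assumptions, not real WebAuthn.

```python
import hmac
import json
import secrets

# Constructed model of the proxy-theft flow: the victim's browser talks to whatever
# site it is on (the real site or a look-alike proxy) and the proxy relays everything.
# Hypothetical names; an HMAC secret stands in for the FIDO key pair (not real WebAuthn).
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"


class Authenticator:
    def __init__(self):
        self.creds = {}  # rpId -> secret (stand-in for the credential's private key)

    def get_assertion(self, browser_origin, rp_id, challenge):
        # The browser supplies the origin the page is really loaded from; the rpId must
        # be that host or a parent domain of it, otherwise no registered credential applies.
        host = browser_origin.split("://", 1)[1].split("/", 1)[0]
        if rp_id not in self.creds or not (host == rp_id or host.endswith("." + rp_id)):
            return None  # the token simply does not answer a non-registered site
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
        return {"client_data": client_data, "sig": hmac.new(self.creds[rp_id], client_data, "sha256").hexdigest()}


class RelyingParty:
    def __init__(self):
        self.keys, self.pending = {}, set()  # user -> secret (stand-in for public key); live challenges

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, user, resp):
        data = json.loads(resp["client_data"])
        if data["origin"] != RP_ORIGIN or data["challenge"] not in self.pending:
            return False  # signed for some other origin (a proxy) or a replayed challenge
        self.pending.discard(data["challenge"])
        return hmac.compare_digest(hmac.new(self.keys[user], resp["client_data"], "sha256").hexdigest(), resp["sig"])


def login_through(browser_origin):
    token, rp = Authenticator(), RelyingParty()
    token.creds[RP_ID] = rp.keys["alice"] = secrets.token_bytes(32)  # registration, done once on the real site
    challenge = rp.new_challenge()  # a proxy fetches this from the real site and forwards it
    resp = token.get_assertion(browser_origin, RP_ID, challenge)
    if resp is None:
        return "no response from token"
    return "session issued" if rp.verify("alice", resp) else "rejected by site"
```

Calling login_through with the real origin issues a session, a look-alike domain gets no answer from the token at all, and a response signed for any other origin (or a reused challenge) is rejected by the site.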
Hacking MFA: But What If…
• USERS BLINDLY JUST APPROVE EVERY REQUEST
• https://www.mandiant.com/resources/russian-targeting-gov-business

Hacking MFA
Vulnerabilities are often found in the transitions

Hacking MFA: Hacking Methodology
Basic attack methods that work against most MFA solutions
• Social engineering (most popular and successful method)
• Eavesdropping/MitM
• Exploiting a programming bug
• Weak verification between components
• Alternate recovery/bypass
• Weak default configuration settings
• Data/network traffic malformation
• 3rd-party reliance issue (e.g., DNS, Active Directory, etc.)
• Physical attacks
• Others

Hacking MFA: Let Me Threat Model Your MFA Solution
KnowBe4 Multifactor Authentication Security Assessment (MASA) tool
https://www.knowbe4.com/multi-factor-authentication-security-assessment
• Asks you a series of questions and then tells you how I could hack it

Hacking MFA
Try to avoid any MFA solution that can be easily social engineered or man-in-the-middled around
Unfortunately, this is most MFA solutions

Resilient MFA Summary
• Bare minimum bar: MFA solution should defeat MitM proxy attacks!
• This is not true for 90%-95% of MFA today
• Should contain enough features and information to help users defeat common attacks against that type of MFA
• Should be MFA and not 1FA
• Vendor should not oversell protection
  • Avoid any vendor saying it defeats "99% of attacks" or is "unhackable"

Resilient MFA: Vendor Protections
• Vendor's developers should practice a secure development lifecycle (SDL)
  • www.microsoft.com/sdl
  • https://wiki.sei.cmu.edu/confluence/
• Vendor should have in-house code review and penetration testing
• Vendor should hire external pen testers
• Vendor should participate in bug bounties
• Vendor should aggressively respond to all hacking reports and not blow off bug reporters (who have validated hacking claims)
• Vendor should educate buyers/users about common threats and how to defend

Resilient MFA Solutions
My List of Good, Strong MFA
• https://www.linkedin.com/pulse/my-list-good-strong-mfa-roger-grimes
Don't Use Easily Phishable MFA and That's Most MFA!
• https://www.linkedin.com/pulse/dont-use-easily-phishable-mfa-thats-most-roger-grimes
US Government Says to Avoid Phishing-Resistant MFA and Why Is the Majority of Our MFA So Phishable?
• https://www.linkedin.com/pulse/why-majority-our-mfa-so-phishable-roger-grimes and https://blog.knowbe4.com/u.s.-government-says-to-avoid-phishing-resistant-mfa

Resilient MFA Solutions: Strong MFA
Fast Identity Online (FIDO) MFA solutions
• https://fidoalliance.org/
• It's an open standard supported by over a hundred vendors, including Google, Microsoft, Yubico, etc.
• Requires pre-registration of sites and services to the token
• Doesn't respond to non-registered, MitM web sites
• Publicly available threat model (the only one I know of)
  • https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html

NIST 800-63B AAL3-Level Solutions

Smartcards
• Most are AAL3

Military CAC cards
• Common Access Card
• https://militarycac.com/

Google Advanced Protection Program
• https://landing.google.com/advancedprotection
• Requires a FIDO-enabled security key
• Has other checks, like secure downloads
• Only works with Google sites, apps, and selected third-party apps (e.g., Apple Mail, Mozilla Thunderbird, etc.)

Various Selected Vendors
1Kosmos
• https://www.1kosmos.com/
Beyond Identity
• www.beyondidentity.com
HYPR
• https://www.hypr.com/true-passwordless-mfa/
Transmit Security's BindID
• https://www.transmitsecurity.com/bindid
rfIDEAS
• https://www.rfideas.com/

Resilient MFA: Push-Based MFA
• Should include a requirement that proves the approving user is actually the one logging on
• Unfortunately, this feature alone still does not stop MitM proxy attacks

Resilient MFA Solutions: Do Your Own Tests
• Can your MFA beat a MitM proxy attack test?
• Is it tied to a phone number?
• Does it send a one-time password that you type in?

Resilient MFA Solutions: What About Biometrics?
• Are biometrics strong authentication?
  • They can be
• Is it 1FA or 2FA?
  • Easier to steal and replay 1FA
• Is it phishable?
  • Depends on the application; most are for device logons and not as phishable
• But most solutions are not nearly as accurate as touted
• Is it allowed for remote logons?
• But still perhaps good enough for most applications

Key Takeaways
Parting Thoughts: Education is Necessary
No matter which type of MFA you choose, educate everyone:
• Buyers, evaluators, implementors, users, senior management
Topics:
• Strengths and weaknesses
• How to correctly use the MFA solution
  • Including what might indicate a malicious attempt to abuse it
  • And what to do during rogue attacks
• What MFA does and doesn't prevent
• The common possible attacks for that type of MFA and how to prevent them
• You wouldn't give people passwords without warning them about common hacker tricks

KnowBe4 Security Awareness Training
Baseline Testing: We provide baseline testing to assess the Phish-Prone™ percentage of your users through a free simulated phishing attack.
Train Your Users: The world's largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. Automated training campaigns with scheduled reminder emails.
Phish Your Users: Best-in-class, fully automated simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

Generating Industry-Leading Results and ROI
• Reduced Malware and Ransomware Infections
• Reduced Data Loss
• Reduced Potential Cyber-theft
• Increased User Productivity
• Users Have Security Top of Mind
85% Average Improvement: across all industries and sizes, from baseline testing to one year or more of ongoing training and testing

Questions?
Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4
rogerg@knowbe4.com
Twitter: @rogeragrimes
https://www.linkedin.com/in/rogeragrimes/
Tel: 855-KNOWBE4 (566-9234) | www.KnowBe4.com | Sales@KnowBe4.com