MFA is Not The Holy Grail of Security?

While Multi Factor Authentication (MFA) does provide greater security than using passwords alone, it still is not perfect. The purpose of this article is not to discourage you from using MFA. It is to show you that no single security control alone is foolproof. A good security strategy should incorporate a mix of technical security controls, event monitoring, user training, and clearly documented processes for handling security events. With that being said, this week, I’m going to show popular ways attackers get around MFA to drive that point home.

Pass the Cookie

This attack exploits the same weakness as a concert wristband. When you first try to enter a concert, security verifies your identity by looking at your driver’s license and then scans your concert ticket to make sure you’re allowed to be at that show. Once you pass all the checks, they give you a wristband to wear. In this scenario, an attacker simply waits until you get a wristband and then steals it from you. Now the attacker just shows security the wristband to get into the concert without having to provide an ID or the concert ticket.

A pass-the-cookie attack works the same way. An attacker steals the session cookie (the wristband) your browser is given after you’ve successfully authenticated. A session cookie is nothing more than a string of characters that the website uses to identify you and your account. The attacker takes this cookie and presents it to the website, and is then allowed to access your account without needing to go through the MFA process.
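One defensive answer to a stolen session cookie is to bind the session to the client context seen at login and force a fresh MFA challenge when the same cookie shows up from a different browser or network. The snippet below is an added example, not code from the original article; the store and the helper names (issue_session, check_session) are this example's own and not a real framework's API.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed server key; in practice a long random value loaded from config.
SECRET = b"constructed-server-key"

@dataclass
class Session:
    user: str
    ua_hash: str            # keyed hash of the User-Agent seen at login
    ip_prefix: str          # first two octets of the client IP at login
    mfa_passed: bool
    alerts: list = field(default_factory=list)

# Server-side session table, keyed by the cookie value.
STORE: dict[str, Session] = {}

def _fingerprint(user_agent: str) -> str:
    return hmac.new(SECRET, user_agent.encode(), hashlib.sha256).hexdigest()[:16]

def _net(ip: str) -> str:
    return ".".join(ip.split(".")[:2])

def issue_session(user: str, user_agent: str, ip: str) -> str:
    """Called only after password AND MFA succeed; returns the cookie value."""
    token = secrets.token_urlsafe(32)
    STORE[token] = Session(user, _fingerprint(user_agent), _net(ip), True)
    return token

def check_session(token: str, user_agent: str, ip: str) -> str:
    """Return 'ok', 'stepup' (re-prompt MFA) or 'invalid' for a presented cookie."""
    sess = STORE.get(token)
    if sess is None:
        return "invalid"
    ua_changed = sess.ua_hash != _fingerprint(user_agent)
    net_changed = sess.ip_prefix != _net(ip)
    if ua_changed or net_changed:
        # Same cookie, different client context: the pass-the-cookie signal.
        sess.alerts.append(f"context change for {sess.user}: ua={ua_changed} net={net_changed}")
        sess.mfa_passed = False      # the cookie alone no longer proves MFA
        return "stepup"
    return "ok"
```

Small IP moves inside the same /16 are tolerated so mobile users are not re-prompted constantly; a full User-Agent change is always treated as suspicious.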

Exploiting Email Forwarding Rules

Attackers can also get around MFA by first exploiting your email account. Providing one-time passcodes to you via email is a popular MFA method used by many banking and healthcare web portals. This MFA process can also be exploited by attackers. The first step is for an attacker to add a forwarding rule to your email account. They can choose to forward all emails or write a custom filter that only forwards emails that contain passcodes. Attackers have also been known to add additional rules that send these emails to obscure folders in your account, like the RSS or Junk folder, so that you don’t see them in your inbox.

Once the email rules have been set up, they simply try to log on to the site and then wait to receive the forwarded passcode email. If the attacker doesn’t know your password, they can just use the forgot password link and wait to receive the forwarded email with instructions for resetting your credentials to anything they want.
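The rules described above leave a recognizable footprint: external forwarding, keyword filters on passcode or reset mail, and moves into folders nobody reads. The following added example (not from the original article) scores an exported rule set for that combination; the rule shape and sample rules are constructed for this example and do not follow any vendor's export format.

```python
import re

# Constructed sample of exported inbox rules. Each rule lists its conditions and actions.
SAMPLE_RULES = [
    {"name": "Vacation", "contains": [], "forward_to": ["me@example.com"],
     "move_to": None, "mark_read": False, "delete": False},
    {"name": ".", "contains": ["passcode", "verification code"],
     "forward_to": ["drop@attacker.example"], "move_to": "RSS Subscriptions",
     "mark_read": True, "delete": False},
    {"name": "Newsletters", "contains": ["unsubscribe"], "forward_to": [],
     "move_to": "Newsletters", "mark_read": False, "delete": False},
]

ORG_DOMAIN = "example.com"
# Wording typical of OTP and password-reset mail.
OTP_WORDS = re.compile(r"passcode|verification|one.?time|reset your password|security code", re.I)
# Folders a user rarely opens; intercepted mail is parked here to stay unseen.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "junk", "junk email",
                "archive", "deleted items", "conversation history"}

def rule_findings(rule: dict) -> list[str]:
    """Return the reasons a single rule looks like OTP interception (empty = benign)."""
    findings = []
    external = [a for a in rule["forward_to"] if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        findings.append(f"forwards to external address {', '.join(external)}")
    if any(OTP_WORDS.search(c) for c in rule["contains"]):
        findings.append("filters on OTP/password-reset keywords")
    if rule["move_to"] and rule["move_to"].lower() in HIDE_FOLDERS:
        findings.append(f"moves mail to low-visibility folder '{rule['move_to']}'")
    if rule["delete"] or rule["mark_read"]:
        findings.append("hides mail (delete or mark as read)")
    if len(rule["name"].strip()) <= 1:
        findings.append("near-empty rule name")
    # One weak signal on its own is normal user behaviour; two or more together
    # is the interception pattern worth alerting on.
    return findings if len(findings) >= 2 else []

def suspicious_rules(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule that trips the threshold."""
    return {r["name"]: f for r in rules if (f := rule_findings(r))}
```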

This attack is very effective because lots of people do not have MFA enabled on their email accounts. Do you have MFA or two-factor authentication enabled on your work and personal email accounts?

Application Logic Errors

In these attacks the weakness is not MFA itself but its implementation. Attackers look for ways around the entire MFA authentication process. For example, I once performed a security assessment for a client who had a custom application with a very robust MFA process. It required you to have a special physical key that you needed to gain access, in addition to answering security questions and providing a passcode sent to your mobile device. It seemed like an impenetrable fortress, at first. Upon further inspection, I was able to find a workaround. If you went to the forgot password screen, there was a hidden input field where you could type in any user’s ID and it would let you log in as that user. This had been implemented by the developers, who were tired of having to authenticate every time while they were building the application. This backdoor was only supposed to exist in their development environment but somehow made it to production, and it had been there for at least a year, even though they were running nightly vulnerability scans of their code.

Attackers look for logic errors like these to get around MFA altogether.

Using a Legacy Application

We all want to ensure our customers have the best experience when accessing our sites. For ease of use, some web sites and applications will allow users with out-of-date versions of client applications and web browsers to access their sites. Most of the time these legacy applications and browsers do not have modern security features and protocols. Attackers take advantage of this. By using a legacy application or browser, they face a reduced set of security controls, because the modern ones are not supported by older browsers or applications. For example, the email protocols POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) do not support MFA with non-interactive applications. So, attackers can write scripts using these protocols and not have to worry about MFA at all.
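Because a legacy-protocol sign-in never reaches the MFA step, the defender's job is to find successful logins that skipped it. This added example (not part of the original article) walks a constructed authentication log and reports which users authenticated over legacy protocols without MFA, and which of those clients look scripted; the log format, protocol names and client strings are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed authentication log. Interactive web logins record an MFA result;
# legacy protocol clients never reach the MFA step, so those lines carry mfa=none.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice proto=HTTPS client="Chrome/124" result=success mfa=passed src=203.0.113.10
2024-05-01T08:05:40Z user=bob proto=IMAP4 client="Thunderbird" result=success mfa=none src=198.51.100.7
2024-05-01T08:06:02Z user=bob proto=IMAP4 client="python-requests/2.31" result=success mfa=none src=192.0.2.44
2024-05-01T08:07:15Z user=carol proto=POP3 client="Outlook 2010" result=success mfa=none src=203.0.113.77
2024-05-01T08:09:00Z user=dave proto=SMTP-AUTH client="mutt" result=failure mfa=none src=192.0.2.44
"""

LINE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) proto=(?P<proto>\S+) client="(?P<client>[^"]*)" '
    r'result=(?P<result>\S+) mfa=(?P<mfa>\S+) src=(?P<src>\S+)'
)
# Protocols that authenticate with a password alone (assumed label set for this log).
LEGACY_PROTOS = {"IMAP4", "POP3", "SMTP-AUTH", "MAPI-RPC", "ACTIVESYNC"}
# User-Agent fragments typical of scripts rather than mail clients.
SCRIPTED_CLIENT = re.compile(r"python|curl|requests|go-http|libwww|java/", re.I)

def parse(log: str) -> list[dict]:
    """Turn each well-formed log line into a dict of its fields."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE.match(line))]

def legacy_auth_events(log: str) -> list[dict]:
    """Successful sign-ins that never passed MFA because they used a legacy protocol."""
    out = []
    for ev in parse(log):
        if ev["proto"] in LEGACY_PROTOS and ev["result"] == "success" and ev["mfa"] != "passed":
            ev["scripted"] = bool(SCRIPTED_CLIENT.search(ev["client"]))
            out.append(ev)
    return out

def summarize(log: str) -> dict:
    """Roll the findings up per user and per protocol for a review queue."""
    events = legacy_auth_events(log)
    return {
        "users_with_legacy_auth": sorted({e["user"] for e in events}),
        "by_protocol": dict(Counter(e["proto"] for e in events)),
        "scripted_clients": [e["user"] for e in events if e["scripted"]],
    }
```

A user who appears here but is expected to use only interactive clients is the one to follow up on; the failed SMTP attempt is excluded because it never produced a session.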

Summary

As you can see, MFA is not a set-and-forget technique. You may have also noticed that most of these techniques don’t actually break the MFA process. They focus on getting around MFA altogether, either by bypassing it entirely or by waiting until the user authenticates and then stealing the resulting access. While these techniques are not the only ones out there, most of the others take advantage of the same concepts.

Do you think I missed anything? Let me know in the comments.

Written by

Gene Wright

When I'm not tanning in the glow of my monitor, I'm outdoors. Running, hiking, MTB, camping, and swimming are my favorites.