Check Point Email Security | Blog

MFA Is Not The Cure-All

Written by Jeremy Fuchs | November 11, 2020

According to official Microsoft guidance, multi-factor authentication all but solves the account compromise problem. Seriously. Read on:

By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. 

This sounds amazing. One solution to stop everything.

If only.

As Brian Krebs reminded us, MFA is not a panacea. It closes one avenue for attackers, but not every avenue. MFA is a form of perimeter security, and in the cloud the perimeter is little more than the login prompt. People often assume that because they have MFA, they're immune to phishing. To be clear, MFA was never designed to stop attacks that don't involve a login. It secures exactly one moment: the point where the user authenticates to gain access.

MFA specifically cannot stop BEC attacks, CEO impersonation or embedded malware, none of which require the attacker to log in to anything. And a spoofed login page is only stopped by MFA when the second factor is bound to the real site's origin (a FIDO2/WebAuthn security key); a code that the user types into a fake page can simply be relayed to the real one.

Now, attackers are adjusting and finding new ways to bypass MFA. The latest method? SIM Swapping and Vishing.

Recently, two men were charged with hijacking accounts using "vishing" and SIM swapping. Vishing is voice-based phishing, and there has been an uptick in recent months in vishing aimed at new hires. With everyone working remotely, it can be a very effective tactic. The caller claims to be from the IT department. New hires are the perfect target because they are onboarding remotely, and some of these phishers even create LinkedIn profiles claiming to work for the company. If you've never set foot in the office, you have no easy way of knowing they aren't who they say they are.

SIM swapping happens when a bad actor convinces a cellular carrier that they are you and has your number moved to a SIM card they control. From that point on, the attacker receives your text messages and phone calls, including any one-time codes sent to that number.

But, you may be thinking, I have MFA. Shouldn't that be an extra layer?

Sure. But only if there is no way around it. If someone controls your phone number, an SMS code is an entry right into your account: the second factor is delivered to the attacker. And as Krebs noted, if your phone number is your MFA factor, you're in trouble. Once bad guys have your email account, they can often find your phone number, since it's attached to the account details.

With both an email address and a phone number, an attacker can intercept or solicit MFA codes, or run further vishing or "smishing" (SMS phishing) scams. (That's why we recommend removing your phone number from accounts wherever possible and never using it as an MFA factor.)

And now, in a notable shift, Microsoft has started releasing guidance that SMS and voice-call based MFA are the "least secure of MFA methods," bringing its advice in line with what we've been saying for a few years now.

Implementing MFA is great, and an essential step for every company. Relying solely on it? Not so much. MFA does not solve the phishing problem. A phishing page can forward the victim's password and one-time code to the real service in real time, so the login the user thinks they are approving is in fact the attacker's session. Cloud Access Trojan attacks, in which a malicious third-party application is granted access to the account, require just one login and leave behind a persistent backdoor that the MFA prompt never sees again.
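The real-time relay described above, and the reason an origin-bound factor defeats it, as an added Python example. This is not code from the post or from Avanan; the origins, the TOTP seed and the credential key are all constructed for the demo, and an HMAC stands in for the authenticator's signature, so it models WebAuthn's origin binding rather than implementing the standard.

```python
import hashlib
import hmac
import secrets
import struct

# Hypothetical origins for this example, not real sites.
REAL_ORIGIN = "https://login.bank.example"   # the real identity provider
PHISH_ORIGIN = "https://login-bank.example"  # attacker's look-alike page
NOW = 1_600_000_000                          # fixed clock so the demo is deterministic


def hotp(secret, counter, digits=6):
    # RFC 4226 HOTP: the kind of code sent by SMS or shown in an authenticator app.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30):
    # RFC 6238 TOTP: HOTP over the current 30-second window.
    return hotp(secret, now // step)


class Authenticator:
    """User's security key, as driven by the browser. Credentials are scoped to a
    host (WebAuthn's rp_id) and the signature covers the origin the browser is on."""

    def __init__(self, creds):
        self.creds = creds  # host -> credential key

    def get_assertion(self, page_origin, challenge):
        # The browser, not the page, supplies the origin, and only allows the
        # page's own host as rp_id, so a phishing page cannot name the real site.
        key = self.creds.get(page_origin.split("://", 1)[1])
        if key is None:
            return None  # no credential for this host, nothing to sign with
        sig = hmac.new(key, f"{challenge}|{page_origin}".encode(), hashlib.sha256).hexdigest()
        return {"challenge": challenge, "origin": page_origin, "sig": sig}


class IdentityProvider:
    """The real service: password plus either a TOTP seed or an origin-bound credential."""

    def __init__(self, origin, password, totp_seed, cred_key):
        self.origin, self.password = origin, password
        self.totp_seed = totp_seed
        self.cred_key = cred_key  # an HMAC key stands in for the credential's public key
        self.pending = set()      # outstanding challenges, single use

    def login_with_code(self, password, code, now):
        return (hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.totp_seed, now)))

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def login_with_assertion(self, password, assertion):
        if not hmac.compare_digest(password, self.password):
            return False
        if assertion["challenge"] not in self.pending:
            return False
        self.pending.discard(assertion["challenge"])
        if assertion["origin"] != self.origin:
            return False  # signed data names some other origin: reject
        expected = hmac.new(self.cred_key,
                            f"{assertion['challenge']}|{assertion['origin']}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(assertion["sig"], expected)


def run_demo():
    """Runs the relay against both factor types; returns which logins succeeded."""
    password, seed, cred_key = "correct horse", b"constructed-totp-seed", b"constructed-cred-key"
    idp = IdentityProvider(REAL_ORIGIN, password, seed, cred_key)
    victim_key = Authenticator({REAL_ORIGIN.split("://", 1)[1]: cred_key})
    results = {}

    # 1. Code-based factor: the victim types password and code into the phishing
    #    page; the attacker submits both to the real IdP seconds later, same window.
    captured_pw, captured_code = password, totp(seed, NOW)
    results["code_relay"] = idp.login_with_code(captured_pw, captured_code, NOW + 5)

    # 2. Origin-bound factor: the attacker starts a real login to get a challenge and
    #    feeds it to the victim's browser, but that browser is on the phishing origin.
    assertion = victim_key.get_assertion(PHISH_ORIGIN, idp.new_challenge())
    results["assertion_relay"] = (assertion is not None
                                  and idp.login_with_assertion(captured_pw, assertion))

    # 3. The legitimate user on the real origin still gets in.
    assertion = victim_key.get_assertion(REAL_ORIGIN, idp.new_challenge())
    results["legitimate"] = idp.login_with_assertion(password, assertion)
    return results
```

`run_demo()` returns `code_relay` true and `assertion_relay` false: the relayed six-digit code is just as valid for the attacker as for the user, while the origin-bound assertion is either never produced (no credential for the phishing host) or, if it were, would carry the wrong origin and be rejected. Nothing in the code-based path lets the real service tell the two sessions apart, which is the page's point.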

In September, an attack combining social engineering with the exploitation of authentication protocols exposed the personal information of more than 46,000 veterans held by the Department of Veterans Affairs, prompting the VA to look at protections beyond MFA to improve its security posture.

Targeted malware like EventBot, an Android trojan, can read SMS messages straight off the device, invalidating any MFA delivered by text message.

Or think about the Marriott breach disclosed in 2018, which exposed the data of millions of customers. Marriott relied solely on MFA to protect cardholder data, but it wasn't applied consistently or across the entire network, so the attackers walked in through the gaps.

MFA helps. But it isn't perfect. That's why we've built a new MFA anomalies engine, which flags login operations that reached the MFA stage and failed there, a strong sign that the password is already in an attacker's hands.
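One way to implement the kind of check such an engine performs, as an added Python example; this is not Avanan's engine or its log format, and the events, field names, IP addresses and thresholds are all constructed for the example. The signal is a login that passed the password check but failed at the MFA stage, which is what a phished or SIM-swap-ready password looks like before the attacker has beaten the second factor.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sign-in events for the example; not any product's real log format.
SAMPLE_LOG = """
{"ts": "2020-11-10T08:01:12Z", "user": "alice@corp.example", "ip": "203.0.113.7",   "password_ok": true,  "mfa": "success"}
{"ts": "2020-11-10T08:03:40Z", "user": "bob@corp.example",   "ip": "198.51.100.23", "password_ok": true,  "mfa": "failed"}
{"ts": "2020-11-10T08:04:05Z", "user": "bob@corp.example",   "ip": "198.51.100.23", "password_ok": true,  "mfa": "failed"}
{"ts": "2020-11-10T08:04:31Z", "user": "bob@corp.example",   "ip": "198.51.100.23", "password_ok": true,  "mfa": "timeout"}
{"ts": "2020-11-10T08:05:02Z", "user": "bob@corp.example",   "ip": "198.51.100.23", "password_ok": true,  "mfa": "failed"}
{"ts": "2020-11-10T09:10:00Z", "user": "carol@corp.example", "ip": "203.0.113.9",   "password_ok": true,  "mfa": "failed"}
{"ts": "2020-11-10T09:10:30Z", "user": "carol@corp.example", "ip": "203.0.113.9",   "password_ok": true,  "mfa": "success"}
{"ts": "2020-11-10T11:42:10Z", "user": "dave@corp.example",  "ip": "198.51.100.77", "password_ok": false, "mfa": "not_reached"}
{"ts": "2020-11-10T11:42:15Z", "user": "dave@corp.example",  "ip": "198.51.100.77", "password_ok": false, "mfa": "not_reached"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_anomalies(events, max_failures=3, window_seconds=600):
    """Flag users whose password was accepted but whose MFA step then failed.
    Two signals: failures from an IP that has never completed MFA for that user,
    and a burst of max_failures or more failures inside window_seconds."""
    known_good = defaultdict(set)   # user -> IPs that have completed MFA
    failures = defaultdict(list)    # user -> events that reached MFA and failed
    for e in events:
        if not e["password_ok"]:
            continue  # wrong password never reaches MFA: a brute-force signal, not this one
        if e["mfa"] == "success":
            known_good[e["user"]].add(e["ip"])
        else:
            failures[e["user"]].append(e)

    alerts = []
    for user, evs in sorted(failures.items()):
        reasons = []
        unknown = sorted({e["ip"] for e in evs} - known_good[user])
        if unknown:
            reasons.append("correct password, MFA failed from IP(s) never seen completing MFA: "
                           + ", ".join(unknown))
        times = sorted(parse_ts(e["ts"]) for e in evs)
        for i in range(len(times) - max_failures + 1):  # sliding window over sorted times
            if (times[i + max_failures - 1] - times[i]).total_seconds() <= window_seconds:
                reasons.append(f"{max_failures} or more MFA failures within {window_seconds}s")
                break
        if reasons:
            alerts.append({"user": user, "failures": len(evs), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_anomalies(parse_events(SAMPLE_LOG)):
        print(alert["user"], alert["failures"], *alert["reasons"], sep=" | ")
```

On the sample, only bob is flagged: four MFA failures in under two minutes from an address that has never completed MFA for him. carol's single mistyped code from her usual address, followed by a success, is not an alert, and dave's wrong-password attempts never reach the MFA stage and belong to a different detection.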

And it's why we implement state-of-the-art phishing and BEC defenses.

We talk a lot about defense in depth. About having layers of security. MFA is one layer.

But the best defenses require multiple layers. And that's where Avanan comes in.