An article written by Zak Doffman, Founder & CEO of Digital Barriers
Even though companies worldwide are struggling to protect systems and data from incessant waves of business email compromise attacks—with losses doubling year-on-year to $26 billion, the latest warning from the FBI still comes as a surprise. One of the primary defences against such cyber attacks is multi-factor authentication (MFA), the use of a secondary token or one-time code to assure the identity of staff. But the FBI has now warned that it “has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.”
Why is this a surprise? Because attacks on MFA are so rare. According to Microsoft, MFA blocks a staggering 99.9% of enterprise account hacks. “MFA is the least you can do if you are at all serious about protecting your accounts,” the company advises. “The rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.” Despite this, the use of MFA is still worryingly uncommon: Microsoft sees “less than 10% of users per month” using MFA on their enterprise accounts. And so a warning that cautions in any way against the security of MFA is unexpected.
But according to the FBI, this use of secondary tokens or one-time codes to back up usernames and passwords still isn’t enough. Unless companies employ “biometrics or behavioral information—such as time of day, geolocation, or IP address,” there is a risk that an attacker can either trick a user into disclosing a multi-factor authentication code or use technical interception to obtain one for themselves.
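As an added example that is not part of the original article or the FBI notice, the following Python policy applies the behavioural signals the FBI names (time of day, geolocation, IP address) to a sign-in that already carries a correct one-time code, and steps up to a stronger factor or refuses when the code arrives from an unfamiliar context; the user baseline, thresholds and sample sign-ins are constructed assumptions.

```python
# Added illustration, not code from the article or the FBI notice. The baseline,
# thresholds and sample sign-ins are constructed for this example.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple
import ipaddress

@dataclass
class UserBaseline:
    usual_countries: Set[str]
    usual_hours: range                          # local hours the user normally signs in
    known_networks: List[ipaddress.IPv4Network]

@dataclass
class LoginAttempt:
    otp_valid: bool                             # the one-time code itself checked out
    when: datetime
    country: Optional[str]                      # None: geolocation lookup unavailable
    ip: str

def risk_score(a: LoginAttempt, b: UserBaseline) -> Tuple[int, List[str]]:
    """Each behavioural signal that deviates from the user's baseline adds to the score."""
    score, reasons = 0, []
    if a.when.hour not in b.usual_hours:
        score += 1; reasons.append("unusual time of day")
    if a.country is None:                       # a missing signal counts as mildly suspicious
        score += 1; reasons.append("geolocation unavailable")
    elif a.country not in b.usual_countries:
        score += 2; reasons.append("unusual country")
    if not any(ipaddress.ip_address(a.ip) in net for net in b.known_networks):
        score += 1; reasons.append("unknown IP address")
    return score, reasons

def decide(a: LoginAttempt, b: UserBaseline) -> Tuple[str, List[str]]:
    """ALLOW: the OTP suffices. STEP_UP: require a phishing-resistant factor such as
    a biometric or hardware key before trusting the session. DENY: refuse outright."""
    if not a.otp_valid:
        return "DENY", ["one-time code invalid"]
    score, reasons = risk_score(a, b)
    if score >= 4:
        return "DENY", reasons
    if score >= 2:                              # a correct code relayed from the wrong context is not trusted alone
        return "STEP_UP", reasons
    return "ALLOW", reasons

# Constructed baseline: office hours, from a known office network, in one country.
BASELINE = UserBaseline({"RO"}, range(8, 19), [ipaddress.ip_network("203.0.113.0/24")])
NORMAL = LoginAttempt(True, datetime(2019, 10, 7, 10, 0), "RO", "203.0.113.7")
RELAYED = LoginAttempt(True, datetime(2019, 10, 7, 10, 0), "US", "198.51.100.9")  # valid OTP, wrong context
NO_GEO = LoginAttempt(True, datetime(2019, 10, 7, 3, 0), None, "203.0.113.7")
COLD = LoginAttempt(True, datetime(2019, 10, 7, 3, 0), "US", "198.51.100.9")
```

The RELAYED case is the one the notice worries about: the code is genuine, so a policy that checks only the code would let it through, while the context signals push it to a step-up.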
And it’s this accelerating sophistication of employee manipulation, so-called social engineering, that’s prompted the warning. In September, Proofpoint offered a stark warning that social engineering is getting out of hand, as criminals exploit “human interaction rather than automated exploits to install malware, initiate fraudulent transactions, steal data, and engage in other malicious activities.”
According to the research, 99% of cyberattacks now rely on a person taking an action—clicking a link, opening an attachment, falling for a scam. “The instincts of curiosity and trust,” Proofpoint says, “lead well-intentioned people to click, download, install, open, and send money or data—instead of attacking systems and infrastructure, threat actors focused on people, their roles within an organization, the data to which they had access, and their likelihood to ‘click here’.”
In its Private Industry Notification (PIN), the FBI offered examples of tools and techniques used to defeat MFA, including web hacks, cyberattack tools—like Muraena and NecroBrowser—and straightforward SIM swapping. An issue with MFA, it seems, is that it is a misleading comfort for the institution itself: once MFA is established, a user is likely to be afforded more privileges than would be the case without it.
While the risks remain rare, the argument runs that a growing reliance on MFA will lead to growing attacks on MFA, and that has implications for millions of us as we become reliant on a (vulnerable) secondary form of verification. Nowhere is this more the case than with mobile phone numbers used to verify individuals—the recent hijack of Twitter CEO Jack Dorsey’s account did more to publicise the weaknesses with such verification than any number of other warnings.
The best advice to companies, over and above an increasing level of user training, is to deploy biometrics to assure user identities. That is not entirely risk free—but it’s close enough. And if the capture and storage of biometric information, and the architecture within which it’s deployed are first tier and secure, then it’s as good as it gets.
“Multi-factor authentication,” the FBI says, “continues to be a strong and effective security measure to protect online accounts.” In other words, companies should still deploy this second layer of defence wherever possible. But those companies should also “take precautions to ensure they do not fall victim to these attacks.” In other words, not all multi-factor authentication solutions are the same and the use of such defences does not mitigate the need for user training.
In the meantime, despite this latest warning, given that MFA blocks nearly all attacks, and anything over and above a simple username and password deters all but the most determined and capable of attackers, you should use it wherever possible.
About the author
Zak Doffman is the Founder/CEO of Digital Barriers—a company providing advanced surveillance tech to the defence, national security, counter-terrorism and critical infrastructure sectors. I write about the intersection of geopolitics and cybersecurity, as well as breaking security and surveillance stories.