Cyber-attacks against MFA: how to protect yourself from them
In 2018, businesses and organisations around the world were the targets of over 2 million cyber-attacks. According to a survey conducted by the Online Trust Alliance, an organisation that promotes good practices in Internet security and privacy, the cost of a single attack can reach over $45 billion(1).
These two figures spotlight the major security challenge facing public and private players in the digital ecosystem. In Europe, the GDPR organises defence around binding regulations on behaviour, data security and information duties in the event of an attack. In the United States, the FBI closely monitors the strategies developed by hackers and their targets, and has just sent an alert to all US economic players. This Private Industry Notification points out that multifactor authentication (MFA) solutions, the main defence against cyber-attacks, are now themselves the target of attacks.
As an authentication specialist, we see this alert as confirming values we have brought to the market for many years. inWebo strongly believes that the existence of a second, or even a third, authentication factor is not enough in itself: the factors used must themselves be truly secure. Let's see how this is reflected in the FBI's findings.
Attacks identified by the FBI and the solutions recommended to counter them
The FBI alert gives five examples of recent cyber attacks and the authentication process involved.
The following is a summary of the 5 cases (type of attack, followed by the type of protection that was in place):
1. 2019 – an American banking institution: login/password + 2nd factor with PIN and security question
2. 2016 – clients of a US banking institution: login/password + 2nd factor with code received by SMS
3. 2018/2019 – findings of the Internet Crime Complaint Center (IC3): login/password + 2nd factor with code received by SMS
4. February 2019 – cyber security expert demonstration at RSA Conference: type of protection not listed in the source table
5. June 2019 – demonstration at the Hack-in-the-Box conference: type of protection not listed in the source table
In all these cases, we observe that the bypassing of the security mechanisms or of MFA (multifactor authentication) is made possible either by the way these mechanisms were implemented (case 1), by the now well-known weaknesses of SMS (cases 2 and 3), or by phishing, MITM (man-in-the-middle) and account-theft techniques (cases 4 and 5). In the latter cases, the weakest link is first and foremost the user.
As diverse as these attacks may be, their analysis reveals that not all MFA solutions are equal and that many of those currently deployed do not protect against these different attacks. Moreover, cyber security experts are unanimous: these attacks are rising sharply.
It is now accepted that authentication, even when reinforced by an SMS OTP, is doomed because it is so easily bypassed. In the United States, NIST has advocated its deprecation since 2016, as has, more recently in Europe, PSD2 in the payments sector. But most other, more sophisticated solutions also remain vulnerable to phishing / MITM / reverse-proxy attacks.
What exactly is the problem?
Phishing-type attacks, like man-in-the-middle, involve misleading the user into entering his login information in an environment that the attacker controls, in order to steal his identification data.
Whether software or hardware, all solutions that require the user to re-enter a previously generated OTP are particularly vulnerable to phishing or MITM attacks, because the OTP is valid wherever it is typed. In particular, those that offer only a second factor, typically in a two-step verification (2SV) scenario, inevitably expose the user IDs entered in the first step.
To date, only two types of MFA solutions offer protection against phishing and MITM attacks: token-based FIDO U2F and inWebo. However, FIDO solutions are based on hardware tokens, which poses availability problems, and are not currently compatible with the Apple environment.
Why and how the inWebo solution helps to fight against the main cyber-attacks on MFA
inWebo was the first player to provide protection against phishing by consistently verifying, in accordance with the Zero Trust principle, the legitimacy of the calling page, ensuring that the user is not diverted into entering his credentials and/or his second authentication factor (usually the OTP) on a compromised site.
With inWebo, the user cannot be asked to enter a PIN code on any authentication page other than the legitimate one. This approach has a double advantage: the user's PIN cannot be "phished" and no OTP is generated for the user to re-enter. There is therefore nothing for an attacker to intercept and reuse.
In addition, our solution is natively multi-factor, whereas other solutions only provide a second factor and therefore enrol the user in a so-called two-step verification scenario (2SV). As a reminder, in a 2SV scenario the user first provides his usual login/password and then, in a second step, proof of something he owns (an OTP generated by a device or software, a smart card, etc.).
inWebo allows you to carry out multi-factor authentication in a single step. This is a crucial requirement that makes it possible to optimise not only the authentication process but also the user experience, while protecting the user's credentials. Thus, for inWebo customers, the combination of very high security and a seamless user experience is a reality.
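The two passages above (re-entered OTPs being relayable, and a factor that is bound to the legitimate page being unusable elsewhere) can be illustrated with a small simulation. This is an added example, not inWebo's or FIDO's code: it assumes two constructed origins, uses a shared HMAC key in place of a real per-site key pair, and models a reverse-proxy phishing page as one that obtains a genuine challenge from the legitimate server and relays the user's answer.

```python
import hashlib
import hmac
import secrets

# Constructed sample origins for the simulation (not real sites).
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"

# One shared per-device secret stands in for a registered authenticator.
# Real FIDO U2F uses a per-site asymmetric key pair; HMAC keeps this short.
DEVICE_KEY = secrets.token_bytes(32)


def respond_otp(key: bytes, challenge: str) -> str:
    """Re-typed OTP: depends only on the challenge, so whoever collects it
    (the real site or a relaying proxy) can forward it unchanged."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def respond_bound(key: bytes, challenge: str, origin_seen: str) -> str:
    """Origin-bound response: the client mixes in the origin of the page it is
    actually talking to, the way a U2F token signs the origin that invoked it."""
    msg = f"{origin_seen}|{challenge}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_otp(key: bytes, challenge: str, otp: str) -> bool:
    return hmac.compare_digest(respond_otp(key, challenge), otp)


def verify_bound(key: bytes, challenge: str, response: str) -> bool:
    # The server only ever accepts responses computed for its own origin.
    expected = respond_bound(key, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, response)


def login(scheme: str, page_origin: str) -> bool:
    """Run one login on a page with the given origin. When page_origin is the
    phishing origin, that page is a reverse proxy: it fetches a genuine
    challenge from the legitimate server and relays the user's answer to it."""
    challenge = secrets.token_hex(16)  # issued by the legitimate server
    if scheme == "otp":
        otp = respond_otp(DEVICE_KEY, challenge)  # typed by the user on page_origin
        return verify_otp(DEVICE_KEY, challenge, otp)
    response = respond_bound(DEVICE_KEY, challenge, page_origin)
    return verify_bound(DEVICE_KEY, challenge, response)
```

With the OTP scheme the relayed code is accepted from the phishing origin; with the origin-bound scheme the same relay is rejected because the response was computed for the wrong page.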
The FBI’s memo is a timely reminder, in a context of strong pressure to generalise multi-factor authentication to all players in the digital world, that MFA covers very different technologies, offering varying levels of security.
The US federal agency is in fact alerting us to a fundamental point: to effectively guarantee the security of its internal tools and/or its general public applications, an organisation does better to choose a specialist whose solution has proven its solidity through its longevity on the market, its installed customer base, the multiple audits it has successfully passed and the certifications it has obtained. Especially since, contrary to what the FBI indicates, this choice is not made at the expense of the user experience. With passwordless authentication and the automatic recognition of the OTP without manual re-entry, we can even speak of a major improvement in the user experience, encouraging the rapid adoption of this technology by the general public.