Your Multifactor Authentication Is Not Phishing-Resistant

CISA released two fact sheets to highlight threats against accounts and systems using certain forms of multifactor authentication (MFA).

by Gwendal Smith
November 9, 2022
in Articles, Cyber Attacks, Cybersecurity, Risk Management, Vulnerability & Weakness

Recently, threat actors leveraged MFA fatigue to breach Uber, Microsoft and Cisco. The cybercrime gang Lapsus$ is particularly fond of this technique.

The Cybersecurity and Infrastructure Security Agency (CISA) has published two fact sheets that describe the dangers of accounts and systems that use multi-factor authentication (MFA) in certain ways. CISA recommends that all organizations use phishing-resistant multi-factor authentication to prevent cyberattacks such as phishing.

If an organization that uses mobile push-notification-based multi-factor authentication is unable to provide phishing-resistant multi-factor authentication, CISA suggests using number matching as an alternative. Although number matching is not as secure as phishing-resistant multi-factor authentication, it is a good option for organizations that cannot immediately implement phishing-resistant multi-factor authentication.

The risks of using Multifactor Authentication

A cyber threat actor who has obtained a user’s password can enter it into an identity platform that uses mobile push-notification-based MFA and generate hundreds of prompts on the user’s device over a short period of time. This irritates the user, who might accept a prompt, by accident or out of MFA fatigue, just to make the prompts stop. The user may also be confused by the prompts and come to believe that one of them is genuine, and approve it. As a consequence, the user unintentionally grants the cyber threat actor access to their account.

Threat actors have employed multiple tactics to obtain MFA credentials:
  • Push bombing (or Push fatigue): Threat actors bombard users with push notifications until they press the “Accept” button, gaining access to the network.
  • SS7 protocol vulnerabilities: It is possible for cyber attackers to obtain mobile multifactor authentication (MFA) codes via SMS or voice to a phone by exploiting the SS7 protocol used in telecommunications networks.
  • SIM Swap: An attacker can gain control over a victim’s mobile device by persuading a mobile provider to switch the victim’s phone number to a SIM card controlled by the attacker.
  • Phishing: Cyber threat actors use email or malicious websites to deceive victims into giving up sensitive information. Phishing, for example, is a social engineering tactic where a malicious website impersonating a company’s official login portal is used to fool a target into giving up their username, password, and mobile phone’s 6-digit authenticator code.
CISA suggests that if an organization that employs mobile push-notification-based MFA cannot implement phishing-resistant MFA, MFA fatigue can be prevented by enabling “number matching” in the MFA configuration. With number matching, the user must enter the number displayed by the identity platform into their authenticator app to approve an authentication request, so a prompt cannot be approved blindly.

Secure MFA Implementation

The WebAuthn protocol, developed by the FIDO Alliance as part of the FIDO2 standards and now maintained by the World Wide Web Consortium (W3C), is the only widely available phishing-resistant authentication. Major browsers, operating systems, and smartphones all support WebAuthn. FIDO authentication can combine the FIDO device with other types of factors, such as biometrics or PIN codes. FIDO2-compliant tokens are available from several vendors.
PKI-based MFA is a less prevalent type of phishing-resistant MFA that is used by enterprises to authenticate users to their computers. A PKI-based MFA method using smart cards is a common form of PKI-based MFA used by government agencies to authenticate users. PKI-based MFA offers strong security and is well-suited for large and complex organizations. However, implementing PKI-based MFA requires extensive identity management capabilities. PKI-based MFA is not as widely supported by common services and infrastructure, especially when SSO technologies are unavailable. PKI-based MFA utilizes a security chip on a smart card to store the user’s credentials, and the card must be directly connected to the device in order for the user to log in (with the correct password or PIN).

Advice on deploying Multifactor Authentication

Organizations frequently encounter issues when they begin to deploy phishing-resistant MFA. IT decision-makers should consider several factors to reduce the obstacles to MFA deployment:
  • No phishing-resistant multi-factor authentication: The vendor may not have prioritised the development of phishing-resistant MFA or the product may no longer be supported. Organisations should then start with the services that do provide phishing-resistant MFA, such as most hosted mail and SSO systems that support FIDO. FIDO is a good starting point because data is valuable and the vendors are likely to support it.
  • Try to deploy all at once: Due to operational considerations, the organization might not be able to roll out phishing-resistant MFA to all groups at the same time or train, enroll, and support all users. Which groups might be suitable for an initial phase, such as help desk and IT system administrators? Lessons can be learned from previous phases and applied in later phases.
  • User resistance to change: The IT security team should present the dangers associated with using or maintaining potentially vulnerable MFA to the company’s senior leadership for approval. If senior management believes that using phishing-resistant MFA is too risky, they are best positioned to handle cultural and communications issues.

The key to success when deploying MFA in an organization is to prioritize implementation for the resources the organization really wants to protect. This requires good knowledge of its infrastructure and appropriate risk management.

Tags: Best Practices, Crown Jewels, MFA, Phishing, Preventive Security, Security Baseline, Security Posture, Sim Swap, Social Engineering

"Conquer Your Risk" is a corporate blog for Cybersecurity and Risk Management executives and specialists, sharing XRATOR experts' views on Cybersecurity, Threat Intelligence, Risk Management and Cyber Insurance.
XRATOR® – copyright 2020-2021