Organizations have big expectations for multi-factor authentication (MFA). We regularly hear from customers that they believe bots can’t complete account takeover attacks in their environment. The same story comes up again and again: bots can try, but the attacks will fail because we have MFA.
Let’s first take a look at MFA. KnowBe4, a security awareness training company, has gone as far as to say that no MFA solution is unhackable. Visit their website and you’ll find an in-depth review of MFA, including how to hack it. Leading the charge is Kevin Mitnick, KnowBe4’s Chief Hacking Officer, who is currently writing a book on the topic and has documented close to 50 ways to defeat MFA.
As a digital authentication solution, MFA judges the legitimacy of a user through three common factors:
- Something you know (password, mother’s maiden name, etc.)
- Something you have (hardware dongle, USB token, phone, etc.)
- Something you are (fingerprint, facial recognition, etc.)
In practice, MFA is often deployed in its least secure form. A common example is sending a plain numeric one-time code by SMS to the user’s phone. That code travels over the cellular network and can be intercepted or relayed by an attacker who sits between the user and the service and reads or modifies the traffic between them (a man-in-the-middle attack), whether through weaknesses in the cellular network itself or through a real-time phishing page that prompts the victim for the code and forwards it to the legitimate site. In that case the password check succeeds, a code is sent, and the attacker rather than the legitimate user is the one who gets to use it.
Exploiting the usual weaknesses of the cellular network isn’t the only way to bypass authentication. Recent reports detail a myriad of creative MFA defeats. One notable account was phishers bypassing Microsoft Office 365 MFA via rogue applications. Third-party applications access Office 365 data on a user’s behalf through Microsoft Graph authorizations, which begin with the application obtaining an access token from the Microsoft identity platform.
According to Cofense researchers, “This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.” The attacker never has to learn the victim’s password; the victim’s own legitimate sign-in, MFA prompt included, is what authorizes the rogue application. What the attacker receives is a token scoped to whatever permissions the victim consented to, which is typically enough to read and send mail on the victim’s behalf, and if a refresh token was granted it keeps working until the consent is revoked.
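The practical defender’s question is how to tell a consent-phishing link apart from a legitimate app sign-in before a user clicks it. The script below is an added example written for this post, not code from Cofense or Microsoft: it parses a Microsoft identity platform authorize URL and scores it on the signals that matter in the rogue-app scenario (an app ID your tenant has not vetted, durable or mailbox-wide delegated scopes such as offline_access and Mail.Read, a redirect_uri on a third-party host, and prompt=consent). The allow-list, the scope weights, the verdict thresholds and both sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Delegated Graph permissions that give an app durable or broad mailbox/file access.
# The weights are illustrative; tune them to your tenant's policy.
HIGH_RISK_SCOPES = {
    "offline_access": 2,             # refresh token: access outlives the session
    "mail.read": 1, "mail.readwrite": 1, "mail.send": 1,
    "mailboxsettings.readwrite": 1,  # e.g. silently adding forwarding rules
    "files.read.all": 1, "files.readwrite.all": 1,
    "contacts.read": 1,
}

# Hypothetical allow-list of app (client) IDs your tenant has vetted.
APPROVED_CLIENT_IDS = {"11111111-2222-3333-4444-555555555555"}

MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}


def analyze_consent_url(url):
    """Score a Microsoft identity platform authorize URL found in a suspected phish.

    Returns (score, findings). A score of 0 with a single finding means the URL
    is not an authorize request at all.
    """
    parsed = urlparse(url)
    if (parsed.hostname not in MICROSOFT_LOGIN_HOSTS
            or not parsed.path.rstrip("/").endswith("/authorize")):
        return 0, ["not a Microsoft identity platform authorize URL"]

    params = {k.lower(): v[0] for k, v in parse_qs(parsed.query).items()}
    score, findings = 0, []

    client_id = params.get("client_id", "")
    if client_id not in APPROVED_CLIENT_IDS:
        score += 2
        findings.append("unapproved client_id %s" % (client_id or "<missing>"))

    # Scopes may be bare ("Mail.Read") or fully qualified
    # ("https://graph.microsoft.com/Mail.Read"); normalise to the short form.
    for scope in params.get("scope", "").split():
        short = scope.rsplit("/", 1)[-1].lower()
        weight = HIGH_RISK_SCOPES.get(short, 0)
        if weight:
            score += weight
            findings.append("high-risk scope %s" % scope)

    # The authorization code (and so the token) is delivered to redirect_uri.
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname
    if redirect_host and redirect_host not in MICROSOFT_LOGIN_HOSTS and redirect_host != "localhost":
        score += 1
        findings.append("authorization code delivered to third-party host %s" % redirect_host)

    if params.get("prompt", "").lower() == "consent":
        score += 1
        findings.append("prompt=consent forces the consent dialog even if already granted")

    return score, findings


def verdict(score):
    """Map a score to a triage action; thresholds are illustrative."""
    if score >= 5:
        return "block"
    if score >= 3:
        return "review"
    return "allow"


# Constructed sample URLs (not taken from any real campaign).
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee&response_type=code"
    "&redirect_uri=https%3A%2F%2Fmail-sync.example%2Fcallback"
    "&scope=openid%20profile%20offline_access%20Mail.Read%20Mail.Send"
    "&prompt=consent"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb"
    "&scope=openid%20profile%20User.Read"
)

if __name__ == "__main__":
    for url in (PHISH_URL, BENIGN_URL):
        score, findings = analyze_consent_url(url)
        print(verdict(score), score, findings)
```

Note that nothing in the scoring depends on the victim’s password or MFA state: the whole point of the technique is that the sign-in is genuine, so the only place to intervene is the consent request itself (or, after the fact, tenant-wide review of granted consents).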
Account Takeover Still on the Rise
MFA really isn’t all bad. It is widely agreed that MFA reduces account takeover. The problem is that account takeover is still on the rise because it is big business for criminals, especially when they combine bots, breached credential data and the turnkey tools widely available on the dark web.
Account takeover almost always begins with credential stuffing. Bots make this easy for fraudsters by rapidly replaying countless username/password pairs from breached data against the first step of authentication. The response to each attempt also tells the attacker something: an account that answers a correct password with an MFA challenge is confirmed as valid, and the type of challenge hints at how best to defeat it. By automating the process, account takeover can be completed at scale for greater gain.
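What that looks like from the defender’s side of the log is shown in the following added example (written for this post, not BotRx or NuData code). It runs a simple credential-stuffing detector over a constructed login log: one source IP trying many different usernames in a short window is the stuffing signature, as opposed to one user retrying their own password. For each flagged source it also separates the accounts whose password turned out to be valid into those with no MFA (already compromised) and those where MFA was the only remaining barrier, which is exactly the map of targets the attacker has just built. The log format, the IPs, usernames and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events, not real data.
# Fields: timestamp, source IP, username, outcome.
# outcome: fail = wrong password; mfa = password accepted, MFA challenge sent; ok = full login.
SAMPLE_LOG = """\
2020-05-01T10:00:01 198.51.100.7 alice fail
2020-05-01T10:00:14 198.51.100.7 alice fail
2020-05-01T10:00:30 198.51.100.7 alice ok
2020-05-01T10:00:05 203.0.113.5 alice fail
2020-05-01T10:00:06 203.0.113.5 bob mfa
2020-05-01T10:00:07 203.0.113.5 carol ok
2020-05-01T10:00:08 203.0.113.5 dave fail
2020-05-01T10:00:09 203.0.113.5 erin fail
2020-05-01T10:00:10 203.0.113.5 frank fail
2020-05-01T10:00:11 203.0.113.5 grace fail
2020-05-01T10:00:12 203.0.113.5 heidi fail
2020-05-01T10:00:13 203.0.113.5 ivan fail
2020-05-01T10:00:14 203.0.113.5 judy fail
2020-05-01T10:02:00 192.0.2.9 dave ok
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=8, min_distinct_ratio=0.8):
    """Flag source IPs that try many *different* usernames in a short window.

    A single user retrying their own password has a distinct-user ratio near 0;
    a credential-stuffing bot replaying a breach list has a ratio near 1.
    For each flagged IP, also report which accounts answered with a valid
    password, split by whether an MFA challenge stood in the way.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            if len(win) < min_attempts or len(users) / len(win) < min_distinct_ratio:
                continue
            if ip in alerts and alerts[ip]["attempts"] >= len(win):
                continue  # keep the largest qualifying window per IP
            alerts[ip] = {
                "attempts": len(win),
                "distinct_users": len(users),
                # password valid, no MFA: the attacker is already in
                "compromised": sorted(e[2] for e in win if e[3] == "ok"),
                # password valid, MFA challenged: MFA is now the only barrier
                "mfa_only_barrier": sorted(e[2] for e in win if e[3] == "mfa"),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the sample, 198.51.100.7 (one user, three tries) is left alone while 203.0.113.5 is flagged with ten attempts across ten accounts, one account fully compromised and one reduced to an MFA-only barrier. Real stuffing campaigns spread attempts across many IPs to stay under per-IP thresholds, which is why the velocity signal alone is not enough and the post moves on to evaluating the user rather than the request.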
According to NuData, 65% of a company’s accounts are targeted at least once every month. As account takeover attacks grow stronger, companies need to assess whether asking the “user” to authenticate is the right approach. If fraudsters are building scripts to get past these challenges, defenders should consider adding security measures that evaluate the user without challenging them, such as passive biometrics. That way bots aren’t handed an authentication puzzle to solve; they are judged on their legitimacy silently, so they cannot adjust their tactics to get past the protections.
Passive Biometrics: Stronger Security on Websites and Mobile Applications
As humans navigating the online world, we leave little clues of our humanness. On computers we produce keystroke timings and mouse movements. On smartphones we zoom, apply different pressures to the screen, and carry built-in sensors such as accelerometers. Stitched together, these passive biometric signals form user profiles that allow security providers to distinguish bots from humans.
As bots evolve at breakneck speed to mimic human behaviors and gather breached credentials, organizations should expect more account takeover attacks. This is why it will be key to continually add parameters and layers to the analysis process to suss out illegitimate behavior.
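To make the keystroke part of that concrete, here is an added example (written for this post; it is a simplified illustration, not NuData’s or BotRx’s scoring) of the two features every keystroke-dynamics system starts from: dwell time (how long a key is held) and flight time (the gap between releasing one key and pressing the next). A person typing a password produces irregular values; a naive script driving a browser with a fixed delay produces values with no variance at all, and a script with no delay produces gaps no hand can manage. Both event sequences are constructed, and the thresholds are illustrative.

```python
import statistics

# Constructed key events (key, press_ms, release_ms) for typing "password".
# Not real telemetry: the "human" timings are hand-made to be irregular, the
# "bot" timings are what a naive automation script with a fixed delay produces.
HUMAN_EVENTS = [
    ("p", 0, 95), ("a", 210, 280), ("s", 350, 460), ("s", 530, 615),
    ("w", 790, 850), ("o", 940, 1040), ("r", 1220, 1295), ("d", 1380, 1500),
]
BOT_EVENTS = [
    ("p", 0, 50), ("a", 100, 150), ("s", 200, 250), ("s", 300, 350),
    ("w", 400, 450), ("o", 500, 550), ("r", 600, 650), ("d", 700, 750),
]


def _cv(values):
    """Coefficient of variation: spread relative to the mean (0 = perfectly regular)."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def keystroke_features(events):
    dwell = [release - press for _, press, release in events]                    # hold time per key
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]  # release-to-next-press gap
    return {
        "dwell_cv": _cv(dwell),
        "flight_cv": _cv(flight),
        "min_flight_ms": min(flight),
    }


def looks_automated(events, cv_threshold=0.05, min_flight_ms=20):
    """Return (is_bot, reasons, features). Thresholds are illustrative, not tuned."""
    f = keystroke_features(events)
    reasons = []
    if f["dwell_cv"] < cv_threshold:
        reasons.append("dwell times too uniform")
    if f["flight_cv"] < cv_threshold:
        reasons.append("flight times too uniform")
    if f["min_flight_ms"] < min_flight_ms:
        reasons.append("inter-key gap faster than a human")
    return bool(reasons), reasons, f


if __name__ == "__main__":
    for name, evs in (("human", HUMAN_EVENTS), ("bot", BOT_EVENTS)):
        print(name, looks_automated(evs))
```

A bot author who reads this can of course add jitter, which is the arms race the paragraph above describes: a production system compares the timings against the account’s own historical profile and combines them with mouse, touch and sensor signals rather than relying on any single feature.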
Even if bots are able to defeat MFA, continuously authenticating the user throughout the full session allows organizations to prevent fraud after the log-in phase as well. At BotRx, we use Moving Target Defense not only to fingerprint bad bots, but to stop them by dynamically transforming the attack surface before they can infiltrate your website and mobile apps to conduct fraud. To learn more, read our blog Turning the Tables on Bots With Moving Target Defense.