Even With Common 2FA/MFA Services, You're Not As Safe As You Think.
Sarah is a Senior Security & Network Administrator for InsurYu Inc., a multinational insurance company. She has been working at InsurYu for the last 3 years, steadily rising through the ranks and earning a respectable reputation as a strong cybersecurity leader. She has just been assigned a new task: lead a team to integrate and onboard all 1200 InsurYu employees onto a new Multi-Factor Authentication (MFA) service. InsurYu's security and architecture teams have spent the past several months evaluating a variety of solutions, weighing their attributes, scalability and reputations, and it has now come down to one vendor that fits the bill. Or so it seems.
As part of the integration and setup of the MFA provider's Identity and Access Management (IAM) solution, Sarah and her team are required to onboard all 1200 InsurYu employees to the new service. To do so, they must register the first and last names, corporate email addresses and mobile phone numbers of every employee directly with the MFA service provider. This registered information lets the provider identify each user by name and deliver the authentication method each end-user has elected. Authentication methods can include SMS text messages containing One-Time Passcodes (OTPs), emails containing OTPs, OTPs generated in an MFA app (so-called "soft tokens"), Voice Response (VR) phone calls that read an OTP to the end-user, or push notifications sent to the MFA provider's mobile app.

While going through this onboarding process, Sarah has a deeply unsettling feeling about handing over key PII, her own and that of all her fellow employees, to a 3rd-party service provider. As an astute security leader, she questions the security ethics of this required step in the authentication service. A few months after the MFA service is installed, Sarah reflects back and is still troubled by having handed over first and last names, corporate email addresses, personal mobile numbers and, in some cases, corporate-provisioned mobile numbers.
She asks herself: How is our PII, and that of the provider's other clients, being handled, stored, managed and accessed? What if a rogue employee inside the MFA company leaks the data or opens a backdoor for further attacks? Do all 3rd-party services used by the MFA company connect to it securely? What if the MFA company itself gets hacked and breached from the outside? Threat Actors would surely find this to be a jackpot: all that PII up for grabs!
It's true. Almost all Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) companies ask for registration details of your user base. This includes first and last names, corporate email addresses and mobile numbers; more recently it also includes captured biometric data such as facial-recognition templates or fingerprints. Sarah, and others like her, have every right to question the absurdity of expecting a 3rd-party service to be completely immune to Threat Actors and cyberattacks while it is also entrusted with protecting your network, your key data assets and your key PII.
Imagine one of your worst security nightmares coming true: your company has fallen victim to a data breach. Post-attack forensics identify a very well-orchestrated attack carried out in two levels. Level 1: an employee of your MFA service provider was hacked. A Threat Actor cleverly bypassed the provider's own MFA service by means of an SS7 attack, which allowed them to intercept an SMS text message containing the MFA OTP. The Threat Actor used a phished (stolen) set of login credentials belonging to the MFA employee to sign in to the provider's network, then applied the stolen OTP to gain undetected, unauthorized access. The Threat Actor spent some time surveying that network, its traffic and its critical applications, whereupon the data breach took place. All of your key corporate PII, first and last names, corporate emails and mobile numbers, was copied and stolen. Level 2: not only did the Threat Actor breach your MFA provider, taking your key corporate PII along with that of many other clients, but they then exploited some of your high-level corporate PII to gain unauthorized access to your own corporate network. From the MFA Admin Panel, the Threat Actor changed the mobile numbers and email addresses of some of your high-level (PAM-level) employees, which caused all of those users' authentications to be sent to the attacker instead. The Threat Actor surveyed your own network, traffic and critical applications and then breached your employee and customer databases, which contained first and last names, home addresses, dates of birth, credit card numbers, driver licenses and (for employees) payroll details.
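The pivot point in the Level 2 scenario above is a contact-factor change on a privileged account made from the provider's admin panel. As an added example (not code from the original piece or from any MFA vendor), the following detection flags such changes in an audit log: a phone or email factor update on a privileged user that was made by someone other than the user, or that is followed by a successful login within a short window. The log format, field names and sample events are constructed for this example.

```python
"""Flag MFA contact-factor changes on privileged accounts that look like takeover.
The JSON-lines audit format and field names below are assumptions for this example."""
from datetime import datetime, timedelta
import json

# Constructed list of privileged (PAM-level) identities; assumed, not from any vendor.
PRIVILEGED = {"cfo@insuryu.example", "it-admin@insuryu.example"}
WINDOW = timedelta(hours=24)  # how soon after a factor change a login is suspicious

# Constructed sample audit events: a benign self-service change by a normal user, then
# two admin-panel changes on a privileged user followed by an SMS-OTP login.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00", "event": "factor_update", "user": "bob@insuryu.example", "actor": "bob@insuryu.example", "field": "phone"}
{"ts": "2024-05-01T10:15:00", "event": "factor_update", "user": "cfo@insuryu.example", "actor": "helpdesk@mfa-vendor.example", "field": "phone"}
{"ts": "2024-05-01T10:20:00", "event": "factor_update", "user": "cfo@insuryu.example", "actor": "helpdesk@mfa-vendor.example", "field": "email"}
{"ts": "2024-05-01T11:02:00", "event": "auth_success", "user": "cfo@insuryu.example", "method": "sms_otp"}
{"ts": "2024-05-03T08:00:00", "event": "auth_success", "user": "bob@insuryu.example", "method": "push"}
"""

def parse(log_text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_factor_changes(events, privileged=PRIVILEGED, window=WINDOW):
    """Return one alert per factor_update on a privileged user where the change was
    made by someone other than the user, or a login for that user follows within window."""
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "factor_update" or e["user"] not in privileged:
            continue
        changed_by_other = e["actor"] != e["user"]
        logins_after = [f for f in events[i + 1:]
                        if f["event"] == "auth_success" and f["user"] == e["user"]
                        and f["ts"] - e["ts"] <= window]
        if changed_by_other or logins_after:
            alerts.append({"user": e["user"], "field": e["field"], "actor": e["actor"],
                           "changed_at": e["ts"].isoformat(),
                           "logins_after": len(logins_after)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_factor_changes(parse(SAMPLE_LOG)):
        print(alert)
```

In practice the same rule should also require out-of-band confirmation with the account owner before a changed factor is trusted for privileged logins.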
The purpose of using any form of 2FA/MFA service is ultimately to protect access to customer and/or employee accounts, profiles and services, networks and system applications, and thereby to safeguard PII. So while the goal is to prevent unauthorized access to PII and sensitive corporate data, leading authentication service providers ironically require the registration, storage and use of the very PII that needs protecting. In short, your employee information, such as first/last names, corporate emails and mobile phone numbers, resides on the servers and network domains of your 3rd-party service providers.
As you process that realization, it is important to process the following as well. Over the last decade we have seen countless cyberattacks in which Threat Actors have proven, time and time again, that no one is immune. Throughout the world, small businesses, large organizations, institutions of every type and even government agencies have all fallen victim to cyberattacks. Threat Actors have earned a fearsome reputation for breaking into any environment. The old adage "Where there's a will, there is a way" certainly holds true in the mind of a Threat Actor. If you accept the narrative thus far, you can appreciate why Sarah, in the first part of this piece, had very reasonable and sound doubts, concerns and suspicions about handing over valuable (key) employee PII that can then be compromised and exploited, under a rather absurd security model of protecting data by giving it away.
So, even with common 2FA/MFA services, are you and your data still really safe? We think not, and there is a good chance you might agree.