How Threat Actors Bypass Today's Authentication Services.
It’s a Tuesday evening and Darren, a Sr. Architect Systems Engineer for Globinational Inc., just got home from a long day at the office and a heavy, rainy drive home. He now steps into ‘Dad’ role as he helps out with dinner and getting his 2 young children ready for the evening ahead. While he’s occupied at home, a bad actor in an unknown location is attempting to log into the Acme Inc. network, via the company VPN, using Darren’s credentials!
The bad actor enters the stolen username and password but is challenged with a step-up authentication request from a multi-factor authentication (MFA) service. The bad actor sees that one of the MFA options is to authenticate via an SMS text message that delivers a one-time passcode (OTP). However, the bad actor needs Darren’s mobile number. It doesn’t take long before Darren’s number is found on a professional social media site. With the mission in mind, the bad actor spins up a malicious program that runs SS7 script attacks. This attack specifically targets and intercepts SMS text messages before the intended recipients can receive them. Deviously ingenious! After a few keystrokes the bad actor intercepts the SMS along with its OTP. Success! The bad actor is now inside the network. As far as Globinational Inc. is concerned, Darren appears to have logged in again via the company VPN. In reality, Darren is reading bedtime stories to his children.
This attack goes undetected for many, many months, until somebody discovers a large amount of leaked data on the deep web that points back to Acme Inc. Upon investigation, Globinational Inc. had fallen victim to a network intrusion and a severe data breach. It turns out that Darren was one of a few targeted victims within the company. The bad actor hacked all the way in, exploiting the security-level credentials of multiple users and superusers until they gained (unauthorized) access to critical system infrastructure and several ‘crown jewel’ applications.
Thirteen months after the initial intrusion and data breach, Globinational Inc. publishes a press release stating that it suffered a massive data breach, with millions of personal and financial accounts compromised.
We hear about these security incidents all too often. But how did this happen?! Like many organizations, Acme had a reasonable security posture, with systems and tools in place. They even used an identity and access management (IAM) solution from a reputable MFA provider. However, the fact is, bad actors are always looking for the weakest link, and finding it is proving not so difficult, particularly with outdated technologies. Consider two-factor authentication (2FA) and multi-factor authentication (MFA): both commonly rely on OTP methods. The problem is, OTP authentication was a prime solution at the time it was developed - decades ago - and it is no match for today’s increasingly sophisticated attacks! Hackers are able to easily and successfully bypass 2FA and MFA that use OTPs. Below are some of the attack forms that bad actors use to defeat OTPs:
SIM SWAP ATTACKS -
Bad actors often call up the mobile carrier of the target victim and ‘claim’ to be the account holder. They request that the mobile company update the registered device on the account to a new device. By doing this, the hacker receives all cellular services, calls and text messages on their own device, and the target victim receives nothing. Already holding the stolen username and password, they can now trigger the 2FA or MFA SMS text message that carries the OTP. Similarly, this also applies to MFA services that offer voice-response (VR) authentication calls, where an automated voice relays the security OTP token over the phone - to the bad actor! SIM swap attacks are very low-tech, very inexpensive, borderless, easy to carry out, and yield the best bang for the buck. They are growing rapidly in popularity within the bad actor communities.
SS7 ATTACKS -
Several years ago, a unique hacking script emerged within the hacker community. This script was created for the purpose of targeting and intercepting SMS text messages before the intended recipients could receive them. The script also enabled bad actors to eavesdrop on calls and track the geo-locations of target victims. The attack was named after a specific cellular communications protocol called SS7, or Signalling System 7, which global mobile carriers use to transmit SMS messages from one carrier to another. Today, the SS7 attack is widely used because it lets bad actors remain stealthy. After the bad actor has entered the target victim’s username and password on the login page, they request the SMS OTP authentication method in either the 2FA or MFA offering. The SS7 attack tool sniffs the cellular network looking for the SMS tied to that target mobile number and intercepts it before the transmission to the intended recipient completes. The bad actor simply completes the login by entering the intercepted OTP on the login page - and they’re in! This is also a low-tech attack: very inexpensive, with immediate results, and it allows the attack to go undetected.
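Both SIM swap and SS7 interception end the same way from the defender's point of view: a login that passes SMS (or voice) OTP but originates from a network the user has never used. The narrative above says the intrusion went unnoticed for months; one cheap way to notice it is to compare each phone-OTP login against the user's recent location baseline. The example below is added here and is not code from the original post or from IAmI; the VPN log format, field names and sample lines are constructed for the example, and the detection function is a generic baseline check rather than any vendor's product logic.

```python
"""Added example: flag successful phone-delivered-OTP logins whose source
country is outside the user's recent baseline (constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log (hypothetical key=value format):
# timestamp, user, source IP, geo-located country, MFA method, result.
SAMPLE_LOG = """\
2024-03-05T08:02:11Z user=darren src=203.0.113.7 geo=CA mfa=sms result=success
2024-03-06T07:58:40Z user=darren src=203.0.113.7 geo=CA mfa=sms result=success
2024-03-07T08:10:05Z user=darren src=203.0.113.9 geo=CA mfa=sms result=success
2024-03-12T22:40:12Z user=darren src=198.51.100.23 geo=RO mfa=sms result=failure
2024-03-12T22:41:37Z user=darren src=198.51.100.23 geo=RO mfa=sms result=success
2024-03-13T09:00:00Z user=alice src=192.0.2.44 geo=CA mfa=app result=success
"""


def parse_line(line):
    """Parse one log line into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def detect_new_location_otp_logins(log_text, baseline_days=30,
                                   watch_methods=("sms", "voice")):
    """Return one alert per successful login that used a phone-delivered OTP
    (SMS or voice call) from a country the user has not logged in from within
    the last `baseline_days`. A user's very first login is never alerted,
    because there is no baseline yet; each alert also counts the failed
    attempts for that user in the preceding 10 minutes (attacker retries)."""
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    last_seen = defaultdict(dict)   # user -> {country: last successful login}
    failures = defaultdict(list)    # user -> [timestamps of failed logins]
    alerts = []
    for e in events:
        user, geo = e["user"], e["geo"]
        if e["result"] != "success":
            failures[user].append(e["ts"])
            continue
        window_start = e["ts"] - timedelta(days=baseline_days)
        known = {c for c, t in last_seen[user].items() if t >= window_start}
        if e["mfa"] in watch_methods and known and geo not in known:
            recent_failures = sum(1 for t in failures[user]
                                  if e["ts"] - t <= timedelta(minutes=10))
            alerts.append({"user": user, "ts": e["ts"].isoformat(), "src": e["src"],
                           "geo": geo, "mfa": e["mfa"], "known": sorted(known),
                           "recent_failures": recent_failures})
        last_seen[user][geo] = e["ts"]   # a success extends the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_new_location_otp_logins(SAMPLE_LOG):
        print(alert)
```

On the constructed log this produces a single alert: Darren's 22:41 SMS-OTP login from RO, preceded by one failed attempt, against a baseline of CA only. The rule is deliberately narrow (phone-delivered OTP and a new country); a real deployment would feed the alert into step-up review or session revocation rather than only logging it, and would tune the baseline window to the population's travel patterns.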
COOKIE SESSION HIJACKS -
Another very important OTP vulnerability and attack to note is the cookie session hijack. Session cookies are created by logins, by visiting websites, and in some cases simply by users moving around the internet. In the case of a cookie session hijack, when a user signs in with their username, password and OTP, a cookie is generated. These cookies are targeted and stolen, which allows the bad actor to impersonate the target victim without ever needing to enter the username, password or OTP. Once exploited, bad actors are granted unfettered access until the browser’s or application’s session cookies are cleared - a practice that users rarely follow. Stealing session cookies is low-to-mid-tech, inexpensive and relatively easy to do. This attack also allows bad actors to remain stealthy and undetected.
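The damage from a stolen session cookie depends on how the session was issued: a cookie readable by page script, sent over plain HTTP, and valid until the user happens to clear it is worth far more to a thief than one that is HttpOnly, Secure, short-lived and revocable on the server. The following is an added example, not code from the original post or from IAmI, showing a server-side session store with an absolute lifetime, an idle timeout, logout revocation, and a weak client-consistency check; the lifetime values, the in-memory store and the User-Agent comparison are assumptions for illustration, and the cookie attributes are standard `Set-Cookie` attributes from the Python standard library's `http.cookies`.

```python
"""Added example: issue and validate session cookies so that a stolen cookie
has a short, revocable life (assumed policy values, in-memory store)."""
import secrets
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

# Assumed policy values for this example; tune to the application's risk.
SESSION_LIFETIME = timedelta(hours=8)   # absolute cap, even for an active session
IDLE_TIMEOUT = timedelta(minutes=30)    # a stolen cookie that is not used soon dies


class SessionStore:
    """Server-side session store: the cookie is only an opaque lookup key,
    so sessions can be expired or revoked without touching the client."""

    def __init__(self):
        self._sessions = {}  # token -> {"user", "issued", "last_seen", "ua"}

    def create(self, user, now, client_ua):
        # 256 bits from the OS CSPRNG: the token cannot be guessed, only stolen.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": now,
                                 "last_seen": now, "ua": client_ua}
        return token

    def resolve(self, token, now, client_ua):
        """Return the user for a live session, or None if the token is unknown,
        expired, revoked, or presented by a client that looks different."""
        s = self._sessions.get(token)
        if s is None:
            return None
        too_old = now - s["issued"] > SESSION_LIFETIME
        too_idle = now - s["last_seen"] > IDLE_TIMEOUT
        # A User-Agent change is a weak hijack signal (a thief can copy it), but
        # it costs nothing to check and catches careless replay of a stolen cookie.
        if too_old or too_idle or s["ua"] != client_ua:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def revoke(self, token):
        """Logout: invalidate server-side, so a copied cookie is now worthless."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for(self, user):
        """Log the user out everywhere, e.g. when a hijack is suspected."""
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def build_set_cookie(token):
    """Set-Cookie header value with the attributes that limit cookie theft."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True       # page script (XSS) cannot read it
    c["session"]["secure"] = True         # never sent over plaintext HTTP
    c["session"]["samesite"] = "Strict"   # not attached to cross-site requests
    c["session"]["path"] = "/"
    c["session"]["max-age"] = int(SESSION_LIFETIME.total_seconds())
    return c.output(header="").strip()


def token_from_cookie_header(cookie_header):
    """Extract the session token from a client's Cookie request header."""
    c = SimpleCookie()
    c.load(cookie_header)
    return c["session"].value if "session" in c else None


if __name__ == "__main__":
    store = SessionStore()
    now = datetime.now(timezone.utc)
    ua = "Mozilla/5.0 (constructed UA)"
    tok = store.create("darren", now, ua)
    print("Set-Cookie:", build_set_cookie(tok))
    print("resolves to:", store.resolve(tok, now, ua))
```

The `Max-Age` on the cookie only tells an honest browser when to forget it; the server-side `issued` and `last_seen` checks are what actually bound a thief's window, and `revoke_all_for` is what an incident responder needs when a hijack is suspected. Binding the session to a stronger client property than the User-Agent (for example a TLS-layer or device identity) would turn the weak consistency check into a real one.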
CROSS-SITE SCRIPTING ATTACKS -
Another way bad actors can sabotage user authentication sessions is by setting up Cross-Site Scripting attacks, also referred to as XSS attacks. Here, malicious websites and login pages are created to impersonate the legitimate web pages, and users unknowingly enter their username, password and OTP. These entered credentials and security tokens end up in the possession of bad actors, who then use this information to gain unauthorized access to networks and accounts, make fraudulent transactions, etc. This attack is mid-tech, with some cost and time involved in creating the fake web pages, but very effective for as long as it goes undetected.
Authentication service providers that offer OTPs with their two-factor or multi-factor authentication are putting their customers at great risk. As shown above, OTPs are highly flawed and full of holes! Your end users, superusers and customers are at risk of falling victim to fraud, identity theft and account takeover. Further, organizations also face the risk of having their trusted infrastructure and system applications compromised and of falling victim to data breaches…!
Two Factor Authentications - Reinvented!
At IAmI Authentications, we recognize that many authentication methods, including those that involve OTPs, are simply failed or highly risky solutions. It is not difficult to bypass or hack the widely offered OTP authentication method. Unfortunately, the impact of an OTP bypass or hack is disastrous for businesses, customers, users and superusers alike, as they unknowingly remain in total darkness. IAmI has identified alternative ways to securely authenticate users - with purpose and intent.
While keeping the focus on greater user experience, privacy by design, integral security and data encryption, IAmI offers a highly innovative enhancement to two-factor authentication: Intelligent 2FA solutions. IAmI’s Intelligent 2FA solution is developed on a sound architectural build that is adaptable to modernization and digital transformation. In addition, IAmI can be used in a vast range of applications. With IAmI, there are no OTPs, SMS text messages, emails, or soft or hard tokens. IAmI is designed with purpose: to enable businesses, users, superusers and customers alike to self-identify attacks in real time, and to empower them to prevent (and disable) attacks, also in real time. IAmI achieves this by optimizing a sequence of technologies that pushes authentication requests to the user through dedicated app functionality. Users are prompted to either “Confirm” or “Deny” online access, activities or sessions, all with one touch, before anything is granted or completed.
IAmI strongly believes that humans are not the weakest link. In fact, if properly equipped, humans are the most effective line of defence against cyberattacks. With present outdated technologies, methodologies and solutions, humans are at a severe disadvantage in combating highly modernized and sophisticated attacks. IAmI’s goal is to bring modernized, intelligent solutions to combat modernized attacks.
For more information, please visit https://www.useiami.com