Jasson Casey, CTO at Beyond Identity, explains the importance of moving to phishing-resistant multi-factor authentication and discusses why companies are still using inadequate authentication methods.
As the threat of ransomware continues to grow and impact companies, public utilities, hospitals and state and local governments, cybersecurity is now an issue of national concern. Following the recent increase in the frequency of attacks, the National Cyber Security Centre (NCSC) unveiled new services to coincide with the latest phase of its Cyber Aware campaign. It has also urged firms to take protective action to bolster their resilience against ransomware threats, issuing guidelines that provide certification schemes and offer access to specialist assistance for affected companies.
However, a recent declaration by NCSC founder Ciaran Martin that Britain is at the forefront of global cybersecurity efforts could mistakenly give UK firms a false sense of confidence. Britain’s current security advice effectively leaves the welcome mat out for cyber attackers to enter through a business’ front door, as and when they please.
Legacy multi-factor authentication is now easily bypassed
Recent press coverage has highlighted the devastating impact of ransomware attacks. In February an attack on Ion Trading UK effectively paralysed the company’s operations and disrupted a number of European and US banks. Meanwhile, earlier this year, the much-publicised LockBit ransomware attack on Royal Mail caused significant delays to overseas mail and parcel shipments.
Against this backdrop, a new study of online banks identified a number of serious security issues that potentially put their UK business customers at risk. As part of its analysis, the report called out the continued dependence of banks on traditional SMS-based security protocols to deliver access to accounts.
While multi-factor authentication (MFA) has long been considered good practice for securing online access to resources, the legacy MFA utilised by many UK organisations is no longer fit for purpose. Indeed, the continued reliance on ineffective MFA is the equivalent of simply tying a piece of string across a doorway and expecting cybercriminals to view this as a deterrent.
Research shows that the use of stolen or phished credentials is the primary delivery method for ransomware attacks, with 83% of UK businesses targeted with phishing in 2022. Attackers are logging into remote access tools to deposit the malware, a process made possible by the theft or hijacking of credentials. Unfortunately, the legacy multi-factor authentication that was supposed to fix the password vulnerability is now very easily bypassed.
Access controls must be tightened
As the recent attacks on Uber and Twilio show, cyber adversaries are now turning to readily available tools and techniques to bypass legacy MFA and they are perpetrating these attacks at scale.
In July 2022, Microsoft reported on a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing techniques to steal passwords, hijack a user’s sign-in session and skip the authentication process, even when the user had enabled traditional MFA.
These types of attacks are not the sole preserve of highly skilled attackers. The process employed in the phishing campaign reported by Microsoft can easily be automated with the help of several open-source phishing toolkits. Meanwhile, other large-scale phishing attacks are making use of bots to target big brand names like Apple Pay, PayPal, Amazon, and Coinbase, as well as many high-street bank accounts.
Beyond the very real risk of exposure that reliance on first-generation MFA poses, there is a second reason for organisations to rethink their authentication methods quickly: cyber insurance providers are becoming increasingly stringent about their requirements when issuing cover, and will likely soon demand the implementation of ‘phishing-resistant MFA’ built on factors that cannot easily be spoofed, copied or altered.
Not all multi-factor authentication is created equal
Not all emergencies are heralded by lights and sirens. Attackers have been quick to learn how to bypass legacy MFA security measures and are utilising new phishing and social engineering tactics to get all the information they need to get past access controls.
Attackers can obtain the answers to MFA challenges such as security questions and one-time codes using social engineering techniques. Multi-factor authentication based on mobile push notifications is easily defeated by ‘prompt bombing’, where attackers send multiple requests in rapid succession and unsuspecting users end up tapping yes to the prompt. Lastly, multi-factor authentication based on one-time passwords sent through insecure channels such as email and SMS is easily captured by adversary-in-the-middle techniques that steal the codes or the session token. This makes it all but impossible to assure that the person logging in is who they say they are.
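Prompt bombing leaves a recognisable trace in authentication logs: a burst of push challenges for one user, often with a denial followed by an approval. The detection below is an added example, not code from the article or from Beyond Identity; the log format, user names and thresholds are constructed assumptions.

```python
"""Flag MFA push 'prompt bombing' patterns in constructed authentication logs.

Assumed log format (hypothetical): "<ISO timestamp> <user> <event>" where event
is CHALLENGE_SENT, APPROVED or DENIED. Thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal login for alice; bob denies a push at
# 02:13 and is then hammered with challenges until he approves one.
SAMPLE_LOG = """\
2023-03-01T08:00:00Z alice CHALLENGE_SENT
2023-03-01T08:00:09Z alice APPROVED
2023-03-01T02:13:00Z bob CHALLENGE_SENT
2023-03-01T02:13:04Z bob DENIED
2023-03-01T02:13:20Z bob CHALLENGE_SENT
2023-03-01T02:13:41Z bob CHALLENGE_SENT
2023-03-01T02:14:02Z bob CHALLENGE_SENT
2023-03-01T02:14:30Z bob CHALLENGE_SENT
2023-03-01T02:14:35Z bob APPROVED
"""


def parse(log: str):
    """Yield (timestamp, user, event) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def find_prompt_bombing(log: str, max_challenges: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {user: reason} for users whose push activity looks like prompt bombing.

    Two signals are used: more than `max_challenges` challenges inside `window`,
    or an APPROVED that follows a DENIED inside the window (the user gave in).
    """
    per_user = defaultdict(list)
    for ts, user, event in parse(log):
        per_user[user].append((ts, event))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        for ts, event in events:
            recent = [e for t, e in events if ts - window <= t <= ts]
            challenges = recent.count("CHALLENGE_SENT")
            if challenges > max_challenges:
                flagged[user] = f"{challenges} push challenges within {window}"
                break
            if event == "APPROVED" and "DENIED" in recent:
                flagged[user] = "approval after a denial within the window"
                break
    return flagged
```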
For UK organisations that currently rely on phishable MFA factors such as passwords, one-time passwords (OTP) and SMS push notifications, or magic links that can be intercepted or phished, transitioning to modern, phishing-resistant MFA should be considered a matter of urgency. At a minimum, this means implementing passwordless solutions that use cryptographic FIDO passkeys as one factor and the secure identity features built into modern devices, such as facial recognition, fingerprints or local PIN codes, as a second factor for proof of identity. In other words, removing all weak factors such as passwords and legacy MFA eliminates the risk of password-based attacks and multi-factor authentication bypass, which are the biggest cause of data breaches.
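What makes a FIDO passkey phishing-resistant, where an OTP is not, is that the browser writes the origin it is actually talking to into the signed client data, so a relying party can refuse an assertion produced on a lookalike site. The relying-party checks below are an added illustration, not the article's or any vendor's code; the origin, challenge and domain names are constructed, and verifying the signature against the registered public key (which needs a crypto library) is left outside the block.

```python
"""Relying-party checks on WebAuthn clientDataJSON that defeat AiTM phishing.

Added example with constructed values. Only the pre-signature checks from the
WebAuthn ceremony are shown; the signature itself would be verified over
signed_payload() with the credential's registered public key.
"""
import base64
import hashlib
import json

RP_ORIGIN = "https://bank.example"  # assumed: the only origin this RP accepts
CHALLENGE = b"constructed-random-challenge-32b"  # per-login nonce from the RP


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser builds. The origin is the page the user is really on:
    a user lured to a phishing proxy gets the proxy's origin here, not the bank's."""
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(body).encode()


def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> tuple:
    """Relying-party checks that run before the signature is verified."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch or replay"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    Because clientDataJSON (and so the origin) is under the signature, a proxy
    cannot rewrite the origin to the bank's without invalidating the signature."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


if __name__ == "__main__":
    for origin in (RP_ORIGIN, "https://bank-example.com"):  # second is a constructed lookalike
        print(origin, check_client_data(make_client_data(origin, CHALLENGE), CHALLENGE))
```

An OTP, by contrast, carries no origin at all, so the same code typed into the proxy page is indistinguishable from one typed into the real site.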
Following the US’ example
The US federal government has set a strong precedent for security by requiring phishing-resistant multi-factor authentication for all government agencies and entities that work with the government. In January 2022, the Executive Office of the President issued a memo setting out a zero trust architecture strategy under which federal agencies must deploy phishing-resistant MFA for internal systems and offer a phishing-resistant option for citizen-facing systems by the end of 2024. It is an ambitious strategy designed to transition all US Government digital infrastructure to zero trust security measures.
The memo explicitly states that agencies “must discontinue support for authentication methods that fail to resist phishing, including protocols that register phone numbers for SMS or voice calls, supply one-time calls or receive push notifications.”
Unambiguously stating that phishable MFA factors should not be used, the framework already looks set to become the gold standard that all US bodies, private and public, will be expected to use to protect access to resources. Indeed, a recent ruling by the Federal Trade Commission against the alcohol delivery platform Drizly is proof that phishing-resistant multi-factor authentication is quickly becoming established as the new norm.
In the US, organisations are already preparing to deploy modern, phishing-resistant MFA approaches in readiness for when regulators and auditors take the US Government’s lead and make passwordless, phishing-resistant multi-factor authentication a requirement rather than a nice-to-have.
Zero trust should be made a mandatory requirement in the UK
Here in the UK, mandating the use of phishing-resistant MFA would go a long way towards stopping cybercriminals from using compromised credentials to subvert the authentication process and gain access to networks and accounts.
If the UK Government wants to get serious about protecting the nation’s security, then zero-trust approaches like phishing-resistant MFA will need to become more than just an advisory requirement. Ideally, 2023 should be the year in which public and private sector organisations are required to upgrade their identity systems to support the implementation of phishing-resistant multi-factor authentication on a variety of internal and external resources – email systems, file servers, remote access systems, and more.
In the meantime, organisations should look to take the initiative and implement phishing-resistant MFA sooner rather than later. Doing so will elevate how they protect their systems, their users, and their customers from unauthorised activities by external attackers.