Multi-factor authentication (MFA) is becoming a standard requirement to obtain cyber insurance. But just as your clients are improving their insurability, cybercriminals too are designing their attacks around MFA.
“It’s kind of like a game of Whack-a-Mole,” said Neal Jardine, global cyber risk intelligence and claims director with BOXX Insurance. “You put MFA on and then they start designing their business email compromises around that.”
MFA requires users to provide two or more verification factors to gain access to a resource such as an online account.
For example, in addition to providing a password, users may also scan their fingerprints or enter codes from mobile devices when accessing accounts or apps. The benefit is that MFA can alert users that somebody is trying to access their account; the downside is that cybercriminals are adapting fast.
“What they’re actually doing is sending social engineering emails out saying, ‘Hey, I’m with your bank. Please log in here and then give us a call so that we can verify your MFA code is correct,’” Jardine said. “And funny enough, we’re actually getting claims for that.”
Cybercriminals know they need to adapt or risk no longer being a profitable criminal organization, Jardine said. “To do this, most cybercriminals focus on social engineering to overcome MFA, since they already know the password but can’t overcome the secondary factor.”
One technique Jardine has seen is cybercriminals sending an email to a client asking them to call ‘technical support’ because their email has been compromised. Once the client calls, the cybercriminal may even provide the client’s password to reassure them it’s legitimate. The criminal then asks the client to log into the system and read out the MFA code over the phone.
“The client, unsuspecting of the social engineering at play, will provide the MFA code to the cybercriminal as the final piece they need to gain access.”
Another way criminals are beating MFA is through phone-number spoofing. Text message or SMS-based authentication is the most popular form of MFA, but it relies on security software sending a code to a phone number stored on file.
“The weakness of this method of MFA verification is that there is no verification for the device the phone number is connected to,” Jardine said. “The texted message is sent to any device which appears to be registered with that phone number. With the right tools, cybercriminals can spoof a phone number/SIM card, intercepting the [text-based] MFA code.”
To protect against attacks, Jardine recommends employee training in combination with new security controls. Companies also should consider social engineering and other forms of cyber training quarterly, and for new employees as part of onboarding.
In the future, there will likely be more controls around the types of MFA that can be used, requiring clients to use token-based authentication for non-phone users and an authenticator app on a biometric-secured phone, Jardine said.
“Some companies have already implemented this, as there was a push from Microsoft to use their authenticator application. Sending the MFA code to a verifiable device is likely the next step in security for MFA.”
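The two weaknesses Jardine describes, a code the user can read out to a caller and an SMS code delivered to whatever device claims the phone number, share one root cause: the code is a bearer token that is verified on its own, with nothing tying it to the device that produced it. The following toy model is an added example, not code from the article or from BOXX Insurance; it puts a standard TOTP check beside a simplified device-bound challenge-response (the "verifiable device" direction the quote above points at) so the difference is visible in behaviour. All secrets, the `alice` user, and the `bank.example` origins are constructed for the demo, and the HMAC stands in for the asymmetric signature a real hardware or platform authenticator would use.

```python
"""Added example (not from the Canadian Underwriter article): a phishable code
versus a device-bound challenge-response. All names and keys are constructed."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The output is a short bearer code: whoever
    submits it passes, regardless of which device or person it came from."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_otp(secret: bytes, submitted: str, t: int) -> bool:
    """Server-side OTP check: only the code is verified, never its source."""
    return hmac.compare_digest(totp(secret, t), submitted)


class Authenticator:
    """Models a device-bound factor (hardware key or platform authenticator).
    It signs the server's challenge together with the origin the browser says
    it is on, and never shows the user anything they could read out loud.
    A real device uses an asymmetric signature; HMAC stands in for it here."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key

    def sign(self, challenge: bytes, browser_origin: str) -> bytes:
        msg = browser_origin.encode() + b"\x00" + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class DeviceBoundVerifier:
    """Server side: single-use challenges, checked against the registered
    device and the server's own origin rather than against a typed code."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._devices: dict[str, Authenticator] = {}
        self._pending: dict[str, bytes] = {}

    def register(self, user: str, device: Authenticator) -> None:
        self._devices[user] = device  # models storing the device's public key

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self._pending[user] = c
        return c

    def verify(self, user: str, response: bytes) -> bool:
        c = self._pending.pop(user, None)  # single use: a second try fails
        if c is None or user not in self._devices:
            return False
        expected = self._devices[user].sign(c, self.origin)
        return hmac.compare_digest(expected, response)


def phone_scam_against_otp(t: int = 1_700_000_000) -> bool:
    """The scenario from the article: the user reads the code to the caller,
    who submits it. Returns True if the caller's submission is accepted."""
    seed = secrets.token_bytes(20)          # constructed shared secret
    code_read_over_phone = totp(seed, t)    # what the user sees and says aloud
    return verify_otp(seed, code_read_over_phone, t)


def relay_against_device_bound() -> dict[str, bool]:
    """Two attempts against the device-bound factor, both of which should fail:
    a look-alike page forwarding the real challenge, and a replay of the
    response the user already spent on their own genuine login."""
    server = DeviceBoundVerifier("https://bank.example")   # constructed origin
    user_device = Authenticator(secrets.token_bytes(32))
    server.register("alice", user_device)

    # 1. Relay: the browser is on a look-alike origin, so the device signs for
    #    that origin, and the bank's check against its own origin fails.
    c = server.challenge("alice")
    signed_on_lookalike = user_device.sign(c, "https://bank-support.example")
    relay_accepted = server.verify("alice", signed_on_lookalike)

    # 2. Replay: the user's genuine response consumes the challenge, so
    #    submitting the same bytes again is rejected.
    c = server.challenge("alice")
    genuine = user_device.sign(c, server.origin)
    user_login_ok = server.verify("alice", genuine)
    replay_accepted = server.verify("alice", genuine)
    return {"relay_accepted": relay_accepted,
            "user_login_ok": user_login_ok,
            "replay_accepted": replay_accepted}


if __name__ == "__main__":
    print("OTP read over the phone accepted:", phone_scam_against_otp())
    print(relay_against_device_bound())
```

Run as a script, it reports the OTP case as accepted and the device-bound relay and replay cases as rejected while the user's own login succeeds. The point for a defender is that the server check, not user vigilance, is what changed: with the device-bound factor there is no code for a "technical support" caller to ask for, and a response produced for the wrong origin or reused after the user's own login is refused by construction.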
This article is excerpted from one that appeared in the June/July edition of Canadian Underwriter. Feature image by iStock.com/dem10