Two-Factor or Not Two-Factor? Why is This a Question?
Two-factor authentication, or “2FA” as the cool kids call it, is a common form of multi-factor authentication, or MFA. These are not new concepts. In fact, they have been part of human culture in one form or another for about as long as humans have been talking to each other. Some examples are asking additional questions, or requiring additional actions, to properly determine whether you are who you say you are, or having someone vouch for you or sponsor your entry into some activity.
Technology companies have been slowly introducing these methods to combat online identity theft for many years. Not all forms of MFA are equal by any means: NIST has suggested that SMS-based 2FA is not sufficient to thwart sophisticated attacks, as opposed to software tokens (think Google Authenticator or Duo Mobile) and physical keys.
The link between SE and 2FA
How does this relate to social engineering, you ask? Well, social engineering can be used both to learn which additional authentication factors you may or may not use, and to obtain the details needed to bypass them if they are in place. While SMS is not recommended as an MFA option by NIST, stronger implementations of MFA can be a decent form of defense against otherwise successful social engineering attacks.
Where would a social engineer get details about your methods of authentication? Well, one possibility is Facebook. The collection of personal information described in the Cambridge Analytica stories in the news was performed via Facebook surveys. Before that was trending, the same mechanism had been used by attackers to learn the answers to respondents’ common security questions. Once an attacker has a bit of your personal information, they may be able to leverage it to gain access to your other accounts. This further emphasizes the need for MFA on all accounts, since your security questions may not be as secure as you think.
As a defensive mechanism, friends have told me about working mothers who rely on friends to pick up their kids from school or after-school activities using human-based MFA. These moms establish a code word that only they, their kids, and the proxy know, so when someone approaches the children without knowing the code word, the children know not to trust the person. I use a similar technique when I send links to people I regularly communicate with, by adding special key words we have discussed in person to verify that the link I am sending is actually from me. If those words are not in the message, I am not the one sending it. It is a very effective form of MFA, and simple once all parties understand the purpose.
As a security professional, I try to convey security best practices to my family and friends, but I cannot force the methods on anyone who is not willing to listen. Now, I don’t send a lot of messages to family members online, as I don’t participate in a lot of social media, and any that I do is not connected to family members. So, when I announced my participation in a charity to my family via a group SMS chat, I didn’t think twice about the message I was sending until after I sent it. It was basically written as “Hey I’m doing this thing, I wanted you to know. Check out this link.” Right after I sent it I thought to myself, “well, that looks phishy, am I really expecting my family to just follow this link?” As I was typing out a second message explaining the weird post, to my surprise and delight, one of my siblings reached out to me outside the chat and asked if I had just sent them a link. I was pretty happy that a couple of seconds of effort seemed worth it to my family, just to be sure it was OK to follow the link. That is human-based MFA at work.
MFA really works
Professionally, it is clear that some forms of MFA are effective against social engineering attacks that result in credential theft. This point is illustrated when comparing two recent engagements SECOM performed.
In both cases, phishing emails were sent to targeted users and, in both cases, one or more users clicked the phishing link, filled out the login form, and disclosed valid network credentials. What happened next clearly shows the value of MFA. In one case we successfully accessed email and online shared storage accounts, and sent additional phishing emails from compromised user accounts to gain even more credentials and access to sensitive information. In the other case, we were prompted to insert “our” YubiKey to verify who we were. We didn’t have the necessary key, so no additional access was gained. Without MFA enabled we fully compromised the target; with MFA enabled we were left with credentials we could do nothing with in that moment. Back to the drawing board for us, and big props to that client.
The people I talk to about enabling MFA who are not in the computer industry seem intimidated by the process of enabling and using it, but once they are set up it fits in with normal online activity pretty quickly. If you are curious whether the services you use have MFA options, you can typically find the setup in your account settings, usually under the security or login sections. Also, you can check this site to see which services have MFA options and which don’t, so you can choose your services based on your desired security preferences. Once most people are accustomed to, and regularly use, MFA for all their accounts, it is much harder for a social engineer to gain access to resources via credential theft. This means attackers will have to work much harder than they do now to access accounts.
Written By: Ryan MacDougall