We, humans, have become the preferred cyber-attack vector. We click on links, we fall for scams, we unknowingly hand our credentials to attackers. With 40% of our assets protected by passwords or less, and 81% of breaches involving weak or stolen passwords, attackers are simply walking in the front door. Many organizations are rushing to deploy 2FA, but a growing number of 2FA methods are being bypassed by attackers.
In this webinar, we outline an identity security strategy that negates the use of credentials and focuses more on hard-to-hide user characteristics like device, location, IP address, behavior, and account/access type.
Protecting the organization from phishing scams and not relying on error-prone humans is simply a better way.
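The strategy above, a login decision driven by context signals rather than by the secret the user typed, is easier to reason about with a concrete scorer. The following is an added example, not code from the webinar or its presenter: a small risk-based authentication function that weighs the signals the talk names (device, location, IP address, behaviour, account type) and returns allow, step-up or deny. The signal names, weights, thresholds, denylist and sample events are all assumptions constructed for illustration.

```python
"""Risk-based authentication scorer over login-context signals (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str      # identifier of the device presenting the session
    country: str        # country resolved from the source IP
    ip: str
    hour_utc: int       # hour of day the attempt arrived, 0-23
    account_type: str   # "user" or "admin"


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range      # hours in which this user normally signs in
    last_country: str       # country of the previous successful login


# Hypothetical denylist; a real deployment would consult an IP reputation feed.
BAD_IP_PREFIXES = ("198.51.100.",)  # constructed, TEST-NET-2 documentation range

# Weights and thresholds are assumptions chosen for illustration, not webinar values.
WEIGHTS = {
    "new_device": 30,          # device never seen for this user
    "unusual_country": 25,     # country outside the user's normal set
    "country_changed": 15,     # country differs from the last successful login
    "bad_ip": 40,              # source IP on the denylist
    "off_hours": 10,           # outside the user's usual sign-in hours
    "high_value_account": 15,  # admin accounts get less tolerance
}
STEP_UP_AT, DENY_AT = 30, 60
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


def score_attempt(attempt: LoginAttempt, profile: UserProfile) -> Dict[str, int]:
    """Return the risk contribution of every signal that fired."""
    signals = {
        "new_device": attempt.device_id not in profile.known_devices,
        "unusual_country": attempt.country not in profile.usual_countries,
        "country_changed": attempt.country != profile.last_country,
        "bad_ip": attempt.ip.startswith(BAD_IP_PREFIXES),
        "off_hours": attempt.hour_utc not in profile.usual_hours,
        "high_value_account": attempt.account_type == "admin",
    }
    return {name: WEIGHTS[name] for name, fired in signals.items() if fired}


def decide(attempt: LoginAttempt, profile: UserProfile) -> str:
    """Map the summed risk to an action; step-up means demand a stronger factor."""
    total = sum(score_attempt(attempt, profile).values())
    if total >= DENY_AT:
        return DENY
    if total >= STEP_UP_AT:
        return STEP_UP
    return ALLOW


# Constructed sample data: one user profile and three attempts of rising risk.
SAMPLE_PROFILE = UserProfile(
    known_devices={"laptop-7f3a"},
    usual_countries={"US"},
    usual_hours=range(7, 20),
    last_country="US",
)
SAMPLE_ATTEMPTS: List[LoginAttempt] = [
    LoginAttempt("alice", "laptop-7f3a", "US", "203.0.113.5", 9, "user"),   # routine
    LoginAttempt("alice", "phone-new", "US", "203.0.113.5", 9, "user"),     # new device only
    LoginAttempt("alice", "kiosk-x", "RO", "198.51.100.9", 3, "admin"),     # everything fires
]


def evaluate_samples() -> List[str]:
    """Decisions for the constructed attempts, in order."""
    return [decide(a, SAMPLE_PROFILE) for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for attempt, action in zip(SAMPLE_ATTEMPTS, evaluate_samples()):
        print(attempt.device_id, attempt.country, score_attempt(attempt, SAMPLE_PROFILE), action)
```

The point of the design is that a phished password or an intercepted OTP carries none of these signals: the attacker's session still arrives from an unknown device, an unexpected country or a flagged address, so the decision degrades to step-up or deny regardless of what secret was presented. In production the weights would be tuned against real sign-in history and the step-up path would require a phishing-resistant factor rather than another OTP.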
Below are links to the cases cited in the presentation where 2FA failed and attackers were able to bypass it:
- One Time Passcodes (OTPs):
  - Real-time phishing attacks: IBM Security Intelligence first reported on real-time phishing in 2010 - https://securityintelligence.com/real-time-phishing-takes-off/. This technique was already being used in 30 percent of attacks against websites using 2FA. FireEye recently released a tool called ReelPhish - https://www.fireeye.com/blog/threat-research/2018/02/reelphish-real-time... - to help organizations assess their vulnerability to real-time phishing attacks.
  - Malware: in the 2014 Emmental attacks - https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/wh... - on Swiss and German banks, attackers used malicious code to scrape SMS OTPs from customers' Android devices and gain access to their bank accounts.
  - More recently, attackers used the Bankosy Trojan - https://www.pindrop.com/blog/bankosy-android-trojan-defeats-voice-2fa/ - and call forwarding to obtain voice-based OTPs.
  - SMS and voice call interception: the Signaling System 7 (SS7) weakness. Attackers in Europe - https://www.wirelessweek.com/article/2017/05/ss7-vulnerability-allows-ha... - used this method to gain access to victims' bank accounts.
  - The SS7 weakness was a driving force behind NIST's original proposal - http://fortune.com/2016/07/26/nist-sms-two-factor/ - to phase out SMS-based OTPs.
- Phone Number Porting Fraud:
  - Attackers use social engineering to obtain a victim's personal details, then use that information to convince a cellular carrier to either issue them a new SIM card or move the victim's phone number to a SIM card they control. T-Mobile recently warned customers to be vigilant about the increased use of this attack vector - https://motherboard.vice.com/en_us/article/gy8bxy/t-mobile-text-warning-....
  - Watch an attacker get a phone carrier to switch an account to her control in less than 2 minutes - https://www.youtube.com/watch?v=lc7scxvKQOo&feature=youtu.be
- Push-to-Accept is a popular 2FA method where users simply tap "Accept" or "Deny" in a smartphone app. David Kennedy (a well-known white-hat pen-tester) claimed at DEF CON 22 that he got legitimate users to hit "Accept" 6 out of 6 times, a 100% success rate. Even though none of them were authenticating at the time, the consensus is that users just want the notification to go away from their screens - https://www.youtube.com/watch?v=vcA6dLl5Sa4&feature=youtu.be&t=30m38s