Cybersecurity Mythbusters: Does MFA Stop Credential Theft?
Transcription
Patrick
Hello, and welcome to "Cybersecurity MythBusters." I'm Patrick McBride, the Chief Marketing Officer of Beyond Identity, and I'm joined today by Jasson Casey, our cybersecurity expert and the Beyond Identity CTO.
Jasson
Hello. Today's question comes to us from Alaina. "Dear Cybersecurity MythBusters, does multi-factor authentication stop credential theft?"
Patrick
Ooh. Great question, Alaina. We know that implementing MFA makes us more secure. But with the ultimate goal of preventing logins from unauthorized people, does MFA stop that kind of credential theft?
Jasson
Patrick, I know. Let's call Roger.
Patrick
Oh, Roger Grimes. That's a great idea. This is right up his alley.
Jasson
So does MFA stop credential attacks? Well, first we need to think about, what is a credential attack? So a credential is, let's think of it as a knowledge factor to start with, a knowledge factor really just being a password. I have a password in my head. I'm gonna use that credential to log into a service. So I guess we can think of it as three ways of getting at the credential. Number one is you crack open my head and take it out. And clearly, that's not possible. But I have to put my credential in through a browser when I log into a site. So the credential could be stolen from the machine that I'm using, right? Because it clearly ends up in memory. That memory can end up in the file system. That credential has to get transmitted across a connection to the service I'm trying to connect to. So the credential could be stolen along the way. It could be stolen out of the target site.
Additionally, what if an adversary could force me to disclose the credential in some way? Could it somehow trick me into thinking that it is a legitimate service that I'm going to try and log into and essentially share my credentials? So that's one part of credential harvesting. So that's the problem. The problem is, when I have these symmetric secrets, not only can they be stolen, but they can be divulged because they have to travel around, and we're still relying on the human to kind of understand, are they going to a legitimate site or not? Roger, welcome back!
Roger
Well, thanks Jasson and Patrick for inviting me. I'm glad to be here.
Jasson
Roger, what can you tell us about MFA solutions stopping credential theft?
Roger
So what most people don't know is about 90, 95% of MFA and even passwordless options, if you hear passwordless, can be stolen or bypassed as simply as bypassing or stealing a password. So the whole reason we're supposedly moving from login name and password to something better like MFA or passwordless is because passwords are so easy to steal. But most of the solutions, most of the MFA and passwordless solutions, are as easy to steal and bypass as the passwords they were intended to replace.
And how does that occur? The most common way, and let me say, this is not a theoretical thing, it has happened millions of times over the last couple of decades, and today, most malware information/password-stealing kits have the functionality to steal MFA credentials and passwordless credentials built into the kit, so it's the default to what the criminals are getting when they buy it. But the way that it works is that the victim is sent a phishing email that is attempting to get them to log on to whatever website it is that credential is related to: Facebook, Twitter, or Microsoft, Google, their company website, whatever. But the email is crafted to look like a legitimate email. And really, oftentimes, the only thing that's really different between that and a real email is a rogue URL in it, and if the person, if the victim, the potential victim, took the time to hover over that link, they would see that it's not taking them to the real place that they thought they were going to. Instead, if they get tricked and they click on it, it goes to what's called a hacker's rogue transparent proxy website that then takes them to the real website.
So the user is actually seeing the website or the service that they thought they were going to see, but what they don't know is that the URL is indicating that they're actually directly connected to a rogue transparent proxy website. And that rogue transparent proxy website can now capture anything that the victim types in or sends or anything coming back from the real website. So what they're oftentimes capturing is that multi-factor authentication credential that is sent, that goes through the man-in-the-middle website to the real website. So if you're asked to type in a code, you know, a four-digit code or a six-digit code or something like that, when you send it, the attacker can get it.
Unless the MFA or passwordless solution has some technical mechanism that can prevent or detect that man-in-the-middle attack, well, that man-in-the-middle website is getting all that information. And another thing that that man-in-the-middle website will do is say, hey, I don't care how you authenticate. I don't care if you're using one-factor, two-factor, 10-factor, fingerprint, eye retina scan, whatever. They don't care how you authenticate. If the man-in-the-middle attackers look in that connection string, they'll just wait for you to successfully log in, and anytime you successfully log in to a website, that website will send back to the victim's browser what's known as an access control token cookie. It's just a text file, it usually has a randomly generated identifier in it, but essentially, that's kind of like the passport for that user on that website. It says that this is who you are. You've successfully logged in. Now, you can move across the website.
Well, the attacker, if they had that man-in-the-middle website enabled in the connection, they will steal that access control token cookie on the way to the legitimate victim, disconnect that victim, take over the victim's session, and then change things so they can stay in control. They'll change the password or the PIN or the phone number, whatever they need. And unfortunately, somewhere around 90, 95% of all multi-factor authentication, most of the passwordless solutions you'll see, are susceptible to this man-in-the-middle attack. So when I talk to people about, hey, you should use an MFA option that is phishing-resistant, this is what I'm talking about: it should resist being successfully attacked by a man-in-the-middle attacker.
Jasson
Well, that was really helpful. Thanks a lot, Roger.
Roger
Well, thanks so much for having me. It's always a pleasure.
Patrick
So Jasson, what did we learn with this one?
Jasson
Well, symmetric secrets like credentials that move are almost impossible to defend, and we have to protect the victim against accidental signing, or in technical parlance, a confused deputy. So we need to introduce a software authenticator that's executing the client side of the authentication protocol, taking what is fundamentally a computer problem away from the person, and only sign challenges that are actually being issued from the domain that's assigned that key and nothing else.
Patrick
Take the user back out of the loop.
Jasson
Take the human out of the computer's problem.
Patrick
Right. There you have it, Alaina. When it comes to whether or not MFA stops credential theft, the answer is, it depends on specifically what type of MFA you're using. It depends.
Jasson
Definitely depends.
Patrick
Thank you all for joining us for this episode of "Cybersecurity MythBusters." If you have any rumors, questions, or myths you want us to test, be sure to let us know. We'll see you next time.
Jasson
Explosions?