Social engineering attacks exploiting legacy Multi-Factor Authentication (MFA) technology have been successful in compromising Twilio, Cisco, Intuit, and other enterprises this summer. Even as CISOs and IAM Architects supplement passwords with MFA, hackers are finding new ways to exploit the human element of security. Out of 4,110 breaches studied in the 2022 Verizon DBIR, the human element was the root cause of 82%.[1] Clearly, securing authentication would be much easier “if it weren’t for the damned users.”
Recent Human-Driven Breaches
Here are the details of these recent, high-profile MFA social engineering attacks:
- In August, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. Current and former employees reported receiving text messages purporting to be from Twilio’s IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controlled. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page.[2]
- In May, Cisco’s Security Incident Response team was alerted to an attacker who had escalated to administrative privileges and was able to log in to multiple systems. The Yanluowang ransomware group leveraged a compromised employee’s Google account, and MFA spoofing attacks allowed the attackers to run the company’s VPN software as the targeted Cisco employee. The attackers used a multitude of techniques to bypass the multi-factor authentication, including voice phishing and MFA fatigue: sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to silence the repeated push notifications. Once the attackers had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN, researchers wrote.[3]
- In August, Intuit’s Mailchimp discovered an unauthorized actor accessing tools used by customer-facing teams for customer support and account administration. The incident was carried out by a fraudster who conducted a social engineering attack on Mailchimp employees and obtained access using their compromised credentials. It appears that 214 Mailchimp accounts were affected, focused on users in industries related to cryptocurrency and finance.[4]
- Detailed forensic analysis of the LastPass breach has not been announced, but it is highly likely that this breach also exploited MFA. LastPass detected unusual activity within portions of the LastPass development environment in early August 2022 and determined that an unauthorized party had gained access through a single compromised developer account. The hacker took portions of source code and some proprietary LastPass technical information.[5]
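The push-fatigue and follow-on device-enrollment pattern described in the Cisco item above can be turned into a detection over authentication logs. The following Python is an added example, not code from authID, Cisco or Talos; the log format, event names, thresholds and the sample events are all constructed assumptions for illustration. It groups each user's push challenges into bursts, flags a burst of repeated denials that ends in an approval, and then flags a new MFA device enrolled shortly after such a burst, since that is the moment the second factor changes hands.

```python
"""Detect MFA push-fatigue bursts and the device enrollment that follows them."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any real IdP):
# <UTC timestamp> <user> <event> <result>
SAMPLE_LOG = """\
2022-08-01T09:00:01Z alice mfa_push denied
2022-08-01T09:00:14Z alice mfa_push denied
2022-08-01T09:00:31Z alice mfa_push denied
2022-08-01T09:00:52Z alice mfa_push denied
2022-08-01T09:01:10Z alice mfa_push denied
2022-08-01T09:01:33Z alice mfa_push approved
2022-08-01T09:03:20Z alice mfa_device_enroll success
2022-08-01T09:05:00Z bob mfa_push approved
2022-08-01T09:06:00Z carol mfa_push denied
2022-08-01T09:16:00Z carol mfa_push approved
2022-08-01T12:00:00Z carol mfa_device_enroll success
"""


def parse_log(text):
    """Parse whitespace-separated events into sorted (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return sorted(events)


def find_push_bursts(events, threshold=5, gap=timedelta(minutes=2)):
    """Group each user's push challenges into bursts (consecutive pushes no more than
    `gap` apart) and flag bursts of at least `threshold` pushes. A burst whose final
    push was approved is the fatigue pattern: repeated denials, then an 'approve'
    tapped to make the prompts stop."""
    pushes = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            pushes[user].append((ts, result))

    alerts = []

    def flush(user, burst):
        if len(burst) >= threshold:
            alerts.append({
                "user": user,
                "start": burst[0][0],
                "end": burst[-1][0],
                "pushes": len(burst),
                "denied": sum(1 for _, r in burst if r == "denied"),
                "approved": burst[-1][1] == "approved",
            })

    for user, items in pushes.items():
        burst = [items[0]]
        for ts, result in items[1:]:
            if ts - burst[-1][0] <= gap:
                burst.append((ts, result))
            else:
                flush(user, burst)
                burst = [(ts, result)]
        flush(user, burst)
    return alerts


def find_enrollment_after_burst(events, bursts, grace=timedelta(minutes=30)):
    """Flag a successful MFA device enrollment within `grace` of an approved push burst
    for the same user: the approval may have been coerced, and a new device now holds
    the second factor."""
    alerts = []
    for ts, user, event, result in events:
        if event != "mfa_device_enroll" or result != "success":
            continue
        for b in bursts:
            if b["user"] == user and b["approved"] and b["end"] <= ts <= b["end"] + grace:
                alerts.append({"user": user, "burst_end": b["end"], "enrolled_at": ts})
    return alerts


def analyze(text=SAMPLE_LOG):
    """Run both detections over a log and return (burst_alerts, enrollment_alerts)."""
    events = parse_log(text)
    bursts = find_push_bursts(events)
    return bursts, find_enrollment_after_burst(events, bursts)


if __name__ == "__main__":
    bursts, enrollments = analyze()
    for b in bursts:
        print(f"push burst: {b['user']} {b['pushes']} pushes ({b['denied']} denied) "
              f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S} approved={b['approved']}")
    for e in enrollments:
        print(f"device enrolled after burst: {e['user']} at {e['enrolled_at']:%H:%M:%S}")
```

On the constructed log, alice's six pushes in ninety seconds form a burst that ends in an approval and is followed two minutes later by a new device enrollment, so both rules fire; bob's single approved push and carol's two pushes ten minutes apart do not. The thresholds are starting points to tune against a real IdP's volumes, and the enrollment rule is the one worth paging on: a new factor registered right after a coerced approval is exactly the step that let the Cisco attackers keep their access.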
Solving for the Human Element
Authentication is approaching a fundamental change: after 61 years of passwords, we are now focused on eliminating them with cryptographic FIDO2 Passkeys, which bind authentication to a user’s devices. While replacing “something you know” with “something you have” will undoubtedly be an improvement, shortcomings remain. In the case of the Cisco breach, once the hackers compromised the user’s credentials, they enrolled and redirected step-up to new devices — device authentication was now something the hackers had, not the user.
authID’s Verified™ binds identity to the Passkey on the user’s device by capturing a reference biometric selfie when we first enroll the user. This means that, in typical use, Identity Assurance and Authentication Assurance go hand in hand. When the user needs to elevate privileges to conduct a high-risk transaction, when signals of account takeover are detected, or when a user needs to add or recover a new device, Verified steps the user up to an auditable biometric MFA available on any device, creating a chain of trust to the user’s biometrically authenticated identity.
authID’s Verified augments “something the user has” with “something the user is,” their unique face. The human element is the problem in 82% of breaches, so the human element — biometrics — is the ideal solution. We’ve designed Verified with a frictionless user experience, available on any machine or through any messaging technology, that’s easier to use and more secure than legacy one-time PIN codes.
authID’s Verified authenticates the human factor.
#ciso #biometricauthentication #socialengineering #mfa #passkeys
[1] https://www.verizon.com/business/resources/reports/dbir/
[2] https://www.twilio.com/blog/august-2022-social-engineering-attack
[3] https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
[4] https://mailchimp.com/august-2022-security-incident/
[5] https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/