The Internet is all atwitter, pun intended, about the recent Private Industry Notification from the Federal Bureau of Investigation. This notification reviews a series of cyber attacks that occurred over the past three years. Key takeaways from the article include:
- The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks.
- FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.
At first glance, this notification’s ominous title is absolutely frightening: “Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication.” Multi-factor authentication, or MFA, was supposed to save us all from account takeover.
What are we to do now that it’s been found to be vulnerable to the simplest of attacks?
Fortunately, the simple answer is to use true multi-factor authentication. The multi-factor authentication referred to in the FBI’s notification, is actually two-factor authentication, or 2FA. The notification also refers to poor application security design that exposed the risk of only providing authentication at login. Fortunately, iovation LaunchKey was designed to solve these challenges. We’ll go over the cases outlined in the notification, discuss how the attacks were perpetrated and explore how LaunchKey can be utilized to thwart such attacks.
Website Flaws Lead to Login Vulnerability
Login Bypass Attack
In the recent FBI notification, one scenario involves an attack where the authentication method for a banking website is bypassed, allowing the attacker to wire transfer large sums of money out of the victim’s account. The attackers were able to bypass the bank’s two-factor authentication by finding a flaw where they could enter a manipulated string into the web URL. This marked their computer as one recognized by the account, allowing them to skip the PIN and security question pages and initiate wire transfers from the victim’s account. The number of factors protecting the login would not have mattered, as the website itself was flawed.
The LaunchKey Solution
LaunchKey provides a methodology for out-of-band transactional authorization requests that allow contextual data to be sent with the request itself. Even after the website login was bypassed, transactional authorization on wire transfers would not only have prevented the transfers, it would also have identified in real time that the account in question was compromised and that fraudulent requests were being processed. A LaunchKey authorization request for a wire transfer, including the details of the transfer, would be sent to the banking customer’s mobile device. When denying the transfer request, the user would be prompted with a list of reasons for the denial. That reason would be returned to the banking system at the same time, identifying the compromised account in real time and preventing the account takeover attempt.
Mobile Device Hostile Takeover and Session Hijacking
SIM Swap Attack
In the recent FBI notification, one scenario involves an attack where a fraudster took over a banking customer’s account via a SIM swap attack. It all started with the fraudster convincing the customer’s mobile carrier to move the victim’s phone number to their phone via social engineering (the use of deception to manipulate the sharing of confidential or personal information). With the SIM swap complete, the attacker changed the passwords and PINs of the victim’s bank accounts through the bank’s call center. The call center verified the account holder by phone number and the identity of the account holder by a PIN sent to the account holder’s phone number via text message.
Session Hijacking Attack
Session hijacking attacks are accomplished by proxying the victim’s banking web traffic through an intermediary device or system. The goal of this process is to intercept the victim’s session cookie. Session cookies are used to keep a user logged in between web page requests. The attacker then uses the stolen session cookie to interact with the banking site directly, impersonating the victim’s session, in order to alter the user’s contact information and credentials.
The LaunchKey Solution
LaunchKey is very effective at preventing account takeover: simply add authorization before allowing a customer’s account information to be changed, regardless of medium. ATM, call center, website, and branch all use the same method to verify an account holder’s identity: a LaunchKey authorization request sent to the customer via the bank’s mobile app. When denying an authorization request to alter their account data, the customer would be prompted with a list of reasons for the denial. The user-identified reason would be returned to the bank with the denial response. Having been immediately alerted to a customer-confirmed account takeover attempt, the bank would be able to react in real time against the fraudster.
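The out-of-band authorization flow described in the wire transfer, SIM swap and session hijacking sections above, simulated end to end as an added example. This is not iovation or LaunchKey code: a bank server issues an authorization request carrying the full context of a sensitive action (a wire transfer, a contact-detail change), the customer's enrolled device answers it, and the server proceeds only on a verified approval. A denial with the reason "not me" flags the account in real time. The request ids, the device key shared at enrollment, the HMAC-based device signature and all account details are constructed for illustration.

```python
"""
Out-of-band transactional authorization, simulated end to end.

Added example, not iovation or LaunchKey code. Request ids, the device
key shared at enrollment and the HMAC-based device signature are
constructed stand-ins for a real enrolled-device signing scheme.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Reasons offered to the customer when denying (constructed list)
DENIAL_REASONS = ("not_me", "wrong_details", "changed_mind")


@dataclass
class AuthRequest:
    request_id: str
    customer: str
    context: dict                  # what the customer sees: channel, action, amount, ...
    status: str = "pending"        # pending | approve | deny
    denial_reason: Optional[str] = None


def _device_mac(key: bytes, request_id: str, decision: str) -> str:
    """Binds a decision to one specific request so a captured APPROVE cannot be reused."""
    return hmac.new(key, f"{request_id}|{decision}".encode(), hashlib.sha256).hexdigest()


class BankServer:
    def __init__(self):
        self.device_keys = {}       # customer -> key shared with the enrolled device
        self.requests = {}          # request_id -> AuthRequest
        self.flagged_accounts = set()
        self.executed = []          # contexts of actions actually carried out

    def enroll_device(self, customer: str, key: bytes) -> None:
        self.device_keys[customer] = key

    def request_authorization(self, customer: str, context: dict) -> AuthRequest:
        """Called before ANY sensitive action, whatever channel initiated it."""
        req = AuthRequest(secrets.token_hex(8), customer, dict(context))
        self.requests[req.request_id] = req
        return req

    def receive_response(self, request_id: str, decision: str, mac: str,
                         reason: Optional[str] = None) -> str:
        req = self.requests.get(request_id)
        if req is None or req.status != "pending":
            return "rejected"               # unknown id, or replay of an answered request
        expected = _device_mac(self.device_keys[req.customer], request_id, decision)
        if not hmac.compare_digest(mac, expected):
            return "rejected"               # not from the enrolled device
        req.status = decision
        if decision == "approve":
            self.executed.append(req.context)
            return "executed"
        req.denial_reason = reason
        if reason == "not_me":
            # Customer-confirmed takeover signal, available to fraud operations immediately
            self.flagged_accounts.add(req.customer)
        return "denied"


class CustomerDevice:
    """The customer's phone running the bank's own app."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, req: AuthRequest, decision: str, reason: Optional[str] = None):
        assert decision == "approve" or reason in DENIAL_REASONS
        return req.request_id, decision, _device_mac(self.key, req.request_id, decision), reason


def run_scenario() -> dict:
    bank = BankServer()
    key = secrets.token_bytes(32)
    bank.enroll_device("alice", key)
    phone = CustomerDevice(key)

    # 1. Attacker holds a valid web session (login bypassed or cookie hijacked)
    #    and submits a wire transfer. The bank still asks alice's phone.
    req = bank.request_authorization("alice", {"channel": "web", "action": "wire_transfer",
                                               "amount": 25000, "to": "ACCT-CONSTRUCTED-1"})
    forged = bank.receive_response(req.request_id, "approve", "00" * 32)   # attacker has no key
    denied = bank.receive_response(*phone.respond(req, "deny", "not_me"))   # alice sees the details

    # 2. Legitimate change of contact details initiated at the call center.
    req2 = bank.request_authorization("alice", {"channel": "call_center", "action": "change_contact",
                                                "new_phone": "+1-555-0100"})
    approved = bank.receive_response(*phone.respond(req2, "approve"))
    replayed = bank.receive_response(*phone.respond(req2, "approve"))      # same answer sent again

    return {"forged": forged, "denied": denied, "approved": approved, "replayed": replayed,
            "flagged": "alice" in bank.flagged_accounts, "executed": len(bank.executed)}


if __name__ == "__main__":
    print(run_scenario())
```

The point the simulation makes is that the authorization decision never lives in the web session: a forged approval without the enrolled device's key is rejected, a second submission of an already-answered request is rejected, and a "not me" denial gives the bank a customer-confirmed takeover signal the moment it happens.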
Sophisticated, Deceptive Phishing Scams
Phishing attacks are more sophisticated today than ever before and often incorporate deceptive emails that look real but instead prompt consumers to click a link in an email, SMS, or chat message that directs the unsuspecting victim to a website mimicking the one they were expecting. These sites can be used to capture account credentials or knowledge-based authentication (KBA) data. They can also be used to directly hijack user sessions.
The LaunchKey Solution
True omni-channel authentication with rich authentication context is the best method for protecting users against phishing attacks. When consumers can use the same authentication method across all channels, they will become suspicious when a different method is presented during a phishing attack. Providing users with rich authentication context will prevent confusion and inadvertent acceptance of a website login or wire transfer. As LaunchKey was designed from the start to be omni-channel, it empowers financial institutions to provide that rich context with every authentication request across all possible channels for authorization requests. Combined with proper user education, it can be an effective measure to reduce the risks from phishing attacks.
Friction Prevents Adoption
The largest blocker for organizations to provide true multi-factor authentication on one channel, let alone every channel, is friction. Strong multi-factor authentication often requires the purchase of a separate hardware device or the installation of additional software, along with a disjointed, and often frustrating, authentication process. Making it more difficult for users to perform an action can reduce risk. It can also negatively affect the bottom line with abandoned shopping carts and unhappy users.
The LaunchKey Solution
LaunchKey provides a streamlined and usable risk-based multi-factor authentication option for every industry. It extends the authentication capabilities of mobile devices that end users already own. The user performs authentication within a company’s existing mobile application. There is no hardware to buy or additional app to download. LaunchKey also allows for risk-based authentication policies. When a company uses its unique insight into user behavior and mixes in device intelligence from iovation, a proper risk level can be assigned to any transaction. Once the risk level has been assessed, a decision can be made on whether to require an authorization request for an action. That decision can also determine the number or types of factors the company wishes to require to mitigate that risk. LaunchKey allows you to do this in real time and vary the authentication requirements for each authorization request. Dynamically altering authorization requirements based on real-time risk analysis provides friction only when necessary, to simultaneously prevent fraud and delight users.
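A risk-based, per-request policy of the kind the paragraph above describes, written here as an added example rather than LaunchKey's own policy engine. It scores one action from behavioural and device signals, decides whether an out-of-band authorization request is needed at all, and if so how many factor types the customer's device must satisfy. The signal names, weights, thresholds and the list of low-risk actions are constructed for illustration; a real deployment would tune them from its own fraud data and device-intelligence feed.

```python
"""
Risk-based, per-request authorization policy.

Added example, not LaunchKey's policy engine. Signal names, weights and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass

# Actions that may be served with no extra friction when risk is low (constructed)
LOW_RISK_ACTIONS = {"view_balance", "view_statement"}


@dataclass
class Signals:
    new_device: bool          # device never seen for this customer
    device_reputation: float  # 0.0 clean .. 1.0 known bad, from a device-intelligence feed
    amount: float             # value of this action, 0 for non-monetary actions
    typical_amount: float     # customer's usual transaction size
    new_payee: bool           # destination never used before
    session_ip_changed: bool  # client IP moved mid-session: a session-hijack indicator


def risk_score(s: Signals) -> int:
    """Additive score capped at 100; the weights are constructed."""
    score = 0
    if s.new_device:
        score += 30
    score += int(40 * s.device_reputation)
    if s.amount > 3 * s.typical_amount:
        score += 20
    if s.new_payee:
        score += 15
    if s.session_ip_changed:
        score += 25
    return min(score, 100)


def policy(action: str, s: Signals) -> dict:
    """Decide, per request, whether to step up and with which factor types."""
    score = risk_score(s)
    if action in LOW_RISK_ACTIONS and score < 20:
        return {"risk": score, "require_auth": False, "factors": []}
    # Everything else goes out of band to the enrolled device; the risk
    # level sets how many distinct factor types the device must present.
    if score < 40:
        factors = ["possession"]                              # approve on the enrolled device
    elif score < 70:
        factors = ["possession", "knowledge"]                 # plus app PIN
    else:
        factors = ["possession", "knowledge", "inherence"]    # plus biometric
    return {"risk": score, "require_auth": True, "factors": factors}


if __name__ == "__main__":
    quiet = Signals(False, 0.0, 0, 500, False, False)
    print(policy("view_balance", quiet))
    transfer = Signals(False, 0.0, 5000, 500, True, False)
    print(policy("wire_transfer", transfer))
    suspicious = Signals(True, 0.0, 5000, 500, True, True)
    print(policy("wire_transfer", suspicious))
```

A familiar device checking a balance gets no prompt at all; a wire transfer to a new payee from a known device gets a one-tap possession check; the same transfer from a never-seen device whose session IP changed mid-way is pushed to all three factor types. The friction scales with the risk of the individual request, not with the channel it arrived on.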