Hacking Multi-Factor Authentication [ML B-side]

Multi-Factor Authentication (MFA) is usually considered a better solution for authentication than just using passwords. But Roger Grimes, a veteran security professional and Data-Driven Defense Evangelist, claims that the sense of security current MFA solutions provide us is false.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Roger Grimes

Data-Driven Defense Evangelist at KnowBe4

My career professional goal in life is to get more people and companies to use data and the scientific method to improve their computer security, and I do so as the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company. I am a 30+-year senior computer security consultant and cybersecurity architect specializing in general computer security, identity management, PKI, Windows computer security, host security, cloud security, honeypots, APT, and defending against hackers and malware. I have also written 13 books (9 solo, 4 co-written) and over 1,100 national magazine articles on computer security. I was the weekly computer security columnist for InfoWorld/CSO magazines from 2005 to 2019. I frequently get interviewed for radio shows (including NPR's All Things Considered), podcasts, magazines (including Newsweek) and television. If I leave this world without having made the Internet a safer place for all people to compute, I have failed.


Hi and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.

If you’ve been following cybersecurity news for the past, I don’t know, 20 years, I don’t need to tell you that passwords are not a great solution for authentication. Most people choose weak passwords or reuse their passwords across different services, and even if you follow all the best practices, your password might still be compromised by a data breach. 

The basic problem with passwords is that they are but a single piece of evidence that you are who you say you are, evidence based on what you know, that is, the assumption is that you are the only one who knows your password. Reused, easy to guess or compromised passwords all negate this basic assumption. 

Multi-Factor Authentication tries to solve this problem by providing the user with other ways to prove he or she is indeed who they say they are, with something they have, like a USB security token for example, something they are, like a unique fingerprint or somewhere they are, like using a GPS to verify your location. Combining two or more such authentication factors greatly increases the likelihood that you are indeed who you claim to be, which is why MFA has become so popular.

But this episode’s guest says that this sense of security is false. That many, if not most, current implementations of Multi-Factor Authentication, and in particular SMS-based authentication, are not nearly as secure as we’d like to think they are. 

Roger Grimes has been fighting malware and malicious hackers since 1987. He was Microsoft’s principal security architect for 11 years and has written no less than 13 books and 1,100 articles on computer security. He is currently a Data-Driven Defense Evangelist at KnowBe4, a company providing security awareness and simulated phishing training. Grimes spoke with Nate Nelson, our senior producer, about the weaknesses of multi-factor authentication.

Enjoy the interview.


[Nate] How does multi-factor authentication really work under the hood?  Like whether I use my phone, an email, whatever, what’s going on underneath the surface?

[Roger] In almost all cases, once you have successfully authenticated, you get sent back this, what’s called an access control token. If you’re logging into a website or service, web-based service, it’s going to send you this access control token as a cookie, a text file cookie to your browser. And then your browser’s automatically submitting that or allowing it to be accessed by the website that you’ve logged into. So then when you’re on that website or service or program, you’re getting what’s called authorization to access different resources based upon that access control token that you’ve been given.

[N] And that token that’s generated varies depending on what kind of second factor I use or not?

[R] Yeah, and that’s kind of an important point. Like in Windows or on a website, no matter how you access the website, let’s say whether it’s a login name and password or a multi-factor authentication token or your retina scan or your fingerprint, however you log on in, typically that access control token is identical and it’s no better protected whether you’re using a password or you’re using five factor fingerprint biometric scan.  

So to be clear, no matter what kind of second factor I use, whether it’s more or less secure, if the hacker can get to the token, it doesn’t matter. I’m sure there’s some systems around the world, military systems that would say within the access control token, okay, Roger logged in with something with more assurance and so he can access something greater. But most of the time in almost every application, every service in Windows and Linux and Macs, it’s the same access control token. There is literally no difference whether you logged in with something that was highly assured that had a bunch of authentication and whether you logged in with a login name and password. 

[N] Why is that though? and it seems like it should be a relatively easy thing to fix, no? 

[R] Yeah, you know, and let me say we’ve known for decades what to do. There are systems when you log on in, they’re just very few that have different assurance levels and you’ll get a different, at least the information within the cookie itself will be different. The problem is that even if it has that information, if the hacker can get access to your access control token, they can use it even if they don’t have your fingerprint. Once that driver’s license is submitted, driver license like access control token, it’s like a bearer bond. Whoever has it is that person and has that authority. So then the differences between a lot of kinds of MFA are largely superficial.  

You know, I guess I used to think when I was logging into a network like an Active Directory network with my fingerprint, I think in my head I thought my fingerprint was being submitted all around the network and, you know, hey, you know, it’s using, it’s verifying, I really am Roger. The fingerprint is read and authenticated during the login. And then after that, that access control token, in a Windows Active Directory network, could be a Kerberos ticket in a lot of cases. It’s identical whether I used MFA or not.

[N] What is the means by which a hacker would gain that initial access to your token? 

[R] So there’s a, you know, there’s a bunch of different ways. I mean, the simplest one is they could be in on your endpoint and they’ve compromised your PC, you know, so you’ve got malware or the hackers on your computer and they can get your access control token there. 

[N] Give me an example. How might that look? 

[R] So a big example, again, this is back in 1980s, 1997, 1998. There’s a big thing called the Bancos Trojan. So these appeared in Spanish, they’re kind of targeting Spanish and Portuguese Brazilian banking websites. What they would do is break into a person’s computer, just normal way, social engineering, unpatched software, something like that. Someone gets tricked into installing it. And then it kind of monitors your browser looking for what URLs that you’re going to. So they’ll monitor your URL and then they kind of come awake when, you know, when you’re going to one of the sites that they’re predefined to look for, they’ll wait for you to log in. They don’t care how you log in, whether it’s a password or MFA. But then when you log on in and you’re successfully in and they’ve detected that, they will usually open a second hidden browser session that’s invisible to the end user. So the end user’s in and behind the scenes, this malware thing is transferring all or a lot of your money to some other bank account and the bank doesn’t know it isn’t coming from you because it’s coming from your device that they’ve recorded as being the device you’ve used before. It’s coming from your browser. The operating system has the same characteristics that you get from your login. And then it doesn’t know that it isn’t you performing those tasks. 

[N] Okay. But then at that point, surely your transaction activity would start to look quite suspicious to your bank.

[R] They actually have predefined in the Trojans how much money they can transfer without it kicking off an additional, oh, are you sure you want to do this? But sometimes the Trojans have that built into it and they will even change your email address and phone number so that if someone tries to send an email going, you sure you want to transfer all your money to this Russian bank account? Yes. And that’s been around since the late 1990s and it continues to be a very popular attacking method today. There are literally hundreds of gangs around the world, hundreds of malware programs stealing billions of dollars doing man in the end point attacks like that. 

[N] Is that then the most common way to defeat multifactor authentication? 

[R] Probably the most common way that it’s accessed is by doing what’s called a man in the middle attack is that they’ll send you a phishing email that contains a rogue link. And so the victim is tricked into clicking on this rogue link. They think they’re going to Microsoft or Google or their bank or whatever. But if they were to hover over that link, that URL link, they would see that it isn’t going, if they knew what they were looking for and knew how to read a URL, they would see that it’s not really going to where they think it is. It takes them to this what’s called man in the middle, transparent proxy website or service. All it is, is this service that gets in between them and then that service then connects their connection to the real website or service that the victim thought they were going to in the first place. And so now that man in the middle website or service is in the middle, man in the middle between everything that the client types to the server and everything that the server sends back to the client. So from the client side, this man in the middle website can steal the login name, the password, any digits. A lot of people get these six digit codes from MFA can steal those codes and then login as the user. If the website sends back any confidential information, you know, so you’ll, you know, your social security number or your credit card number or that cookie, that cookie token is sent back. This man in the middle website can get it.

[N] Are man in the middle attacks really as easy for hackers as you’re making it sound now?

[R] Sadly, 90, 95% of MFA can be tricked by this man in the middle website. It’s a really common type of attack. For example, most malware, most password stealing malware today is enabled to look for and steal MFA credentials.  

[N] So that’s a couple of different kinds of computer hacks that could lead to defeating MFA. What about my phone? Because I know I use that for multi factor authentication more often than not. 

[R] Hackers many times will socially engineer victims and they’ll act like the phone company and they give them their login name, password, and many times PIN to the telephone company, to the mobile phone company. The hacker will then take that and get that person’s phone number transferred to their phone, to their burner phone, and then they’ll reset the victim’s, you know, different password accounts at their bank, their stock account or something like that. And that, and usually those resets will generate an SMS, short message service, that is sent to the person’s phone number and they have it transferred to the person’s phone or to the hacker’s phone and the victim doesn’t know anything. Their phone is just maybe unusually quiet and if they actually look, they would see that it had an out of network sign at the top, but most people don’t notice it. They’re just like, oh, my phone’s not working. And at first they don’t think anything of it. But after an hour or two goes by, they start thinking something’s wrong, but their phone’s not working. They’ll usually eventually use somebody else’s phone, call the phone company, the phone company is like, oh, we transferred your number to your new phone. 

[N] These SIM swaps, they’re popular among hackers?

[R] Very, very popular. Many people, especially if you’re a crypto investor, they, you know, with cryptocurrency, many people have had all of their cryptocurrency stolen. There was this one guy that had, I think it was $20 million stolen, there was a really popular case a year or two ago, Reddit, Reddit’s admins used SMS based MFA to authenticate their admins. So they were SIM swapped and had their information, had their MFA taken and then the attackers broke in to Reddit and stole their customer databases and I think even installed a Trojan somewhere in the network.

[N] Yeah. And I mean, we can talk about this story or that, but in the end, it still is a second layer of protection on top of your password, right? That’s why we keep MFA around. Even if it’s not perfect, it’s something. Well, you have all these people going, well, it’s okay, it’s hackable. But you know, it’s better than a password. 

[R] I don’t know. I don’t know about that. I personally don’t trust SMS based authentication as much as I trust my password. 

[N] I mean, if it’s really as bad as you’re suggesting, are there people out there doing something about this? 

[R] The US government has been saying not to use SMS based MFA since 1997 and the Digital Identity Guidelines, that’s NIST Special Publication 800-63. It is literally the US government five years ago said it’s hacked so much, don’t use it. But many times you don’t get to choose whether or not you use it, the site or service you belong to uses it and they like it because they send it to your phone number and everybody’s got a phone and, oh, it’s great. It’s not so great. It’s easy to hack. 

[N] You know, where different types of MFA are concerned, our show, not too long ago, covered a story that really was about this, even if we didn’t focus on it so much. The story of the 2011 RSA breach, right? That’s an example of a second factor authentication company that got severely breached and led to supply chain hacks. 

[R] And let me say, you know, great solution, the RSA SecurID, and that’s where you get this little round, rounded token and it would put six digits on there. And any of that, you know, anytime you get these, they call them one-time passwords, you know, this RSA SecurID token updates the number, you know, it’s called time-based one-time passwords and that, you know, every 30 seconds, every minute, that number updates. Well, the way that it does it is that there is this pre, this shared seed number, this shared seed value. And then that seed value is usually then used in an algorithm, multiplied, added, subtracted, divided in an algorithm to, along usually with your, some type of individual instance. So it could be the device ID or it could be your login name. And then it’s put into this algorithm and then it’s put against the current time to generate this number. 

And whenever you get a one-time password device, so Google Authenticator, Microsoft Authenticator, RSA SecurID, whatever this number is generated, that’s got to be stored in an authentication database somewhere that’s used to verify, are you putting in the right number? And if somebody can get access to those seed databases, then they can create an unauthorized additional instance of your MFA that gives you the same one-time code. The big attack was probably a decade ago, the RSA company was broken in and the attackers, which were eventually identified as Chinese APT, Advanced Persistent Threat, found that there was a server that backed up everybody’s seed values. RSA had this, it was supposed to be offline or heavily secured server that had a backup of all the seed values. So that if somebody lost their seed value, lost their seed value database, RSA could kind of rescue you without you needing to update all your tokens. The hackers got to that, found it was online, downloaded all the seed values, and then proceeded to use those seed values to break into different companies, including Lockheed Martin, and they stole some information from Lockheed Martin. 

[N] And then the same maybe can be said about the more modern authenticator apps, right? The other ones that generate those six-digit one-time codes.

[R] A lot of authentic, like if you install Google Authenticator, those instances of Google Authenticator are typically, if you’re at a company, you have a server at your company that is running Google Authenticator, and that’s where the seed values are. And if somebody gets ahold of the Google Authenticator seed values of your company, there is software out on GitHub, out on the internet, that anyone can download that will allow them to make additional Google Authenticator instances. And it has been used to rob people. There are lots of people on the internet, Coinbase users and Binance users, a lot of times the poor cryptocurrency people get attacked a lot, that are like, oh my God, I thought I was protected by MFA, but it got stolen, and all they did was maybe accidentally leave their QR code. When you set up Google Authenticator, a lot of times it’ll send you this QR code. The wild thing is it stays good forever. So if a hacker ever finds that QR code, even if you deleted it, but you haven’t emptied your mailbox, they can then create an additional instance of your Google Authenticator codes, and you would know nothing about it.

[N] All right. Are there any other common types of MFA, types of MFA that our listeners might be using now, that are hackable besides the ones that we’ve already mentioned? 

[R] Yeah. So a really common MFA solution today is what’s called push-based authentication, where you get this code, or you get this alert that’s sent to your phone or your other device going, hey, is this you logging in? And sometimes it will include the city that you’re in, your physical location. They might include your IP address. They might tell you, oh, you’re using Windows or what your browser is. And they’ll say, is this you logging in? And you say, yes. And you get logged on in. It’s pretty, it’s actually, when I wrote my Hacking Multi-Factor Authentication book for Wiley a year or two ago, I actually said, I like push-based MFA. It’s great. What I didn’t know at the time, because it was push-based MFA, which was relatively new, and now it’s used by Google and Microsoft people and Duo people left and right, is that about 30% of people that use push-based MFA will say, yes, is this you logging on in when it is not them logging on in? 

[N] Wait, why would they do that?  

[R] I was involved in a case where a company lost $20 million to ransomware. And the person that had allowed the logins over 80 times was the CIO. And we were interviewing the CIO and we said, hey, why did you allow these 80 rogue logins? Because the location said Russia. And this was located in Texas. And the person’s like, listen, you just told me, I was just told that if I got this prompt just to say, okay, just to say yes. And so hackers and ransomware people routinely come up against these organizations with push-based MFA and we’ll hit the people and the people will approve it. Sometimes they’ll do it late at night and the people will be trying to sleep. And so they’re getting this push-based authentication where they’re like, no, no, no. And the person’s like so tired, one o’clock in the morning, yes. They think it’s like an errant batch file or something. And they finally say yes and go back to sleep, you know?

[N] All right. And before we finish up this part of the conversation, there are some other, even in my view, more interesting ways to hack MFA that maybe aren’t as common or as realistic, but are much more fun and interesting from a technical perspective.

[R] Yeah. So these are real world attacks, but not necessarily super common. But if you haven’t, you know, most MFA devices have a private key, a private encryption key or some type of private, you usually have multiple private keys that are stored on them. And people, you know, probably the most out there attack is that if you have an electron microscope and I used to think an electron microscope, oh, it takes, you know, cost $10 million. You can buy a used electron microscope for a couple of hundred to a couple of thousand dollars and every, you know, certainly every, you know, college that wants one has one. But it’s, you know, and certainly nation states have them. But there actually is open source software that if you have an electron microscope, you can download this open source software and it’s made to work with particular multi-factor authentication solutions or Microsoft BitLocker where you can actually, they’ll actually use electron microscope. Look at the memory chip or firmware that’s, you know, related to that MFA device. And they can actually at the molecular level, identify the molecules that are used in the memory storage system to identify. There’s actually a particular pattern of those molecules where it’s a secret key and they can actually identify the secret key at the molecular level using a USB key. 

But forget using an electron microscope, do you have 10 bucks for canned air? With memory chips today, if you’re using any type of product that has a memory chip, again, that has these secret keys, it turns out they can actually use canned air, spray it on the memory chip for like a minute till it gets all frosty white, then take that memory chip to a system and look for your private keys. And again, there’s open source software and that’s called a memory freeze attack. It’s been around for well over a decade. I’ve seen it done in real life against one of my systems. It works quite well.

Or let’s say USB key, there’s like a thousand or thousands of people on this planet that if you give them a smart card, they can actually plug in that smart card and wirelessly use the signals that emanate, EMI, the wireless signals that emanate from the chip on the smart card, they can actually identify your private key and steal it. And it’s, there’s like, it’s a subculture, there’s, you know, there’s a whole subculture of people. That’s what they do is strip your USB cards and then activate them and steal the private key stored on the smart cards, you know? So if someone gets your device physically, just know there are thousands of people trained in this world, nation state, and just hobbyist that can steal your secret key in a multitude of different ways. And by the way, you’re talking about the, you know, we’re going through different ways that I’ve come up with over 60 ways to hack MFA, you know, different, different types of MFA. So you can hack the average MFA solution at least five ways and most of them 10, 11 ways at least.

[N] So with all of the risks that you’ve described just now in great detail and all of the risks that we didn’t have time to get to in this episode, the obvious question for me becomes, should we stop using MFA?

[R] No, good question. I think everybody should use phishing resistant MFA wherever they can to protect valuable data and systems because good phishing resistant MFA does stop a large percentage of attacks and you should, for that reason alone, you should use phishing resistant MFA when and where you can. 

[N] Which kinds of MFA count as phishing resistant?

[R] Yeah, you know, so there’s a lot of different ways that your MFA can be phished, but primarily I’m talking about that initial example, that man in the middle attack where they could, you know, steal your access control token. If I can send you an email and if you click on that rogue link, if it bypasses or hacks your MFA, that’s easily phishable.  

[N] What’s one good example of one of those phishing resistant MFA solutions?

[R] And then, you know, it’s kind of interesting, like if you get a YubiKey, a Yubico YubiKey, you know, USB key that you stick in the side of your laptop is really an awesome device and it can be implemented in what’s called FIDO, which is Fast Identity Online, which is a non-phishable, phishing resistant MFA standard called FIDO. Well, when you get that YubiKey, you can implement it in FIDO mode that stops easy phishing or you can implement it in non-FIDO mode. Most people just don’t know, and it’s almost, it’s just as easy or hard, depending on how you look at it, to implement FIDO versus non-FIDO mode. And most people just don’t know that there’s a difference and they haven’t heard of the term FIDO or it scares them, and so they implement the non-FIDO mode and then they end up with something that’s easily phishable.

[N] Roger, that just about does it. Is there any last word that you’d like to leave us with? 

[R] Yeah, no matter what type of MFA you’re using, whether it’s phishing resistant or easily phishable, everybody should be educated about the types of common attacks against their particular MFA solution and taught to look out for them and then how to avoid them. Like with a lot of the phishable stuff, it’s simply, hey, just be aware if you get tricked into clicking on a rogue link, it can bypass your MFA or steal your MFA option. So just be aware that if you click on something that’s rogue, it can get around your MFA. Simply just teaching somebody that you still have to pay attention to the URL will help protect some percentage of the people.
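Editor's added example (not part of the interview, and not code from Roger Grimes, KnowBe4 or Cybereason): the seed-value point Grimes makes about RSA SecurID and Google Authenticator, shown in working code. A time-based one-time password is HMAC-SHA1 over a counter derived from the clock (RFC 4226 / RFC 6238), keyed with the shared seed. Anyone holding the seed, whether the authenticator app, the server's seed database, or a copy of the enrollment QR code, computes the identical six digits, which is why a leaked seed database or a QR code left in a mailbox yields a silent second instance of the token. The `otpauth://` URI below is constructed for this example using the RFC test seed `12345678901234567890`; the function names are this example's own.

```python
"""TOTP from a shared seed, and why a copied seed is a cloned token.

Added illustration of RFC 4226 (HOTP) and RFC 6238 (TOTP). The seed and
the otpauth URI are the RFC test vector / a constructed enrollment string,
not values from any real deployment.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed enrollment URI of the kind encoded in an authenticator QR code.
# The Base32 secret is the RFC 4226/6238 test seed "12345678901234567890".
ENROLLMENT_URI = (
    "otpauth://totp/ExampleCorp:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp"
)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset given by the
    low nibble of the last MAC byte."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Nothing but
    the seed and the clock goes in, so every seed holder gets the same code."""
    return hotp(seed, at // step, digits)


def seed_from_otpauth_uri(uri: str) -> bytes:
    """Recover the raw seed from an enrollment QR code's otpauth:// URI.
    This is exactly what a cloned authenticator instance needs."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore Base32 padding if stripped
    return base64.b32decode(secret)


def verify(seed: bytes, candidate: str, at: int, step: int = 30,
           window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- window
    steps of clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, at + drift * step, step), candidate):
            return True
    return False


if __name__ == "__main__":
    # Two "devices" enrolled from the same QR code: the victim's phone and
    # an attacker's copy. Their codes are indistinguishable to the server.
    victim_seed = seed_from_otpauth_uri(ENROLLMENT_URI)
    attacker_seed = seed_from_otpauth_uri(ENROLLMENT_URI)
    now = int(time.time())
    print("victim  :", totp(victim_seed, now))
    print("attacker:", totp(attacker_seed, now))
    print("server accepts attacker's code:",
          verify(victim_seed, totp(attacker_seed, now), now))
```

The RFC 6238 test vectors make the behaviour checkable without a live clock: with the test seed, time 59 gives `287082`, time 1111111109 gives `081804`, and time 1234567890 gives `005924`. Note that `verify` compares the candidate against codes the server itself derives from its stored seed, which is why the seed database (the RSA backup server in the story, or the company server Grimes describes) is the crown jewel: it is sufficient to mint valid codes for every enrolled user.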