Podcast
Root Causes 48: Weaknesses in MFA Authentication
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
October 31, 2019
A recent FBI warning cautions of attacks that circumvent Multi-Factor Authentication (MFA). Join us as we describe contemporary attacks against MFA and how to defend against them.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo, today, this was a Jay picks the topic day and you chose a recent FBI warning about attacks that bypass multi-factor authentication.
Jason SorokoA long time ago, feels a long time ago, I did a lot of talking publicly about the idea that not all multi-factor authentication is equal.Tim CallanSure.Jason SorokoAnd it seems - - when it's stated just like that, it might seem obvious, especially to those of us who are in the security industry but, unfortunately, to everyone else they may not get it. Right?Tim CallanYeah.Jason SorokoThey know that it's a - - it's a way to go beyond username and password. Maybe the average user has an intuitive understanding that that's what's being attempted here. It's another layer. The usability of some MFA is good. Some of it's not. Is it always picked up? Well, if you look at how long it took even on things like Twitter and social media.Tim CallanYeah.Jason SorokoFor people who use that to start using it, it took a lot of very high-profile hacks of accounts before MFA became, you know, a little more widespread. So, it had its uptake. And, we have vendors in the space that have done a pretty good job. But it we've also had situations where things like SMS, as example, as a form of MFA has been deprecated by NIST and I applaud that because even years before NIST deprecated SMS, I was showing examples of here is at least five reasons why you don't want to use it, and you should use something else. And it highlights this idea that not all are created equal. So, Tim, I think I want to dive into what the FBI said a little bit because that beyond that headline about just a warning about MFA in general, one of the things very specifically that they were warning about was in fact with regards to SIM swapping.Tim CallanYeah.Jason SorokoSo, I could go - - I could probably go at length about what it's about here but it really comes down to a form of social engineering, isn't it? Which is your identity is as such, and it can be represented in a lot of ways? Well, one of the main people who provision you as an individual is your carrier. It's ubiquitous. In fact, I heard an interesting statistic that I think at least in parts of Canada, more people have a cell phone account number in their name than people who have bank accounts.Tim CallanOk.Jason SorokoAnd that's not just because of the population of children. It's just there are it's - - there's more unbanked people than people who are un-cell-phoned.Tim CallanYeah, yeah.Jason SorokoWhich is interesting, right? And so, it's, it's so ubiquitous, to have, you know, essentially, so many people in the world walking around with a SIM chip in their pocket with that SIM card provisioned against themselves. And the process of say changing your phone number and saying, hey, you know, I’d like to put a different phone number on this card, in many cases, just requires a phone call.Tim CallanRight?Jason SorokoAnd if you can convince that, typically human on the other side of that phone, who can do the SIM swap, then you're probably capable of doing a lot of bad things. Why would you do it?Tim CallanAnd the SIM swap once it's accomplished, then what happens, of course, is when I dial in, a lot of times they'll auto identify me, right? They'll say, I can tell from your phone that you are blah, blah, blah, is that correct? And I say, yes, and then the other thing is that they'll send the confirmation code - - they'll text me the confirmation code, and it doesn't go to my phone, it goes to the bad guys.Jason SorokoThat is exactly right. What the bad guy is really trying to accomplish is, hey, if I need a one-time code, if I need a one-time symmetric token essentially to complete a transaction to prove that I'm somebody I'm not, then a SIM swap in many cases is all that's necessary and this is this is the underlying root cause of what's causing the FBI to issue this warning.Tim CallanWell, and this is also where, you know, we say MFA multi-factor authentication because it sounds very strong, right? Well, if break down the etymology of that word, right, it used to be called two-factor authentication two-FA and we changed somewhere along the line to account for the fact that maybe it's more than two, but how often is it more than two? Right? Almost never. And so, one of them is username, password and the other one is this, you know, this thing we just talked about. So, if I stole your username and password, and I did a SIM swap, that's it I'm done and that's the long and the short of what is multi-factor authentication.Jason SorokoLet's then consider, Tim, because this is - - you know, at the heart of this podcast is PKI and the one thing that I think people forget is this whole symmetric token idea - - this whole shared secret idea, the short-lived one-time passwords for an example, even if that one time password came off of a hard token, which many of you might carry around in your daily jobs in order to log into ERP systems and stuff like that, you're still typically typing that into your browser at some point, and therefore, that one-time password can be intercepted. I mean, we had a podcast very recently talking about the browser techniques still being used to this day.Tim CallanYeah.Jason SorokoWell, imagine if your browser has been compromised and you merely type in that one-time password into the browser and you authenticate into the session and yet somebody has intercepted that and has become you and has been able to authenticate as you. That's a problem. But what we're talking about here is even worse. You might be just working with your phone, you're logging into your banking system and essentially what it is, is just a very quick one-time password that's sent to you either by text message or perhaps it's even by its seeded into an app and again, you'll be typing that one-time password or copying and pasting it into a form, which it can also be compromised. Or, in the case of SIM swapping, that TAN or one-time password is sent to the bad guy directly.Tim CallanRight?Jason SorokoSo, the thing is, remember, you know, it's what would be a better idea is if to be able to authenticate yourself you had to utilize some form of an asymmetric secret, which only you possess, as part of, say, the private key, right?Tim CallanRight.Jason SorokoWith a user certificate such as that that piece of collateral, that piece of key material needs to be compromised, needs to be actively stolen by the bad guy. That's a heck of a lot harder.Tim CallanYeah. There's not there's not a social engineering attack, or there's not a way that you call up the phone company and get them to change something on their end and suddenly, there just isn't an equivalent of that if we're talking about a public private key scenario.Jason SorokoSo, therefore, PKI as an overlay, you know, I think there's many, many, many use cases in which a shared secret is probably sufficient because it's cheap and it's cheerful and it's easy to engineer and people have been using it for years and everybody's happy.Tim CallanRight. And there are circumstances where PKI might just be impractical. Right?Jason SorokoThat’s right.Tim CallanAnd how am I ever going to get a cert onto your device? But there are plenty of circumstances where it is practical.Jason SorokoThat's right. And when you enter the realm of non-human authentication scenarios, let's talk about IOT and let's talk about DevOps.Tim CallanSure.Jason SorokoWell, unfortunately, we've talked about this before at length the Mirai Botnet showed us all the reasons why shared secrets for non-human scenarios is a bad idea.Tim CallanYeah.Jason SorokoIt's not like that device wasn't something you had control of at least at the point of manufacture. The DevOps container was something that you had control of because you're the one that provisioned it. So, therefore, those use cases, IOT and DevOps specifically, those are the ones that really call out for PKI is the solution for it. Don't use anything less because it just doesn't make sense.Tim CallanYeah, and so it sometimes surprising to me, Jay, that this is a conversation that we even need to have. So, I'm going to go off script a little and I'm going to just ask you, why do you think it is that there are still people who haven't gotten the memo on this?Jason SorokoYou know, it's, we're deeply ensconced in it.Tim CallanYeah.Jason SorokoAnd it's pretty obvious to us.Tim CallanRight.Jason SorokoWhat I will tell you is there was a big eye-opening experience I had recently just reading through DevOps forums where people were just discussing their daily work life and setting up systems and asking questions to amongst their peers and many of them were like, hey, I've got to set up the CA for my Kubernetes Cluster.Tim CallanWhat do I do?Jason SorokoWhat does that mean and, you know, I know I need this thing called a certificate and to make things connect, it's kind of like, you know, a key that opens a door, I get that, but this whole, the management of that of that key is like I don't get it, but I don't care. Can I just run it? Just give me the Linux Command so I could just run this thing.Tim CallanRight.Jason SorokoAnd when I was reading this repeatedly, these are active professionals in the IT industry asking those questions. I think, Tim, to put it in a nutshell, PKI over the past 20 years plus has done such an incredible job of hiding in the background of your daily life, that you don't realize the underlying technology that is securing these things. I think that even amongst technology professionals it's background noise.Tim CallanRight. I have a flavor of that conversation all the time, which is I explain to people how every single aspect of their digital life bar none is enabled by PKI, and we walk through and it's all these things they haven't thought of. Everybody thinks about, oh, log into my bank account, I get that. You turn around and you start talking about all the things. Your phone wouldn’t work, your commuter train wouldn't work, your airplane wouldn’t work, your streaming service wouldn't work, your satellites that you use wouldn't work and they sort of - - it's an eye opener and you're like, it's pretty much everything with ones and zeros won't work and PKI is sitting everywhere and all that stuff. You're right as the sort of baseline piece of functionality that most of us never even have to touch because it's just part of the stack.Jason SorokoThis is a little bit of a diatribe here. But what the heck, I don't - -Tim CallanWhat the heck. Go for it.Jason SorokoI don’t do the name and shame too often, but here we go.Tim CallanOk.Jason SorokoI'm a Canadian and I have a Canadian bank account. By law, there's only six chartered banks in Canada. There definitely are some other options in this country but there are only six chartered banks. So, competition is not quite what it is in the United States or other parts of the world and that's decreed by the government. The Canadian government loves monopolies. And that's one whole political problem. One of the issues that it has caused is those six Canadian banks don't offer MFA, even for simple bank account logins for consumers.Tim CallanJust because there isn't the competitive motivation to do so?Jason SorokoYep. And the Canadian government insures Canadian bank accounts. So, when you when you complain to your local bank and say, hey, can you offer me MFA? What they'll say to you is, well, if your money gets stolen just give us a call, it's insured. So, you know, what's your problem?Tim CallanOk.Jason SorokoAnd as a consumer, look, you know, that's like, I hate to say it, but that's like Soviet Era thinking of just to put up with it because there is no competition. You are peon and we can afford lobby groups and lawyers and you can't, so to heck with you. The reason I'm going down this road, Tim, is not so much to blast the bank, it's to show you the levels of which you think you might be protected or are or are not because this FBI news release that they put out it really is saying to you look if you get down to the root cause of why the FBI had to issue that report, it is simply this, many forms of MFA are actually quite weak.Tim CallanRight.Jason SorokoAnd those weak forms of MFA are weak because they're shared secrets and they're shared secrets that are vulnerable to very simplistic social engineering.Tim CallanSure. You’re right. And the point, like at the end of the day, it seems like the point of the FBI is warning is not to tell us not to use MFA and, in fact, they're quite explicit on that. We say, we're not telling you not to use MFA, but they do want to make people aware of the fact that this thing that you might think of as ironclad and foolproof - is not.Jason SorokoYeah, and what the conclusion that that clicked into my head very quickly after I read the article, Tim, and one of the reasons I flipped it over to you to have a look at was like guys, you know, stop looking into your belly button about the weaknesses and strengths of MFA and start taking a look at the strengths of technologies that have actually been around for 20 years plus.Tim CallanYeah.Jason SorokoThat are far, far, far, stronger than this. Especially when you're talking about non-human use cases.Tim CallanAnd agreed. Like as we, to reiterate what we said before. There are use cases like if you kind of use the I'm some random person out in the world and I sign up for a bank account for the first time ever you don't see where you have a lot of surrogates for the sort of MFA approach, but there are lots of other circumstances where you do control the whole ecosystem or the whole process, right, and you can do much better and under those circumstances, let's do much better.Jason SorokoTim, that's exactly my whole point here, which is look, I think the FBI has done us all a service saying, hey guys, some MFA is not good, so protect yourselves. That to me should be a call to the industry going look there are solutions to this and what I did with my little diatribe was to try to show, look, there's some of us who do very sensitive online transactions where there's not even MFA offered to us. So, that's how bad the world still is.Tim CallanYeah. All right. So that's maybe a good place to leave it today. I think it was an illuminating notice from the FBI.Jason SorokoYeah.Tim CallanAnd something that deserved to be talked about and as always, thank you, Jay for a nice conversation.Jason SorokoAppreciate it, Tim.Tim CallanThank you, Listeners. And this has been Root Causes.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
