MFA and data breaches… is Multi-Factor Authentication as safe as you think?

This article was co-authored by Issie Edwards, Legal Assistant, Taunton. 

Multi-Factor Authentication (MFA) is widely recognised as a powerful and cost-efficient way for any business to prevent unauthorised access to sensitive data, whether that is stored within a mailbox account, a client database, a banking account or otherwise.

But will MFA always prevent unauthorised access to the data you are trying to protect?

The global cyber team at Kennedys has seen a growing trend in data breaches arising from the bypassing of MFA by cybercriminals who are finding novel ways to circumnavigate what was once thought to be a near fail-safe way to protect sensitive data.

In this article, we share what we have seen so far, detail the potential repercussions, and provide recommendations on how best to avoid falling victim to this latest trend.

The trends: methods used to bypass MFA so far

To recap, MFA adds an extra layer to a sign-in process, requiring the user to input their username and password (factor one), and then an additional identity verification via text, phone call or app-based push-notification to a device which only the user should have access to (factor two).

So, how are cybercriminals successfully bypassing MFA without access to the device used for ‘factor two’ verification? We have set out below some of the targeted and sophisticated methods currently being used.

Assuming the cybercriminal has the password associated with an account they are trying to gain unauthorised access to (whether that be through a ‘brute force’ attack, from a sale/leak on the dark web or otherwise), they will send a flurry of push-notification requests to the user’s registered verification device. If the user inadvertently accepts the request, then the cybercriminal can successfully gain access to the user’s system, often without detection.

The volume and timing of the push-notifications can vary. We have seen users bombarded with push-notifications over the course of an hour, but also, seemingly in an attempt to appear less suspicious, far less frequent requests of once or twice a day. We have also seen push-notifications sent at times chosen to increase the chance of the user accepting the request: for example, around 9am or just after lunch, and even in the middle of the night, when a half-awake user has ‘hazily’ accepted the notification without meaning to.

Without getting too technical, once a user has logged on with MFA, a browser cookie (effectively a small block of data held by the browser) may store a record of that authenticated session so that the user does not have to repeatedly enter their credentials to sign in. A sophisticated cybercriminal can take advantage of this: whoever presents a valid session cookie is treated as the user who completed MFA.

Firstly, they will need to access the user’s system using a method such as a phishing attack. Phishing emails will often contain a link to a malicious website that looks exactly like a legitimate logon web page (so take extra care even when the website looks legitimate!). If successful, the attacker can then extract the cookie, pass it to their own browser, and use the stored information to maintain access to the account in question.
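To make the cookie-theft scenario concrete from the defender's side, here is an added example (not code from the article or from Kennedys) of server-side session handling that limits what a stolen cookie is worth: the cookie is issued with `Secure`, `HttpOnly` and `SameSite` attributes, the session has short idle and absolute lifetimes, and it is bound to the client context that completed MFA, so the same token presented from a different browser and network is rejected and the session revoked. The context fingerprint (user agent plus the /24 of the source address), the timeout values and the `SessionStore` API are assumptions made for this example.

```python
"""Server-side session handling that limits the value of a stolen session cookie:
short idle and absolute lifetimes, restrictive cookie attributes, and a session
bound to the client context it was created in, so a token replayed from elsewhere
is rejected and revoked.

Added illustration; not code from the article or from Kennedys. The client
"context" used for binding (hash of user agent plus the /24 of the source
address) and the timeouts are assumptions for the example."""
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without activity before re-authentication (assumed)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session regardless of activity (assumed)


def client_context(user_agent: str, source_ip: str) -> str:
    """Fingerprint of the client a session is bound to (assumption: UA + source /24)."""
    net = ".".join(source_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    context: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, context: str, now: float) -> str:
        """Issue a fresh random token after the user has completed MFA."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, context, now, now)
        return token

    def validate(self, token: str, context: str, now: float) -> tuple[bool, str]:
        """Return (accepted, reason). Any failure revokes the session server-side."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown-or-revoked"
        if now - s.created > ABSOLUTE_LIFETIME:
            self.revoke(token)
            return False, "absolute-lifetime-exceeded"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.revoke(token)
            return False, "idle-timeout"
        if s.context != context:
            # Token presented from a different client than the one that completed MFA:
            # treat as possible cookie theft, kill the session, force a fresh MFA login.
            self.revoke(token)
            return False, "context-mismatch"
        s.last_seen = now
        return True, "ok"

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def set_cookie_header(self, token: str) -> str:
        """Cookie attributes that keep the token off plaintext HTTP and out of scripts."""
        return (f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; "
                f"Path=/; Max-Age={ABSOLUTE_LIFETIME}")


def demo() -> dict:
    """Legitimate client uses the session, then the same token is replayed elsewhere."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed timestamp
    legit = client_context("Mozilla/5.0 (Windows NT 10.0)", "203.0.113.10")
    token = store.create("alice", legit, t0)
    first = store.validate(token, legit, t0 + 60)
    # Same token, presented from a different browser on a different network.
    replay = store.validate(token, client_context("curl/8.0", "198.51.100.7"), t0 + 120)
    # The legitimate client is now logged out too; that is the intended side effect.
    after = store.validate(token, legit, t0 + 180)
    return {"first": first, "replay": replay, "after": after,
            "cookie": store.set_cookie_header(token)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Binding a session to the source network is a trade-off: a user whose address changes (mobile networks, VPN reconnects) will be asked to sign in again, which is the intended failure mode here, a forced re-authentication rather than a silently accepted replay. This contains the damage after a phish has succeeded; it does not stop the credential capture itself, which is what phishing-resistant factors such as FIDO2/WebAuthn security keys address.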

Whilst not strictly ‘bypassing’ MFA, it is worth noting that cybercriminals can take advantage of the fact that many organisations do not require MFA when a user is logging in from a known location, such as an office. In a lot of cases, guest WiFi presents the same public IP address as the secure corporate connection, and therefore an opportunist cybercriminal who is geographically close enough to join that guest network could take advantage of vulnerabilities within a network without having to overcome MFA.

Legacy authentication is a catch-all term for ‘basic’ authentication protocols that do not support modern mechanisms such as MFA. Disabling these legacy protocols and transitioning to modern protocols that support MFA can be complex, and if the process is not followed correctly, the legacy version may remain accessible. A by-product of certain legacy protocols is that, once accessed (legitimately or otherwise), the entire mailbox can be synchronised (i.e., downloaded) to the device used to access the mailbox. This means a cybercriminal could have a permanent, offline snapshot of that mailbox data.
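The push-notification flurry, the location-based MFA exemption on a shared office IP, and sign-ins over legacy protocols all leave traces in the identity provider's sign-in logs. The following added example (not code from the article or from Kennedys) scans a small set of constructed records for each of the three: a burst of push challenges, or an approval that follows a run of denials, which is what a ‘hazy’ middle-of-the-night acceptance looks like in the log; sign-ins over protocols that cannot carry a second factor; and sign-ins that skipped MFA because of a trusted network but came from a device the user had never used before. The record format, field and protocol names, and the thresholds are assumptions; real exports from Microsoft Entra ID, Okta, Duo and similar products use different field names and need mapping onto these.

```python
"""Scan sign-in/MFA records for three patterns: push-notification bombardment,
legacy-protocol sign-ins, and location-exempt sign-ins from unseen devices.

Added illustration; not code from the article or from Kennedys. Record format,
field names, protocol labels and thresholds are assumptions for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds (assumed): 5+ push challenges in 10 minutes is a burst; an approval
# preceded by 3+ denials/timeouts in that window is a likely fatigue acceptance.
BURST_COUNT = 5
BURST_WINDOW = timedelta(minutes=10)
DENIALS_BEFORE_APPROVAL = 3

# Protocol labels (assumed) for clients that cannot present a second factor.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
PUSH_EVENTS = {"push_sent", "push_denied", "push_timeout", "push_approved"}

# Constructed sample records: alice is hit by a push flurry and finally accepts,
# bob signs in over IMAP, carol is excused from MFA by location but on a new device.
SAMPLE_RECORDS = [
    {"ts": "2022-09-12T08:58:02", "user": "alice", "event": "push_denied",   "client": "Browser", "ip": "198.51.100.7", "device": "",             "mfa_exempt": ""},
    {"ts": "2022-09-12T08:58:40", "user": "alice", "event": "push_denied",   "client": "Browser", "ip": "198.51.100.7", "device": "",             "mfa_exempt": ""},
    {"ts": "2022-09-12T08:59:15", "user": "alice", "event": "push_denied",   "client": "Browser", "ip": "198.51.100.7", "device": "",             "mfa_exempt": ""},
    {"ts": "2022-09-12T09:00:03", "user": "alice", "event": "push_timeout",  "client": "Browser", "ip": "198.51.100.7", "device": "",             "mfa_exempt": ""},
    {"ts": "2022-09-12T09:01:30", "user": "alice", "event": "push_approved", "client": "Browser", "ip": "198.51.100.7", "device": "",             "mfa_exempt": ""},
    {"ts": "2022-09-12T09:05:11", "user": "bob",   "event": "signin",        "client": "IMAP4",   "ip": "192.0.2.44",   "device": "",             "mfa_exempt": ""},
    {"ts": "2022-09-12T09:10:00", "user": "carol", "event": "signin",        "client": "Browser", "ip": "203.0.113.5",  "device": "carol-laptop", "mfa_exempt": ""},
    {"ts": "2022-09-12T12:31:00", "user": "carol", "event": "signin",        "client": "Browser", "ip": "203.0.113.5",  "device": "unknown-9f3a", "mfa_exempt": "trusted_location"},
    {"ts": "2022-09-12T13:00:00", "user": "dave",  "event": "push_approved", "client": "Browser", "ip": "203.0.113.5",  "device": "dave-phone",   "mfa_exempt": ""},
]


def _parse(records):
    """Parse timestamps and return records in time order."""
    rows = [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]
    return sorted(rows, key=lambda r: r["ts"])


def detect_push_bombing(records):
    """Per user, slide a window over push challenges; report bursts, and approvals
    preceded by repeated denials (the user who eventually gives in)."""
    findings, by_user = [], defaultdict(list)
    for r in _parse(records):
        if r["event"] in PUSH_EVENTS:
            by_user[r["user"]].append(r)
    for user, pushes in by_user.items():
        for i, cur in enumerate(pushes):
            window = [p for p in pushes[:i + 1] if cur["ts"] - p["ts"] <= BURST_WINDOW]
            denials = sum(1 for p in window if p["event"] in ("push_denied", "push_timeout"))
            if cur["event"] == "push_approved" and denials >= DENIALS_BEFORE_APPROVAL:
                findings.append({"user": user, "ts": cur["ts"].isoformat(),
                                 "type": "approval_after_denials", "count": denials})
            elif len(window) >= BURST_COUNT:
                findings.append({"user": user, "ts": cur["ts"].isoformat(),
                                 "type": "push_burst", "count": len(window)})
    return findings


def detect_legacy_auth(records):
    """Sign-ins over protocols that cannot carry MFA, however they were allowed."""
    return [{"user": r["user"], "ts": r["ts"].isoformat(), "type": "legacy_protocol", "client": r["client"]}
            for r in _parse(records) if r["event"] == "signin" and r["client"] in LEGACY_CLIENTS]


def detect_location_exempt_new_device(records):
    """MFA skipped because of a 'trusted' network, but from a device the user had
    not used before: what a stranger on shared guest WiFi looks like in the log."""
    findings, seen = [], defaultdict(set)
    for r in _parse(records):
        if r["event"] != "signin":
            continue
        if r["mfa_exempt"] == "trusted_location" and r["device"] not in seen[r["user"]]:
            findings.append({"user": r["user"], "ts": r["ts"].isoformat(),
                             "type": "location_exempt_new_device", "device": r["device"], "ip": r["ip"]})
        seen[r["user"]].add(r["device"])
    return findings


def scan(records):
    """Run all three detections and return the combined findings."""
    return (detect_push_bombing(records) + detect_legacy_auth(records)
            + detect_location_exempt_new_device(records))


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

On the constructed data the scan reports alice's approval after four denials, bob's IMAP4 sign-in and carol's location-exempt sign-in from an unseen device; dave's single approval is not flagged. The push-bombing window fires once per further challenge once a burst is under way, so in a real pipeline the findings would be de-duplicated per user and window before alerting.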

Why is all of this so important?

If a cybercriminal successfully accesses your systems, then there is a good chance that a personal data breach might arise (depending on the way in which that personal data is stored). Following a personal data breach, the clock can start ticking with respect to the associated regulatory notification requirements - including to the Information Commissioner’s Office (ICO) as well as any global notification requirements outside of the UK - within a very short timeframe.

As a result of the many global regulatory data protection notifications that Kennedys’ cyber team has dealt with, we understand that a data breach can be an extremely stressful and worrying time. While we leave the technical recommendations for the IT specialists, these are the top three tips we have identified from a legal/regulatory perspective.

What can you do to prepare?

  • Knowledge is power - Employees are the first line of defence and whilst most businesses now provide data protection training for new joiners, this should be continually reviewed and updated to factor in prevalent risks.
  • Prepare for the worst, hope for the best - According to a survey by the Department for Digital, Culture, Media and Sport earlier this year, 39% of UK businesses identified at least one attempted cyber-attack in the 12 months prior to March 2022. No one likes to imagine things going wrong, but our advice is: be prepared! We can help you formulate a bespoke breach response plan, so that your company can respond effectively and recover quickly from a cyber-attack, if (/when) one occurs.
  • Keep up to date - Cybercriminals are constantly trying to find new (as well as pre-existing) vulnerabilities to expose, and so whether it’s looking out for software patching releases or researching the latest trends, keeping up to date with cyber security news and taking advice from the specialists is essential.

Comment

There is no doubt that MFA is an effective incident prevention tool, and by no means are we suggesting it should not be used. In fact, some cyber insurers will not offer insurance policies to businesses without MFA.

However, as we’ve touched upon here, cybercriminals are continuously developing methods to bypass MFA and this means a real and ever-present threat of a data breach arising, even with MFA in place.

If you have been impacted by any of these issues or wish to know more, then please do not hesitate to contact us.
