Are all multi-factor authentication systems secure? How to hack an SMS MFA system for $16
Vice magazine, popular for its alternative journalism and extreme reporting, published an article last March about an experiment that caused a stir in the cybersecurity community: journalist Joseph Cox paid a hacker to try to break into his accounts without having any of his physical devices, such as his mobile phone, in their possession. The hacker succeeded very easily, and it only cost him the $16 to do so, which was the cost of a legitimate, off-the-shelf tool.
The hacker, named Lucky225, managed to do this without hacking the SIM card, which is the most common method in these cases. Instead, he took advantage of multi-factor authentication (MFA), which clearly wasn’t secure enough. How did he do it? He simply used a marketing campaign tool called Sakari, which allows companies to send bulk SMS messages to lists of mobile numbers for commercial purposes. Lucky225 sent Sakari a Letter of Authorization filled out with false data and claiming that he was the owner of the journalist's phone number. As a result, SMS messages to the victim of the experiment started to be diverted to the application and the journalist no longer received them on his mobile phone. The hacker was able to access many of the victim’s online accounts: all he had to do was to ask for new passwords and the SMS sent by the portals with the new passwords were sent directly to the hacker.
This incident demonstrates the insecurity of some of these systems. However, it is important to note that not all multi-factor authentication systems are the same, as Alexandre Cagnoni, WatchGuard director of authentication product management, explained in a Dark Reading article.
In this case, Lucky225 took advantage of the SMS-based OTP (One Time Password) multi-factor authentication methods still used by many companies, but as Cagnoni reminds us, this method creates a false sense of security for users. Moreover, as we discussed in our Secplicity blog, recent studies show that they carry many risks of identity theft or authentication fraud and shouldn’t be used.
Instead, there are alternative methods that minimise risk, such as WatchGuard's AuthPoint multi-factor authentication solutions. Its mobile authentication service generates a unique encrypted key, contains an internal clock to ensure they are temporary, and uses “mobile DNA” to verify each user's phone when granting access to systems and applications: this will block any attacker cloning a user's device if they try to access a protected system, as the device's DNA would be different. In addition, the mobile app offers three types of authentication:
Secure authentication with one-step/touch approval. Allows you to see who is trying to authenticate and where and can block unauthorized access to resources.
QR code-based authentication
The mobile camera is used to read a unique, encrypted QR code, with proof that can only be read with the application. To complete the authentication, the response must be typed in.
Time-based, one-time password (OTP)
The dynamic time-based, one-time password is received as displayed and entered during login.
WatchGuard also offers another method among its AuthPoint solutions, Hardware Tokens. These sealed electronic devices generate secure one-time passwords (OTPs) every 30 seconds. Companies can use this method as an alternative to mobile tokens to authenticate protected resources.
In addition, the advantage of all these solutions for organizations is that each user's tokens, permissions and logins can be managed in a Cloud portal, based on WatchGuard Cloud. They will then have a full, detailed user access report and can deny access when a cybersecurity risk is perceived. This will enable organizations to minimize the risks of situations generated by insecure MFAs, such as the one featured in the article in Vice.