MFA Strategies: Not All are Created Equal
This week Reddit disclosed a data breach, the result of account-takeover attacks targeting Reddit employees with access to user data. The attack worked because these Reddit employees used SMS-based Multi-Factor Authentication (MFA). This exposed them to a popular social-engineering attack where the assailant is able to intercept text messages by fooling the target’s cell phone provider.
In these types of attacks, the perpetrator does not need to be particularly sophisticated or even technical. We often imagine hackers as elite programmers exploiting arcane knowledge of operating-system-level weaknesses to infiltrate servers and breach networks. In practice, an account takeover attack can be completed by someone with little or no technical skill through a process we broadly refer to as social engineering. The attacker uses deception and cunning instead of technical prowess; they're more like a con artist than a stereotypical hacker. Once the assailant has access to an administrator's account, they simply log into administrative interfaces and download swaths of data. This can be very tricky to detect: is this Sally in marketing downloading the quarterly email list as usual or some black hat exfiltrating all our customer PII? A good defense against these attacks involves prevention, not detection and response.
Luckily, we have a great and easy-to-use tool to help prevent account takeovers: Multi Factor Authentication (MFA). MFA requires users to provide an additional piece of information (usually time based and single-use) in addition to their password when authenticating. Unfortunately, not all varieties of MFA are created equal. This is where Reddit went wrong and made themselves vulnerable to an attack (although, to their great credit they published their error to help spread awareness).
Reddit depended on SMS-based MFA. In this strategy, a user is required to enter a one-time password that was texted to their phone, in addition to their password, when they authenticate. The weakness in this approach is that SMS is extremely susceptible to interception (even by security-conscious cell phone users). These attacks are so well-chronicled (especially by Brian Krebs) that NIST deprecated SMS based MFA. In a nutshell, the attack is perpetrated by calling the targets cell phone company and convincing them to direct calls/texts to a new number or device.
A better MFA strategy makes use of applications like Google Authenticator or Authy to generate TOTP tokens. This approach depends on having physical access to the account owner's device, so the weaknesses in cell phone cloning above don't apply.
This is precisely why TrueVault only offers MFA via TOTP tokens for our account admins and end users. While the SMS-based method is sometimes viewed as convenient, it simply doesn't provide the additional security that users of MFA are trying to achieve. As Krebs says "relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security".
TrueVault's internal policy is to use MFA whenever it is available, and to always prefer TOTP-based methods or physical security keys (which have been working great at google). We strongly recommend doing the same for all logins, especially for your TrueVault account!
It's important to note that MFA, even TOTP-based, isn't a silver bullet. There are still documented attacks that can only be prevented by having a well-trained and constantly vigilant workforce.