Podcast Oct 31, 2019

Root Causes 48: Weaknesses in MFA Authentication

A recent FBI warning cautions of attacks that circumvent Multi-Factor Authentication (MFA). Join us as we describe contemporary attacks against MFA and how to defend against them.

  • Original Broadcast Date: October 31, 2019

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    So, today, this was a Jay picks the topic day and you chose a recent FBI warning about attacks that bypass multi-factor authentication.

  • Jason Soroko

    A long time ago, feels a long time ago, I did a lot of talking publicly about the idea that not all multi-factor authentication is equal.

  • Tim Callan

    Sure.

  • Jason Soroko

    And it seems - - when it's stated just like that, it might seem obvious, especially to those of us who are in the security industry but, unfortunately, to everyone else they may not get it. Right?

  • Tim Callan

    Yeah.

  • Jason Soroko

    They know that it's a - - it's a way to go beyond username and password. Maybe the average user has an intuitive understanding that that's what's being attempted here. It's another layer. The usability of some MFA is good. Some of it's not. Is it always picked up? Well, if you look at how long it took even on things like Twitter and social media.

  • Tim Callan

    Yeah.

  • Jason Soroko

    For people who use that to start using it, it took a lot of very high-profile hacks of accounts before MFA became, you know, a little more widespread. So, it had its uptake. And, we have vendors in the space that have done a pretty good job. But we've also had situations where things like SMS, as an example, as a form of MFA have been deprecated by NIST, and I applaud that because even years before NIST deprecated SMS, I was showing examples of here are at least five reasons why you don't want to use it, and you should use something else. And it highlights this idea that not all are created equal. So, Tim, I think I want to dive into what the FBI said a little bit because beyond that headline about just a warning about MFA in general, one of the things very specifically that they were warning about was in fact with regards to SIM swapping.

  • Tim Callan

    Yeah.

  • Jason Soroko

    So, I could go - - I could probably go at length about what it's about here but it really comes down to a form of social engineering, isn't it? Which is your identity is as such, and it can be represented in a lot of ways? Well, one of the main people who provision you as an individual is your carrier. It's ubiquitous. In fact, I heard an interesting statistic that I think at least in parts of Canada, more people have a cell phone account number in their name than people who have bank accounts.

  • Tim Callan

    Ok.

  • Jason Soroko

    And that's not just because of the population of children. It's just - - there are more unbanked people than people who are un-cell-phoned.

  • Tim Callan

    Yeah, yeah.

  • Jason Soroko

    Which is interesting, right? And so, it's, it's so ubiquitous, to have, you know, essentially, so many people in the world walking around with a SIM chip in their pocket with that SIM card provisioned against themselves. And the process of say changing your phone number and saying, hey, you know, I’d like to put a different phone number on this card, in many cases, just requires a phone call.

  • Tim Callan

    Right?

  • Jason Soroko

    And if you can convince that, typically human on the other side of that phone, who can do the SIM swap, then you're probably capable of doing a lot of bad things. Why would you do it?

  • Tim Callan

    And the SIM swap once it's accomplished, then what happens, of course, is when I dial in, a lot of times they'll auto identify me, right? They'll say, I can tell from your phone that you are blah, blah, blah, is that correct? And I say, yes, and then the other thing is that they'll send the confirmation code - - they'll text me the confirmation code, and it doesn't go to my phone, it goes to the bad guys.

  • Jason Soroko

    That is exactly right. What the bad guy is really trying to accomplish is, hey, if I need a one-time code, if I need a one-time symmetric token essentially to complete a transaction to prove that I'm somebody I'm not, then a SIM swap in many cases is all that's necessary and this is this is the underlying root cause of what's causing the FBI to issue this warning.

  • Tim Callan

    Well, and this is also where, you know, we say MFA, multi-factor authentication, because it sounds very strong, right? Well, if you break down the etymology of that word, right, it used to be called two-factor authentication, 2FA, and we changed somewhere along the line to account for the fact that maybe it's more than two, but how often is it more than two? Right? Almost never. And so, one of them is username, password and the other one is this, you know, this thing we just talked about. So, if I stole your username and password, and I did a SIM swap, that's it, I'm done, and that's the long and the short of what is multi-factor authentication.

  • Jason Soroko

    Let's then consider, Tim, because this is - - you know, at the heart of this podcast is PKI and the one thing that I think people forget is this whole symmetric token idea - - this whole shared secret idea, the short-lived one-time passwords for an example, even if that one time password came off of a hard token, which many of you might carry around in your daily jobs in order to log into ERP systems and stuff like that, you're still typically typing that into your browser at some point, and therefore, that one-time password can be intercepted. I mean, we had a podcast very recently talking about the browser techniques still being used to this day.

  • Tim Callan

    Yeah.

  • Jason Soroko

    Well, imagine if your browser has been compromised and you merely type in that one-time password into the browser and you authenticate into the session and yet somebody has intercepted that and has become you and has been able to authenticate as you. That's a problem. But what we're talking about here is even worse. You might be just working with your phone, you're logging into your banking system and essentially what it is, is just a very quick one-time password that's sent to you either by text message or perhaps it's even seeded into an app and again, you'll be typing that one-time password or copying and pasting it into a form, which can also be compromised. Or, in the case of SIM swapping, that TAN or one-time password is sent to the bad guy directly.

  • Tim Callan

    Right?

  • Jason Soroko

    So, the thing is, remember, you know, what would be a better idea is if, to be able to authenticate yourself, you had to utilize some form of an asymmetric secret, which only you possess, as part of, say, the private key, right?

  • Tim Callan

    Right.

  • Jason Soroko

    With a user certificate such as that, that piece of collateral, that piece of key material needs to be compromised, needs to be actively stolen by the bad guy. That's a heck of a lot harder.

  • Tim Callan

    Yeah. There's not a social engineering attack, or there's not a way that you call up the phone company and get them to change something on their end and suddenly - - there just isn't an equivalent of that if we're talking about a public-private key scenario.

  • Jason Soroko

    So, therefore, PKI as an overlay, you know, I think there's many, many, many use cases in which a shared secret is probably sufficient because it's cheap and it's cheerful and it's easy to engineer and people have been using it for years and everybody's happy.

  • Tim Callan

    Right. And there are circumstances where PKI might just be impractical. Right?

  • Jason Soroko

    That’s right.

  • Tim Callan

    And how am I ever going to get a cert onto your device? But there are plenty of circumstances where it is practical.

  • Jason Soroko

    That's right. And when you enter the realm of non-human authentication scenarios, let's talk about IoT and let's talk about DevOps.

  • Tim Callan

    Sure.

  • Jason Soroko

    Well, unfortunately, we've talked about this before at length, the Mirai botnet showed us all the reasons why shared secrets for non-human scenarios are a bad idea.

  • Tim Callan

    Yeah.

  • Jason Soroko

    It's not like that device wasn't something you had control of at least at the point of manufacture. The DevOps container was something that you had control of because you're the one that provisioned it. So, therefore, those use cases, IoT and DevOps specifically, those are the ones that really call out for PKI as the solution for it. Don't use anything less because it just doesn't make sense.

  • Tim Callan

    Yeah, and so it's sometimes surprising to me, Jay, that this is a conversation that we even need to have. So, I'm going to go off script a little and I'm going to just ask you, why do you think it is that there are still people who haven't gotten the memo on this?

  • Jason Soroko

    You know, it's, we're deeply ensconced in it.

  • Tim Callan

    Yeah.

  • Jason Soroko

    And it's pretty obvious to us.

  • Tim Callan

    Right.

  • Jason Soroko

    What I will tell you is there was a big eye-opening experience I had recently just reading through DevOps forums where people were just discussing their daily work life and setting up systems and asking questions amongst their peers and many of them were like, hey, I've got to set up the CA for my Kubernetes cluster.

  • Tim Callan

    What do I do?

  • Jason Soroko

    What does that mean and, you know, I know I need this thing called a certificate to make things connect, it's kind of like, you know, a key that opens a door, I get that, but the management of that key is like, I don't get it, but I don't care. Can I just run it? Just give me the Linux command so I could just run this thing.

  • Tim Callan

    Right.

  • Jason Soroko

    And when I was reading this repeatedly, these are active professionals in the IT industry asking those questions. I think, Tim, to put it in a nutshell, PKI over the past 20 years plus has done such an incredible job of hiding in the background of your daily life, that you don't realize the underlying technology that is securing these things. I think that even amongst technology professionals it's background noise.

  • Tim Callan

    Right. I have a flavor of that conversation all the time, which is I explain to people how every single aspect of their digital life bar none is enabled by PKI, and we walk through and it's all these things they haven't thought of. Everybody thinks about, oh, log into my bank account, I get that. You turn around and you start talking about all the things. Your phone wouldn’t work, your commuter train wouldn't work, your airplane wouldn’t work, your streaming service wouldn't work, your satellites that you use wouldn't work and they sort of - - it's an eye opener and you're like, it's pretty much everything with ones and zeros won't work and PKI is sitting everywhere and all that stuff. You're right as the sort of baseline piece of functionality that most of us never even have to touch because it's just part of the stack.

  • Jason Soroko

    This is a little bit of a diatribe here. But what the heck, I don't - -

  • Tim Callan

    What the heck. Go for it.

  • Jason Soroko

    I don’t do the name and shame too often, but here we go.

  • Tim Callan

    Ok.

  • Jason Soroko

    I'm a Canadian and I have a Canadian bank account. By law, there are only six chartered banks in Canada. There definitely are some other options in this country but there are only six chartered banks. So, competition is not quite what it is in the United States or other parts of the world and that's decreed by the government. The Canadian government loves monopolies. And that's one whole political problem. One of the issues that it has caused is those six Canadian banks don't offer MFA, even for simple bank account logins for consumers.

  • Tim Callan

    Just because there isn't the competitive motivation to do so?

  • Jason Soroko

    Yep. And the Canadian government insures Canadian bank accounts. So, when you complain to your local bank and say, hey, can you offer me MFA? What they'll say to you is, well, if your money gets stolen just give us a call, it's insured. So, you know, what's your problem?

  • Tim Callan

    Ok.

  • Jason Soroko

    And as a consumer, look, you know, that's like, I hate to say it, but that's like Soviet Era thinking of just put up with it because there is no competition. You are a peon and we can afford lobby groups and lawyers and you can't, so to heck with you. The reason I'm going down this road, Tim, is not so much to blast the bank, it's to show you the levels at which you think you might be protected, or are or are not, because this FBI news release that they put out really is saying to you, look, if you get down to the root cause of why the FBI had to issue that report, it is simply this: many forms of MFA are actually quite weak.

  • Tim Callan

    Right.

  • Jason Soroko

    And those weak forms of MFA are weak because they're shared secrets and they're shared secrets that are vulnerable to very simplistic social engineering.

  • Tim Callan

    Sure. You’re right. And the point, like at the end of the day, it seems like the point of the FBI's warning is not to tell us not to use MFA and, in fact, they're quite explicit on that. They say, we're not telling you not to use MFA, but they do want to make people aware of the fact that this thing that you might think of as ironclad and foolproof - is not.

  • Jason Soroko

    Yeah, and the conclusion that clicked into my head very quickly after I read the article, Tim, and one of the reasons I flipped it over to you to have a look at, was like, guys, you know, stop looking into your belly button about the weaknesses and strengths of MFA and start taking a look at the strengths of technologies that have actually been around for 20 years plus.

  • Tim Callan

    Yeah.

  • Jason Soroko

    That are far, far, far, stronger than this. Especially when you're talking about non-human use cases.

  • Tim Callan

    And agreed. Like as we, to reiterate what we said before. There are use cases like if you kind of use the I'm some random person out in the world and I sign up for a bank account for the first time ever you don't see where you have a lot of surrogates for the sort of MFA approach, but there are lots of other circumstances where you do control the whole ecosystem or the whole process, right, and you can do much better and under those circumstances, let's do much better.

  • Jason Soroko

    Tim, that's exactly my whole point here, which is look, I think the FBI has done us all a service saying, hey guys, some MFA is not good, so protect yourselves. That to me should be a call to the industry going look there are solutions to this and what I did with my little diatribe was to try to show, look, there's some of us who do very sensitive online transactions where there's not even MFA offered to us. So, that's how bad the world still is.

  • Tim Callan

    Yeah. All right. So that's maybe a good place to leave it today. I think it was an illuminating notice from the FBI.

  • Jason Soroko

    Yeah.

  • Tim Callan

    And something that deserved to be talked about and as always, thank you, Jay for a nice conversation.

  • Jason Soroko

    Appreciate it, Tim.

  • Tim Callan

    Thank you, Listeners. And this has been Root Causes.