Page 137 - Cyber Defense eMagazine July 2024

The Limitations of Legacy MFA

The overriding limitation of legacy MFA is the human in the middle. A human is given a code, or an app to tap, to verify that it is really them. But humans are easy to trick into performing that action (or giving the code away) for someone they believe is a trusted party. Not every human, but if you have 1000 employees I can get perhaps 10% to give up their code or tap an app just to stop it from bugging them. But I don't need 10%, or even 1%. I need 0.1% and I am in. Can anyone guarantee to train their employees so well that not even 0.1% would fail the test? You know the answer already.

Roger Grimes (KnowBe4) famously published the 11 ways in which all legacy MFA is compromised by bad actors today:

1. SMS-based man-in-the-middle attacks
2. Supply chain attacks
3. Compromised MFA authentication workflow bypass
4. Pass-the-cookie attacks
5. Server-side forgeries
6. Social engineering
7. Stolen phones
8. Human hand-over of SMS or other codes
9. Simple SMS text duplicate receive system
10. Stolen random number seeds
11. MFA fatigue attacks

USB keys also have serious issues that compromise their effectiveness:

1. Not secure or convenient
2. Easily hacked, easily stolen, easily left at home
3. No way to be sure who has possession at any given time
4. Fake ones exist en masse
5. USB ports are the #1 security threat, from rogue memory sticks carrying malware to rapid data theft
6. Open USB ports are not allowed on many government computers or in most secure enterprises
7. USB keys are not allowed to be used by most USGOV agencies

And finally, tokens, such as codes that change every 20 seconds, still have the human in the middle, who can and will unknowingly share a code with a bad actor.

Legacy MFA methods, such as SMS-based authentication, are highly susceptible to phishing attacks. Cybercriminals can easily trick users into revealing their authentication codes through fake websites or emails. Once the code is obtained, attackers can gain access to the user's account, rendering the MFA process ineffective.
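The property behind the last two paragraphs, and behind the 0.1% argument at the top of the page, can be seen directly in a standard time-based one-time-password verifier: the code carries no proof of who is typing it, so once a user has handed it over it verifies exactly as if the user had typed it. The following Python illustration is added here and is not code from the article or from any product it mentions. It implements RFC 6238 TOTP with the standard library, assumes the RFC's default 30-second step (the article's 20-second tokens would simply use a different `TIME_STEP`), uses a constructed base32 secret, and the `presenter` argument is a hypothetical label that exists only to show the verifier never consults it. The single-use replay cache is the usual server-side mitigation; note that it rejects only the second use of a code, not the first.

```python
"""Why a shared one-time code is phishable: the verifier cannot tell who typed it.

Added illustration (not from the magazine article). It shows two things the text argues:
  1. A TOTP verifier accepts a valid code from any presenter; nothing binds the code to
     the legitimate user's session, so a code handed to a phisher works just as well.
  2. With n employees and a per-person chance p of giving up a code, the chance that at
     least one does is 1 - (1 - p)**n, which is already large at p = 0.1%.
"""
import base64
import hashlib
import hmac
import struct

# Assumption: the RFC 6238 default 30-second step. The article describes codes that change
# every 20 seconds; that is only a different TIME_STEP, so it is a parameter here.
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Server-side verifier with a replay cache (each code is single-use within its window)."""

    def __init__(self, secret: bytes, step: int = TIME_STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew          # accept +/- this many steps of clock drift
        self.used: set = set()    # (counter, code) pairs already consumed

    def verify(self, code: str, at: float, presenter: str) -> bool:
        """Return True if `code` is valid at time `at`.

        `presenter` is a hypothetical label that a real server might log; the algorithm
        never uses it. That is the whole problem: the code proves nothing about who typed it.
        """
        now = int(at // self.step)
        for counter in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if (counter, code) in self.used:
                    return False      # replay of a code that was already consumed
                self.used.add((counter, code))
                return True
        return False


def p_at_least_one(n: int, p: float) -> float:
    """Probability that at least one of n people fails, given a per-person failure rate p."""
    return 1.0 - (1.0 - p) ** n


def demo() -> dict:
    # Constructed sample secret; a real enrolment would generate this randomly.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    t0 = 1_700_000_000.0
    code = totp(secret, t0)

    verifier = TotpVerifier(secret)
    # Whoever presents the current code first is accepted: the verifier cannot tell them apart.
    first = verifier.verify(code, t0 + 5, presenter="whoever typed it first")
    # Single-use enforcement rejects a second use of the same code, but only after the first.
    second = verifier.verify(code, t0 + 10, presenter="the legitimate user, a moment later")
    # A code from well outside the accepted drift window is rejected.
    stale = verifier.verify(totp(secret, t0 - 10 * TIME_STEP), t0, presenter="anyone")

    return {
        "first_use_accepted": first,
        "second_use_accepted": second,
        "stale_code_accepted": stale,
        "p_one_in_1000_at_0.1pct": round(p_at_least_one(1000, 0.001), 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the first presenter accepted, the replay rejected, the stale code rejected, and a roughly 63% chance that at least one of 1000 employees fails at a 0.1% per-person rate. The `presenter` value never influences the outcome, which is the point: a code that a person can read out or retype is a code that anyone can submit.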








            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.