EquiTech

Why Multi-Factor Authentication on its own won't protect you

Multi-Factor Authentication (MFA or 2FA) has become a recognised standard for cyber security, and rightly so. Most of us have become accustomed to it: we log into our bank and it sends us a text message to check it's us, or if we try to log in to our Microsoft 365 account from an unrecognised network or location it asks us to authenticate via the authenticator app. We've all got used to how it works.

It's been a great addition to the world of IT and cyber security. Nowadays, if your username and password are compromised, MFA is there to protect you and your data.

In the past, if your credentials were compromised then a cyber security breach would typically ensue. But MFA has put a stop to that… or has it?!

Unfortunately, cybercriminals are evolving the approaches they use to exploit people and organisations. One of these newer attacks is known as Session Token Theft.

 



Session Token Theft - What is it?


In such an attack, a cybercriminal attempts to steal a person's session token in order to gain unauthorised access to their account. Typically, that token is the user's MFA code, as it is unique to their login attempt. Unlike the username and password, which may stay static for some time, the MFA code is continually changing: you'll notice when you enter an MFA code that it is only valid for a short period before it refreshes to a different code.

That code is what cybercriminals are trying to coerce from you; it's the final piece of the puzzle they need to gain access to your account.


How Does A Cybercriminal Do It?

Unfortunately there are numerous methods a cybercriminal can use. Common techniques include:

Cross-Site Scripting (XSS)

  • In an XSS attack, the cybercriminal injects malicious code into a website or application, which is then executed by the person's web browser. This code can steal the session token stored in the user's browser and send it to the attacker.

Cross-Site Request Forgery (CSRF)

  • Slightly trickier to understand: the cybercriminal tricks a person into unknowingly sending a request to a website or application with which they are already authenticated.

Session Hijacking

  • Where a cybercriminal intercepts the session token as it is being transmitted to the user's device. This can happen through various means, such as sniffing network traffic, mounting a man-in-the-middle attack, or exploiting vulnerabilities in the communication channel.



A Typical Attack

So let's talk about a typical attack they'll mount. It happens just like this:

  1. A phishing email arrives which the person mistakenly deems legitimate, and they click a link to log in

  2. This takes them to a landing page where they enter their username and password

  3. The page then prompts them to enter an MFA code

  4. Cyber breach complete

It's as simple as that. The cybercriminal would then have access to the person's account: they could tweak the security settings to turn off MFA, or add their own authentication method. They would then have free rein over that person's account and could remain dormant for weeks or months, gathering intelligence before mounting a more comprehensive attack on the organisation.


What Can Protect Us Against This Risk?

There are many things you can do to protect your organisation, but what you must do is something. MFA in isolation is no longer fit for purpose. It's a great protective step, but as we've outlined, it too can be compromised.

Every organisation should monitor for suspicious activity. Take Microsoft 365: you should be monitoring for:

  • High-threat IPs and locations

  • New logins from proxy services

  • Forwarding to external domains, and rules that delete items or move them to RSS feeds or other locations

  • Suspicious naming conventions

  • Tenant permission modifications

  • New users promoted to global admin
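The monitoring list above turned into runnable detection logic, as an added example that is not code from this post or from EquiTech: the rules run over constructed Microsoft 365-style audit events whose field names are simplified stand-ins for Unified Audit Log records, and each alert carries the containment action the post describes for it. The country codes, ASNs, domain names and rule names are placeholders you would replace with your own threat intelligence and tenant details.

```python
# Added example (not from the post): simplified detection rules over constructed,
# Microsoft 365-style audit events. Field names are simplified stand-ins for Unified
# Audit Log records; indicator sets are placeholders to fill from your own intel.
from collections import namedtuple

HIGH_RISK_COUNTRIES = {"XX"}         # placeholder country codes you treat as high-threat
PROXY_ASNS = {"AS64500"}             # placeholder ASNs of anonymising proxy/VPN services
INTERNAL_DOMAINS = {"example.org"}   # assumed: the tenant's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# actions mirror the containment the post describes: disable account, revoke session, disable rule
Alert = namedtuple("Alert", "user rule detail actions")

def check_signin(ev):
    out = []
    if ev["Operation"] == "UserLoggedIn":
        if ev.get("Country") in HIGH_RISK_COUNTRIES:     # login from a high-threat location
            out.append(Alert(ev["UserId"], "high_risk_location", ev["Country"], ("disable_account", "revoke_sessions")))
        if ev.get("ASN") in PROXY_ASNS:                   # login via a known proxy service
            out.append(Alert(ev["UserId"], "proxy_signin", ev["ASN"], ("revoke_sessions",)))
    return out

def check_inbox_rule(ev):
    out = []
    if ev["Operation"] in ("New-InboxRule", "Set-InboxRule"):
        p, name = ev.get("Parameters", {}), ev.get("Name")
        for param in sorted(FORWARD_PARAMS.intersection(p)):   # rule forwards mail outside the tenant
            if p[param].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                out.append(Alert(ev["UserId"], "external_forward", f"{param}={p[param]}", ("disable_inbox_rule",)))
        if p.get("DeleteMessage") == "True":                   # rule silently deletes incoming mail
            out.append(Alert(ev["UserId"], "rule_deletes_mail", name or "", ("disable_inbox_rule",)))
        if name is not None and not name.strip(".,;- "):       # suspicious naming: punctuation-only rule name
            out.append(Alert(ev["UserId"], "suspicious_rule_name", repr(name), ("disable_inbox_rule",)))
    return out

def check_role_change(ev):
    if ev["Operation"] == "Add member to role." and ev.get("Role") == "Global Administrator":
        return [Alert(ev["UserId"], "new_global_admin", ev.get("Target", ""), ("disable_account", "revoke_sessions"))]
    return []

def run_detections(events):
    checks = (check_signin, check_inbox_rule, check_role_change)
    return [a for ev in events for chk in checks for a in chk(ev)]

SAMPLE_EVENTS = [  # constructed sample data, not a real tenant export
    {"Operation": "UserLoggedIn", "UserId": "alice@example.org", "Country": "GB", "ASN": "AS64496"},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.org", "Country": "XX", "ASN": "AS64500"},
    {"Operation": "New-InboxRule", "UserId": "alice@example.org", "Name": ".",
     "Parameters": {"ForwardTo": "drop@attacker.example", "DeleteMessage": "True"}},
    {"Operation": "Add member to role.", "UserId": "alice@example.org", "Role": "Global Administrator", "Target": "mallory@example.org"},
]
```

Calling `run_detections(SAMPLE_EVENTS)` yields one alert per matched rule, each naming the account and the containment steps to trigger.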


Imagine This?

Imagine one of the above happened, say an account login from a high-threat location.

What if you had a cyber security provision in place that, when such an occurrence happened, would proactively cease access? One that provided identity isolation, so that as soon as a trigger fired it would disable the compromised Microsoft 365 user account, revoke the session and/or disable inbox rules during the active incident?

Well, that is now a reality, and we'll be showcasing the platform we use ourselves, which offers such protection against the risk of Session Token Theft.

If you'd like to see this in the flesh, attend our remote event:

 



Call to Action

If you'd like to know more about this risk, preventative measures or our event then speak to one of our consultants at EquiTech Group:

Phone - 01604 346 444

 
