How to solve 2 MFA challenges: SIM swapping and MFA fatigue

While MFA improves account security, attacks still exploit it. Learn about two MFA challenges -- SIM swapping and MFA fatigue -- and how to mitigate them.

Cybersecurity experts recommend using multifactor authentication to strengthen user accounts and reduce credential theft, but MFA isn't without its challenges. Attackers continuously adapt techniques to bypass MFA and infiltrate user accounts.

Once-popular MFA options, such as text and email, have fallen out of favor as attackers learn how to exploit them, as well users, to gain access to accounts.

To help organizations properly deploy MFA and address MFA challenges, author and identity and access management expert Marco Fanti wrote Implementing Multifactor Authentication: Protect your applications from cyberattacks with the help of MFA. Organizations can learn how to adopt strong MFA for their employees, third-party contractors and customers.

In the following excerpt from Chapter 2, learn about two major MFA challenges -- SIM swapping and MFA fatigue -- and explore why employees and organizations must remain vigilant and use tools such as Fast Identity Online and public key infrastructure to stay secure. Also, read about the different types of MFA available and when to use them in a PDF download of Chapter 2.

More on Implementing Multifactor Authentication

Check out an interview with Fanti on how organizations can begin MFA implementation, types of MFA methods to consider and how to reduce user friction during the early adoption phase.

SIM swap and why SMSs and voice messages are the weakest authenticator factor types to use

In February 2022, the FBI issued a public service announcement (https://www.ic3.gov/Media/Y2022/PSA220208) that included the following text:

"From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million."

Here is a screenshot from the FBI website:

Screenshot of FBI public service announcement in 2022 about SIM swap schemes
Figure 2.2 -- FBI's PSA on SIM swap schemes

A SIM swap is a type of social engineering attack in which a malicious actor uses social engineering or another method to convince a phone company to transfer the victim's phone number to a new SIM card that they control. This allows the attacker to intercept calls and text messages meant for the victim, potentially giving them access to sensitive information such as one-time codes used for recovering their accounts or MFA.

Let's see what happens if your phone number is transferred to a cybercriminal:

  1. The hacker goes to the account login page and clicks on Forgot password?:
    Screenshot of Google login page
    Figure 2.3 -- Login page with Forgot password?
  2. The hacker selects the phone number they now control as a recovery mechanism:
    Screenshot of Google account recovery page
    Figure 2.4 -- Account recovery selection page
  3. The hacker enters the code:
    Screenshot of Google account recovery code submission page
    Figure 2.5 -- Account recovery page
  4. That's it -- the account takeover is complete. The hacker can continue without changing the password or change the password and possibly complicate the process of the original owner recovering their account:
    Screenshot of Google's welcome back page
    Figure 2.6 -- The Welcome back page

SIM swap is one of the worst attacks because it is tough for the service provider to prevent. As seen in the preceding example, even though the account was protected by MFA, the cybercriminal was able to bypass the password and use only one factor to take over the account.

In a typical scenario, the security of services depends on the company providing them and the user using them. If the service provider allows the use of SMSs or voice messages as a recovery mechanism, the security of the service will also rely on the phone company, which neither the service provider nor the user can control. If SMSs or voice messages are only allowed as a second factor during a password-based login, and not for account recovery, the cybercriminal needs to obtain the user's ID and password, and also obtain control of the victim's phone using SIM swap.

What can the service provider do?

The service provider can mandate app-based or phishing-resistant authentication factors for account recovery and as a second factor of authentication. If that is not an option, it can at least recommend and educate users on the benefits of a stronger factor of authentication.

A service provider can also enhance the chances of a successful session or account takeover being detected by suggesting or mandating a second recovery mechanism:

Screenshot of Google account recovery verification page
Figure 2.7 -- Account recovery mechanism selection page

Users with an email address and a phone number as security mechanisms will be notified when one of the security mechanisms is used for account recovery:

Screenshot of Google account recovered notification email
Figure 2.8 -- Account recovered notification email

This is what the service provider can do to recover an account. Let's see in the next subsection what the user can do.

What can the user do?

To avoid being the victim of SIM swap fraud schemes, users should avoid using SMS messages and voice messages for 2FA as well as for recovering their accounts.

If quickly recovering the account is more important than avoiding the possibility of being the victim of a SIM swap, users should make sure that more than one method of recovery is enabled. This way, as we saw in the previous example, the user will be notified if someone recovers the account inappropriately, or if a user logs in to the account from an unknown computer.

MFA fatigue -- also known as MFA push spam

As service providers and users become more security conscious and avoid SMS-based MFA, hackers increasingly use a technique that does not require SIM swap and can bypass authentication factors classified as more secure. This method is called MFA fatigue. MFA fatigue was used in confirmed cyberattacks on Cisco (https://blog.talosintelligence.com/recent-cyber-attack/), Microsoft (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), and other companies. Several security companies, including Mandiant, have published reports about Russian actors using the technique (https://www.mandiant.com/resources/blog/russian-targeting-gov-business) to target the US government and private companies.

MFA fatigue is commonly initiated by compromising the user's identity to obtain initial access to the organization or the victim's account. This is typically done via the following methods:

  • Deploying malware such as Redline Stealer or Loki Password Stealer
  • Obtaining credentials and session tokens in criminal underground forums
  • Recruiting current and former employees who have access to specific company networks, as depicted in Figure 2.9:
Screenshot of ransomware group LAPSUS$ employee recruitment message
Figure 2.9 -- Recruitment message from the group LAPSUS$

When companies use mobile apps as a second factor of authentication, where a user sees a notification on their phone that they must approve, cybercriminals will attempt to cause the legitimate user to accept one of the repeated MFA prompts and let the cybercriminal in. In some cases, the attacker will also send a message to the victim pretending to be from the company and urging the user to accept the MFA push:

Screenshot of push-based notifications from Microsoft without number matching in Microsoft Authenticator
Figure 2.10 -- Push-based notification without number matching

What can the service provider do?

Service providers can provide additional security against MFA fatigue by enabling number matching. If enabled, the user must enter a number in the authenticator that matches the number shown in the authentication sign-in. Microsoft considers number matching a critical security upgrade and will enforce number matching starting in 2023 (https://learn.microsoft.com/en-us/ azure/active-directory/authentication/how-to-mfa-number-match). Duo, another product we will use as an authentication factor, starting from Chapter 3, also supports using a verification code to avoid MFA fatigue. This is called Verified Duo Push.

Another way that service providers can avoid scams based on MFA fatigue is by providing additional context for the push authentication, if enabled by the MFA application.

The following figures show number matching and other settings for Microsoft Authenticator. Starting February 27, 2023, Microsoft Authenticator will enforce number matching for all users tenant-wide, eliminating the need for this configuration. This is a crucial security enhancement over traditional second-factor push notifications:

Screenshot showing how to enable number matching in Microsoft Authenticator
Figure 2.11 -- Enabling number matching in Microsoft Authenticator

Number matching is a feature that requires the user to input numbers from the identity platform into their app to confirm the authentication request:

Screenshot of push-based notifications from Microsoft with number matching in Microsoft Authenticator
Figure 2.12 -- MFA push with number matching in Microsoft Authenticator

As seen in the following figure, Microsoft allows the application name and the geographic location to also be shown during the authentication process:

Screenshot of Microsoft Authenticator asking the user to confirm MFA push with application name and location included
Figure 2.13 -- MFA push with the application name and location in Microsoft Authenticator

Dig Deeper on Identity and access management

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close