Many security breaches take place when attackers gain access to Internet-facing applications by using compromised credentials. As an added layer of security against leaked credentials, organizations have been implementing multi-factor authentication (MFA) mechanisms to verify the identity of users connecting to critical online assets.
One of many multi-step authentication methods is phone callback. The authentication process starts with the user entering a password that, once successfully validated, triggers a phone call to a registered device associated with the user’s account. After the user answers the phone and approves the login request, she is allowed to log in. Unfortunately, phone callback verification is prone to misconfigurations that result in compromises even with MFA in place.
Things to watch out for in MFA
- Ensure the option to enroll the next time users attempt to log in is not available to connecting users. If it is, attackers holding a valid password can complete the enrollment on a user’s behalf with a phone number of their choice before the legitimate user ever accesses the system. It is critical that enrollment of legitimate users’ devices is completed before access to applications protected by phone callback is allowed; put differently, the password step of the authentication process should fail for any user who has not completed enrollment.
- Ensure the voice call or text clearly explains that the purpose of the call is to authorize a pending login request. Non-specific messages such as “We have a very important message for you” are problematic. A message like “If you did not expect this, please end the call. Otherwise, press any key to continue” will likely result in users wanting to hear the message even though they did not expect it. Using compromised valid credentials, attackers could exploit this issue by selecting the callback option in the hope of tricking an unsuspecting user into answering the call and authorizing the login.
- Educate users about the voice calls they will receive after selecting the callback option. If they receive a voice call but did not initiate the login, they should end the phone call immediately and notify the incident response team about the attempted login.
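The three points above, modelled in Python as an added example (this is not code from the original post or from any MFA product). It contrasts the weak “enroll at next login” option with a policy that refuses the password step until enrollment has been completed out of band, generates a callback script that names the pending login and tells the user how to refuse it, and records refused callbacks so the incident response team can be alerted. The usernames, passwords, phone numbers and application name are constructed values; no real telephony is involved.

```python
"""Constructed model of a phone-callback MFA login flow (added example)."""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    DENY = "deny"
    CALLBACK_PENDING = "callback_pending"
    ALLOW = "allow"


@dataclass
class User:
    username: str
    password: str                # plaintext only because this is a constructed model
    phone: Optional[str] = None  # None: phone-callback enrollment not completed


@dataclass
class Policy:
    # True reproduces the weak "enroll the next time the user logs in" option;
    # False (the default here) is the hardened setting.
    allow_enroll_at_login: bool = False


@dataclass
class Challenge:
    username: str
    phone: str
    app: str


class CallbackMfa:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.pending: Dict[str, Challenge] = {}
        self.audit: List[Tuple[str, ...]] = []  # (event, username, ...) records

    def start_login(self, user: User, password: str, app: str,
                    enroll_phone: Optional[str] = None) -> Tuple[Decision, Optional[str]]:
        """Check the first factor, then either place the callback or refuse unenrolled users."""
        if not secrets.compare_digest(password, user.password):
            self.audit.append(("bad_password", user.username))
            return Decision.DENY, None
        if user.phone is None:
            if self.policy.allow_enroll_at_login and enroll_phone:
                # Weak path: whoever holds the password chooses the callback number.
                user.phone = enroll_phone
                self.audit.append(("enrolled_at_login", user.username, enroll_phone))
            else:
                # Hardened path: the password step fails until enrollment is done out of band.
                self.audit.append(("deny_unenrolled", user.username))
                return Decision.DENY, None
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = Challenge(user.username, user.phone, app)
        self.audit.append(("callback_placed", user.username, user.phone))
        return Decision.CALLBACK_PENDING, challenge_id

    def callback_script(self, challenge_id: str) -> str:
        """Text read to the user: it names the pending login and says how to refuse it."""
        c = self.pending[challenge_id]
        return (f"A login to {c.app} was just requested for the account {c.username}. "
                "If you did not request this login, hang up now and report it. "
                "To approve the login, press 1.")

    def answer_callback(self, challenge_id: str, key_pressed: Optional[str]) -> Decision:
        """Only an explicit '1' approves; a hang-up (None) or any other key is a refusal."""
        c = self.pending.pop(challenge_id)
        if key_pressed == "1":
            self.audit.append(("login_approved", c.username))
            return Decision.ALLOW
        self.audit.append(("callback_refused", c.username))
        return Decision.DENY


def refused_callbacks(audit: List[Tuple[str, ...]]) -> List[str]:
    """Usernames whose callback was refused: their password may be compromised, so alert IR."""
    return sorted({rec[1] for rec in audit if rec[0] == "callback_refused"})


if __name__ == "__main__":
    # Weak configuration: the password holder enrolls any phone and approves the call.
    weak = CallbackMfa(Policy(allow_enroll_at_login=True))
    alice = User("alice", "hunter2")
    decision, cid = weak.start_login(alice, "hunter2", "vpn", enroll_phone="+1-555-0100")
    print("weak:", decision, weak.answer_callback(cid, "1"))

    # Hardened configuration: unenrolled users are refused at the password step.
    hard = CallbackMfa(Policy())
    bob = User("bob", "s3cret")
    print("hardened, unenrolled:", hard.start_login(bob, "s3cret", "vpn", enroll_phone="+1-555-0199"))
    bob.phone = "+1-555-0150"  # enrollment completed out of band (e.g. by the helpdesk)
    decision, cid = hard.start_login(bob, "s3cret", "vpn")
    print(hard.callback_script(cid))
    print("hardened, user hangs up:", hard.answer_callback(cid, None), refused_callbacks(hard.audit))
```

The point of the audit records is that a refused callback is not just a failed login: the first factor succeeded, so the password is likely known to someone other than the user, which is exactly the report the third bullet asks users to make.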
MFA remains one of the best approaches to securing online access to resources. However, online assets may be at risk if default configurations or weak configuration options are left in place. Different ways to bypass MFA may emerge over time, and various techniques may be combined in such attacks. Hence, organizations should regularly test their MFA systems in order to anticipate the attacker’s methodology and ultimately protect their resources.
Testing your MFA is only one aspect of network penetration testing, but an important one. When was the last time you checked the resilience of your MFA environments to attacks? Check out the services of AT&T Cybersecurity.