Home M3AAWG Blog M3AAWG 5: SMS BEC Prevention Part 2: MFA abuse and vulnerabilities
Posted by the M3AAWG Content Manager

Multi-factor authentication (MFA) finally is having a moment, as both users and organizations work to fight rampant online abuse and fraud. In our latest M3AAWG5 series member experts and co-chairs for M3AAWG Technical committee address this issue and provide some best practices and recommendations to identifying and preventing SMS-based business email compromise and benefits of MFA. 

As a starting point, let’s take a look at MFA basics. Considered a baseline for user authentication, MFA adds an extra layer to the typical authentication process, which involves “something the user knows” (usually a password) and “something the user owns” (usually a specific user device, such as a mobile phone or computer) and even “something you are” which would represent the third leg of the traditional multi-factor triad: fingerprint reader, facial recognition, iris scans, etc. The multi-level approach to authentication helps prevent attackers from accessing applications or devices to prevent attacks and breaches. 

Unfortunately, MFA can be abused and even authenticator apps can be used for nefarious purposes. Attacks include a fatigue approach, in which users get bombarded with MFA notifications until they give in and approve a request. In the token theft approach, an attacker scrapes session cookies from a user’s browsers and then uses them to trick the browser into believing the user has been authenticated. 

A third attack, machine-in-the-middle, starts with a phishing email that leads to a malicious proxy server that intercepts traffic between the user and attacker, allowing the attacker to grab legitimate credentials. 

What can businesses do to prevent MFA misuse or problems? Offer MFA as an option for your user and strongly recommend use by all associates. In some cases, require it for high-risk roles. Even the most basic forms of less secure authentication (i.e. SMS) makes it more difficult to break in.  Set limits on push notifications. Consider a “verified push” approach, which matches numbers.  Enforce biometric or more secure  unlock methods, such as a PIN, for devices used for authentication purposes. Finally, do not allow software that can be outdated or outside of company policy and controlled for use with authentication. 

More tips and best practices on this topic can be found on our video, bit.ly/MFAM3aawgvideo

blog, https://www.m3aawg.org/blog/understanding-and-preventing-sms-based-business-email-compromise-bec and in our best practices, https://www.m3aawg.org/sites/default/files/m3aawg-multifactor-authenication-bp-2017-02.pdf.  Industry resources include https://www.cisa.gov/uscert/ncas/current-activity/2022/10/31/cisa-releases-guidance-phishing-resistant-and-numbers-matching, from the Cybersecurity and Infrastructure Security Agency (CISA) for recommendations on tamper-resistant MFA tools and techniques.



The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.