Last year my Twitter feed became full of stories and retweets about how Google “solved the phishing problem” using hardware multi-factor authentication (MFA) tokens. One such article covering this topic was “Google: Security Keys Neutralized Employee Phishing” by the venerable Brian Krebs. While I have a lot of respect for his work, I have to strongly disagree with the title of his blog post. If you haven’t already read the story, take a moment to familiarize yourself with it. I don’t want to be the one to crush your hopes and dreams, but, frankly, this is untrue.
Before we get too far into this, I want to throw this out there and say that for the sake of this article, I use the term MFA loosely and as a synonym for 2-factor authentication (2FA). I will also mention that I am a fan of MFA and cover some information about MFA in a previous article I wrote for this column, “Credential Phishing – Easy Steps to Stymie Hackers”; however, it is not the cure for everything as some people seem to think. In my years doing sysadmin and information security work for the US Army and in the private sector, I have learned to appreciate the great things that MFA can do to secure systems and communications, something I have even covered in previous articles in this very column. I have also learned that it has its limitations as well. I want to go on record saying this, MFA does not solve the phishing epidemic.
There, I said it. Now let me help you understand what is happening here. First and foremost, Google is an advertising juggernaut. Marketing is what they do. This is an important fact when we consider this story. You see, just days after the Krebs article was published, Google announced it would be selling its own version of a hardware MFA key called the Titan.
Is it just a coincidence that these two things happened so close to each other? I don’t think so.
To my bigger point about what MFA can and will do for you, I think it’s very important to understand what was actually said in the Krebs article. In the article “a Google spokesperson” said, “We have had no reported or confirmed account takeovers since implementing security keys at Google”. This is not the same as saying the keys neutralized employee phishing and that is a very important distinction.
Account takeovers and credential stuffing are significant issues in the larger scheme of phishing, but certainly not the only issues. This is not a small issue, and the FBI estimates that there was a loss of over $12 billion since 2013 due to Business Email Compromise (BEC) scams. That is nothing to scoff at; however, it is still only a part of the phishing epidemic we are facing.
Consider this. What does this second form of authentication on an email account do to protect against a user clicking a link or opening an infected document and launching malware? What does it do to protect against a spoofed email from the CEO requesting a funds transfer? Nothing.
Another thing to consider is that even with hardware MFA tokens, accounts can be taken over using other attacks such as session hijacking as demonstrated by Kevin Mitnick on TechCrunch. I have even demonstrated how session hijacking works using free tools downloaded from GitHub in a past webinar here with The Ethical Hacker Network, “A Perfect Crime: The Tech and Psych of Effective Phishing“.
What can’t MFA do for you?
Multi-Factor Authentication will do nothing against the types of attacks that involve getting the user to transfer funds, buy gift cards or let tech support scammers take control of PCs. These attacks are almost purely driven by human manipulation. In these cases, training the users to spot, ignore or report these sorts of attacks is the most effective defense. Unfortunately, these attacks are on the rise both in the commercial and consumer spaces.
Looking at this story where a couple lost $130k while trying to buy a house, it seems that the real estate agent had their email account compromised. While this may have been avoided with an additional factor associated to their email address, there is nothing an additional factor would have done to help the couple realize the email was a scam.
This is true for other scams as well. One of the hot topics currently active in the scammer circles is the redirection of paychecks. It works like this, someone in human resources or the payroll department receive an email from an employee (usually from a spoofed email address with a similar reply-to address and also often an executive) that gives some sort of reason that they had to open a new bank account and requests that their paycheck be sent to the new account. As it is often from an executive, the HR or payroll person doesn’t want to push back against that authority and makes the change. Again, MFA is useless in these cases.
So, what can MFA do for you?
So, if MFA only handles specific types of phishing, why bother with it? Well, it is very effective at protecting against credential stuffing. This is where an attacker gets a set of credentials from a user, either through a credential phishing attack or through a dump from a data breach like Collection #1 and tries to use these credentials on other websites. Because people continue reusing the same passwords across multiple websites, the attackers are often successful. Consider this, Collection #1 had 773 million unique email addresses and only 21 million unique passwords. That means a lot of passwords are either reused, or the same password is used across an awful lot of people. Either way, the numbers are very telling.
MFA helps with this in a couple of ways. First of all, it can provide an alerting mechanism, especially in the case of MFA that generates a text message with a code. Think of it like this: Codes are generated after you enter a correct username and password pair, right? Therefore, if you receive a legitimate text message out of the blue with a secondary code for your account, you would be wise to assume that the username and password have been compromised for that account.
The other thing it does is to stop the login, even if the attackers have the correct credentials because of the lack of the additional factor(s).
As you can see, other than these scenarios, MFA does very little to combat the majority of phishing attacks occurring today. For this reason, you can’t let your guard down even if you have deployed MFA and users have adopted it. And especially don’t let your guard down just because a Google spokesperson dazzles with apophenia.
Use MFA to:
- Secure email accounts from takeovers
- Secure social media accounts
- Secure password managers and other high-value accounts
Don’t expect MFA to:
- Protect against scammers
- Replace training and awareness campaigns
- Replace requirements around password reuse or length
- Eliminate phishing as an attack vector
As long as you have a clear idea of what MFA can and can’t do for you, it can be a very powerful tool in specific scenarios. Regardless of the title of the Krebs story, the Titan Key (or any other type of MFA) will not neutralize employee phishing any more than a lock on your front door will keep a burglar from going through an open window.
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.krebs kron mfa mitnick opinion phishing