How to solve 2 MFA challenges: SIM swapping and MFA fatigue

SIM swap and why SMSs and voice messages are the weakest authenticator factor types to use

In February 2022, the FBI issued a public service announcement (https://www.ic3.gov/Media/Y2022/PSA220208) that included the following text:

"From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million."

Here is a screenshot from the FBI website:

Click to learn more about
Implementing Multifactor
Authentication.

A SIM swap is a type of social engineering attack in which a malicious actor uses social engineering or another method to convince a phone company to transfer the victim's phone number to a new SIM card that they control. This allows the attacker to intercept calls and text messages meant for the victim, potentially giving them access to sensitive information such as one-time codes used for recovering their accounts or MFA.

Let's see what happens if your phone number is transferred to a cybercriminal:

1. The hacker goes to the account login page and clicks on Forgot password?:

2. The hacker selects the phone number they now control as a recovery mechanism:

3. The hacker enters the code:

4. That's it -- the account takeover is complete. The hacker can continue without changing the password or change the password and possibly complicate the process of the original owner recovering their account:

SIM swap is one of the worst attacks because it is tough for the service provider to prevent. As seen in the preceding example, even though the account was protected by MFA, the cybercriminal was able to bypass the password and use only one factor to take over the account.

In a typical scenario, the security of services depends on the company providing them and the user using them. If the service provider allows the use of SMSs or voice messages as a recovery mechanism, the security of the service will also rely on the phone company, which neither the service provider nor the user can control. If SMSs or voice messages are only allowed as a second factor during a password-based login, and not for account recovery, the cybercriminal needs to obtain the user's ID and password, and also obtain control of the victim's phone using SIM swap.

What can the service provider do?

The service provider can mandate app-based or phishing-resistant authentication factors for account recovery and as a second factor of authentication. If that is not an option, it can at least recommend and educate users on the benefits of a stronger factor of authentication.

A service provider can also enhance the chances of a successful session or account takeover being detected by suggesting or mandating a second recovery mechanism:

Users with an email address and a phone number as security mechanisms will be notified when one of the security mechanisms is used for account recovery:

This is what the service provider can do to recover an account. Let's see in the next subsection what the user can do.

What can the user do?

To avoid being the victim of SIM swap fraud schemes, users should avoid using SMS messages and voice messages for 2FA as well as for recovering their accounts.

If quickly recovering the account is more important than avoiding the possibility of being the victim of a SIM swap, users should make sure that more than one method of recovery is enabled. This way, as we saw in the previous example, the user will be notified if someone recovers the account inappropriately, or if a user logs in to the account from an unknown computer.

MFA fatigue -- also known as MFA push spam

As service providers and users become more security conscious and avoid SMS-based MFA, hackers increasingly use a technique that does not require SIM swap and can bypass authentication factors classified as more secure. This method is called MFA fatigue. MFA fatigue was used in confirmed cyberattacks on Cisco (https://blog.talosintelligence.com/recent-cyber-attack/), Microsoft (https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/), and other companies. Several security companies, including Mandiant, have published reports about Russian actors using the technique (https://www.mandiant.com/resources/blog/russian-targeting-gov-business) to target the US government and private companies.

MFA fatigue is commonly initiated by compromising the user's identity to obtain initial access to the organization or the victim's account. This is typically done via the following methods:

• Deploying malware such as Redline Stealer or Loki Password Stealer
• Obtaining credentials and session tokens in criminal underground forums
• Recruiting current and former employees who have access to specific company networks, as depicted in Figure 2.9:

When companies use mobile apps as a second factor of authentication, where a user sees a notification on their phone that they must approve, cybercriminals will attempt to cause the legitimate user to accept one of the repeated MFA prompts and let the cybercriminal in. In some cases, the attacker will also send a message to the victim pretending to be from the company and urging the user to accept the MFA push:

What can the service provider do?

Service providers can provide additional security against MFA fatigue by enabling number matching. If enabled, the user must enter a number in the authenticator that matches the number shown in the authentication sign-in. Microsoft considers number matching a critical security upgrade and will enforce number matching starting in 2023 (https://learn.microsoft.com/en-us/ azure/active-directory/authentication/how-to-mfa-number-match). Duo, another product we will use as an authentication factor, starting from Chapter 3, also supports using a verification code to avoid MFA fatigue. This is called Verified Duo Push.

Another way that service providers can avoid scams based on MFA fatigue is by providing additional context for the push authentication, if enabled by the MFA application.

The following figures show number matching and other settings for Microsoft Authenticator. Starting February 27, 2023, Microsoft Authenticator will enforce number matching for all users tenant-wide, eliminating the need for this configuration. This is a crucial security enhancement over traditional second-factor push notifications:

Number matching is a feature that requires the user to input numbers from the identity platform into their app to confirm the authentication request:

As seen in the following figure, Microsoft allows the application name and the geographic location to also be shown during the authentication process: