Podcast: Play in new window | Download

Subscribe: RSS

Episode 25 I’m Tired -MFA Fatigue

Introduction (3 mins): The host introduces MFA (Multi-Factor Authentication) and the case of three individuals pleading guilty to cybercrimes using MFA fatigue attacks. The focus is on how attackers exploited human behavior rather than technology.

Segment 1: The Recent Guilty Pleas – What Happened? (5 mins): Explains how MFA fatigue attacks work by bombarding victims with authentication requests until they approve one out of frustration. This tactic uses psychological pressure rather than technological hacking.

Segment 2: The Human Element of MFA Fatigue (7 mins): Discusses the social engineering aspects of MFA fatigue attacks, emphasizing how cybercriminals use frustration to manipulate victims. The segment explores the psychological reasons why these attacks work and their severe consequences.

Segment 3: Protecting Yourself from MFA Fatigue Attacks (10 mins): Practical advice on preventing these attacks, including using biometric MFA, time-based passwords, and limiting notifications. Also, tips on what to do if you’re targeted by repeated MFA prompts.

Segment 4: Lessons for Businesses and IT Teams (5 mins): The importance of educating employees on recognizing MFA fatigue attacks, proactive security training, and implementing systems to monitor suspicious login behaviors.

Conclusion (5 mins): Recap of key points and a final reminder that while MFA is essential, attackers are evolving their tactics. Staying vigilant and informed is crucial in the fight against cybercrime.

The episode discusses a real-world case of MFA fatigue, where an insurance agent’s email account was compromised after an attacker exploited his two-factor authentication (2FA) by using AI-generated phone calls to obtain the 2FA code. The host, Scott Gombar, explains the concept of MFA fatigue, where users become overwhelmed by repeated 2FA requests, making them more susceptible to cyberattacks. He emphasizes the importance of security awareness training, using biometric authentication, and limiting MFA notifications. The episode also highlights the need for proactive monitoring and alerting systems to prevent such attacks.

Transcription

Welcome to the human element, the podcast that delves into the often overlooked human side of cybersecurity. Each episode, we’ll explore real world stories, uncover the tactics used by cybercriminals to exploit human behavior and share insights on how you can protect yourself and your organization from these subtle but devastating attacks. Join us as we peel back the layers of deception and reveal the true power of the human element in cybersecurity. Let’s get started. You.

A couple years ago, got a phone call from an insurance agent on a weekend. It was a referral, potential referral, I should say, from, from somebody I know. His email account had been compromised. He was getting an email from himself, saying, Pay. I don’t, I don’t remember the exact numbers. A certain amount of money in Bitcoin. It was a few $100 I believe he didn’t want to pay that, obviously, and you never should pay the ransom if it can be avoided.

Called me up asking me what he should do

the account the attacker was in the email. They likely grabbed all the client information. Probably may have contacted those clients to let them know. I don’t really know what happened from after that, because I never heard from the guy again, except for the next day, when he called again and said he attempted to change his password and then received a phone call from Microsoft saying, Can you please verify the code that was text to you? The problem was, his phone was still on the account. His cell phone was still on the account as the two factor authentication in the form of a text message. And the attackers knew this and but couldn’t change the phone number without alerting him, because he would have gotten a text message. So they pretended to be Microsoft, called him up and asked him for the two factor code, and then they were able to not only change the password, but change the phone number attached to the account. His account was lost, and likely everybody whose contact information was in that email account was also a victim.

Welcome to Episode 25 of the human element podcast. I’m your host, Scott gombar, and today, we’re going to talk about MFA fatigue. I have this article on I’m using bleep and computer, but I believe this article is located in multiple online resources at this point, where three individuals were arrested and pleaded guilty to running an MFA fatigue scam targeting unsuspecting victims. Of course, this evolves. This goes to show the ever evolving threat, I should say, around what cyber criminals will do to circumvent security measures. That are in place. So we’ve been told for years now, multi factor authentication will stop everything. 90% 99% of all breaches will be prevented as a result of having multi factor authentication set up on your accounts. And that’s somewhat true because the 1% and it’s probably the number is probably higher than that. I don’t have that number, but the number is probably higher than that. The 1% where it fails, usually due to social engineering of some sort, or sim swapping. So before we get into the details of this case, let’s briefly explain what multi factor authentication is. This is an additional layer of security today, as it stands right now, most accounts that you log into have a password. You enter a username and a password, hopefully your password is secure, but that’s a different topic. And then you have this second layer of authentication, and in most instances, at this point, it’s some form of multi factor authentication, or two factor authentication is the more technical way of stating it, because you have a lot of times it’s a text message. That is not the recommended way of handling your second form of authentication, but a lot of times it is a text message that you receive and you input this code. The code is good for 10 or 15 minutes. You put the code in, and you’re in. But it could be an app on your phone that generates a new code every 30 seconds. It could be a hardware token. Those are pretty much phased out at this point, but they. They’re still available. It could be in the form of biometrics, so a thumbprint, a retina scan, something like that. And it could be a vital key, such as a YubiKey, which I have any account that will take them I have that set up. So that’s your second form of authentication. Now, if your second form of authentication is the YubiKey, or the app on your phone that generates the code your Authy, or Microsoft authenticator, or Google Authenticator, that technically is more than a second form of authentication, because, chances are the app your phone requires you to authenticate to the phone in the form of a, you know, facial recognition, or a pin or something like that. So that technically adds another layer of security there, and the FIDO key has to be in your possession. Now you could also set up conditional access, meaning the person can only log in if they’re in a certain location or at certain times of the day, things like that, conditional access. So these are all forms of multi factor authentication. Could even come in an email. I think, I think I have one account that requires email, and ironically, I believe it’s email security, but I think it’s only there’s only one account that I get an email pin, and that’s the only option available for that account. But these are all forms of secondary authentication. So again, your username and your password is your first form of authentication, and then you have one of those other things, or multiple of those other things, and that’s where the term MFA comes from for multi factor authentication. Eventually we will move away from this, you will we will be passwordless, although there’s already been some rumors that that may not work. But again, another episode, another time, but eventually, hopefully, we’ll move away from having to do the password slash multi factor authentication method.

So what happened? Why am I bringing this up? And we’ve talked about passwords and MFA in the past, but I’m bringing it up today because there’s a recent article, again, I believe I saw it on bleep a computer. I’ll include the link in the show notes where three individuals pleaded guilty to running a cyber crime operation that involved multi factor authentication fatigue attacks. So that’s what it sounds like. People are getting tired of having to deal with multi factor authentication. You know, the apps, I personally have two different apps for for multi factor authentication codes, because for Microsoft accounts, it’s easier to use their Microsoft authenticator and probably more secure, but then also the FIDO key. And then there’s a few out there that might be text message or email. And it does get exhausting when I’m trying to log into multiple things and and I have to put in a code for everything, or, you know, touch the FIDO key. It can be tiresome. And I’m in the world, I’m in the cybersecurity world. So for me, I know it’s necessary, and I just remind myself, you have to do this. This is protecting not only my business, but but other businesses as well. So I get over it and move on. And in reality, it only takes a few seconds, but I’ve talked to individuals, people, a matter of fact that story I told you about at the beginning of this episode, an insurance agent I know of another insurance agency where they don’t use multifactor authentication because it’s too much work. It’s extra work for them to have to have that. Now some applications, some SaaS applications, are now saying it’s mandatory. You have to set it up. So there’s that. But in this case, three individuals pleaded guilty to using multi factor authentication fatigue attacks, which means they’re going after people that maybe they’re getting tired of these multi factor authentication codes. Or, you know, there’s, there’s a in the IT world, we call alert fatigue. So you get all these alerts for stuff, and eventually something gets missed, because we’re just overwhelmed with all the alerts, similar idea here. So you get these MFA codes and of MFA alerts, whatever it might be, and you’re just like, okay, whatever. And so that’s what happened in the story I told you the beginning, he got he got tricked because he thought Microsoft was helping him out. In reality, it was the cyber criminals. It’s a form of fatigue. They targeted victims by spamming them with repeated MFA authentication requests until the victim finally approved one given the attackers access to their account. Now they also didn’t call directly. They. Used AI voices to call these people. So an AI generated voice sounds like a recording. We hear these voices all the time. And if you go to Amazon, it’s called poly. I think it’s called poly, or something like that. I think it’s called poly. You can generate, you know, voice to or text to voice you. You type in the text, and it generates voice. It sounds pretty real. Can sound pretty realistic, but you could also, at the same time, tell that it’s not real, but it’s getting closer. So they use that technology to generate phone calls to these victims and request the MFA code. And if it’s a text message, remember, usually those are good for 10 or 15 minutes, so they have enough time to call and say, give us that code. This, these three individuals who were young. They were kids. I think they were teenagers. They had, they were paid to do this. So I, if I called up and said, You know, I want to access my wife’s bank account, but she has multifactor authentication turned on, they would I would pay these individuals. I know the password, but I need the multi factor authentication code. I would pay these individuals to get the code for me. They’d get the code, they’d give it to me, and I’d be able to log in. So how does MFA fatigue work? Let’s break this down. Imagine receiving non stop MFA notifications on your phone or email asking you to verify login attempts. After a while, some people just hit approve to stop the barrage of notifications. Or in this case, they will, you know, in a lot of the cases for the for these three individuals, they called up and said, Hey, what is the code? You know, we’re calling from wells, Fargo Bank, we need your two factor authentication code because we’ve detected abnormal activity on your account. And the person on the other end, you know, they’re not inside, especially if they’re not in the technology world, they probably said, Oh, okay, my code is blah, blah, blah. After you’ve received a number of these codes, you might really believe that there’s something wrong, like, what is going on with my account? So this is how these three individuals were able to pull this off. And again, they used the voice to tech or text to voice services like Amazon, Polly, I believe Microsoft, Azure has one and Google has one. So it’s not, it doesn’t take a lot. And there’s, there’s, I’m sure there’s free services out there that do that as well. It doesn’t take a lot to make this work. And so people paid them to get these codes. They were able to pull this off. I don’t remember the number, but it was a significant amount of people that they were able to trick into doing this.

What is the human element behind MFA fatigue? We kind of touched on on it already. People are just tired. We’re distracted. We’re very distracted all the time. We’re in a very rapid, paced world, especially in the United States, very, very rapidly moving. And sometimes we’re just not paying attention, and we just react instead of thinking about things through. This is how social engineering works. This is what social engineering is counting on. And you have the fear factor. So the psychological tactics behind MFA fatigue the attack highlights a crucial concept in cybersecurity. Social Engineering still plays a huge and probably will continue to play a huge role in cybersecurity. And this is why we train everybody. This is why awareness training, security awareness training, is so relevant and so important in all of your cybersecurity plans, you cannot ignore the training aspect of everything and expect that you will not become a victim. Cyber criminals understand human behavior and know that overwhelming someone with repeated actions often leads to poor decisions. They get annoyed and they make the bad decision. The MFA fatigue attack taps directly into frustration, confusion and ultimately compliance, meaning now they’re tired and now they’re just going to do it to make it stop. Why it works? Many victims of the attacks don’t understand the risks, and might think if I approve this request, the notifications will stop. Attackers know that use. Years, especially in stressful moments or late at night. There was another case, I believe, out of Brazil, somewhere in South America, where these these alerts were coming in, the MFA alerts were coming in in the middle of the night, two o’clock in the morning. You’re less likely to make the right decision if you have sleep so now, because you’ve been overwhelmed or you’re overtired, or you’re not in a position to think the decision through whatever that might be, you’re more likely to cave and allow access without realizing the consequences and the impact once the attackers gain access, the consequences can be severe account compromise, which, if it’s your bank account, that’s bad news, sensitive data theft. If they’ve gotten into the business, they’re probably going to steal data. That’s almost a guarantee at this point in cybersecurity and often even financial losses. Now, I was listening to a podcast the other day where they the CISO, the CISO, or whatever you want to call the size Oh, I’ve heard all of these. I’ve heard it pronounced all these ways. That was the guest on the podcast said that most ransomware attacks are, are, I’ll say benign. What I mean by that is, it’s one computer, one workstation, that’s encrypted, and somebody demanding a payment to decrypt that machine, and that the cyber attacks, or the ransomware attacks that we see, where there’s data exfiltration and entire organizations brought to their knees, and they demand millions of dollars in ransom payment, these are far and few between. However, there have been hundreds reported this year, and that’s just reported. There’s probably some that have not been reported, even though they’re supposed to. And therefore, the sensitive data theft is probably more than we know, and often even financial losses if you’re going to pay a ransom as a result. You know the first story I told you at the beginning of this podcast about the guy that lost access to his email account, it was a ransom. It was only a few $100 but it was a ransom demand. Nonetheless, it’s financial loss. And then if your business has data exfiltrated and it’s sensitive data, there’s going to be a loss of business. There’s going to be downtime, there’s going to be a recovery time, there’s going to be mitigation, there’s going to be remediation, there’s going to be there’s gonna be legal costs, there’s going to be all kinds of financial costs as a result of this MFA fatigue attack.

So what’s a person supposed to do to prevent falling victim to an MFA fatigue attack. How do you protect yourself? The first step to combatting these types of attacks is awareness, knowing that MFA fatigue is a method used by attackers can help users recognize these signs before falling victim, getting overwhelmed with MFA alerts, that’s the first sign of a potential attack, somebody randomly calling you up for an MFA code, even if it is a AI generated voice, or what sounds like a recorded voice, that’s a sign of attack, because all no organizations will call and ask for that code. As a matter of fact, a lot of them include that that note in their MFA alerts that or in their email notifications that they will not call to ask for this code, and you should not give this code out over the phone. I know Google does, Microsoft, does? They tell you do not give this code out over the phone. If you receive a barrage of unexpected MFA requests, ignore them. If you get a phone call asking for the MFA code, ignore them. Take it as a sign that someone is trying to access your account without permission. Strengthen Your MFA approach. You could use biometrics again, the thumbprint, the retina scanner, the facial rec, facial recognition, that is, these are, these are better methods of MFA. If it’s possible, again, it’s not always going to be possible, but if it’s possible, then use that. And I mentioned it earlier in this podcast, on top of having the MFA code generator on your phone, make sure your phone is locked. I know there’s some people out there that say, Hey, I don’t lock my phone. My spouse doesn’t want me to lock my phone. We trust each other. It’s not about trusting each other at this point, it’s about trusting the rest of the world. You drop your phone somewhere and you have a couple dozen MFA codes in your code generator app. You just gave it to somebody else in the world, and I’m guessing, if you did that, then you probably have the password list on your phone as well. I use a password manager. I use an MFA app on my phone for some of my accounts, and that app is also locked. And then again, like I said, I use a Fido key for other accounts. I have two factor authentication. Just log into my computer. You’re not going to get in without the second authentication. Use. Time based one time passwords. That’s the app on the phone, like Google Authenticator or Authy that I mentioned multiple times, Microsoft authenticator, most of the time, these generate new codes every 30 seconds and limit MFA notifications. Some systems do allow users to limit the number of MFA requests they receive. Setting up limits can help reduce the risk of falling victim to these attacks by ensuring only legitimate requests come through, a lot of accounts will also limit the number of temps for password logins, which will then limit the number of temps for MFA as well. If you are targeted, that likely means your password has been compromised. So as a as an example, I created a booking.com account years ago. Completely forgot even had it, and then I started getting alerts in my email account that my booking. Here’s your code, your two factor code for booking.com login, and I got multiples of these. Well, so what does that mean? That means that somebody figured out the password to that account again, years ago. So I have no idea. I didn’t even remember having the account, whatever. So I go in, I changed the password the you know, I fortunately did have the the password in my password manager. So I was able to get in, change the password and no longer getting those notifications. But that’s an example that somebody’s gotten your password. You need to change your password, so if you start getting Facebook notifications that you here’s your two factor authentication. And I hope you do have that set up on facebook, please, because Facebook is a big target for attackers. Um, then they’ve gotten your password and you need to change password, follow best password protocols. Again, that’s a whole nother episode. We’ll get into that another time. Inform your IT team. If it is work related, you need to let them know, and do not approve any requests until you have confirmed that they are legitimate. Again, understand that businesses are not going to call you up, your bank, your email provider, whoever it is, they’re not going to call you up and ask for your two factor authentication. Now, is it possible that there’s some type of technical issue, and that’s why you’re getting all these requests? Yes, that’s definitely possible. But it’s better to err on the side of caution. Somebody’s probably attacking your account. What are some lessons for your IT team, your cybersecurity team, your SOC, whoever’s monitoring these things, assuming you have one, hopefully you do. And again, just just to reiterate this fact, small businesses that don’t believe you can afford cybersecurity, think again, you cannot afford not to have cybersecurity, and that’s important. I have clients that are as small as one, so yes, you can afford it. So first of all, it and security teams, they must stay alert. MFA fatigue attacks expose the importance of not only securing systems, but also educating users, and we’re going to get to that in a moment. It teams should be proactive in informing employees about these tactics and how to recognize them. This is one of the reasons I have this podcast, I have a YouTube channel, I have all these different forms of educating my clients. Hey, this is not normal activity. This means you’re being attacked. Training is the key, and we at Nawaz tech offer we don’t offer it’s part of our package, security and awareness training set. Okay, so my clients have weekly trainings only a few minutes long, and in an annual training, and they have to take a four question quiz on this in these weekly trainings and multiple question quiz for the annual training. And the idea is not so much to say it’s not punitive, okay, if you, if you fail, then go back and do it again. It’s three minutes, four minutes, whatever it is. The idea is to keep them, keep the clients aware, everybody, by the way, everybody C level, all the way down the owner, the CEO, whoever it is, the boss, all the way down to anybody else that has access to systems. Training is key. Awareness is key. You, if you, if they’re not aware, they are definitely more likely to fall for this. And then, of course, businesses should also invest in systems that monitor unusual login behavior. So all of our clients also have this where we monitor for unusual logins outside of their normal routine. So it’s behavior based, but also location based. So if they’re outside of their normal location and there’s a login, we get an alert if they’re logging outside of normal hours, we get an alert if a document. It shared from one point or SharePoint outside of the organization, we get an alert. So sounds like a lot. If we don’t get that many alerts because of the security and awareness training aspect of this, they’re they’re aware that a, you can’t do these things, you shouldn’t do these things. I shouldn’t say can’t you shouldn’t do these things, and B we are monitoring for these things, so they feel all warm and fuzzy, but at the same time they’re aware sat security and awareness training. And if you know me, you know that training, security and awareness training is by far, it’s my favorite thing, but also the most important thing for our business. All right, that’s going to conclude this episode. So let’s just go over a few things. First of all, MFA fatigue is real, and it’s a growing concern. MFA is only as good as as the people that are utilizing it. And so if you don’t train your people, educate your people on what to look out for and how to prevent MFA fatigue attacks from succeeding, then you are most likely going to have an incident. So security and awareness training, monitoring and alerting are critical. So the thing to look out for multiple rapid fire MFA alerts via text message or email. If that’s the type of MFA you have set up, and if you do have this set up, get off of it as soon as possible. Switch to at minimum one time pass code app on your phone, such as Google Authenticator, Microsoft authenticator, or Authy. Authy is great option if you don’t want to be tied to Google or Microsoft for that purpose. Or you can use biometrics. And you should use biometrics everywhere you can, and that’s in the form of a fingerprint or retina scan or or facial recognition. And then, if possible, set up conditional access. So if you know that employees should only be at one location, checking email, then set it up so the email only works there. And this way you avoid this altogether. As always, technology is only as strong as the people using it. The attackers, in this case, didn’t break the MFA system. They broke down the victim’s patience and awareness. So in other words, there was nothing wrong with MFA. MFA works. It did exactly what it was supposed to do.

It was the people involved, the attackers, the victims. That’s where the link in cybersecurity was broken. And I’ve said before, and I’ll say it again, the human element is the weakest link in any cybersecurity plan. So we’d appreciate shares, likes, reviews of this podcast episode and the podcast in general. You know, as you know, the more reviews we have and the more people that like this. Give us five stars, four stars, whatever it is on the platform you’re listening to this, so more people that will hear this and will help us grow and make more people aware of the risks that are out there. Thanks for listening. Episode 25

stay secure.