Gajus - stock.adobe.com

Mitigating social engineering attacks with MFA

The growing frequency of social engineering attacks highlights the increasing need for organisations to take steps to mitigate the effects of phishing

This article can also be found in the Premium Editorial Download: Computer Weekly: IR35 reforms – the difficult decisions facing IT contractors

Social engineering attacks are one of the most prevalent forms of attack against organisations. They can target any organisation, regardless of size or type.

In fact, many of us will have experience of them, such as automated calls claiming to be from your internet service provider or emails offering “unbelievable” discounts, for example. They can vary in sophistication, with some easy to spot, while others are highly convincing.

Europol’s Internet organised crime threat assessment (IOCTA) 2018 highlights the growing prevalence of social engineering attacks, stating that “criminals use social engineering to achieve a range of goals: to obtain personal data, hijack accounts, steal identities, initiate illegitimate payments, or convince the victim to proceed with any other activity against their self-interest, such as transferring money or sharing personal data”.

Phishing attacks can have a hugely damaging effect on businesses and individuals, according to the Home Office.

“That is why we have invested more than £200m since 2010 in the law enforcement response and are funding local specialist cybercrime units to ensure that cyber criminals are brought to justice,” a spokesperson tells Computer Weekly.

Social engineering attacks can be broadly broken down into three distinct types, with the first being the most frequent:

  • Phishing – Email or social media based social engineering attacks.
  • Vishing – Voice-based social engineering, frequently over the phone but can also be in person or VoIP (i.e. Skype).
  • Smishing – Mobile phone-based text messaging (SMS) social engineering attacks.

Whaling and spear phishing

Targeted phishing attacks against senior management (whaling) and specific people/organisations (spear phishing) have also recently become a popular form of social engineering attack for criminals.

Spear phishing may act as a precursor to a much more damaging attack. For example, a spear phishing attack could be used with the intent of acquiring access to a network, with a subsequent data breach taking place once access rights have been acquired.

One of the reasons that phishing is so frequently used is that it does not rely on vulnerabilities in an organisation’s security infrastructure in order to be effective, but on the natural goodwill of people. It is for this reason that it can be so effective, as people are naturally inclined to be helpful and efficient – the same qualities that makes employees good at their jobs.

Therefore, no matter the technological solutions in place (such as limiting access rights, identifying external senders or preventing users from installing software), phishing attacks can still be successful if employees are insufficiently trained to detect them. Therefore, it is crucial to educate employees, especially those in public facing roles, in how to detect social engineering attacks and report them.

Educating employees in this matter can provide a valuable contribution to an organisation’s network defences. This education should be non-judgemental and explain the common indicators of a phishing message that employees should be on the lookout for.

Simulated phishing scenarios are an effective tool for educating employees in how to detect social engineering attacks, by providing real-world examples of what can be expected without any genuine threat to the organisation. However, care should be taken.

While such simulations can help provide an understanding of susceptibility to specific phishing messages, it could also impact upon productivity through uncertainty of genuine emails, as well as employees feeling as if they have been tricked by their organisation.

Read more about multifactor authentication

Another option is to request that all employees complete an e-learning course, which will allow them to practise spotting phishing emails. Such courses typically conclude with a test in order to verify that the required competence has been achieved.

Providing a tool for employees to report phishing incidents, even just an email address for forwarding suspected phishing emails, can also help organisations. Not only does this allow trained professionals to review suspected phishing emails, but it can also alert security teams if the organisation is being targeted as part of a spear phishing campaign.

One technological solution that has proven successful against social engineering attacks, especially when the goal has been for acquiring access details, is the implementation of two-factor authentication.

Two-factor authentication (2FA), and multifactor authentication (MFA), are access management systems that require two – or more – pieces of evidence, whether it be knowledge (such as passwords), possession (a physical token for example) or inherence (eg fingerprints) in order for access to be granted.

The reason that 2FA/MFA is so successful is that should one of their verification stages (such as a password) become compromised, a hacker will still be unable to gain access to the organisation’s network without the other pieces of authentication.

Although broadly similar, each type of 2FA/MFA methodology can be broadly subdivided into the following categories;

  • Email – a unique one-time password is sent to the user’s email address.
  • SMS – a unique one-time password (OTP) is sent by text to the user’s mobile phone.
  • Application – a unique one-time passcode sent to an app on the user’s smart phone.
  • Device – a unique one-time passcode displayed on a separate physical device.
  • Token – a physical token that can be inserted into a USB port.
  • Biometrics – reading aspects of the user’s body to check they are who they claim to be.

Version of authentication

Commonly, for the authentication system to be robust, each stage of the 2FA/MFA process relies on a different channel being used.

“There are lots of different versions of authentication, but they broadly boil down to being unique every time you log on, and that is why they are so good,” says Colin Tankard, managing director of security firm Digital Pathways.

Email, SMS, device and application based 2FA/MFA systems all work on the same principle of sending the user a one-time passcode when they are attempting to log in. This passcode has a brief window in which it can be entered, otherwise it becomes invalid.

This is commonly 30-60 seconds for Email, app, or device methods, but SMS commonly has a longer window of two minutes, to allow extra time for the SMS message to be received.

Some SMS-based authentication systems offer the opportunity to send multiple one-off passcodes. This allows users to have a stock of pre-generated passcodes in advance, which can be helpful in areas where there is limited coverage by mobile providers.

However, this is also carries the risk that someone might be able to obtain the phone and acquire the passcodes. The lifespan of these passcodes sent in advance can vary from weeks to months or even years, and their duration is dependent upon the risk attached.

SMS is potentially the weakest method, due to the extended duration in which the code remains valid and the potential for the message being intercepted. That said, this is such a comparatively low risk that it remains a robust method of 2FA/MFA.

Application-based methods

The application-based method of 2FA/MFA methodology is comparatively recent, as well as becoming the most common, with apps like Google Authenticator and Sophos Authenticator being easily available for organisations to use.

Furthermore, this does not require the additional expense of purchasing more devices, as would be required with token and device-based 2FA methods.

“The primary issue with these is that you do need a backup method of getting in. If your phone breaks or gets lost, your account will most likely be inaccessible,” says Chris Johnson, a solutions architect.

“Many sites get around this by providing a set of rescue codes that you can print out or save somewhere in case of phone loss.”

Device-based 2FA/MFA relies on the user having a small device with them (typically credit-card sized). It may also require them to enter a pin-code in order to activate the device to receive the passcode, adding a further layer of security to the process.

One downside to this method, is that the batteries can run out or the device be lost, which will necessitate a new device being sent, with the user unable to access the organisation’s network during that time.

Physical tokens

Physical tokens, such as USB keys, carry within them a second passcode. Care has to be taken with these, as there have been instances where users have kept their token in the same bag as the laptop it is designed to unlock. Users should be encouraged carry tokens on their key rings or security lanyards; a habit that can be encouraged by adding a keyring to the token.

I’ve used various forms; the most common was RSA Security’s one-time tokens which we've used to protect sensitive environments, as these just work and last for years,” says Johnson. “The downside is that they aren't the cheapest when you ramp up the user count.”

Token and device-based systems also have the advantage of ensuring employees cannot login after they leave an organisation, because at the exit interview, they are typically required to return all equipment belonging to the organisation.

Biometrics have become the holy grail of 2FA/MFA because it is an authentication method that is inherently unique to the user and cannot be easily taken from them. Biometric authorisation can be performed using fingerprints, voice-print or retina-scanning, but each carries significant challenges.

Fingerprint scanning is the most commonplace, as many smart phones and laptops carry fingerprint scanners, but they are also the most unreliable and inaccurate. Rather than requiring a specific match, fingerprint scanners allow for some accuracy deviation – to compensate for dirty fingerprint readers – and thereby potential false-positives.

“It is like saying you got your password a little bit wrong, but I am going to let you in, which you do not have if you are using the token readers,” says Tankard.

Storage security

There have also been several instances of fingerprints being spoofed, and there is the additional concern of where the fingerprint is stored and how secure this storage is. This point was illustrated by the recent discovery by security researchers of a publicly accessible database of biometric information, including unencrypted fingerprint records.

Retina scanning remains most the reliable method of 2FA/MFA. However, as a vast number of people remain phobic about eye scans, and the equipment is still expensive, it remains impractical for mass-market adoption.

Voice recognition, frequently used in telephone banking (many will have had to repeat “my voice is my passport”), bridges the age gap and does not require the additional devices that apps or device-based 2FA/MFA can require.

Voice-based 2FA/MFA systems can also be combined with speech recognition systems to provide an additional layer of security, with users having to state an additional passcode. However, the sensitivity of the system is such that it may not recognise the user where there is a poor connection.

Before implementing any biometric system, it is important to ensure that any current or future employees with disabilities will not be affected adversely.

With the exception of biometrics – and especially retina scanning – the price of 2FA/MFA technology has dropped in recent years, making them a readily affordable solution for many organisations.

No unified standard

However, this recent rapid emergence of 2FA/MFA systems has meant there is no unified standard amongst security providers. For example, Google Authenticator will not work with Sophos Authenticator. That said, some platforms allow for a range of 2FA methodologies under the same system, which some industry commentators see as being key to making passwordless access to systems ubiquitous.

Organisations must carefully choose which 2FA/MFA solution to use, as each platform has its own limitations. “I do not think we will ever get to a point where there will just be one unified approach for multifactor authentication, and that is going to be the problem,” says Tankard.

Nonetheless, 2FA/MFA remains a valid solution for mitigating the effects of a social engineering attacks, especially spear phishing and whale phishing attacks where the intent is to acquire access information to an organisation’s network. With a 2FA/MFA system in place, even if a name and password is acquired by hacker, access will not be permitted unless the corresponding passcode(s) are also entered.

“We moved from manual to third-party software for driving licence and vehicle checks to meet our obligations for our grey fleet [use of an employee's private vehicle for business use] and company car drivers,” says Darren Pulsford, a finance analyst.

“To meet IT protocols, we asked them to add 2FA,” he says. “Implementation was easy enough, and by and large we have had no difficulties. The company has since moved to 2FA for remote logging on, so all our mobile or travelling users are accustomed to it.”

Given that social engineering is a key element to the majority of data breaches hitting the headlines, organisations should investigate what multifactor authentication methods would be best suited to their need to shut down a vulnerability that is routinely exploited by attackers.

Read more on Identity and access management products