You likely have not only heard of MFA, or multi-factor authentication, but you use it in either your personal online services or in the workplace.
Multi-factor authentication assumes the premise of multi-dimensional identity verification techniques, such as verifying you based on something you know and/or something you have in your possession.
But what have we been seeing in practice?
Do you find it convenient to complete your identity verification seamlessly on your iPhone or Android smartphone? While convenient for the user, fraudsters are also finding work in their favor. Criminals have been successfully bypassing MFA when they find both factors on the same device. How so?
First off, we have been convinced that (1) one-time passcodes (OTPs), whether over hardware or software, for inputs comprise of “friction”, in the sense that they slow down the user experience to reach or complete the requested service to which they are authorized or entitled; and (2) that because of criminal techniques of SIM swapping or jacking, OTP over SMS or text messaging is not as secure. And so, Okta and Microsoft (as well as many others, such as PingIdentity, VMware, Google, etc.) all offer push notification and some type of “frictionless” interaction to ensure that you do not abandon your request over the Web to satisfy verifying your identity out of some frustration of the perceived hurdles.
It doesn’t stop there. Smartphone manufacturers, such as Apple or Samsung, also take the various input methods as MFA options, which we refer to as biometrics authentication. You may have set up your fingerprint or face to not only sign into your smartphone, but for your smartphone to seamlessly log you into the locally installed mobile app or online services.
What a world we live in! Even though we are willing to go through airport security, quite a few of us have paid for expedited travel options to streamline the security process for convenience of making use of time on our own terms, haven’t we? We tend to bring the same mentality to our digital identities.
Back in May 2022, the I-Team in Bost, MA, reported that criminals were able to use an online check deposit scam and Zelle for cash withdrawal from someone’s bank account, all by hacking the victim’s smartphone. Of course, Zelle is now under scrutiny, as I’m sure the bank is, for not preventing the fraudulent transaction. But did they fail in accepting the smartphone’s biometric MFA as a viable option?
Peter Tran, a cybersecurity expert with whom I’ve had the pleasure of knowing from my days at RSA, reported that the biometrics on the iPhone, for example, can be bypassed because of the way the biometric is represented – as a numeric value. The criminals were able to provide the numeric value that represented the victim’s biometric registration on his smartphone, which fulfilled what the bank required using the embedded (and federated) Zelle wire transfer service.
Fraudulent Cash Withdrawal via Zelle
- The victim’s credentials were compromised, possibly due to social engineering or spear fishing tactics
- The hacker was able to install malware on the victim’s smartphone
- The hacker accessed the victim’s bank via mobile banking app on the victim’s smartphone
- When prompted for MFA, the hacker was able to bypass it by providing the numeric value expected (vs having victim interact with the smartphone as the bank tested)
- The hacker deposited bad checks via mobile app, again via mobile app on victim’s smartphone
- Hacker then initiated cash transfer via Zelle service, part of bank’s mobile app
The flaw here is the fact that the transaction and the MFA were handled on the same smartphone. While this is purely a convenience, it’s obviously not secure because it dilutes the two dimensions of something you are (i.e., the biometric factor) and something you have (i.e., the smartphone as a registered device).
What Should Have Happened?
I believe that said bank from the I-Team report requires that traditional wire transfers be done using a traditional Internet browser from a traditional computer or laptop, and uses other identity verifications, such as OTP over SMS, instead of the native mobile app biometric authentication. As mentioned on current state of biometric authentication on the smartphone as it is today, it is still a viable option when used as a something you are factor but is separate from the something you have or are using.
Since the user was using Zelle on the mobile banking app, the user should have been prompted to either transfer the transaction to another device, such an Internet browser on a computer or tablet, or perform some other interactive identity verification, such as CAPTCHA or image-based identity verification input. The fault here is on the bank because the bank decided to settle on these MFA options that included loopholes for fraudulent transactions to occur despite the security implemented.
Situational Awareness or UEBA?
There have been many topics on how elaborate situational awareness offers data points to reduce risk of fraudulent access and heighten identity verification certainties. This is the premise of User and Event Behavior Analytics (UEBA). While UEBA is often applied to reactive solutions, such as Security Orchestration, Automation and Response (SOAR), some aspects of situational awareness, such as the checks deposited prior to the request for funds withdrawal or send via Zelle, should have prompted for an alternative MFA input, varying from the initial mobile app MFA that satisfied the identity verification.
But as with all things, having thousands of data inputs to derive certainty costs money – both on the service provider’s side and the security provider’s side. But how much money have Zelle and this unnamed bank lost due to this one news report? Would that monetary loss (or opportunity cost, for you economics majors out there) be worth it? I can’t imagine the fallout, whether in court for judicial or civil actions.
iVision offers expertise in identity and access management (IAM) to the degree of helping you to understand and implement the best-of-breed technologies and practices to ensure secured access, despite the ever-changing landscape of fraud to the digital identity.