Voice Security: is Multi-Factor Authentication (MFA) the Answer?

Recent High-Profile Voice-Based Cyberattacks have increased attention on defending Voice as a Threat Vector. Many Cybersecurity Experts have turned to MFA as the answer. Is this the correct cyber protection strategy?

MFA is Back in the Spotlight, this time for Voice Security

In the ongoing wake of MGM-style mega-breaches precipitated and instigated through voice-based attacks, cybersecurity experts have, once again, touted Multifactor Authentication (MFA) as not just an important element of a comprehensive cyber defense strategy, but now an answer for voice security.

But is MFA a “reasonable” defense strategy for the voice channel?

Can MFA be used to eliminate Voice-Based Attacks, which include voice phishing (vishing), social engineering, spoof calls, voice spam storms, scam calls and robocalls?

This article delves into the common elements behind recent, high-profile breaches, examines the limitations of MFA as a Voice Security strategy, and outlines a proven approach enterprise-class organizations can take right now to defend against voice-based cyberattacks.

Vishing, a Tipping Point for Voice Protection

Bad actors have been abusing the voice channel for years, hiding behind spoofed numbers and flooding networks with robocalls, scam calls and spam calls. 

However, Vishing (voice phishing) is the critical cyber threat that has taken center stage.

Vishing was reported to be the tactic used to breach MGM and initiate a series of events which has proven to be one of the most significant cyber events in all of 2023. 

Bad actors have increased their use of vishing techniques because they are highly effective.  Vishing employs two of the weakest points of an organization’s threat landscape:  humans and the voice network.

Via Vishing, bad actors become highly skilled imposters, armed with just enough personal information to form a convincing impersonation. 

Because the voice channel is not adequately protected, it is an easy and direct avenue to connect directly with human targets.

And once that voice connection is made, the bad actors use social engineering and the power of human-to-human persuasion to extract the information they need to gain VPN access, hijack accounts, launch ransomware and infiltrate internal systems.

The ongoing success of these vishing attacks, even on sophisticated, tech-savvy companies that have robust employee cybersecurity training programs, is alarming to say the least. It also sends a clear message: there is no such thing as adequate cybersecurity defense without adequate Voice Security.

Where does MFA Fit In?

Multi-Factor Authentication (MFA or, alternately, Two Factor Authentication – 2FA) is a security protocol designed to thwart would-be account hackers by requiring proof of identity through multiple, unrelated verification mechanisms before login access is granted. That might involve repeating a numeric code that has been sent to the legitimate user’s personal mobile device or email account, or maybe just a simple click on “Approve” in a pop-up window on a personal device.

In this way, even if a hacker has access to a victim’s username or password, they would not be able to complete the last step without access to that person’s device or email account. 

For personal accounts, MFA is clearly a common-sense safeguard.

Enterprise Voice Security Demands More

However, when it comes to enterprise voice interactions, MFA has proven alarmingly flimsy when challenged by skilled cybercriminals intent on circumventing voice network-protecting security measures.

Need proof? Just consider last year’s high-profile breaches at some of the nation’s most security-centric companies, including Okta, Uber, and Cisco. All were breached by MFA-busting hackers wielding the power of human manipulation.

MFA, Zero Trust and the Promise of Identity Security

The practice of multi-factor authentication is an outgrowth of the “Zero Trust” approach to network security.

Zero Trust assumes that no user or application attempting to gain access to sensitive accounts or data can be trusted by default, and so must be challenged through additional layers of authentication. 

There are several ways this Zero Trust vetting can take place, but generally there are three categories:

  • Identify something only you Know (such as a PIN or the answer to a personal security question);
  • Verify through something only you Possess (such as a physical token, email account or personal mobile device that can receive push notifications);
  • Verify through who you physically Are (such as voice, facial, or fingerprint biometrics).

With a Zero Trust strategy, even if an impostor has a potential victim’s username and password (which is uncomfortably common thanks to the ever-growing repository of stolen personal data on the Dark Web), they will not have access to that user’s mobile device, email account, or physical characteristics and, therefore, would not be able to complete the last step to gain account access.

MFA, Not the Cybersecurity Bulkhead We Thought It Was

However, the promise of MFA infallibility has been short-lived. Because, of course, finding ways to defeat security protections is a full-time occupation for seasoned cybercriminals and a growing legion of ethics-challenged, tech-savvy, attention-seeking teenage hacker gangs. 

It wasn’t long before criminal enterprises like the notorious Lapsus$ group found a way to break through MFA guardrails.

How?

By simply recruiting the assistance of their unwitting human targets.

Hackers are Overcoming MFA

According to this extensive 2023 Cybersecurity and Infrastructure Security Agency (CISA) Cyber Safety Review Board report, cyber-hacking organizations have multiple methods for breaking through MFA, including:

  • Man-in-the-middle (alternately, Machine in the Middle – MitM) attacks. This intrusion often begins with a phishing email or SMS text that appears to be from a legitimate source such as an organization’s IT department. It includes a link that takes recipients to an impostor webpage that looks like a legitimate internal site but is controlled by the threat agent. When the user logs into the bogus site with their usual username and password, the MFA authorization request is retrieved by the hacker and used to complete the login to the victim’s actual account. Once in, the adversary, often accompanied by co-conspirators, infiltrates related internal systems, stealing data and/or planting malware.
  • Token theft. This attack is perpetrated through malware that allows adversaries to scrape session “cookies” stored on the victim’s computer. A session cookie is a token the web browser presents on each request so the site recognizes the user as they move between pages. When a session involves an MFA-protected account, the cookie reduces friction by keeping an authorized session “active” so users don’t have to re-authenticate every time they access different pages. Cybercriminals take the stolen cookies and place them into their own web browsing session, thereby tricking the site into treating them as the authorized user, which bypasses the need for additional MFA authentication.
  • SIM-Swapping: In this attack, the criminal agent leverages a victim’s stolen username and password plus other harvested personal information to support a convincing impersonation. They then contact the victim’s mobile provider to say they have a new phone and need that number ported over when, in fact, the “new phone” is controlled by the adversary. Once the victim’s number is transferred over, the adversary can log into their accounts and intercept MFA push requests for full account access.
  • MFA Fatigue: This attack technique requires neither malware nor website spoofing to succeed. Instead, it turns the actual MFA prompt mechanism into a bludgeoning tool used to break the resistance of a human target.

A good example of the effectiveness of MFA Fatigue (alternately known as Prompt Bombing) is the well-documented breach of Uber’s IT systems last fall. 

According to this Uber update, threat agents reportedly obtained the corporate account VPN login credentials for an external contractor whose Personally Identifiable Information (PII) had been exposed through a mobile phone hack and posted on the Dark Web. Knowing that any login attempt would generate a 2-factor authentication request on the contractor’s phone, the threat agent wrote a script that would automatically trigger another login attempt each time the user tapped “Deny.” At the same time, the threat agent, posing as Uber IT tech support, contacted the user directly to vouch for the legitimacy of the authorization requests. After an hour of non-stop assault, the exasperated contractor eventually succumbed to the impostor’s request and granted authorization. Once logged in, the attacker (later identified as an 18-year-old member of the Lapsus$ cyber extortion gang) moved quickly into internal administrative systems to exfiltrate data and then bragged about the breach through Uber’s own Slack channel.

A similar strategy was behind a recent Cisco hack. The attacker, thought to be an Initial Access Broker (IAB) with ties to the Lapsus$ group and Yanluowang ransomware operators, used a combination of social engineering and vishing (voice phishing) to target numerous Cisco employees identified as high-value access prospects. Posing as an IT support staffer, the threat agent was able to convince one of those targets to disclose login credentials for their Google account.

As with the Uber attack, the adversary then unleashed a flood of login attempts that generated a non-stop stream of MFA push requests to the employee, while at the same time engaging the victim by phone to help solve the “problem.” Eventually, the employee, either out of frustration or by mistake, clicked to grant authorization. Once inside the account, the threat agent and fellow co-conspirators were able to uncover internal passwords linked to the victim’s business accounts. This included access to the organization’s VPN and data which they then exfiltrated from internal files and released on social media as proof of their achievement.

The fact is, the cybercriminal community is simply not inhibited by MFA barriers, as evidenced by this Microsoft study revealing that more than 382,000 MFA Fatigue attacks alone took place during a recent 12-month recording period.
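The Uber and Cisco incidents above share a signature a defender can look for in authentication logs: a burst of push prompts to one account, a run of denials, and then an approval. The following is an added example (not the article’s code and not any vendor’s product) of detection logic for that pattern. It assumes a generic one-line-per-push log format, constructed below, with an ISO-8601 timestamp, the user, the result (denied/approved) and the source address; the thresholds are assumptions to be tuned per environment.

```python
"""Detect MFA push-bombing (prompt-fatigue) patterns in authentication logs.

Added example, not from the article. Assumes a generic log line format:
<timestamp> user=<name> result=<denied|approved|sent> src=<ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds (assumptions, not from the article)
BURST_THRESHOLD = 5                     # pushes to one user within WINDOW
WINDOW = timedelta(minutes=10)
SUSPICIOUS_DENIALS_BEFORE_APPROVE = 3   # approval after this many denials

# Constructed sample log: "cjones" is hammered with prompts, denies six
# times, then approves; "alice" and "bob" show ordinary behaviour.
SAMPLE_LOG = """\
2023-09-15T03:00:05Z user=alice result=approved src=10.0.0.5
2023-09-15T03:10:01Z user=cjones result=denied src=203.0.113.7
2023-09-15T03:10:09Z user=cjones result=denied src=203.0.113.7
2023-09-15T03:10:20Z user=cjones result=denied src=203.0.113.7
2023-09-15T03:10:33Z user=cjones result=denied src=203.0.113.7
2023-09-15T03:10:47Z user=cjones result=denied src=203.0.113.7
2023-09-15T03:11:02Z user=cjones result=denied src=203.0.113.7
2023-09-15T03:11:40Z user=cjones result=approved src=203.0.113.7
2023-09-15T08:15:00Z user=bob result=denied src=10.0.0.9
2023-09-15T08:16:30Z user=bob result=approved src=10.0.0.9
"""


def parse_line(line):
    """Split one log line into a dict; 'ts' becomes a datetime."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_push_bombing(log_text):
    """Return findings (dicts: user, kind, count, ts) in log order.

    Two signals are raised per user:
      push_burst            - BURST_THRESHOLD or more pushes inside WINDOW
      approve_after_denials - an approval following a run of denials
    """
    findings = []
    recent = defaultdict(deque)   # user -> timestamps of pushes inside WINDOW
    denials = defaultdict(int)    # user -> consecutive denials so far
    burst_reported = set()        # report each user's burst once

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts, result = rec["user"], rec["ts"], rec["result"]

        # Sliding window of pushes for this user
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and user not in burst_reported:
            findings.append({"user": user, "kind": "push_burst",
                             "count": len(window), "ts": ts})
            burst_reported.add(user)

        # Denial streak followed by an approval is the fatigue signature
        if result == "denied":
            denials[user] += 1
        elif result == "approved":
            if denials[user] >= SUSPICIOUS_DENIALS_BEFORE_APPROVE:
                findings.append({"user": user, "kind": "approve_after_denials",
                                 "count": denials[user], "ts": ts})
            denials[user] = 0
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(SAMPLE_LOG):
        print(f"{finding['ts']:%Y-%m-%d %H:%M:%S} {finding['user']}: "
              f"{finding['kind']} (count={finding['count']})")
```

On the constructed log this raises a push_burst for cjones at the fifth prompt and an approve_after_denials finding at the eventual approval, while alice and bob produce nothing. In practice the approve_after_denials finding is the one to page on, since it marks a session that should be treated as compromised until the user is reached through a channel the attacker cannot spoof; the push_burst finding is the earlier warning that gives the help desk time to contact the employee before they give in.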

If the techniques and success rate of hacks perpetrated by the likes of Lapsus$ are any indication, cybercriminals increasingly see MFA not as an obstacle, but as a tantalizing challenge ripe for conquest.

MFA, Just One Component of Cybersecurity Strategy

MFA is an important tool to add to an organization’s cybersecurity arsenal as it has proven effective at filtering out mostly low-level network access attempts by would-be hackers.

But MFA is by no means a complete enterprise panacea in the face of a sophisticated, ever-evolving cyber threat landscape. Employee training, network monitoring, software updates, and penetration testing, for example, also play key roles but, like MFA, each addresses only one facet of the attack surface.

MFA is Not Reasonable Voice Security

Regarding Voice Security, MFA is not a reasonable defense. To protect and defend Voice, organizations must employ cybersecurity solutions designed and built for Voice Security, with robust controls for today’s voice-based threats (vishing, spoofed calls, voice spam storms, scam calls, robocalls) and for emerging voice threats.

If you think Multi-Factor Authentication is your shield for enterprise-class voice security, you have already lost the battle.

Voice Security Requires Solutions Architected for Voice Security

As evidenced by recent, high-profile cyber breaches and MFA failures, cyber-criminals are finding human fallibility to be the key that unlocks their access to an organization’s networks and data. Their focus and intent, then, is simply to make that initial contact and, from there, unleash their skills at deception and psychological manipulation.

No doubt, an organization’s top level of defense, then, is to prevent criminal access to employees in the first place. While employee training often centers around password management and email phishing scam detection, the growing prevalence of voice phishing (vishing) is proving that cybercriminals intent on reaching their targets will continue to migrate to open doors of opportunity. They are clearly finding that in the voice channel.

Voice Security is a Threat Vector You Can Protect

Separate from Data Security, Voice Security is a unique and distinct threat vector and, therefore, warrants a very targeted approach.

Mutare’s singular focus on threat detection and defense for the voice channel is foundational to its breakthrough Voice Security solution.

Mutare’s Voice Traffic Filter (VTF) is designed specifically to leverage the revealing data found in voice calls and calling behaviors, and can detect unwanted intruders before they impact the network or reach employee endpoints.

Our purpose-built Voice Security technology is, itself, a multi-layered solution that combines a massive dynamic database of unwanted callers with sophisticated call data analytics to detect and deflect robocalls, spammers, scammers, spoofers, spam storms, vishers and social engineering attacks at the network edge. While eliminating the disruption of unwanted calls, VTF dramatically reduces the chance a skilled cybercriminal can reach, and potentially breach, a human target.

As with any data protection technology or practice such as MFA, Voice Traffic Filter is one part of a complete strategy, but an invaluable one that closes a gaping Voice Security hole that currently exists for so many organizations.