2. Sherrie Cowley
• Masters in Information Systems
• Managed Software Engineering, Support, and Identity and Access Management
• InfraGard Liaison for FBI Cyber Task Force
3. Dennis Taggart
• M.A. in Political Science/International Relations; working on an M.S. currently
• Enjoy hardware work… SMD is fun
• Pen testing for last few years
4. Disclaimer
• This presentation is for educational purposes only.
• We are not endorsing anything and nothing/nobody endorses us.
• Any images/artwork chosen for this presentation are utilized under fair-use and we make no claim to ownership of any of it. Any logos are trademarks of their owners and they reserve all rights
• There is no substitute for sound/professional judgement
• The views expressed are not the views of our employers, past or present
• We do not endorse any illegal or unethical activity
7. Reddit and SMS
“…we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
Not a Reddit roast, but such timing
In 2017, NIST SP 800-63B describes PSTN (SMS) as a restricted (read “risky”) form of MFA
9. Bypassing SMS: Porting the Number
Step 1.
Exploit the target’s cell carrier account, or impersonate the user, to port/forward/otherwise access SMS messages
Step 2.
Use account recovery to trigger MFA messages to gain access to additional sensitive information
(Diagram: attacker takes control of the phone service; the SMS code 123456 is delivered to the attacker instead of the user)
10. Bypassing SMS: Phishing
Step 1.
User is presented with a fraudulent (fake) login page and logs in
Step 2.
Attacker logs into the real site with the harvested tokens
(Diagram: fake login page; credentials + MFA token sent to attacker, who then uses them at the real login page)
15. Preventing SMS Bypass
• Request “port-out” authorization from carrier
• Application security (e.g. an XSS or similar flaw that exposes sessions…)
• Train on Phishing and protect against Malware
• Document a strategy for responding to unsolicited text messages
16. Handling unsolicited SMS MFA notifications
• Verify request was not solicited (take a breath)
• Identify if it’s a privileged user (admin, CEO, financial controller, etc.)
• Change password
• Identify all attacker activity
• Continue to monitor user’s account
17. TOTP
Time-Based One-Time Password
• Popular Applications: Duo, Google Auth, Authy…etc.
• Part of OATH standards (Not OAuth2)
• HOTP is Counter-Based and TOTP is Time-Based
• Typically 6 digit code changing every 30 seconds
(Diagram: “Some Authenticator App” shows 123456; the user enters the MFA code 123456 on the MFA page)
26. Device Token
How do Push Notifications work?
(Diagram: Login Page → Application; the Application sends “Device Token + Query” to Google/Apple Services, which deliver it to the Mobile Phone; the phone returns “Device Token + Response”; the Device Token is stored by / accessible to the app)
27. Bypassing Push Notification Device Token
Step 1.
Change the Registered Device ID to an attacker-controlled value (SQLi, Parameter Tampering, Indirect Object Referencing)
Step 2.
Access the application as the targeted user
(Diagram: two login pages; the stored Device Token now points at the attacker’s device instead of the user’s)
29. Defending against Push Bypass
• Application security!
• Train against phishing/social engineering and protect against malware
• Create a strategy for responding to unsolicited push notifications
30. Manipulating End Users
• Phishing
• Session Hijacking
• Social Engineering
• Hope for Accidental Approval
• Hope the user gets sick of the gratuitous requests and simply disables MFA
31. FIDO U2F Security Keys
Universal Second Factor
(Diagram: Login Page; 1. Enters Password, 2. Touches Button)
33. FIDO U2F Security Keys
• Uses a Signed Public/Private Key
• Uses Origin Bound Keys and Token Binding to protect against Phishing, Man-in-the-Middle Attacks, and Session Hijacking
• Doesn’t allow writing to Security Key
• Uses a Counter to protect against Cloning
• Requires human interaction
34. FIDO U2F Security Keys
(Diagram: Login Page; the Identity Provider sends Challenge, Origin and TLS Channel ID to the App, which passes Challenge, Origin and TLS Channel ID on to the U2F Device)
35. Origin Binding
(Diagram: Phishing via a Fake Login Page versus the Real Login Page)
36. Token Binding (Channel ID)
(Diagram: Sign In at the Real Login Page over a TLS Tunnel; Session Tokens; Man-in-the-Middle and Session Hijacking positions)
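As an added example (not from the deck), the relying-party-side checks that give the origin binding and the clone-detecting counter from slides 33 to 36 their effect, written in Python over the U2F raw authentication message. It assumes the appId is the same string as the expected origin, and takes the ECDSA P-256 signature check as a caller-supplied function because the standard library has no ECDSA; the sample client data, challenge and response bytes are constructed.

```python
import hashlib
import json
import struct


def verify_u2f_assertion(app_id, expected_challenge, client_data, signature_data,
                         stored_counter, verify_ecdsa):
    """Return (True, new_counter) or (False, reason). signature_data is the raw U2F
    response: 1 user-presence byte, 4-byte big-endian counter, then a DER signature.
    verify_ecdsa(message, signature) -> bool is the ECDSA check bound to the key
    registered for this user; it is injected here rather than implemented."""
    cd = json.loads(client_data)
    if not isinstance(cd, dict) or cd.get("typ") != "navigator.id.getAssertion":
        return False, "unexpected clientData type"
    # Origin binding: the browser, not the page, records the origin it talked to,
    # so a look-alike phishing domain produces a clientData the RP rejects.
    if cd.get("origin") != app_id:
        return False, "origin mismatch: %r" % cd.get("origin")
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or foreign response)"
    if len(signature_data) < 5:
        return False, "signature data too short"
    user_presence = signature_data[0]
    (counter,) = struct.unpack(">I", signature_data[1:5])
    if not user_presence & 0x01:
        return False, "user presence (button touch) not asserted"
    # Counter check: a cloned key that was used elsewhere falls behind the stored value.
    if counter <= stored_counter:
        return False, "counter did not increase: possible cloned key"
    # What the key signed: SHA-256(appId) || presence || counter || SHA-256(clientData)
    signed = (hashlib.sha256(app_id.encode()).digest() + signature_data[:5]
              + hashlib.sha256(client_data).digest())
    if not verify_ecdsa(signed, signature_data[5:]):
        return False, "bad signature"
    return True, counter


# Constructed sample inputs so the block runs stand-alone.
APP_ID = "https://example.com"
CHALLENGE = "constructed-challenge"
GOOD_CD = json.dumps({"typ": "navigator.id.getAssertion",
                      "challenge": CHALLENGE, "origin": APP_ID}).encode()
PHISH_CD = json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": CHALLENGE, "origin": "https://examp1e.com"}).encode()
RESPONSE = b"\x01" + struct.pack(">I", 42) + b"<der-signature>"  # presence set, counter 42


def stand_in_verify(message, signature):
    """Stand-in for ECDSA verification used only with the constructed sample above."""
    return signature == b"<der-signature>"
```

On success the server stores the returned counter as the new value for this key so the next assertion is checked against it.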
37. Bypassing Fido U2F
• Physical attack
• Try MITM and Session Hijacking (missing token binding)
• Manipulate Application Database
• Replace entire registration message stored with your own
• Social engineering the Support Team
• Try backup MFA options
• Find an Open Port or another vulnerability
38. Bypassing Fido U2F
Step 1.
Get the U2F device, or social engineer a downgrade of the type of MFA
Step 2.
Access target’s account
Reminded us of the classic comic “Security”: xkcd.com/538
39. Defending against FIDO U2F Bypass
• Protect Authentication Database
• Train Against Social Engineering
• Patch and Monitor Known Vulnerabilities
• Protect against Malware
40. Is MFA the Silver Bullet?
No!
But it does raise the bar for attacks.
42. Thanks & References
Family, friends, coworkers, etc. who took time to listen to us and let us be gone as we worked on this
Artists and professionals who shared their skills with the world
Women in Security
https://cryptologicfoundation.org/learn/stimulate/women-in-cryptology.html
Smishing Poster
https://memegenerator.net/instance/82042286/forever-alone-didnt-you-mean-smishing
https://www.usatoday.com/story/tech/columnist/saltzman/2017/07/03/delete-suspicious-text-messages-on-your-smartphone/439647001/
http://fortune.com/2017/07/07/smishing-scam/
https://www.experian.com/blogs/ask-experian/what-is-smishing/
XKCD Comic
https://xkcd.com/538
OpenClipArt
Fingerprint by jhnri4 https://openclipart.org/detail/74581/fingerprint
Cloud by SavanaPrice https://openclipart.org/detail/193455/cloud
Phone by lifeincolour https://openclipart.org/detail/228650/phone
LCD Monitor by molumen https://openclipart.org/detail/6977/lcd-monitor
Cell tower by shared4you https://openclipart.org/detail/179921/radio-tower-wireless
Sim Card by Anonyous https://openclipart.org/detail/13187/sim-card
User (various remixes) by elconomeno@email.com https://openclipart.org/detail/287798/user & https://openclipart.org/detail/288356/spy-behind-computer
Server by sagar_ns https://openclipart.org/detail/5159/server-cabinet-cpu
Users by danilo https://openclipart.org/detail/215499/users
Reddit
https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
Images of Google are owned by Google, Inc. Images of iOS are owned by Apple.