Passwords are one of the biggest headaches in today’s digital world; they are difficult to manage and not very secure. Recently, hackers accessed the personal data of 6.9 million 23andMe users by exploiting reused passwords, compromising details like names, birth years, and DNA information. For millions of people, the exposure of genetic and personal data raises the risk of identity theft, targeted scams, discrimination, and other harm. This is not an isolated case; in fact, 82% of breached organizations say credential misuse or authentication weaknesses were the cause. The good news is that passwordless authentication solutions are increasingly available! Let’s explore these solutions as well as the major industry changes in authentication and authentication hacking.
New Voice Cloning Attacks Can Undermine Passwords
When users forget their passwords, what do they do? They call the Help Desk and request a password reset. Unfortunately, criminals are all too familiar with this process, resulting in a recent spate of voice attacks targeting IT help desks. For example, in the recent MGM case, hackers reportedly called the company’s IT service desk and convinced them to reset a user’s password. Okta has warned that attacks against IT service desks are a trend, and that hackers use them to reset MFA on administrator accounts, leading to full takeovers.
Voice cloning is poised to exacerbate these issues—and create more. Already, scammers are using voice cloning tools to commit financial fraud, such as a recent case where an elderly victim paid $17,000 to scammers after they put his “son-in-law” on the phone. In reality, they had cloned the son-in-law’s voice using common tools, and made it sound like he was in trouble. Hackers only need about a minute of audio for a cloning program to create a frighteningly accurate voice clone. Then the criminal can type in any arbitrary message, and it will be immediately generated in the cloned voice.
Soon, voice cloning attacks are likely to shift to the business world, where hackers can use these tools to convince managers to request IT-related changes, bypass multifactor authentication and more. Businesses rely on voice authentication constantly. Got a call from the boss? A colleague? A longtime customer? The sound of the caller’s voice is instinctively part of your authentication process. To make matters worse, Caller ID spoofing is all too easy for attackers, meaning you can’t rely on the caller’s number to verify their identity—and even the sound of their voice can be easily faked.
As voice cloning technologies become widespread, make sure to review your caller verification processes, and train all employees—including managers, IT Help Desk staff, and more—to use other methods for authenticating callers, such as MFA apps. Speaking of which…
The Latest MFA Bypass Techniques
Email and text (SMS) authentication are popular Multi-Factor Authentication (MFA) tactics—but easy ones for attackers to bypass. One common tactic is for attackers to create a spoofed website and then trick users into entering their one-time code into the fake site. Criminals can also employ “SIMjacking” to redirect your text messages to their own device, or simply break into your email to retrieve one-time codes (remember, Business Email Compromise is a leading cause of losses, according to the FBI).
Harder to bypass, but not as secure as a passwordless authentication solution, is Microsoft’s Authenticator app with push notifications. Since there is no one-time passcode for attackers to steal, it’s not vulnerable to the same types of phishing attacks. However, attackers have still found ways around it. For example, in “MFA fatigue” attacks, hackers try to trick users into approving pop-up MFA requests by sending repeated MFA app notifications until the victim gets tired and approves the request, allowing the attacker to log in.
Microsoft now offers “number matching,” which adds an extra layer of security by requiring the user to type in a number shown on the login screen when approving the push notification. This helps prevent users from accidentally approving pop-up MFA requests for logins they did not start.
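The two ideas above, as an added example that is not code from the original post or from LMG Security: a small detector that flags the MFA fatigue pattern (a burst of push prompts to one user followed by an approval) over constructed log lines, and a check that models why number matching blunts the attack. The log format, event names, function names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<ISO time> <user> <event>", where the
# event is PUSH_SENT, PUSH_DENIED or PUSH_APPROVED. The field layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T02:13:05 alice PUSH_SENT
2024-03-01T02:13:21 alice PUSH_SENT
2024-03-01T02:13:40 alice PUSH_DENIED
2024-03-01T02:14:02 alice PUSH_SENT
2024-03-01T02:14:30 alice PUSH_SENT
2024-03-01T02:15:11 alice PUSH_SENT
2024-03-01T02:15:50 alice PUSH_APPROVED
2024-03-01T09:00:00 bob PUSH_SENT
2024-03-01T09:00:09 bob PUSH_APPROVED
"""

def parse_log(log: str):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def find_mfa_fatigue(log: str, max_prompts: int = 4,
                     window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {user: approval time} for every approval that follows more than
    `max_prompts` push prompts to the same user within `window`. A legitimate
    login normally needs one prompt; a burst followed by an approval is the
    fatigue pattern. Thresholds are assumptions to tune per environment."""
    recent_prompts = defaultdict(list)
    flagged = {}
    for ts, user, event in parse_log(log):
        # keep only prompts that are still inside the sliding window
        recent_prompts[user] = [t for t in recent_prompts[user] if ts - t <= window]
        if event == "PUSH_SENT":
            recent_prompts[user].append(ts)
        elif event == "PUSH_APPROVED" and len(recent_prompts[user]) > max_prompts:
            flagged[user] = ts.isoformat()
    return flagged

def approve_push(number_matching: bool, shown_on_login_screen: int,
                 typed_by_approver) -> bool:
    """Model of the approval step. Without number matching a bare "Approve" tap
    succeeds, so a worn-down victim can let an attacker's login through. With it,
    the approver must type the number displayed on the login screen, which only
    the person who actually started the login can see."""
    if not number_matching:
        return True
    return typed_by_approver == shown_on_login_screen
```

In a real deployment the same logic would run over the identity provider's sign-in and push-notification logs, and a flagged approval is a reason to revoke the session and contact the user.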
Blog post courtesy of LMG Securities.