articles Ratings /ratings/en/research/articles/221018-cyber-brief-multifactor-authentication-remains-effective-but-not-impenetrable-12531751 content esgSubNav
In This List
COMMENTS

Cyber Brief: Multifactor Authentication Remains Effective But Not Impenetrable

COMMENTS

Instant Insights: Key Takeaways From Our Research

COMMENTS

CreditWeek: How Will COP29 Agreements Support Developing Economies?

COMMENTS

U.S. Media And Entertainment: Looking For The Winds Of Change In 2025

COMMENTS

BDC Assets Show The Prevalence Of Payments-In-Kind Within Private Credit


Cyber Brief: Multifactor Authentication Remains Effective But Not Impenetrable

image

No matter how many controls a company uses to protect its data, attackers inevitably find ways around them, using advanced tools and exploiting poor password practices to compromise accounts more easily than ever. MFA can better confirm the identity of a user, helping reduce the risk of a security breach. Microsoft stated that MFA can block 99.9% of account compromise attacks. However, attackers are finding new ways to also bypass MFA. In this article, we'll look at what MFA is, how attackers are getting around it, and how that impacts cybersecurity.

MFA Reduces Vulnerability To Certain Types Of Cyber Attacks

MFA uses more than one step to verify a user. In a basic set-up, a security system will request a single credential to match with a user. Most traditionally, this looks like a password submitted with a user ID. However, anyone with the user ID and password can also access that account--and all the data within. Adding another authentication factor can mitigate that risk by verifying a user more thoroughly. For example, after using a password to log in, a bank account security system may ask for a code it texts the user or request one generated by an authentication app. Even if an attacker has the password, they don't have access to the user's phone, which blocks them from accessing the account. Another popular factor uses biometrics, like a fingerprint, to verify users.

image

image

Using MFA reduces the risk of a compromised account, especially when users don't follow secure practices like creating unique passwords for every account. Hackers can purchase lists of stolen passwords on the black market or acquire them from breaches of other organizations. When people reuse passwords across multiple platforms, it then increases the likelihood a hacker can gain unauthorized access to multiple accounts. This hacking technique, called credential stuffing, has up to a 2% success rate according to an article in the Harvard Business Review. With 1 million stolen passwords, an attacker could potentially compromise 20,000 accounts. MFA helps reduce this risk by requiring authentication beyond a single password--which attackers cannot get through credential stuffing alone. For this reason, MFA measures are increasingly common at many companies.

Cyber Attacks Are Evolving To Thwart MFA

Despite its effectivity, MFA can still be vulnerable. In 2018, US-based cyber security firm Mandiant Inc. demonstrated a process to bypass MFA. It released ReelPhish, a tool that allows someone to capture authentication information that includes MFA data.

Lack of awareness and poor security behaviors can undermine the additional protection that MFA provides. In May 2022, Cisco Systems Inc. disclosed that it was the victim of an attack. It determined that an employee was compromised after an attacker gained control of a personal Google account. The attacker used the credentials stored in that account to send a flood of push notifications to the employee, tricking them into accepting an MFA request. This method is called MFA fatigue.

Some criminal groups have even taken advantage of this by turning it into a business opportunity. The EvilProxy platform frames phishing as a service. It acts as a middleman between users and their intended internet destination. Much like ReelPhish, this allows EvilProxy to collect credentials and MFA data to take over the user's account. Users pay this professional-looking service upwards of $600 per month to bypass MFA-enabled accounts, some belonging to major brands like Apple Inc., Meta Platforms Inc., GoDaddy Inc., GitHub Inc., and Alphabet Inc.

EvilProxy not only enables MFA bypass of certain major brands, but it also targets developer sites such as Github and PyPI. When accounts on these platforms are compromised, attackers can potentially introduce malicious code into trusted software without anyone's knowledge. The developer sites unintentionally become distributors of malware, highlighting a type of third-party risk. In August 2022, PyPI, a well-known repository for Python software, announced that hackers were attempting to compromise developer accounts through phishing attacks. According to security firm Resecurity, it is possible that these attacks were using EvilProxy.

Bolstering Cyber Defenses With Awareness And Education

Although MFA is incredibly effective at minimizing risks associated with passwords, organizations need to acknowledge it's not invincible. Security controls should include layers of protection beyond MFA in case an attacker bypasses it. Organizations can take steps to investigate a brand-new device being used from unexpected locations, such as during the Cisco attack, when hackers added new devices under the compromised account. Groups can also weed out devices that do not meet their basic security requirements, leaving only valid, authorized technologies connected to their networks. Implementing network segmentation can reduce an attacker's ability to move around the network easily. Companies should also adequately log suspicious events, so that they can be fully investigated.

Lastly, companies should highlight these types of attacks to employees, preparing them to keep secure habits and avoid attacks such as MFA fatigue. Only with proper education can employees know to react to unexpected MFA requests or to scrutinize phone calls from unverified personnel who may be phishing for information. Employees should also understand what steps to take if they are a target of any such attacks.

Cyber Risk Management Can Impact Credit--Especially When It Falls Short

By itself, the presence or absence of MFA is unlikely to have credit rating implications. However, a lack of MFA can indicate potential deficiencies in an entity's operational risk management practices. Wider risk mismanagement can impact our assessment of governance practices and ultimately lower ratings.

We expect entities with robust operational risk management practices will continue to develop their controls and defenses as threats evolve to find new ways to bypass existing controls like MFA. We view this continuous improvement approach to cybersecurity as important for stable credit ratings, as it has implications for an entity's risk management practices and competitive position within a sector.

Related Research

S&P Global Ratings research
Other research
  • EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web, Resecurity, Sep. 5, 2022
  • Cisco Talos Shares Insights Related To Recent Cyber Attack On Cisco, Talos Intelligence, Aug. 10, 2022
  • One Simple Action You Can Take To Prevent 99.9 Percent Of Attacks On Your Accounts, Microsoft Security, Aug. 20, 2019
  • ReelPhish: A Real-Time Two-Factor Phishing Tool, Mandiant, Feb. 7, 2018
  • You Can't Secure 100% Of Your Data 100% Of The Time, Harvard Business Review, Dec. 4, 2017

This report does not constitute a rating action.

Primary Credit Analyst:Paul Alvarez, Washington D.C. +1 2023832104;
paul.alvarez@spglobal.com
Secondary Contacts:Maria Mercedes M Cangueiro, Buenos Aires + 54 11 4891 2149;
maria.cangueiro@spglobal.com
Charlie Cowcher, CFA, London + 61 3 9631 2009;
Charlie.Cowcher@spglobal.com
Tiffany Tribbitt, New York + 1 (212) 438 8218;
Tiffany.Tribbitt@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in