Does “typical MFA” protect against viruses, trojans, worms?
My answer is no.
First, some definitions:
Typical MFA: This is what most banks and credit unions have done in response to the FFIEC mandate. Basically a combination of:
- some kind of device ID (based on signatures built from browser information and cookies)
- some additional challenge questions
- showing the user something they should recognize (like a picture or a piece of text)
Viruses, Trojans, Worms: All of these different types of nasties have one main thing in common: the end result is nasty code running loose on your machine. The differences between viruses, trojans and worms have mostly to do with delivery, which is an interesting discussion but not particularly relevant to this topic.
So here is why my (actually the) answer is no. Basically, any form of authentication that does not include some out-of-band data (like a hardware token, an SMS message, or a phone call) is susceptible to nasty code on the endpoint machine, because the nasty code can always intercept, capture, or reverse engineer whatever security trick is used.
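To make that argument concrete, here is a toy model (an added example, not code from the original post) of a server that runs the "typical MFA" checks beside one that checks an out-of-band one-time code. Everything the endpoint holds is collected into one dictionary, standing in for what code running on that machine can read; the server record, the cookie and fingerprint values, the challenge answers and the phone secret are all constructed for the example. The point it shows is the one above: the checks whose inputs live on the endpoint pass when fed nothing but endpoint data, while the out-of-band secret is simply not there to be read, and a code that has already been used is refused.

```python
"""Toy model of the argument above. Added example, not code from the original
post. Every factor that lives on the endpoint (device fingerprint, remember-me
cookie, challenge answers, the site image) is readable by code running on that
endpoint and can therefore be replayed to the server; a factor that lives on a
separate device never touches the endpoint, so reading the endpoint yields
nothing to replay. All names and values are constructed."""
import hashlib
import hmac
import struct


def fingerprint_hash(fp: dict) -> str:
    """Canonicalise a device fingerprint (stand-in for the '58 characteristics')."""
    canon = "|".join(f"{k}={fp[k]}" for k in sorted(fp))
    return hashlib.sha256(canon.encode()).hexdigest()


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP, six digits; stands in for a code generated on a separate device."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


# Constructed sample: what the user's PC holds, i.e. everything code on it can read.
ENDPOINT_STATE = {
    "fingerprint": {"ua": "Mozilla/5.0 (constructed)", "screen": "1280x800",
                    "tz": "-0600", "plugins": "flash,java"},
    "cookies": {"mfa_remember": "constructed-remember-me-cookie"},
    "observed_input": {"first pet": "rover", "favourite colour": "blue"},
    "rendered_page": {"site_image": "sailboat.png"},
}

# Constructed sample: the server's record for the same user. The out-of-band
# secret is shared only with the user's phone and is deliberately absent from
# ENDPOINT_STATE.
SERVER_RECORD = {
    "fingerprint_hash": fingerprint_hash(ENDPOINT_STATE["fingerprint"]),
    "remember_cookie": "constructed-remember-me-cookie",
    "challenge_answers": {"first pet": "rover", "favourite colour": "blue"},
    "oob_secret": b"constructed-secret-held-on-the-phone",
    "oob_counter": 0,
}
PHONE_SECRET = SERVER_RECORD["oob_secret"]  # the phone's copy of the shared secret


def typical_mfa(server: dict, fingerprint: dict, cookie, answers: dict) -> bool:
    """Server-side check modelled on the 'typical MFA' described in the post:
    device signature, then either a remember-me cookie or challenge questions."""
    if fingerprint_hash(fingerprint) != server["fingerprint_hash"]:
        return False
    if cookie is not None and hmac.compare_digest(cookie, server["remember_cookie"]):
        return True
    return answers == server["challenge_answers"]


def out_of_band_mfa(server: dict, code: str) -> bool:
    """Server-side check of a one-time code from the separate device."""
    expected = hotp(server["oob_secret"], server["oob_counter"])
    if hmac.compare_digest(expected, code):
        server["oob_counter"] += 1  # a code is accepted at most once
        return True
    return False


def endpoint_contains(endpoint: dict, secret: bytes) -> bool:
    """Does any value readable on the endpoint contain the out-of-band secret?"""
    return secret.decode() in repr(endpoint)


def replay_experiment(server: dict, endpoint: dict) -> dict:
    """Feed the server checks nothing but what is readable on the endpoint."""
    fp = endpoint["fingerprint"]
    cookie = endpoint["cookies"]["mfa_remember"]
    answers = endpoint["observed_input"]
    phone_code = hotp(PHONE_SECRET, server["oob_counter"])  # generated on the phone
    return {
        # device signature plus the cookie copied from the endpoint: passes
        "typical_with_cookie": typical_mfa(server, fp, cookie, answers),
        # cookie gone (the scenario from the post): answers seen on the endpoint still pass
        "typical_without_cookie": typical_mfa(server, fp, None, answers),
        # the out-of-band secret is simply not present on the endpoint
        "oob_secret_on_endpoint": endpoint_contains(endpoint, server["oob_secret"]),
        # the phone's code works once...
        "oob_first_use": out_of_band_mfa(server, phone_code),
        # ...and a copy of that same code, however obtained, is refused afterwards
        "oob_replay": out_of_band_mfa(server, phone_code),
    }


if __name__ == "__main__":
    for name, outcome in replay_experiment(SERVER_RECORD, ENDPOINT_STATE).items():
        print(f"{name:24s} {outcome}")
```

The model deliberately gives the endpoint view every field the server checks for the device-ID, cookie and challenge-question factors; the only thing it cannot produce is the secret that was never on the machine, which is exactly the property the post's "out-of-band" requirement buys.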
Examples:
- some MFA solutions make you click your password in with an on-screen keyboard (sometimes the keys even move around, oh ah)
  - set up a WebEx, invite someone to join and then log in to your online banking while they are watching; guess what, they just watched you click away and have your information
  - it’s pretty darn easy for a hacker to create a nasty that acts just like WebEx without you even knowing
- some MFA solutions have challenge questions
  - same WebEx example, so the hacker gets to learn your questions and answers
  - also, the hacker can delete the cookie on your machine that tells the MFA solution not to challenge this user/machine combination; that way the real user ends up being challenged every time he logs in, and guess what, the hacker now knows ALL the questions and answers
- some MFA solutions show you a picture and a text as a way to boost your confidence that you are at the real site
  - first off, most people don’t really get that, and if the hacker put up a page without the image and text, most users would never even notice
  - but let’s assume people do pay attention; with the WebEx example, the hacker can see your shiny little picture easily enough
  - more than that, the hacker can actually scrape the image directly out of the browser, so he even has a copy of the original picture, which gives him the ammo for one hell of a spear phishing site
- some MFA solutions use device signatures, and say things like “our device signature data is based on 58 different characteristics of the end user’s machine!”
  - this is all completely spoofable by a hacker; if he’s got code on your machine, he can discover all 58 of those factors and just do the same
- some MFA solutions use geolocation to locate the user who is logging in, and then disallow the login or throw up some additional challenges
  - geolocation data based on IP address is not that accurate, and completely spoofable to boot
  - and we already discussed how challenge questions do not cut it
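The cookie-deletion trick in the challenge-question example does leave a footprint on the server side: a user/device pair that the MFA solution previously remembered suddenly gets challenged on every login. The check below (an added example, not from the original post) scans authentication log lines for that pattern. The log format, the field names, the user and device IDs and the threshold are all constructed for the example; a real deployment would adapt the regex to its own logs.

```python
"""Added defensive check, not from the original post. A remember-me cookie that
keeps disappearing shows up server-side as a user/device pair that was once
remembered and is now challenged on login after login. This parses constructed
authentication log lines and flags such pairs for review."""
import re
from collections import defaultdict

# Constructed log format; field names are assumptions for this example.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"remembered=(?P<remembered>yes|no) challenged=(?P<challenged>yes|no) "
    r"result=(?P<result>\S+)$"
)

# Constructed sample: alice's device was remembered once and is then challenged on
# every later login; bob is challenged once on a new device and then remembered.
SAMPLE_LOG = """\
2011-03-01T09:00:00Z user=alice device=fp-a1 remembered=yes challenged=no result=ok
2011-03-02T09:05:00Z user=alice device=fp-a1 remembered=no challenged=yes result=ok
2011-03-03T09:02:00Z user=alice device=fp-a1 remembered=no challenged=yes result=ok
2011-03-04T09:07:00Z user=alice device=fp-a1 remembered=no challenged=yes result=ok
2011-03-01T10:00:00Z user=bob device=fp-b7 remembered=no challenged=yes result=ok
2011-03-02T10:03:00Z user=bob device=fp-b7 remembered=yes challenged=no result=ok
2011-03-03T10:01:00Z user=bob device=fp-b7 remembered=yes challenged=no result=ok
this line is malformed and is skipped
"""


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if match:
            yield match.groupdict()


def repeated_challenges(events, threshold: int = 3) -> dict:
    """Return {(user, device): streak} for pairs that were remembered at least once
    and have since been challenged on `threshold` or more consecutive successful
    logins. A remembered login resets the streak; failed logins are ignored."""
    seen_remembered = set()
    streak = defaultdict(int)
    for event in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        if event["result"] != "ok":
            continue
        key = (event["user"], event["device"])
        if event["remembered"] == "yes":
            seen_remembered.add(key)
            streak[key] = 0
        elif event["challenged"] == "yes" and key in seen_remembered:
            streak[key] += 1
    return {key: n for key, n in streak.items() if n >= threshold}


if __name__ == "__main__":
    for (user, device), n in repeated_challenges(parse_log(SAMPLE_LOG)).items():
        print(f"review: {user} on {device} challenged {n} logins in a row after being remembered")
```

The streak only starts counting once the pair has been remembered, so a new device that is challenged on first sight (bob) is not flagged. A user who routinely clears cookies or uses private browsing produces the same streak, so this is a signal for review rather than an automatic block.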
So has this MFA exercise been just a big farce? Not completely; at the end of the day, it did put up some additional roadblocks for the hackers and bad guys. But they were no more than roadblocks; a determined hacker can still get you, especially when the scenario involves an infected machine.