Multifactor authentication (MFA) is a great way to prevent threat actors from using stolen credentials to access your network. But with remote work becoming the norm and the attack surface widening with more apps, devices and systems connecting than ever before, threat actors are working overtime to beat MFA. Cookie hijacking in particular is a problem. We sat down with an expert to talk about what to do about it.
The Basics of Cookie Hijacking
One MFA attack is ‘pass the cookie,’ which allows threat actors to hijack browser cookies to authenticate as another user in a completely different browser session on another system, bypassing MFA checkpoints along the way. Cookies are powerful, and in some cases, more so than passwords. With the right cookies, attackers can gain unlimited access to resources. If you’re a victim of cookie hijacking, MFA won’t help you.
While deploying MFA in your organization is always better than not using it, it’s critical to understand that it’s not foolproof. Far too often, people get complacent and become lulled into a false sense of security.
To get the most out of MFA, the more you know, the better. This article will answer these key questions:
- How simple is it to bypass MFA?
- How do the popular ‘pass the cookie’ and other cookie hijacking attacks work?
- What security risks are associated with cookies?
- How can the risk be reduced?
How MFA Cybersecurity Works
Roger Grimes, defense evangelist for KnowBe4 and author of “Hacking Multifactor Authentication,” says that while MFA reduces security risk, most attacks that could succeed against single-factor authentication are also useful against MFA solutions.
“There are over a dozen ways to attack different MFA solutions,” he says.
Grimes explained that MFA’s vulnerability comes down to the way it was designed. He points to SIM swapping as an example. In this attack, threat actors duplicate the subscriber identification module (SIM) card on the victim’s phone to take over the person’s calls and messages.
“You can’t stop MFA that relies upon [text] messaging to verify your identity,” he says. “With SIM swapping, I can claim to be anybody. It’s not necessarily such a bad design decision. Everything is hackable, and MFA is no different.”
After speaking with numerous end-users and even computer security professionals, Grimes is concerned that too many people believe that they’re far less likely to be phished because they’re using MFA.
“In about ninety percent of MFA cases, I can send you an email or regular phishing email that gets right around your MFA — like it wasn’t even there,” says Grimes. “Not all types of MFA, but most of them. And, it’s dangerous. That’s how dollars get stolen, because people thought they were safer and couldn’t get hacked.”
Your employees may have the most secure passwords and might possess enough awareness to use different passwords for different websites, applications and resources. Their awareness may even prevent them from divulging their passwords over the phone or email. But if you’re using MFA, all that effort may be squandered if they fall for a convincing phish that leads to a cookie hijacking job.
How Cookie Hijacking Attacks Work
Pass the cookie attacks might sound new to you, but according to Grimes, these types of attacks have been around for decades. Grimes first wrote about cookie hijacking in 1989, when Bancos Trojans were wreaking havoc for banks in Brazil and South America.
Modern MFA attacks work exactly the same way: these malware programs wait for you to log on to a website, steal your session cookie and send it to the attacker.
The Legacy of Firesheep
Remember Firesheep? Back in 2010, a coder named Eric Butler released a Firefox extension that sniffed the session cookies of popular websites out of the traffic of other users on the same Wi-Fi hotspot. This cookie hijacking extension was created to shine a light on the weak security measures of popular websites at the time.
Firesheep exposed the risk of websites that encrypted only the login and then sent the session cookie in the clear. Anyone on the same Wi-Fi hotspot who captured that cookie could essentially ‘be’ you.
“With just this plug-in, you could walk into any coffee shop, click a button and take over the browser session by stealing cookies,” says Grimes. “Firesheep just automated it and made it so easy. There’s hundreds of hacking tools that do it.”
Like most successful phishing attacks, pass the cookie attacks are initiated by someone clicking on a link to a fake website.
Here’s how it works in a nutshell:
- The attacker sends the victim a link to a fake login page
- The victim falls for it
- The victim clicks the link and logs in to the fake website, and the attacker steals the cookie
‘Like Stealing Your Driver’s License’
It depends on the service, but at that point, Grimes says, it’s called a session cookie, and at the very least it’s good for the session. And that session could be days or months.
“Once they have your session cookie, they’ll log in, change your password… and with automation, it happens in seconds,” he says. “As soon as I get your cookie, I put that cookie in my browser, refresh my browser, I am you, and immediately change your password. Once I change your password, I’m going to be able to do anything.”
The fake website acts as a proxy, capturing anything the victim types in. In a typical cookie hijacking or other phishing attack, the website address will contain a slight misspelling, which will trick anyone not paying attention. For example, if an attacker wanted your LinkedIn credentials, they might direct you to ‘linkediin’ or something similar.
“That session cookie is like your driver’s license,” says Grimes. “Once somebody has that, they are essentially you for that session. Literally millions of accounts have been stolen this way for decades — in what is a variation of the man in the middle attack.”
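The Firesheep section above describes cookies that were sent without transport protection, and the section just above describes session cookies that stay valid for days or months. A defender's first check is whether the application's own Set-Cookie headers carry the attributes that limit both problems. The following auditor is an added example and not code from the article or from KnowBe4; the Set-Cookie header samples and the one-day lifetime limit are constructed for illustration.

```python
"""Audit Set-Cookie headers for the weaknesses that make cookie hijacking easy.

Added example, not from the article: checks that a session cookie carries the
Secure, HttpOnly and SameSite attributes and does not live for "days or
months". The header samples below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample headers: one hardened, one Firesheep-era (no Secure flag,
# so it rides along on plaintext HTTP), one that persists for 90 days.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "sessionid=abc123; Path=/",
    "auth=tok; Secure; HttpOnly; Max-Age=7776000",
]

MAX_SESSION_SECONDS = 24 * 3600  # assumption: one day is the longest session we tolerate


@dataclass
class CookieAudit:
    name: str
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str):
    """Return (name, value, {attribute_lowercase: value_or_None}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str, max_age_limit: int = MAX_SESSION_SECONDS) -> CookieAudit:
    """Flag the attributes whose absence lets a sniffed or scripted-out cookie be replayed."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name=name)
    if "secure" not in attrs:
        audit.findings.append("missing Secure: cookie is sent over plaintext HTTP and can be sniffed")
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: injected script can read the cookie")
    samesite = attrs.get("samesite")
    if samesite is None or samesite.lower() == "none":
        audit.findings.append("SameSite missing or None: cookie is attached to cross-site requests")
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            seconds = int(max_age)
        except ValueError:
            audit.findings.append("Max-Age is not an integer")
        else:
            if seconds > max_age_limit:
                audit.findings.append(
                    f"Max-Age {seconds}s exceeds limit {max_age_limit}s: a stolen cookie stays valid too long"
                )
    if "expires" in attrs and max_age is None:
        audit.findings.append("Expires without Max-Age: check that the expiry is short")
    return audit


def audit_all(headers):
    """Audit every header in the list and return one CookieAudit per header."""
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        status = "OK  " if result.ok else "WEAK"
        print(f"{status} {result.name}")
        for finding in result.findings:
            print(f"      - {finding}")
```

Run it against the real headers your application emits (a browser's developer tools or a `curl -I` capture will show them); the point is that a cookie without Secure is exactly what Firesheep harvested, and a multi-month Max-Age is what turns a one-time theft into a long-lived impersonation.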
The worst possible scenario for the victim of cookie hijacking plays out when the attacker uses MFA against them by enabling MFA once they have the victim’s password. If this happens, the victim can never get their accounts back.
More MFA, More Cookie Hijacking?
Interestingly enough, as more companies embrace MFA, it doesn’t necessarily improve a business’ overall security posture. According to Grimes, as MFA becomes more prevalent, we’re only going to see more attacks like cookie hijacking.
“I have friends in the banking industry that tell me that they actually see more successful attacks after they went from logging you in with a password to MFA,” he says. “For six months, they hardly had any attacks. Then the attackers figured out the type of MFA they deployed and now they’re using it against them.”
Grimes estimates that if every company in the world were to move to MFA, we would probably still see 60-80% of the same attacks.
That said, MFA does cut down on a lot of attacks. But if your employees still click on those same fake emails, what have you gained?
“I don’t mean to say that MFA isn’t good; MFA is good,” Grimes says. “It does reduce risk, in some cases significantly.”
But just because you’re using MFA, you can’t forget that threat actors can be competent, too.
Strategies for Defending Against Cookie Hijacking
While Grimes says there are many methods to combat MFA and cookie hijacking attacks like pass the cookie, his number-one piece of advice is to ensure everyone across the enterprise is educated about the risks. For the IT or security team, that means making sure that whichever MFA solution is used, they identify what the common attack methods are.
“There’s different attack methods that apply to the solution you’re using,” he says, adding that different attacks exist against Google Authenticator, FIDO (referring to the Fast Identity Online standard) or Titan keys. “Once you choose a particular solution, educate the administrators and deployers.”
For the end-users, Grimes advises they should be made aware that they could still be sent a fake link that tricks them into logging into a fake website — which gets around your MFA. End users should be confident they’re logging into the real website they’re expecting to access.
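The defensive advice above is about awareness, but the server side can also notice when a session cookie is being replayed: the same cookie presented from a different network and browser than the one that logged in is the signature of a passed cookie, and Grimes' "immediately change your password" step can be blunted by requiring a fresh MFA check before sensitive actions. The policy below is an added example, not code from the article or from KnowBe4; the session store, the request log, the /24 coarsening and the five-minute step-up window are all constructed assumptions.

```python
"""Detect session-cookie reuse from a different client context.

Added example, not the article's or KnowBe4's code: a minimal session store
that records the client that logged in and flags a later request presenting
the same cookie from another IP range or browser. Sensitive actions also
require a recent MFA check. All sessions and requests below are constructed.
"""
import ipaddress
from dataclasses import dataclass

STEP_UP_WINDOW = 300  # assumption: MFA must be fresher than 5 minutes for sensitive actions
SENSITIVE_ACTIONS = {"change_password", "enroll_mfa", "add_recovery_email"}


@dataclass
class Session:
    user: str
    network: ipaddress.IPv4Network  # the /24 the session was created from
    user_agent: str
    mfa_verified_at: float


def client_network(ip: str) -> ipaddress.IPv4Network:
    """Coarsen to /24 so an ordinary DHCP lease change does not trip the check."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def evaluate_request(session: Session, ip: str, user_agent: str, action: str, now: float) -> str:
    """Return 'allow', 'reauth' (require fresh MFA) or 'revoke' (kill the session)."""
    if client_network(ip) != session.network or user_agent != session.user_agent:
        # Same cookie, different client: treat it as hijacked and invalidate the session.
        return "revoke"
    if action in SENSITIVE_ACTIONS and now - session.mfa_verified_at > STEP_UP_WINDOW:
        return "reauth"
    return "allow"


# Constructed session created at login from a corporate /24 with Firefox.
T0 = 1_700_000_000.0
SESSIONS = {
    "abc123": Session("alice", client_network("203.0.113.10"), "Firefox/120", T0),
}

# Constructed request log: (cookie, source IP, user agent, action, timestamp).
REQUEST_LOG = [
    ("abc123", "203.0.113.12", "Firefox/120", "view_inbox", T0 + 60),
    ("abc123", "203.0.113.12", "Firefox/120", "change_password", T0 + 120),
    ("abc123", "203.0.113.12", "Firefox/120", "change_password", T0 + 900),
    ("abc123", "198.51.100.7", "Chrome/119", "change_password", T0 + 930),
]


def run_log(log=REQUEST_LOG, sessions=SESSIONS):
    """Apply the policy to each request; a revoked cookie is dropped from the store."""
    decisions = []
    store = dict(sessions)
    for cookie, ip, ua, action, ts in log:
        session = store.get(cookie)
        if session is None:
            decisions.append("revoke")  # unknown or already-revoked cookie
            continue
        verdict = evaluate_request(session, ip, ua, action, ts)
        if verdict == "revoke":
            del store[cookie]
        decisions.append(verdict)
    return decisions


if __name__ == "__main__":
    for (cookie, ip, ua, action, ts), verdict in zip(REQUEST_LOG, run_log()):
        print(f"{verdict:6} {cookie} {ip:14} {ua:12} {action}")
```

The first two requests come from the login network and browser, so they are allowed (the password change is within the MFA freshness window); the third is the same client but past the window, so it is sent back through MFA; the fourth presents the cookie from a different network and browser and is revoked outright. A real deployment would log the revocation with the user and both client contexts so the security team can see the pass-the-cookie attempt.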
What Kind of MFA?
Step No. 2 on Grimes’ risk mitigation priority list is to avoid using the weaker forms of MFA. That means methods like text-based authentication and voice calling are too weak to rely upon today.
“I like FIDO,” he says. “Even though you can hack it, it’s less hackable, especially the FIDO2 solution.”
MFA solutions with push-based notifications and time-based one-time password solutions — if they use open standards — are more secure.
If possible, try to avoid single-factor biometrics. Instead, it should always be two-factor. There are a lot of single-factor solutions out there, Grimes says, like FIDO keys that just plug into a USB port and authenticate when you push a button.
“What that means is, if you lose that key, whoever finds it can become you,” he warns. “You’re better off than with a password because someone can’t email you and trick you out of your token. But people lose tokens all the time.”
Biometrics and MFA
Next, if you’re using biometrics, Grimes insists upon two-factor authentication to limit the damage of cookie hijacking. In addition, the biometric credentials need to be protected in such a way that if the biometric database gets stolen, the credentials aren’t compromised. To do that, you should be using fingerprint hashes versus actual fingerprints.
Finally, if an MFA solution uses proprietary cryptography, Grimes strongly advises against its use.
“Encryption is very hard to do,” he says. “There’s plenty of good open standards out there. Use them. There has never been a case where proprietary MFA encryption turned out to be good.”
Balancing Risks and Benefits of MFA
Circling back to the importance of education, like anything in cybersecurity, awareness within the entire enterprise is critical. Integrating MFA threat awareness into your security awareness program and sharing the information with employees and management might be the best defense against cookie hijacking yet.
Despite the misgivings you may come away with about MFA, Grimes has made it clear that any business, whether it’s small, medium or enterprise, should avoid the risk of not having MFA, too. However, we cannot be complacent in thinking that MFA is the solution to all of our security problems. If MFA is deployed, managed, and supported properly, and the risks of its use are well-integrated into your security awareness program, it can help you succeed.