How cybercriminals exploit MFA reset prompts
culture
Inclusion and Diversity
Corporate Social Responsibility
Team BRIT
Environmental, Social & Governance
Insurance
accident and health
casualty
public and products liability
employers liability
environmental liability
contingency
event cancellation
non appearance
film
prize indemnity
cyber
cpr
xdr
bcap industrial
xdr pro tech
first50
cyber claims
delegated authority
commercial property
flood
financial property
homeowners
small commercial general liability
directors & officers
energy
e-trading
financial institutions
fine art and specie
healthcare liability
marine
cargo
hull and marine war
keel
marine and energy liability
political risk trade credit
political violence / terrorism
political violence/london
private client
home
motor
travel
professional liability
small north american liabilty
north american professional liability london
programs
property
north american open market property
international property
uk property
transportation
Reinsurance
casualty treaty
international casualty treaty/london
north america casualty treaty/london
property treaty
property treaty
property treaty bermuda
Claims
Claims Philosophy
Claims Innovation
Cyber Claims
industries
aerospace
aquaculture, equine and livestock
architects and engineers
commercial
construction
consumer goods
education
energy
events & entertainment
farming and agriculture
financial services
healthcare
municipalities
personal lines
professional services
real estate
religious and not-for-profit
retail
technology
transportation
utilities and industrial
careers
Why join Brit?
Why work in Insurance?
our business areas - speaking for ourselves
business area - actuarial
business area - claims
business area - finance
business area - internal audit
business area - operations
business area - risk
news
Brit Group
Brit Global specialty
Brit Global Specialty Bermuda
Brit Re
Camargue
Ki
financials and governance
Financials
Governance
executive & board
Risk
History of Brit
Working with FinTechs and InsurTechs
Fair Value Assessments
brokers and coverholders
leadership
innovation
contact
Complaints
Privacy Notice
Modern Slavery
Terms and Conditions
The latest from Brit

Financials

Results for the year ended 31 December 2023

find out more

news

find out more
Cyberpam Header

news

A MFA (Multi-Factor Authentication) reset attack is where a threat actor manipulates one of a few factors used to authenticate to a network. As a reminder, the strongest form of MFA is made up of the items below:

  • Something a person has: a security token, a card, a key, a mobile device with an authenticator application, a mobile device which receives an 'SMS OTP’ (one time password)
  • Something a person knows: a PIN or password
  • Something a person is: biometric data such as a fingerprint or facial recognition
  • Somewhere a person is: a specific connection point or GPS location

You can find out more about MFA in our previous article here.

The attacks that we are seeing are taking advantage of the ‘something you have' category. There has been an uplift in these attacks in recent months, as threat actors try and breach the perimeter of networks posing as a user that is legitimately authenticating.

 

Attack Path 1

Service Desk Compromise – Social Engineering (most common)

  1. The threat actor calls the IT Service Desk of a business and uses information that’s in the public domain or has been leaked previously, to impersonate a legitimate employee
  2. They use the information to convince service desk staff to reset the MFA Factor of the impersonated employee.
  3. This could involve sending a new QR code to onboard the threat actor to an authenticator app (soft token)
  4. Or they may change the phone number to which the OTP (One time password) is sent, to the threat actors mobile number instead of the employee

Attack Path 1

Attack Path 2

Mobile Phone Carrier Compromise – Social Engineering

  1. This example is referred to as a ‘SIM swapping attack’
  2. The threat actor calls the mobile phone network of an individual and persuades them to port the number currently associated with the MFA to a new sim (impersonating someone changing networks)
  3. Information that’s in the public domain is used for this basic authentication e.g. pet’s name
  4. The OTPs are then sent to the threat actors phone as they have the number of the victim under their control and linked to their handset

Attack Path 2

Attack Path 3

Mobile Phone Carrier Compromise – Credential Stuffing

  1. Threat actor using credential stuffing (trying leaked passwords from other sites) to login to mobile phone network carrier website/mobile app
  2. Requests phone number to be ported to new sim

Then as above Attack Path 2

Attack Path 3

Actions a business might take to reduce the likelihood of an MFA reset attack

Reviewing what MFA factors are being used by the business is another good form of mitigation, given the above attacks on the SMS OTP, many businesses may want to consider moving away from SMS as a factor. 

Make sure the service desk team validate the identity of employees ahead of performing an MFA reset using thorough checks. If there is no service desk involved, an approval flow should be considered. Regular monitoring post MFA changes enables the organisation to spot unusual activity following an MFA reset.

During the MFA reset process, the service desk team should look out for signs of fraud, for example:

Toolbox

1. Different country code from the location in which employees are based.

2. Call coming from an employee outside of working hours

3. Employee is marked as being on leave

4. Where is the MFA prompt being accepted from? Is this a territory the business operates in?

Scope

5. Where is the incoming connection coming from for the connection?

Ensuring users are:

1. Encouraged to use a personal password manager would support these efforts.

2. Mindful of the personal information they share about themselves online, in public places and on unsecured networks.

Furthermore, using a corporate PAM (Privileged Access Management) tool for the governance of highly privileged accounts can help mitigate the risk of these accounts being compromised.

Find out more about PAM here

Whatever the type of company, we can offer an appropriate cyber insurance service

Our knowledge of the cyber risk landscape gives us a deeper understanding of the different types of cyber risk – whether it’s the physical damage exposure of a big industry or the high volume of patient records stored by a hospital.

Get in touch with our Cyber team to find out more.

Risk Versus Reward: Using AI In Business

22-05-2024 |Cyber
Read more

Ransomware negotiation: Don’t try this at home

18-03-2024 |Cyber
Read more

Brit launches Brit Cyber First50 to expedite placement of large cyber risks

13-03-2024 |Cyber
Read more

Addressing The Cyber Gap With SMEs

29-01-2024 |Cyber
Read more

Brit - NIS2: What does it mean for cyber security?

30-11-2023 |Cyber
Read more
London Footer White

A Fairfax Company

©2024 Brit Group Services. All rights reserved.

We Brit Insurance Services USA, Inc. d/b/a Brit Global Specialty USA, are a service company that is part of the Brit Global Specialty group of companies. We are regulated by state departments of insurance in our capacity as a Managing General Agent. We have authority to enter into contracts of insurance on behalf of the Lloyd’s underwriting members of Lloyd’s syndicates 2987 and 2988 which are managed by Brit Syndicates Limited. This material is intended to provide general information about Brit Insurance’s products and services. It is neither an offer to sell nor a solicitation to purchase any specific insurance product. Coverage may not be available in all US jurisdictions and are subject to legal and underwriting requirements. Any availability is on a surplus lines basis only through duly licensed producers. Inquiries about the products and services described herein should be directed to producers duly licensed in the relevant US jurisdiction.