A security researcher has revealed the details and mechanisms of a technique to circumvent multi-factor authentication on some banking and other web applications. The attack depends on the fallback to a secret-question type of authentication when no cookie or token is available for the user. The researcher has demonstrated using the technique to perform successful phishing attacks against some systems.
The attack leans heavily on the fallback mechanism that many organizations have put in place to allow customers to skip multi-factor mechanisms and resort to a single secret question, though it could also be used against sites that fall back to passwords or other single-factor mechanisms. If your organization uses fallback access tools that are only single factor, this could be a serious risk to you.
The fact that the attack technique was made public means that copycats and attack evolutions are very likely. Certainly, we will see yet another rise in probes and scans of authentication fallback mechanisms and web applications. The resources required to perform the attack vary little from traditional phishing, and any development required to code the proxy mechanisms is likely to happen fairly quickly.
Organizations should carefully inspect their authentication mechanisms and configurations and should consider eliminating single-factor fallback if that is an option.
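To make the inspection concrete, the following is an added example (not code from the article or from any of the systems it describes) that models the decision a login flow makes about which factors to require. The weak policy mirrors the fallback the article warns about: when no device cookie or token is present, the site accepts a single secret-question answer in place of the second factor. The hardened policy treats a missing cookie as an unrecognized device and never lowers the bar below two distinct factor classes, using the secret question only as an addition. The factor names, the `LoginContext` shape and the `audit` helper are constructed for illustration.

```python
"""Model of the authentication-step decision behind the fallback weakness.

Weak policy: no device cookie -> secret question alone (single factor).
Hardened policy: no device cookie -> password + possession factor, with the
secret question as an extra gate rather than a substitute.
All names here are constructed for illustration, not a real site's config.
"""
from dataclasses import dataclass

# Constructed factor labels grouped by authentication class.
KNOWLEDGE = {"password", "secret_question"}   # something you know
POSSESSION = {"otp", "push", "webauthn"}       # something you have


@dataclass(frozen=True)
class LoginContext:
    """Whether the browser presented a remembered-device cookie or token."""
    has_device_cookie: bool


def distinct_factor_classes(factors):
    """Return the set of factor classes covered by the given factor labels."""
    classes = set()
    if factors & KNOWLEDGE:
        classes.add("knowledge")
    if factors & POSSESSION:
        classes.add("possession")
    return classes


def is_single_factor(required):
    """True when every required factor falls into one class (or none)."""
    return len(distinct_factor_classes(required)) < 2


def weak_required_factors(ctx):
    """Fallback policy the article describes: missing cookie drops to one factor."""
    if ctx.has_device_cookie:
        return {"password", "otp"}
    # Weakness: an unrecognized device is asked only a secret question.
    return {"secret_question"}


def hardened_required_factors(ctx):
    """Unrecognized devices keep both factor classes; secret question only adds."""
    if ctx.has_device_cookie:
        return {"password", "otp"}
    return {"password", "otp", "secret_question"}


def audit(policy):
    """List the contexts under which a policy accepts a single factor class.

    An empty list means the policy never degrades to single-factor access.
    """
    findings = []
    for cookie_present in (True, False):
        required = policy(LoginContext(has_device_cookie=cookie_present))
        if is_single_factor(required):
            label = "cookie present" if cookie_present else "no cookie"
            findings.append((label, sorted(required)))
    return findings


if __name__ == "__main__":
    print("weak policy findings:    ", audit(weak_required_factors))
    print("hardened policy findings:", audit(hardened_required_factors))
```

Running `audit` over each branch of a real policy is the review the article recommends: any context that resolves to a single factor class is a fallback path worth removing or upgrading.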
You can read more about the researcher, the attack and the mechanisms used here.