Guest Column | May 6, 2016

Two Factor Hack – Why Your Clients Might Not Be As Safe As You Think They Are

Ken Rode, Director of IT Services, UNAPEN Inc., ASCII member since 2014

Two factor authentication (2fa) is available with many Internet sites and services (though you may need to manually choose to use it) and it can greatly increase the security of your clients’ accounts. Rather than simply relying on a static username and password, 2fa introduces a second authentication entry such as a one-time password sent via text to a cell phone, an ever-changing code entered from a physical token or token app on a smartphone, or a one-time password sent to an email address. Of these three options, one is less secure and may even equate to a completely false sense of security.

We have a client that uses a remote access utility to connect to their work PCs from home and other locations. This client is security focused and uses 2fa to protect this service. However, each employee is allowed to choose their preferred method of receiving the one-time password and many have chosen a personal email account to do so. Recently, this convenience revealed a significant weakness.

The first indication of a problem was people at the firm receiving email notifications from the remote access service that someone tried unsuccessfully to log onto their account. This is not the call you want to receive at 10 p.m. on a Friday night. Our investigation revealed successful access to one account from a European IP address and further investigation showed this account was using Gmail for the 2fa code.

While I am sure this could happen with any email service, in our experience, every third-party email service compromise we have investigated has been with Gmail. As we work with a lot of Financial Services firms, the typical hack we have seen is emails from one of their clients with a Gmail account asking for suspicious money transfers. Fortunately, each one was stopped before the money was moved but some got pretty close and these firms no longer accept transaction requests via email.

To be fair, Gmail does offer 2fa for email accounts. However, as control of this is outside our reach as an MSP, we can’t rely on it being active. That leaves us with the stance that empirically Gmail accounts are vulnerable and, theoretically, so are all the others. As these public services operate completely outside the control of you or your clients’ IT department, there is no way to ensure security or monitor access attempts. Further, the goal of these services is to provide cheap, accessible email access to millions, not to ensure that access is secure. Consequently, they should not be used for 2fa.

Once the Gmail account was compromised, the attacker was able to determine the remote access tool in use and log onto the account using the 2fa code that was sent to the Gmail account. We later determined this was due to the user setting the same password for both services. They also decided to try accessing other remote access accounts from the same firm and triggered alerts at that point when they were unsuccessful. Fortunately, logging into the remote access account did not give the attacker access to the PC as it was logged off and used a different password.

So, what have we learned?

  1. Public email accounts (particularly Gmail) are a very bad choice for receiving 2fa codes. We have simply seen too many accounts compromised in recent years and this leads us to believe they can in no way be considered secure.
  2. If possible, use a token (physical or smartphone app) or a text message for 2fa. While tokens are an added cost, text messaging is the same as email to the 2fa service. Clients simply need to be convinced that the added security is more important than being able to cut and paste the code.
  3. While we don’t have control over what clients do, we need to continue to impress on them to always use different passwords for different services. That way if one is hacked, the attacker doesn’t automatically have access to others.
  4. Another item to impress on users whenever you can — use complex passwords. Also, be sure they understand this doesn’t mean you need to use a string of 17 random characters. Most services allow very long passwords these days, so you do not need to use password123 to make it easy to remember. Use a sentence with punctuation, spaces and other characters… “Sentences are good!” Not making everything an English word can also increase security while not increasing difficulty that much: “I LV lkChamplain in the 5ummer!” If you need to remember a specific password for a particular service, try something like “RemoteXS W!nter 2016!”. Whatever you do, they need to use something other than a dictionary word only slightly modified, even if that meets the minimum requirements, e.g. “Password#1”.
    I know password selection is mostly out of our control but, it doesn’t hurt to send out regular reminders on how to pick good ones.
  5. PCs must be logged off or locked when not in use, particularly if any method of remote access is enabled. This provides a secondary block to an attacker that could be your savior. This is also something you can monitor, control, and automatically remind users about from within your RMM. We run an agent procedure daily that pops up a reminder on the screen for anyone who hasn’t logged off by 2 a.m. Some people still ignore it, but many have started complying and at least it shows we are doing our part to better secure their systems.
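As an added example (not code from the column or from UNAPEN), the following Python script performs the two checks the incident and lessons 1 and 2 call for: it audits which users have their 2fa code delivered to a public webmail address, and it flags a source address that, as in the incident above, logged into one account from outside the expected country and then failed against several other accounts at the firm. The user roster, the log line format, the IP addresses and the webmail domain list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed list of public webmail domains (extend for your client base).
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Constructed roster: how each user receives the 2fa code for the remote access tool.
TWO_FA_SETTINGS = {
    "alice": "token",
    "bob": "email:bob.home@gmail.com",
    "carol": "sms:+15555550123",
    "dave": "email:dave@examplefirm.com",   # firm-controlled mail domain, not public
}

# Constructed remote-access audit log in a made-up format (not a real product's log).
AUTH_LOG = """\
2016-04-29 21:48:02 user=bob result=success src=203.0.113.7 country=DE
2016-04-29 21:51:10 user=alice result=failure src=203.0.113.7 country=DE
2016-04-29 21:51:44 user=carol result=failure src=203.0.113.7 country=DE
2016-04-29 21:52:05 user=dave result=failure src=203.0.113.7 country=DE
2016-04-29 22:03:19 user=alice result=success src=198.51.100.4 country=US
"""

LINE_RE = re.compile(r"user=(\S+) result=(success|failure) src=(\S+) country=(\S+)")

def audit_delivery(settings):
    """Return users whose 2fa code goes to a public webmail account (lesson 1)."""
    flagged = []
    for user, method in settings.items():
        if method.startswith("email:"):
            domain = method.split("@", 1)[1].lower()
            if domain in PUBLIC_WEBMAIL:
                flagged.append(user)
    return sorted(flagged)

def detect_spray(log_text, expected_country="US", min_failures=2):
    """Map src IP -> (users logged in, other users failed) for sources outside
    the expected country that succeeded once and then failed on other accounts."""
    per_src = defaultdict(lambda: {"success": set(), "failure": set(), "country": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        user, result, src, country = m.groups()
        per_src[src][result].add(user)
        per_src[src]["country"] = country
    alerts = {}
    for src, e in per_src.items():
        others = e["failure"] - e["success"]
        if e["country"] != expected_country and e["success"] and len(others) >= min_failures:
            alerts[src] = (sorted(e["success"]), sorted(others))
    return alerts
```

Run the audit before an incident and the detection over the remote access tool's export afterwards; a hit in both for the same user is exactly the pattern described above.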

Two-factor authentication can provide a huge increase in security when compared to a simple username and password. However, if the implementation lets the compromise of one service expose both the password and the 2fa code, there is no benefit. By following the guidelines listed above, you can ensure you are doing everything you can to protect your own and your clients’ personal and professional data.