Beating Clever Phishing Through Strong Authentication

Brett Winterford of Okta on How Strong Authenticators Can Beat Account Takeover
Successful account takeovers are one of the most common ways that organizations end up with attackers in their systems. Phishing remains an ever-present risk to employees, and some quite clever techniques are being used to get around multifactor authentication.
Strong authenticators can offer the best resistance against advanced phishing attacks, says Brett Winterford, regional chief security officer for APJ at Okta. For example, take session hijacking, a technique that involves stealing the session cookie of a logged-in user.
Most infostealer malware can steal session cookies, and capturing them is also the goal of many real-time phishing kits. Attackers lure victims into entering their login credentials on a legitimate-looking sign-in page, but the attackers control a proxy server that sits between the victim and the real service and relays everything the victim types, including any one-time code, to the genuine login. In this adversary-in-the-middle, or AITM, attack, the attackers collect the session cookie that the legitimate service returns after the successful login, which lets them access the account and get around MFA.
But a strong authenticator bound to a device and unlocked by, for example, a fingerprint can stop such an attack. The credential is scoped to the legitimate service's origin, so the browser will not produce a usable sign-in response for the proxy's look-alike domain, and there is no password or one-time code for the proxy to relay. Winterford says more than half of the phishing kits Okta proactively detects are this kind of AITM attack.
He says many organizations usually don't make changes to their authentication schemes, but they should in light of evolving attacks. Typically, organizations "only make a change when the alternative form of authentication is actually more convenient or because they've recently suffered a security incident," he says.
In this audio interview with Information Security Media Group, Winterford discusses:
- How advanced phishing kits are beating multifactor authentication;
- Why phishing-resistant authenticators offer better security;
- How strong authentication can be delivered without deploying physical security keys.
Winterford advises policymakers, business leaders and fellow security professionals on evolving threats and opportunities to improve their security posture. Prior to Okta, he held a senior leadership role at Symantec and led security management, research and education at Commonwealth Bank. He is best known for his work as a security journalist. In 2020, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the "Risky Business" podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly briefing of news that shapes cyber policy.