Mastodawn

This is a terrifying and sobering write-up by Retool on so many levels. It's about about a recent spear-phishing via SMS attack on employees, followed by voice phishing attack that deepfaked an employee's voice.

Retool said just one of its employees fell for it, which is of course all it takes. Here's the scary part:

"The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company. Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide the attacker one additional multi-factor authentication (MFA) code.

The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device. Google recently released the Google Authenticator synchronization feature that syncs MFA codes to the cloud. As Hacker News noted, this is highly insecure, since if your Google account is compromised, so now are your MFA codes.

Unfortunately Google employs dark patterns to convince you to sync your MFA codes to the cloud, and our employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”, instead there is just a “unlink Google account” option. In our corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync “feature”. We will get more into this later."

https://retool.com/blog/mfa-isnt-mfa/

When MFA isn't actually MFA

Due to a recent Google change, MFA isn't truly MFA.

Retool Blog

BrianKrebs Sep 15, 2023

Also this part: "The fact that access to a Google account immediately gave access to all MFA tokens held within that account is the major reason why the attacker was able to get into our internal systems."

Harris Lapiroff Sep 15, 2023

@briankrebs They kinda write off technical solutions in this post—and I certainly see their point that technology can't solve all security holes—but it feels like hardware tokens would have gone a long way toward preventing this particular attack, no?

BrianKrebs Sep 15, 2023

@harris I'm not certain, but yes I believe security keys probably would have stopped it.

William Johnston Sep 15, 2023

@briankrebs I'm starting to get the sense that we're in the beginning stages of conventional wisdom switching from "TOTP MFA makes you secure" to "TOTP MFA is too phishable, only use hardware keys and passkeys". It'll probably be another decade before it's mainstream (see SMS as a second factor), but maybe?

David Schuetz ** looking for work **Sep 15, 2023

@wjohnston @briankrebs Except that hardware keys can still be very cumbersome, so we'll see that shift into passkeys, which for portability, get support from password managers, which for simplicity, get integrated into your OS and other primary login systems, which just puts us back where we started.

William Johnston Sep 15, 2023

@darthnull @briankrebs I mostly agree… We finished switching my company of roughly 150 folks over to using Yubikeys for our core systems a few months ago. So in a business setting, it doesn't seem terribly bad (especially for the folks who can do more damage, like engineers). In general though, I think that moving to a single non-phishable (or at least quite difficult to phish) factor with passkeys will be far better than the current phishable password + phishable TOTP.

William Johnston Sep 15, 2023

@darthnull @briankrebs With all that said, my last assertion (single passkey factor is more secure than passwords plus totp) will probably be the center of the debate in the next decade, methinks.

David Schuetz ** looking for work **Sep 15, 2023

@wjohnston @briankrebs I think there still needs to be a second factor — a strong PIN on the key. Because (again, convenience) a lot of them will be the little nubs that barely stick out of the USB port, always installed. And easy to steal from a momentarily unattended laptop.

David Schuetz ** looking for work **Sep 15, 2023

@wjohnston But generally, yes, I’m excited to see where this sort of active cryptographic auth leads.

Zimmie Sep 15, 2023

@wjohnston @darthnull @briankrebs Anybody who disputes that misunderstands how digital authentication actually works. “Something you know” has never been meaningfully different from “something you have”.

TOTP is ultimately just another symmetric token, like having a second password. It’s a little better than a password in that the token isn’t sent to the authenticating entity in cleartext, but it’s still symmetric. Passkeys are asymmetric. Asymmetric tokens are objectively more secure for authentication, which is why we have had computers use them to authenticate to each other for decades.

Zimmie Sep 15, 2023

@darthnull @wjohnston @briankrebs Not really back where we started. Passkeys make it impossible for a breach of one authentication database to compromise the user elsewhere. The service only has your public key. That’s a big improvement even if absolutely nothing else changes.

Biggles Sep 15, 2023

@bob_zim @wjohnston @darthnull @briankrebs

This. Not having "we hacked the poorly protected site, grabbed the hashes, and immediately cracked the third of them with poorly chosen passwords that also happen to be shared with other sites" as a viable attack vector is huge. A good password manager and practice does the same, but that's also burdensome and intrusive, so a hard sell.

deefdragon Sep 15, 2023

@darthnull @wjohnston @briankrebs this same thing is why I hate that bitwarden has an integrated 2fa for each password. you can just... completely ignore the purpose of 2fa.

David Schuetz ** looking for work **Sep 15, 2023

@briankrebs This is why, even as Apple improves iCloud Keychain, I still advocate keeping passwords, MFA keys, etc., in a manager separate from your OS or primary cloud accounts (iCloud, Google, etc.).

Charlie Br0wnn Sep 15, 2023

@darthnull @briankrebs yep! Started using Proton Pass recently for this exact reason

@briankrebs The fact that Google Workspace admins can't even disable this feature at all is a huge issue. With customer accounts it seems like it was just poorly implemented, which is still a problem, but how they can possibly justify allowing this with no admin recourse on Workspace accounts is pretty flagrant IMO.

BrianKrebs Sep 15, 2023

And nail this to the door: "We oftentimes bias towards technological solutions because they’re easy to self-serve, but ultimately, anything that can be done by an employee can be socially engineered out of that employee too."

Todd Knarr Sep 15, 2023

@briankrebs I think nail it to the door in 6-foot-high flaming letters. Social engineering of this type has been the most-exploited attack vector since I've been working with computers, and I started when punch cards were a thing. We know how to solve the problem, but the minimum distrust required for it exceeds the maximum distrust the executives are willing to allow the targets to be trained to require.

BrianKrebs Sep 15, 2023

I think it's also important to point out that this attack is a good recent example of many in which the primary attack vector is contacting employees *directly* on their mobile devices. Sometimes, it's SMS. Sometimes it's a deepfaked voicemail. Or a deepfaked live call, as apparently was the case w/ Retool.

Gobs of even big companies still haven't internalized this reality or modeled how attackers might exploit it. Just ask Kroll.

https://krebsonsecurity.com/2023/08/kroll-employee-sim-swapped-for-crypto-investor-data/

But more and more attacks start w/ a medium that is mostly beyond the control of the employer (the employee's mobile device).

Kroll Employee SIM-Swapped for Crypto Investor Data – Krebs on Security

Daniel Schildt Sep 15, 2023

@briankrebs And it's even worse in countries where mobile devices are the primary/only devices people use for digital services. All the countries that started with mobile phones and mostly skipped the desktop/laptop devices. Only reason we haven't read more about those is because most of the tech media is focused on a rich countries.

Joe Sep 15, 2023

@briankrebs We aren't going to manage to get everyone to stop using SMS for password reset. So I think we need to get the mobile phone providers to do better. Suppose that before T Mobile or Verizon or whoever will permit a SIM swap, the registered owner of that number has to show up in person at a store, show an employee their ID, and sign to authorize it, and if the company gives someone else my phone number without going through this procedure they are liable for all resulting damages? Since everyone is treating phone number ownership as proof of identity, require proof of identity. That would require new legislation but it would be popular.

Wilfried Klaebe Sep 15, 2023

@not2b How would that work with eUICC?

Joe Sep 15, 2023

@wonka @briankrebs The problem to be prevented is someone switching SIMs as a way to steal your phone number away from you. As the valid owner you should be free to switch but you should need to prove you are who you say you are. I suppose alternatively someone could decline this protection, leaving themselves vulnerable to this kind of theft but free to switch with less hassle.

Phil Reitinger Sep 15, 2023

@briankrebs I love the use of the technical term “gobs” in this post.

Augusto Barros Sep 15, 2023

@briankrebs "more and more attacks start w/ a medium that is mostly beyond the control of the employer (the employee's mobile device)." - Strong reason for detection efforts to stop looking for initial compromise signs and focus on later tactics

LisPi Sep 16, 2023

@briankrebs I'm somewhat surprised that threat vector is novel for corporations.

Relatives being called by someone faking the voice of a loved one to extract money long predates deepfakes. One would've thought that same tactic would be used on corporations too.

(In fact I vaguely recall some presentation specifically mentioning just such a tactic a few years ago.)

BrianKrebs Sep 15, 2023

Oh, and if you use Google Authenticator for one-time codes, make sure the cloud icon has a slash thru it. Like this:

AGTMADCAT 🇬🇧🇺🇸🇺🇦🇹🇼🇵🇸Sep 15, 2023

@briankrebs I walked into the ocean with my phone in my pocket a month or two after Google started backing up my MFA codes, which really saved my ass, let me tell you. So I'm feeling very ambivalent about this advice, let me tell you.

kalichai Sep 15, 2023

@AGTMADCAT @briankrebs You don't keep backup keys at home?

AGTMADCAT 🇬🇧🇺🇸🇺🇦🇹🇼🇵🇸Sep 16, 2023

@kalichai @briankrebs I had been kind of lax and hadn't updated my backup device in a month and a half... And in that time I started a new job and had added a *whole lot* of new accounts. Serious cock-up on my part but isn't that always how it is with human factors?

kkeller Sep 15, 2023

@AGTMADCAT @briankrebs there are other TOTP apps that can be configured to make less opaque backups. Aegis for Android is an open source TOTP app that has a few options for backups, but I imagine there are others.

https://github.com/beemdevelopment/Aegis

GitHub - beemdevelopment/Aegis: A free, secure and open source app for Android to manage your 2-step verification tokens.

A free, secure and open source app for Android to manage your 2-step verification tokens. - beemdevelopment/Aegis

GitHub

AGTMADCAT 🇬🇧🇺🇸🇺🇦🇹🇼🇵🇸Sep 16, 2023

@kkeller @briankrebs Gotta keep the cognitive load down I'm afraid!

@briankrebs Of course, it appears do to this automagically if you’ve signed in to other google iOS apps (e.g. GMail) — and the ‘use Authenticator without an account’ button feels like it may nuke existing tokens.

So many dark patterns in this app. “Use FaceID” renamed as “Privacy Screen” — why?

Eric Carroll Sep 15, 2023

@briankrebs
Or use yubico authenticator app with a yubikey.

So that your critical secrets are not stored on the phone or backed up in the cloud.

Dustin [BusySignal-KE2EFX]Sep 15, 2023

it's so frustrating that there doesnt seem to be a way to go in reverse and undo the cloud icon/sync.

using a test device - i havent been able to do it...

the tower fairy Sep 15, 2023

@briankrebs but where/how do you log in to Google with Authenticator in the first place? (i'm on iOS)

Richard "RichiH" Hartmann Sep 15, 2023

@briankrebs the great thing about Google Cornhole is that you can't positively prove that key extraction as-a-service was always disabled. If it was enabled just for one broken app update for a minute you have to reroll all your 2FA, but you can never be _certain_.

heckj Sep 15, 2023

@briankrebs it would really help to know HOW to make sure it’s in that state.

blackfeathers Sep 15, 2023

@briankrebs
♬ 🎵🎶where do we go now?? 🎶🎵 ♬

🔻 aetios 🇪🇺Sep 15, 2023

@briankrebs thanks, made me check. I'm good. been wanting to move away from Google totp for a while

Submarine Sep 15, 2023

@briankrebs thanks a mil, boss

Thomas Broyer Sep 15, 2023

@briankrebs Great, so now when you lose access to your phone (stolen, broken, whatever) you lose all your OTP/MFA.

Do you recommend we use password managers that don't sync to the cloud too?

Do you trust Google less than LastPass security-wise?

If the problem is that you're using GSuite as SSO and some app will sync MFA to *that* account, defeating MFA, then ban the app (https://support.google.com/a/answer/6328701?hl=en)

Thomas Broyer Sep 15, 2023

@briankrebs Now this was a social engineering attack, and bad threat modelling by Retool, so don't blame Google or Google Authenticator for it.

And don't recommend that everyone lowers their security (recoverability of MFA) by disabling sync to the cloud.

The message should be: don't store MFA in the same account you use for SSO.

And also that OTP is faillible as it doesn't prevent phishing, contrary to FIDO2.

Thomas Broyer Sep 15, 2023

@briankrebs note that it would have been the same if they didn't use SSO but the attacker gained access to the password manager where both passwords and MFA would have been sync'd: access to the password manager means game over.

So maybe don't sync your OTPs to the same account as your passwords?

Anyway, nothing will ever be resistant to social engineering if you want users to somehow be able to recover their accounts.

Andreas K Sep 16, 2023

@briankrebs
Hint: there are so many nice TOTP authenticator apps, some even open-source, all of them without “Google” in the name, you know the company totally n̶o̶t̶ associated with surveillance capitalism at all.

https://search.f-droid.org/?q=OTP

F-Droid Search: OTP

chebra Sep 16, 2023

LOL 5 months ago: https://techcrunch.com/2023/04/24/google-authenticator-can-now-sync-2fa-codes-to-the-cloud/

> Some users might be wary of syncing their sensitive codes with Google’s cloud — even if they did originate from a Google product. But Christiaan Brand, a group product manager at Google, asserts it’s in the pursuit of convenience without sacrificing security.

TechCrunch is part of the Yahoo family of brands

@briankrebs Unless I'm misunderstanding something, that turns off cloud sync, which is a huge problem. Before they had cloud sync, I had to factory reset my phone, lost the codes and it was a royal pain in the ass to access my accounts again and switch over to a new Authenticator app.

Cloud sync matters. The better recommendation is to STOP using Google Authenticator entirely.

Svavar Sep 17, 2023

I learned the hard way to have 2 authentication devices when Google Authenticator decided to forget all of my codes without warning.

Mishaal Khan 🔒Sep 17, 2023

If you're new to the internet, I don't blame anyone using Google Auth, but PLZ transition to a better MFA app. (I use @bitwarden 's built-in TOTP code generator, you can also use KeePass), so much easier to search thru 1000s of entries.

Diego Elio Pettenò Sep 15, 2023

@briankrebs sigh. Not that this problem wasn't well understood for years (https://flameeyes.blog/2017/06/24/lastpass-authenticator-cloud-backup-and-you/) and that at other solutions have come up with mitigations (Authy with the backup passphrase.)

LastPass Authenticator, Cloud Backup, and you

I’m still not sure how it is that over the past two years I consider myself a big expert of 2FA, it probably has to do with having wanted to implement this for a very long time for the work I did b…

Flameeyes's Weblog

BrianKrebs Sep 15, 2023

@flameeyes Point taken. But it's funny that the (2017) post you linked to mentioned LastPass authenticator. Just shows how authentication, like everything else in security, is a moving target.

Diego Elio Pettenò Sep 15, 2023

@briankrebs true. I think the main reason why I was noting LastPass there is because it was the first combined password manager and TOTP generator with cloud backups.

I definitely had to go through a number of blog posts to stop recommending LastPass in the last year!

Luk Sep 15, 2023

@briankrebs you made me realize that my tokens were indeed stored on Google cloud without my knowledge 😱

Ben Aveling Sep 15, 2023

@briankrebs deepfake? Or insider attack?

Joy Denebeim Sep 15, 2023

@briankrebs well, the problem here is that if you lose your MFA machine, unless you have really good backup hygiene, you're in for a world of hurt.

The old Google MFA had no way to back up your keys. And they wouldn't transfer to a new machine.
We push MFA on everyone we meet, but there needs to be a solution that will work for my mother. Reregistering every site every time you change machines ain't it.

Joy Denebeim Sep 15, 2023

@briankrebs about the best solution I've been able to come up with in my head, is printing out QR codes and sticking them in a safe.

Oldmeanroy Sep 15, 2023

@denebeim @briankrebs lol

Joy Denebeim Sep 16, 2023

@oldmeanroy @briankrebs so is that biometric?

Oldmeanroy Sep 16, 2023

@denebeim @briankrebs modern day equivalent for wearing your heart on your sleeve.
Scan for a date.

Riley S. Faelan Sep 15, 2023

@briankrebs The HOTP/TOTP secret is a strong example of something that needs to support local back-up rather than "syncing to the cloud".