Nov 12, 2025
Tokens – The Latest Security Threat
To combat phishing, multi-factor authentication was added to our logins to make it impossible to get in just by having a password. Now you can give away your password and if you have MFA, it doesn’t matter. The bad actor tries to log in and is presented with a second method, one that only you have access to. It started with a text message that goes to your phone, since theoretically only you have access to your phone. Well, sure enough, hackers found out that the walled garden around SMS is fairly easy to climb over. All you need is to pretend to be a phone company and you’re in. And inside of that garden, there aren’t many things to keep you from getting your hands on a text message.
So now, you have a complicated password that’s hard to remember and changes all the time and a text message coming in that gets stolen. A lot of services still rely on this combo, but a group called the Initiative for Open Authentication developed a way to get around the insecurity of SMS. Using some clever math, you can have a device generate a key that changes every 30 seconds that only your device and the server you’re logging into know how to generate. These are the little six-digit codes you get out of an authenticator app now. These cannot be stolen, since they don’t go over the Internet or SMS network, so we’re safe from that attack when we use them.
However, it’s a real pain in the butt to log in. To make your life easier, companies added in the ability to “stay logged in” to their services. This drops a little token on your system that says who you are and that you’ve already gone through all that rigamarole to get signed in, so don’t ask me again. Just use this token. We’ll make it expire every now and then so it doesn’t get too stale, but you can get to work without having to reauthenticate all the time. This opened a new way to get into someone’s account called Token Theft, and it’s becoming increasingly popular as the go-to method to hack into an account.
There are several ways to steal that cookie. One is from malware that is installed on your computer, but we don’t see that very often. The more common method is by an Adversary-in-the-Middle attack. This starts with an email that says something like “Click here to download your invoice” or something like that. It’s often sent from a legitimate account, maybe even someone you know who has been hacked recently. You click the link, then are presented with a legitimate login page for your Microsoft account. What you don’t see is that there is a proxy in the middle that is grabbing copies of your tokens as you successfully authenticate, allowing the hackers to impersonate you. They usually go straight to your account settings and add a new MFA option so that they can get in without your consent even after the token expires.
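The attack above works because, once the proxy has the "stay logged in" token, the service cannot tell the attacker's browser from yours, and the token alone is enough to walk into account settings and enroll a new MFA method. The example below is an added illustration, not Microsoft's implementation or code from the original post, of two server-side controls that blunt exactly that: remembering which client a session was issued to and refusing the token when it shows up from somewhere else, and demanding a fresh sign-in before sensitive actions such as adding an MFA method. The `SessionStore` class, its field names and the IP/user-agent pair used as the client fingerprint are all my own assumptions for the sake of the demonstration.

```python
import secrets

# Actions an attacker holding only a replayed token should not be able to do
# without a fresh authentication (assumed policy, not a vendor setting).
SENSITIVE_ACTIONS = {"add_mfa_method", "change_password", "change_recovery_email"}
REAUTH_MAX_AGE = 5 * 60      # sensitive actions need a sign-in this recent
SESSION_TTL = 8 * 60 * 60    # "stay logged in" lifetime


class SessionStore:
    """Minimal in-memory session table keyed by opaque bearer token."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def issue(self, user: str, client_ip: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)          # unguessable, random
        self._sessions[token] = {
            "user": user,
            "client_ip": client_ip,
            "user_agent": user_agent,
            "authenticated_at": now,               # when MFA was last completed
            "expires_at": now + SESSION_TTL,
        }
        return token

    def reauthenticate(self, token: str, now: float) -> None:
        """Called after the user completes MFA again in an existing session."""
        self._sessions[token]["authenticated_at"] = now

    def check(self, token: str, client_ip: str, user_agent: str,
              action: str, now: float) -> tuple[bool, str]:
        """Decide whether `token` may perform `action` from this client.
        Returns (allowed, reason) so callers can log the reason."""
        s = self._sessions.get(token)
        if s is None:
            return False, "unknown token"
        if now >= s["expires_at"]:
            del self._sessions[token]
            return False, "expired"
        # A token presented from a different client than it was issued to is
        # the signature of a replayed (stolen) token; revoke it on the spot.
        if (client_ip, user_agent) != (s["client_ip"], s["user_agent"]):
            del self._sessions[token]
            return False, "client mismatch: token revoked"
        # Step-up: account-security changes require a recent MFA completion,
        # so a replayed token alone cannot enroll a new authenticator.
        if action in SENSITIVE_ACTIONS and now - s["authenticated_at"] > REAUTH_MAX_AGE:
            return False, "reauthentication required"
        return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: the user signs in, then the same token is replayed
    # from another machine, as an AitM proxy operator would do.
    store = SessionStore()
    t0 = 1_700_000_000.0
    tok = store.issue("alice", "203.0.113.10", "Mozilla/5.0 (Windows)", t0)
    print(store.check(tok, "203.0.113.10", "Mozilla/5.0 (Windows)", "read_mail", t0 + 60))
    print(store.check(tok, "198.51.100.7", "curl/8.0", "add_mfa_method", t0 + 60))
```

The client-binding check is deliberately coarse (a legitimate user who changes networks will be asked to sign in again), which is the usual trade-off: a little friction on the honest path in exchange for a stolen token that dies the first time it is used from the attacker's machine. The step-up rule is the more important of the two, because it protects the "add a new MFA option" move the post describes even when the binding check is fooled.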
While we are still learning more about these attacks and how to protect you from them, the best defense is still to be diligent about email security. Even if you get an email from a trusted source, scrutinize it before entering any credentials. Do they usually send you documents that way? Is there anything that looks out of place, like a “Kind regards” at the end of the email that you wouldn’t expect? Feel free to call them first to verify they meant to send it. A lot of times that phone call could save your account.
Stay safe out there!
-Nate