MFA: Lack of management and overconfidence “There is no insurmountable control and no intimidated adversaries”
Abstract:
During the analysis of BEC (Business Email Compromise) incidents, we identified email accounts compromised through multiple techniques that took advantage of different configuration and management weaknesses. These incidents allowed attackers to transfer hundreds of thousands of dollars by impersonating critical people. According to our research, however, the attackers mainly took advantage of the trust and “liability discharge” that many users and IT administrators place in the multi-factor authentication control. We will present incident scenarios, study frameworks used by attackers, and give some security recommendations for handling additional authentication controls.