
Legacy MFA from major airlines hacked, exposing reams of data

Scattered Spider hits airline industry with attacks biometrics could have stopped

On these pages, “multifactor authentication” has begun to sound archaic, as biometrics, passkeys, proximity detection and other security tools offer better protection than traditional MFA systems. Fraudsters have learned to subvert one-time codes, push approvals, authenticator apps and the other tactics deployed in legacy systems.

Nonetheless, these vulnerable MFA systems remain in widespread use – which means somebody has to become a lesson in lax security. In this case, the body is the airline industry, which has seen a rash of recent breaches that have exposed the data of millions of customers.

Breach reading: Hawaiian Airlines attack relies on MFA fatigue tactics

A blog from Token looks at a recent breach that affected Hawaiian Airlines. Suspected to have been engineered by the active threat group Scattered Spider, the breach was accomplished with relatively simple tactics: “real-time phishing through spoofed websites and MFA fatigue tactics to bypass weak authentication.”

The breach playbook goes roughly as follows: employee lands on a spoofed login page and enters credentials; attacker instantly relays that information to the real site, including the MFA code. Access granted.

“It’s not that these attacks are sophisticated,” says Kevin Surace, chair of Token, which produces security hardware devices. “They’re successful because companies continue trusting MFA tools that weren’t designed for this threat. How many breaches do we need before we replace security theater with real security?”

The issue is the various factors being used to authenticate. Token’s Token Ring and Token BioStick products combine biometric authentication with proximity-based login (meaning the device must be physically near the machine being accessed) and cryptographic origin-checking. Tamper-proof hardware is bound to a single domain and device, unlocked only by a live fingerprint scan.

“In a scenario like the Hawaiian Airlines breach, the fake website wouldn’t even engage the Token device. No proximity, no biometric verification, no login. It’s that simple.”
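To make the contrast concrete, here is an added illustration (not code from Token or from the article) of why a relayed one-time code succeeds while an origin-bound, proximity-gated assertion does not; the origins, keys and HMAC-based "signature" are constructed stand-ins for a real device's cryptography.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo values (assumptions for this example, not from the article).
REAL_ORIGIN = "https://login.example-airline.test"
SPOOF_ORIGIN = "https://login.example-air1ine.test"   # look-alike phishing domain
OTP_SEED = b"constructed-otp-seed"
DEVICE_KEY = b"constructed-device-key"


def otp_for(seed: bytes, counter: int) -> str:
    """Counter-based one-time code; nothing in the code says where it was typed."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def otp_login_with_relay(counter: int) -> bool:
    """Legacy flow from the article: the victim types the code into the spoofed
    page and it is forwarded verbatim to the real site inside its validity window."""
    code_typed_on_spoof = otp_for(OTP_SEED, counter)      # victim's authenticator app
    code_forwarded = code_typed_on_spoof                   # spoofed page passes it on
    return hmac.compare_digest(code_forwarded, otp_for(OTP_SEED, counter))  # real site accepts


def device_assert(challenge: bytes, client_origin: str, near: bool) -> Optional[bytes]:
    """Hardware authenticator: stays silent unless it is physically near the client,
    and then signs the challenge together with the origin the *browser* reports
    (which a page's script cannot rewrite)."""
    if not near:
        return None
    return hmac.new(DEVICE_KEY, challenge + client_origin.encode(), hashlib.sha256).digest()


def verify_assertion(challenge: bytes, signature: Optional[bytes]) -> bool:
    """Real site recomputes over its own origin; a value made for any other origin fails."""
    if signature is None:
        return False
    expected = hmac.new(DEVICE_KEY, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def origin_bound_login(client_origin: str, near: bool) -> bool:
    """Challenge issued by the real site, possibly forwarded through a spoofed page."""
    challenge = secrets.token_bytes(32)
    return verify_assertion(challenge, device_assert(challenge, client_origin, near))
```

Forwarding the challenge changes nothing: the assertion carries the spoofed origin and the real site rejects it, and without proximity the device never answers at all.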

Qantas breach exposes data of up to 6 million customers

Don’t judge Hawaiian Airlines too harshly, though: Qantas has the same problem. A release from the Australian airline confirms that a major cyber incident occurred in one of its contact centres, exposing the data of up to 6 million customers, including names, email addresses, phone numbers, birth dates and frequent flyer numbers.

“The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform,” says Qantas. “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. We understand this will be concerning for customers.”

The company says the breached system held no credit card details, personal financial information or passport details, and that no passwords, PIN numbers or login details have been accessed. It has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, as well as the Australian Federal Police.

A statement from Qantas Group Chief Executive Officer Vanessa Hudson says “we sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously.”

Scattered Spider: global threat is a bunch of teens making fake sites

Just how seriously is up in the air. Consider that Scattered Spider, which is also suspected of engineering the Qantas attack, is described by GovInfo Security as a “band of English-speaking adolescent hackers.” Yet its footprint is massive, and getting bigger.

Qantas has not confirmed that Scattered Spider was behind the attack, but it has “hallmarks of a Scattered Spider operation – including the social engineering attack on a call center.” The group is also believed to have attacked Canadian airline WestJet, which disclosed a cyber incident. Likewise with U.S. insurance giants Aflac, Erie Insurance and Philadelphia Insurance, all of which reported attacks in June, raising red flags at the Federal Bureau of Investigation.

The group’s loose membership consists mainly of U.S. and British residents, estimated at about 1000, who tend to target single industries at a time. Its run of disruptive attacks against Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the U.S., led Microsoft to label it “one of the most dangerous financial criminal groups.”

Also tracked as Star Fraud, Octo Tempest, Scatter Swine, Muddled Libra, Roasted 0ktapus and UNC3944, it has attacked at least 130 companies, including Visa, Truist Bank and Marks & Spencer.

Biometrics offer solution to IT helpdesk impersonation: iProov

In comments emailed to Biometric Update, Andrew Bud, CEO of iProov, says Scattered Spider has shifted its focus from attacks on British retailers like Marks & Spencer and Co-op to major U.S. targets, causing shelf shortages at Whole Foods and forcing Victoria’s Secret to temporarily close its e-commerce site.

“Modern multi-factor authentication, which was supposed to prevent these sorts of attacks, often relies on things people know, like passwords and code numbers sent to their phones,” he says. “By impersonating IT help desks, hackers convince employees to give them both these factors. That’s not the fault of employees, but a crucial weakness inherent in the current methods of authentication.”

“The solution is to use biometrics, like face verification. Employees’ faces can’t be conned away from them, stolen, or shared. Of course they can be copied, but modern strong liveness technology prevents anyone using those copies successfully. So if a fake helpdesk contacts the employee, and the employee verifies using their face, the hacker just gets some selfies; they could probably get them from LinkedIn or Instagram anyway. Strong cloud-based liveness assurance prevents hackers using those images to break into the organization and, importantly, the technology is constantly evolving to stay ahead of the attackers.”

The threat extends beyond just the immediate targets of the attack. A notice from the FBI says Scattered Spider’s methods mean “anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk” following the recent breaches.

Researchers scanning the cyber landscape for threats have also detected an “uptick in registrations of new domains mimicking legitimate corporate and authentication services, a known Scattered Spider technique.” Many of the fake company domains were registered in the oil and gas sector – raising fears that it could be next.

However, there could be disruption in its activities. In April, police in Spain extradited 23-year-old Scottish man Tyler Robert Buchanan – AKA TylerB, suspected of being the leader of Scattered Spider – to the United States to face charges of wire fraud, conspiracy and identity theft, and up to 47 years in prison. His alleged co-leader, Noah Michael Urban, is incarcerated in Florida, facing up to 20 years in federal prison.
