How Hackers Bypass MFA (+ How to Stop it)
The inherent weakness of using single passwords as login credentials has led to the rise of two-factor authentication to better secure access to sensitive data and information.
In short, multi-factor authentication (MFA) requires a user to prove their identity with two or more verification factors. These can take many different forms: a one-time PIN generated by a hardware token, or something unique to you, such as a fingerprint or an iris scan.
However, while multi-factor authentication has become an essential cybersecurity tool, it is not impervious to attack. We are unfortunately seeing a rise in cybercriminals specifically targeting common MFA verification methods like one-time passwords, voice calls, and push notifications.
Read on to find out more about multi-factor authentication and how attackers attempt to bypass two-factor authentication:
What is Multi-Factor Authentication?
Two-factor authentication serves to provide an additional layer of defence on top of the usual username/password combination familiar to many.
In simple terms, it requires a user to supply additional verification to confirm that the sign-in attempt is really being made by them.
5 Different Ways Hackers Bypass Multi-Factor Authentication
Bypass MFA via Social Engineering
In essence, social engineering involves tricking a target into revealing privileged information which is then leveraged via a cyber attack.
In the context of bypassing MFA solutions, phishing is one of the most common social engineering tactics used to obtain a user authentication factor. In a phishing attack, the cybercriminal poses as a reputable source or trusted authority in order to trick a user into giving up useful information.
For example, an attacker might use a fake website to harvest both the password and the security code produced by an authenticator app or code generator. Because the code is only valid for a short window, the attacker uses the harvested credentials to log in to the real site at the same time.
It should also be noted that automated phishing attacks are on the rise. Techniques such as reverse proxies and cookie theft can render MFA useless: the proxy relays every credential and code the user types to the genuine site and hands the resulting authenticated session to the attacker.
Consent Phishing via Open Authorization (OAuth)
Open Authorization (OAuth) is used by organizations to allow limited access to user data. You probably use this in your everyday life without even realizing it.
For example, you have used OAuth every time a third-party app requests permissions on your phone: you have probably granted an application access to your camera or photos without granting it access to everything else.
Cybercriminals have begun to leverage this through a newer method called consent phishing. Threat actors present fake OAuth consent pages that ask for exactly the permissions they need. If those permissions are granted, the attacker's application gets access to the account's data without ever having to satisfy an MFA prompt, which can amount to a full account takeover.
Exploiting Generated Tokens
If you have signed in to an online account recently, chances are you have had to rely on an authenticator app like Microsoft Authenticator or Google Authenticator.
These MFA tools essentially act as a code generator: they create short-lived tokens that are used as an additional authentication factor alongside the user's regular credentials.
These platforms often also provide a list of static backup codes so that a user is not locked out if the generator is lost. If those codes are stored in an insecure location or handled with poor data-security hygiene, a cybercriminal who obtains them can use one in place of the live token and gain access.
Hijacking Sessions by Stealing Session Cookies
Session cookie hijacking is a form of man-in-the-middle attack in which MFA is bypassed by stealing the browser session cookie issued after a user has already completed MFA.
This is possible when web servers do not flag session cookies as Secure. Without that attribute the browser will also send the cookie over plain HTTP, so if any request goes out unencrypted an attacker on the network can read the cookie and replay it to hijack the already-authenticated session.
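The following is an added illustration (not part of the original article) of the check a defender would run: it parses Set-Cookie headers and reports a session cookie that lacks the Secure flag, alongside the hardened form. The two sample headers and the cookie name are constructed for the example.

```python
"""Audit Set-Cookie headers for the flags that keep a session cookie off
plaintext HTTP (Secure) and away from page scripts (HttpOnly).

Added illustration only; the two sample headers below are constructed,
not taken from any real server.
"""
from typing import Dict, List, Tuple

# Constructed sample responses: the first is the weak setting described in
# the text (no Secure flag), the second is the hardened form.
WEAK_HEADER = "sessionid=9f8e7d6c; Path=/"
HARDENED_HEADER = "__Host-sessionid=9f8e7d6c; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie_name, {lower-cased attribute: value}) for one header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookie(header: str) -> List[str]:
    """Return a list of findings; an empty list means the cookie is hardened."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # where a network attacker can read it and replay the session.
        findings.append("missing Secure: cookie can be sent over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite: cookie sent on cross-site requests")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject it")
    if name.startswith(("__Secure-", "__Host-")) and "secure" not in attrs:
        findings.append(f"{name}: prefixed cookie without Secure is rejected")
    if name.startswith("__Host-") and ("domain" in attrs or attrs.get("path") != "/"):
        findings.append("__Host- cookie must have Path=/ and no Domain")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_session_cookie(hdr) or ["ok"])
```

Run it against the Set-Cookie headers your own application emits; any finding for the session cookie is a configuration fix on the server, not a user-side problem.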
SIM Hacking
SIM hacking occurs when an attacker gains unauthorized access to a victim's phone number through a variety of techniques like SIM swapping, SIM cloning, and SIM-jacking.
Once control of the victim's phone number is acquired, the attacker receives the SMS one-time passwords sent to it and can supply that verification factor during an intrusion attempt.
Tips for Strengthening Multi-Factor Authentication (MFA)
While MFA solutions add an extra layer of security for your organization, it has become clear that they are not sufficient on their own. For this reason, it is always a good idea to have a trusted security partner like Stratejm take a close look at your security posture and identify any key gaps in your environment.
With that in mind, here are some key actions you can take to strengthen your two-factor authentication:
- Avoid short, numeric one-time passwords (OTPs). Instead, opt for longer alphanumeric codes, which are much harder to guess by brute force.
- Use complex passwords in accordance with password guidelines, or use a password manager.
- Don't reuse passwords!
- Avoid SMS verification; it is one of the most frequently compromised MFA verification factors.
- Administer regular cybersecurity awareness training.