5 Ways Hackers Can Get Around Your MFA Solution
Multi-Factor Authentication (MFA) is definitely more secure than passwords but it is not an unhackable solution. It is a common misconception that MFA offers 100% protection from unauthorized access. Check out five ways hackers can bypass MFA and learn how to prevent them.
Multi-factor authentication (MFA) is among the most recommended security measures across industries. But how secure is it, really? To answer this question, we must understand what MFA means and the state of implementation right now.
As per the MFA protocol, users must go through more than one security check before accessing an asset. For example, when using an ATM, one needs to enter both a physical card as well as a four-digit PIN. Or, an online payment gateway might ask the user to enter card details, a security code, and a one-time password. The first instance has two authentication layers – a card and a PIN – which is why it is called 2FA.
2FA is a subset of MFA and is probably the least secure of the lot.
The more authentication layers you add, the lower the chance that a hacker can exploit a weakness somewhere in the process. But despite the well-established effectiveness of strong MFA (i.e., more than two layers), adoption remains lower than expected. Between 2017 and 2019, 2FA awareness increased by 33% – but one in two users still don’t know what 2FA is. In terms of adoption, just 53% were using 2FA in 2019.
And that’s just two-factor authentication. Across the MFA market overall, an overwhelming 94% of users rely on a smartphone for their additional security layer beyond user ID and password. Only 4% choose a hardware-based solution, and 1% opt for biometrics, even though these are the factors that genuinely strengthen MFA protection. In other words, the problem with MFA is this: most people limit themselves to its least secure subset (2FA), and this opens up several vulnerabilities.
Here’s why.
1. Hackers Might Use a Technique Called Simjacking
The most common authentication channel is a telephone connection. After you enter your password, you receive a time-bound code via call or SMS to complete the login. Phone-based authentication is widely used in digital banking, social media account recovery, e-commerce, etc.
But malicious actors can approach a carrier, impersonate the user, and have the number switched to a new SIM. When the next login request triggers a code, the login credentials arrive on the attacker’s SIM instead of the user’s, and the attacker completes the request. This slightly primitive but highly effective technique is called Simjacking, and it recently compromised the social media access of Twitter CEO Jack Dorsey.
A group called Chuckling Squad gained access to Dorsey’s account for 15 minutes via Simjacking and was able to tweet a series of offensive remarks.
2. Malware Like Cerberus Can Bypass MFA Protocol
Did you know that there are specific malware variants that target multi-factor authentication? One of them is Cerberus, which allows malicious actors to break into Google Authenticator, take a screenshot of the one-time code, and thereby circumvent MFA. Another phishing campaign has been discovered that can bypass MFA on Microsoft Office 365 to access consumer data and hold it for ransom.
As attacks become more sophisticated and malware adapts to standard MFA architecture, a whole new breed of viruses, trojans, or worms could emerge explicitly designed to crack MFA.
3. SMS Communication Can Be Intercepted
Simjacking isn’t the only way to exploit a user’s telephone connection. A hacker could intercept SMS communication in a variety of other ways, such as applying a communication reset so that the MFA update is directed to a different channel. In today’s crowded digital landscape, most of us aren’t regular SMS users, and an SMS interception hack could very well slip under the radar.
This is particularly true for users who registered through legacy technology and have not updated their contact information in a while. In 2018, Reddit disclosed an MFA attack that exposed cloud-hosted user accounts as well as source code.
Interestingly, those who moved to token-based MFA were immune to the attack – indicating the need for strengthening authentication strategies in the digital era.
4. CMS Infrastructure Could Have Authentication Flaws
Sometimes, the content management system (CMS) at the back-end of a website has inherent security flaws that open up attack possibilities. One such flaw was recently found in two popular WordPress plugins, impacting around 320,000 websites. The flaw allowed malicious actors access to an admin account even without a password. As with several other flaws, the firm that discovered the issue said it might have originated from a logic mistake in the code.
But despite its inadvertent nature (and the optimistic outcome that it wasn’t exploited), users must adopt measures that can protect against code-level MFA vulnerabilities.
5. Social Engineering Can Foil Employee Good Intentions
A combination of technical and social engineering can bypass MFA restrictions with shocking ease. One such tactic is voice phishing or vishing, where a malicious actor calls up a new employee impersonating IT personnel from their employer company. A new employee is an ideal target as they are yet to undergo security awareness training and may not be familiar with cybersecurity best practices.
Meanwhile, an accomplice overlays a phishing page on top of the company’s VPN platform to capture not only the user ID and credentials but also the one-time code. The vishing call gains the user’s trust and induces behavior that would otherwise strike them as suspicious.
The Solution: Augment MFA With Failsafe Security Layers
At the outset, we should mention that multi-factor authentication is a must-have. Despite its vulnerabilities, it is miles ahead of single-layer, password-based systems. Google found that by adding a phone number to a user account, it is possible to prevent 66% of targeted attacks. Similarly, Microsoft found that 99.9% of all the accounts compromised under its aegis were not using MFA.
The key is to update MFA protocols for tomorrow’s needs. This means recognizing the need for truly multi (three or four) factor authentication, instead of considering MFA and 2FA as synonymous.
One of the smartest solutions is hardware-based MFA, where the user must plug in an NFC/biometrics-enabled USB device to validate a login attempt. Yubico, Kensington Verimark, Thetis, and Google Titan are some of the best solutions available in the market today.
Another widely used tool is knowledge-based authentication (KBA), where the user is asked to answer a secret question. Keep in mind that KBA isn’t immune to social engineering, needs regular updating, and must be woven seamlessly into the interface to provide a non-intrusive user experience. Finally, there is device- or IP-based authentication, where an account is linked to specific hardware or network fingerprints as part of its “usual” activity trail.
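As an added illustration (not from the original article) of why the vishing-plus-overlay attack in section 5 succeeds against one-time codes but not against the hardware keys recommended above: a server verifying a TOTP code accepts any valid code typed within the time window, wherever it was typed, whereas a security-key assertion is bound to the origin the browser saw, so a signature produced on a look-alike page fails verification against the real site. The origins, secrets and challenge below are constructed values, and an HMAC stands in for the key’s asymmetric signature so the example runs with only the standard library.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not real credentials or real sites).
TOTP_SECRET = b"constructed-shared-secret-for-demo"
KEY_SECRET = b"constructed-hardware-key-secret"
LEGIT_ORIGIN = "https://vpn.example.com"      # assumed relying-party origin
PHISH_ORIGIN = "https://vpn-example.com"      # constructed look-alike overlay page


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps.
    Nothing here ties the code to where the user typed it."""
    return any(hmac.compare_digest(totp(secret, t + i * 30), code)
               for i in range(-window, window + 1))


def key_sign(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a security key signing the server challenge together with the
    origin the browser reports. Real FIDO2/WebAuthn keys use an asymmetric signature;
    HMAC is used here only to keep the example dependency-free."""
    return hmac.new(key_secret, challenge + origin.encode(), hashlib.sha256).digest()


def verify_assertion(key_secret: bytes, challenge: bytes, signature: bytes,
                     expected_origin: str) -> bool:
    """Server-side check: valid only if the signature was made for our own origin."""
    return hmac.compare_digest(key_sign(key_secret, challenge, expected_origin), signature)


def phished_totp_succeeds(now: int) -> bool:
    """Section 5 scenario: the overlay page captures the user's code and relays it."""
    captured = totp(TOTP_SECRET, now)               # the victim types this into the overlay
    return verify_totp(TOTP_SECRET, captured, now)  # attacker replays it within the window


def phished_key_assertion_succeeds(now: int) -> bool:
    """Same scenario with a hardware key: the browser binds the signature to the page origin."""
    challenge = b"constructed-server-challenge"
    signature = key_sign(KEY_SECRET, challenge, PHISH_ORIGIN)  # signed on the look-alike page
    return verify_assertion(KEY_SECRET, challenge, signature, LEGIT_ORIGIN)
```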
Closing Thoughts
Companies – whether SMBs or large-scale enterprises – must reimagine their cybersecurity landscape, keeping the vulnerabilities of MFA (specifically 2FA) in mind.
This includes exhaustive security awareness training so that employees do not try to bypass proper protocol when accessing assets. Further, investing in hardware-based authentication, like Google using Security Keys to prevent phishing for its 85,000+ employees since 2017, could also help. A smart combination of these best practices would keep employees safe from cyber attacks. But the first step is to shake off the complacency around MFA and recognize its growing risks, even as we boost adoption.