How Attackers Bypass Multi-Factor Authentication (MFA)
By Ken May
IT security tactics are constantly changing and trying to stay one step ahead of hackers, advanced persistent threats (APTs), and other malicious actors, is a constant game of cat and mouse.
According to the 2019 Symantec Internet Security Threat report, 1 in 412 emails are malicious. And, according to the SANS Institute, 95% of all cyberattacks on enterprise networks are the result of successful spear phishing.
This means phishing remains one of the most common targeted attacks out there, and there is a still a lot of focus on compromising people’s digital accounts.
How to Defend Against Cyber Threats
The current answer is multi-factor authentication (MFA). We used to simply call this two-factor authentication (2FA), before it became clear that multiple methods were needed. MFA is an authentication method in which a user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism, such as:
Knowledge: something the user, and only the user, knows
Possession: something the user, and only the user, has
Inherence: something the user, and only the user, is
What is The Adoption Rate for Multi-Factor Authentication?
That’s the concept, so how is the implementation? By and large, many organizations still don’t have MFA rolled out, including banks, if you can believe it (don’t ask me which ones!). One global survey reveals that when it comes to Office 365, only 20 percent of organizations use MFA for admins and users.
Even the majority that do have MFA rolled out seem to mainly support either email, or SMS tokens, and sometimes both.
Eventually, security researchers realized we could use things like hardware tokens or apps, such as Google Authenticator, Microsoft Authenticator, Duo, Authy, etc. These devices generate one-time codes directly, without the need to send them by email or SMS.
How Do Hackers Get Past Multi-factor Authentication?
Unfortunately, if someone has brute forced their way into an email account, receiving MFA codes to their email is pretty self-defeating. Even worse, now we are seeing attackers social engineering cell phone carriers into allowing them to clone a victim’s SIM card. By doing that, they receive a copy of any SMS messages sent to it, and thus they can receive SMS MFA tokens as well. We are even seeing attacks where the hacker contacts the victim and claims that they need an MFA code, from whatever source, in order to verify the victim’s identity. Once they give away the code, it’s all over, and the hacker will change the recovery information on all the victim’s key accounts.
How Can I Protect Myself Against These Attacks?
Currently, the best practice is to enable MFA wherever possible, and to use an authenticator app or service.
These are unlikely to be vulnerable to replay attacks, which is a form of network attack where valid data transmission is maliciously or fraudulently repeated or delayed so that an attacker can intercept the data and re-transmits if they chose to. Additionally, MFAs only have a typical lifespan of 30—60 seconds, which is a pretty short window.
That being said, no amount of technology will prevent a sufficiently dedicated user from bypassing all this by handing over their codes directly to a hacker. In the end, educating people is the most critical aspect of protecting the enterprise, SMB, or home user.