NetworkTigers outlines how hackers hack multi-factor authentication.
Multi-factor authentication, or MFA, is regularly touted as the best way to protect your accounts from hackers. Because most breaches occur at the hands of cyber thieves who either guess weak passwords using special software tools or steal passwords through other means, setting up an additional line of defense is usually all it takes to encourage an opportunistic hacker to look for easier targets.
However, cybersecurity remains a constantly moving target, and hackers are employing techniques to bypass MFA.
What is multi-factor authentication?
Multi-factor authentication is a system in which a user must take more than one step to verify their identity or permission to access an app, account or device.
After a user enters their password, they are then prompted to prove who they are once more via an app, phone call, email or other avenue tied to a different account or device. This means that if a hacker wants to breach an account with MFA in place, they generally also need to possess the device or other account used to confirm access.
In most cases, this stops a hack from taking place and notifies the user of the activity, allowing them to alert system administrators or take additional precautions.
Ways that hackers hack multi-factor authentication
Social engineering
Social engineering is a term that encompasses a wide range of manipulation tactics, from phishing emails to actual phone calls. It has become the most popular and effective way for hackers to access targeted systems.
No matter the method, a social engineering attempt seeks to convince a victim to click a fraudulent link, download malware, hand over login credentials or verify an unauthorized login attempt with little actual hacking involved. For example, a targeted user may receive a text message purported to be from their boss claiming to have been locked out of an account and requesting login information or authorization. In another case, a victim may receive a phone call from someone masquerading as an IT administrator who directs them to download an attachment carrying malicious code.
Session hijacking
Session hijacking, also called cookie stealing, allows a hacker to bypass MFA entirely by capturing the account access permission that their browser grants them. This type of attack can be carried out in several ways with varying degrees of sophistication. In many cases, session hijacking begins with a phishing attack that installs a Trojan onto a victim’s device. Victims receive an email with a link to a proxy login page. After the user logs in using their MFA credentials, the session cookie is captured by the hacker and then used to breach the account.
SIM-jacking
SIM-jacking is when a hacker can convince a mobile phone carrier to transfer a victim’s number to their device. They can do this by bribing someone at the carrier or stealing a victim’s personal information. SIM-jacking allows a hacker to intercept any verification prompts intended for the user, and the ease with which this type of attack can be carried out is alarming.
MFA prompt bombing
Criminals know that they’re playing a numbers game. Thousands of account breach attempts take place before success is ever reached. One such brute force method for getting around multi-factor authentication is overloading a victim’s device with incessant verification prompts. This is a technique called MFA prompt bombing.
Sometimes, the person on the receiving end of the prompts will verify the login to make the notifications stop and end the annoyance, thereby giving the criminals a way into the account under siege.
Hackers are meticulous and known to target people who are generally overworked and tasked with receiving and sorting correspondences, bulk emails, etc. They know that overwhelming someone in this position will likely fatigue them into letting them in.
Stolen hardware
Some applications require a USB key or fob to verify usage permission. Such hardware is small and easy to misplace. It’s also easily stolen, as one can snatch a USB key from an unattended laptop while walking by.
Using a hardware key is an excellent way to prevent a hack via the internet, but diligence needs to be practiced regarding the device’s security.
Malware
Some malware variants are specifically designed to break through MFA protocols. One such variant, a banking Trojan called Cerberus, allows hackers to access Google Authenticator and see the code it creates for the intended recipient.
Like many other malware variants, Cerberus can be purchased on the dark web by anyone who desires to employ it.
How to keep hackers at bay
Put the “M” in “MFA”
One of the easiest ways to enhance the effectiveness of MFA is to add more layers of verification. Instead of using a text prompt to authenticate your identity, consider adding an email or phone call to the process. While most agree that placing additional steps between you and your account is inconvenient, that’s precisely the point. With so much opportunity available, hackers are easily discouraged by additional work.
Use hardware and biometric verification
Hardware USB keys and other forms of verification done in the real world are still superior forms of verification. From facial scans to fingerprint readers, these methods are harder to crack.
Avoid SMS-based MFA
Most experts and security researchers urge people to abandon or, at the very least enhance SMS-based MFA methods.
Because of the prevalence of SIM-jacking, social engineering, phishing attacks and the overall vulnerability of text messaging, SMS messages provide flimsy security.
Security questions
Tried and true, a layer of protection that asks a user to answer questions only they would know remains effective in some cases. However, this type of protection is still vulnerable to social engineering attacks, should be impossible for others to guess and should be regularly maintained.
Additional protection
MFA should be part of a more comprehensive security environment that employs virus protection, firewalls, hardware security components, regular employee education, strict adherence to password hygiene and regular updates.
