Defense Against Multi-Factor Authentication Attacks
You can never be too cautious with your personal information online. As cyberattacks become more and more common, protecting your data is increasingly difficult. In fact, a study from Juniper Research found that by 2023, cybercriminals are expected to steal an estimated 33 billion records.
In response to the growing number of cyberattacks, many companies are utilizing multi-factor authentication (MFA) to enhance their cybersecurity and protect against phishing attacks. Although MFA can add an extra layer of security to protect your online accounts, cybercriminals may still be able to bypass this security measure.
Multi-Factor Authentication is Effective
MFA adds a layer of security that allows companies to prevent credentials from being compromised. Through this method, users must confirm their identity by providing extra information (e.g., a phone number or unique security code) when attempting to access corporate applications, networks, and servers.
Although MFA can reduce certain cybersecurity risks, no MFA solution is unhackable. This is not to say that you should not utilize MFA. It is still very effective at reducing certain hacking risks and should be used anywhere where secure authentication is needed.
However, MFA can only stop certain types of authentication attacks. According to KnowBe4, there are more than 12 ways to bypass MFA and 48% of cybersecurity breaches are not preventable by strong MFA. Additional cybersecurity measures are needed in order to ensure your information is secure.
Types of Cyberattacks on Multi-Factor Authentication
There are several scenarios that allow hackers to bypass MFA. A security advisory created by the U.S. Federal Bureau of Investigation documented attempts by cybercriminals to circumvent common MFA systems. These combine social engineering attacks on MFA users with technical attacks on the organization:
- In 2016, customers of a U.S. banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack technique called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him with information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask the full set of security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
- Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack, SIM swapping, as a common tactic from cybercriminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
- MFA fatigue is a technique used by scammers wherein they bombard a user’s authentication app with a barrage of push notifications. The scammers hope that the user will accept a push notification in order to put a stop to the flood. The moment the user does so, the attacker’s pending sign-in is approved and they have access to your information. MFA users may not realize that they are approving a fraudulent notification. Only approve MFA notifications for sign-ins that you initiated yourself.
- SMS-based man-in-the-middle attacks. The weakness of SMS one-time passcodes has to do with how easily hackers can compromise smartphones and assign the phone number to a device under their control. This can be done by convincing a cellular customer service agent to reassign a phone number or by using an easily accessible commercial service to gain access to a cellular account and reroute SMS messages.
- Pass-the-cookie attacks. This attack leverages browser cookies and sites that store authentication details in the cookie. Cookies allow users to remain signed in to their applications. However, if a hacker can extract that cookie data, they can take over your account.
Learn more about hacking techniques that can bypass MFA here.
Defending Against MFA Attacks
While certain cyberattacks can circumvent MFA, it is still an essential component of a cybersecurity defense system. Microsoft offers several pieces of advice on how to bolster your current MFA.
- Enable conditional access policies. Conditional access policies are evaluated and enforced every time an attacker attempts to use a stolen session cookie, not only at sign-in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as compliant-device or trusted-IP-address requirements.
- Invest in advanced anti-phishing solutions that monitor and scan incoming emails and visited websites. For example, organizations can leverage web browsers that can automatically identify and block malicious websites.
- KnowBe4’s Data-Driven Defense Evangelist, Roger A. Grimes, keeps a regularly updated list of phishing-resistant MFA solutions here.
- Continuously monitor for suspicious or anomalous activities:
  - Hunt for sign-in attempts with suspicious characteristics (for example, location, ISP, user agent, or use of anonymizer services).
  - Hunt for unusual mailbox activities, such as the creation of Inbox rules with suspicious purposes or unusually high volumes of mail item access events from untrusted IP addresses or devices.
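The two hunting bullets above, plus the MFA fatigue pattern described earlier, translate directly into detection rules. The script below is an added example, not from the article or from any SIEM product. The event format is a hypothetical simplified JSON-lines shape with assumed field names, and the log lines, the anonymizer ISP denylist, the per-user country baseline and the fatigue threshold are all constructed for the example.

```python
"""Three hunting rules over constructed sign-in and mailbox audit events.

Added example (not from the article or any vendor). Event shape and field
names are assumptions; the sample log and baselines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMIZER_ISPS = {"tor-exit", "anon-vpn-co"}            # constructed denylist
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}}  # constructed per-user baseline
FATIGUE_WINDOW = timedelta(minutes=10)
FATIGUE_THRESHOLD = 4   # denied/timed-out pushes before an approval that we call a storm

SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:00Z","type":"signin","user":"alice","result":"mfa_denied","isp":"tor-exit","country":"NL","ua":"python-requests/2.31"}
{"ts":"2024-03-01T08:00:20Z","type":"signin","user":"alice","result":"mfa_timeout","isp":"tor-exit","country":"NL","ua":"python-requests/2.31"}
{"ts":"2024-03-01T08:00:40Z","type":"signin","user":"alice","result":"mfa_denied","isp":"tor-exit","country":"NL","ua":"python-requests/2.31"}
{"ts":"2024-03-01T08:01:00Z","type":"signin","user":"alice","result":"mfa_timeout","isp":"tor-exit","country":"NL","ua":"python-requests/2.31"}
{"ts":"2024-03-01T08:01:30Z","type":"signin","user":"alice","result":"mfa_approved","isp":"tor-exit","country":"NL","ua":"python-requests/2.31"}
{"ts":"2024-03-01T08:05:00Z","type":"inbox_rule_created","user":"alice","name":".","actions":["forward:ext@mail.example","delete"],"isp":"tor-exit"}
{"ts":"2024-03-01T09:00:00Z","type":"signin","user":"bob","result":"mfa_approved","isp":"home-isp","country":"CA","ua":"Mozilla/5.0"}
{"ts":"2024-03-01T09:30:00Z","type":"signin","user":"bob","result":"mfa_denied","isp":"home-isp","country":"CA","ua":"Mozilla/5.0"}
{"ts":"2024-03-01T09:31:00Z","type":"signin","user":"bob","result":"mfa_approved","isp":"home-isp","country":"CA","ua":"Mozilla/5.0"}
{"ts":"2024-03-01T10:00:00Z","type":"inbox_rule_created","user":"bob","name":"Newsletters","actions":["move:Archive"],"isp":"home-isp"}
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def hunt_suspicious_signins(events):
    """Successful sign-ins whose ISP, country or user agent is out of profile."""
    findings = []
    for e in events:
        if e["type"] != "signin" or e["result"] != "mfa_approved":
            continue  # failures are handled by the fatigue rule below
        reasons = []
        if e["isp"] in ANONYMIZER_ISPS:
            reasons.append("anonymizer-isp")
        if e["country"] not in KNOWN_COUNTRIES.get(e["user"], set()):
            reasons.append("new-country")
        if not e["ua"].startswith("Mozilla/"):
            reasons.append("non-browser-agent")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


def hunt_mfa_fatigue(events):
    """An approval preceded by >= FATIGUE_THRESHOLD denied/timed-out pushes in the window."""
    findings = []
    recent = defaultdict(list)  # user -> timestamps of recent denied/timed-out pushes
    for e in events:
        if e["type"] != "signin":
            continue
        u, t = e["user"], e["ts"]
        recent[u] = [x for x in recent[u] if t - x <= FATIGUE_WINDOW]
        if e["result"] in ("mfa_denied", "mfa_timeout"):
            recent[u].append(t)
        elif e["result"] == "mfa_approved" and len(recent[u]) >= FATIGUE_THRESHOLD:
            findings.append((u, t.isoformat(), len(recent[u])))
            recent[u].clear()
    return findings


def hunt_inbox_rules(events):
    """Rules that hide or divert mail: blank/punctuation names, forwarding, deletion."""
    findings = []
    for e in events:
        if e["type"] != "inbox_rule_created":
            continue
        reasons = []
        if not e["name"].strip(" ."):
            reasons.append("unnamed-rule")
        for action in e["actions"]:
            if action.startswith("forward:"):
                reasons.append("forwards-mail")
            if action == "delete":
                reasons.append("deletes-mail")
        if e["isp"] in ANONYMIZER_ISPS:
            reasons.append("created-from-anonymizer")
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), reasons))
    return findings


def run_hunts(text=SAMPLE_LOG):
    events = parse_events(text)
    return {"signins": hunt_suspicious_signins(events),
            "fatigue": hunt_mfa_fatigue(events),
            "inbox_rules": hunt_inbox_rules(events)}


if __name__ == "__main__":
    for rule, hits in run_hunts().items():
        for hit in hits:
            print(rule, hit)
```

On the constructed log, alice's approval at 08:01:30 trips all three sign-in checks and the fatigue rule (four refused pushes in ninety seconds, then an approval), and the inbox rule named "." that forwards and deletes mail trips the mailbox rule; bob's single denied push followed by an approval stays under the threshold, which is the false-positive case a fatigue rule has to tolerate.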
Choice Bank is committed to providing you with up-to-date resources to help you stay informed. Check out our cybersecurity resource page for more tips, trends, and current events.