Up until recently, people believed multifactor authentication (MFA) was foolproof, but hackers are developing methods to bypass it. MFA remains a critical layer of cybersecurity, but users should understand how cybercriminals can exploit it and how to strengthen their strategies.
Types of MFA to Be Aware Of
There are multiple types of MFA that users should be aware of, since hackers bypass each method in different ways.
- Text messages: Organizations send users codes via text message to log in to their accounts.
- Authenticator apps: An organization sends a notification to a separate app that the user previously set up to access their account.
- Security questions: The user selects questions that they must answer correctly to log in to their account.
Methods Hackers Use to Bypass MFA
There are multiple ways for cyberattackers to bypass MFA. Previously, hackers targeted larger companies, but the share has fallen from 50% to 35% since victims now include small businesses. Individual users are also at risk. Here are some methods hackers use to get past MFA.
Phishing and Social Engineering
Social engineering attempts involve tricking users into giving away their credentials, which the hacker then uses to bypass MFA. This method involves direct contact with the account holder, either via phone, email or text. Phishing is a form of social engineering in which cybercriminals claim to be a reputable source that needs their information.
SIM Swapping
SIM swapping occurs when hackers contact the victim’s phone carrier and effectively convince it to redirect texts and calls to a new SIM card. Then, the attacker can receive one-time codes or use other methods to log in to an account via MFA. The first line of defense is the carrier, and cybercriminals are continually developing new techniques to trick these companies.
Session Cookie Hijacking
Session cookie hijacking is when hackers steal session cookies while a user is logged in to their account. Once they log out, the attacker remains connected and never has to sign in again because the browser continues to recognize the user’s device. The criminal then has full access to the account without ever having to go through MFA.
MFA Fatigue
When attackers try to access an account, they sometimes aim to cause MFA fatigue in the user. This tactic occurs when the hacker repeatedly sends MFA authentication codes to someone’s email or phone number until the person gets sick of it and reluctantly agrees to grant access to stop receiving notifications. The cybercriminal now has full admittance.
Brute Force
Brute force is a technique in which attackers randomly enter password combinations and PINs until one works. If the MFA code is a PIN, then hackers can guess it more easily. Some attackers have access to commonly used credentials they could attempt, but a four-digit number is simpler. While this is not a polished method, it can be effective if the user does not set up strong passwords or utilizes weak MFA methods.
Examples of MFA-Related Breaches
There are several real-life examples of MFA-related breaches. One occurred simply because the victims did not have multifactor authentication. A team of experienced hackers infiltrated multiple cloud systems because none of the organizations had MFA set up. While MFA can still be hacked, it is essential to have some form of secondary protection to make it harder for attackers to access accounts without authorization.
Another instance occurred when a group of hackers impersonated reputable companies and gained access to victims’ accounts via single sign-on and MFA codes. They used a tactic called voice phishing, or vishing, in which they made calls pretending to be IT staff and effectively tricked employees.
How to Strengthen MFA Strategy
While users should still have MFA, there are ways to strengthen its effectiveness. The key is to use tactics like deliberately providing incorrect answers to security questions so the hacker cannot figure them out by looking up the victim’s personal information.
To prevent carrier-related incidents, users should choose a provider with a robust security protocol. In phishing, people must learn to identify suspicious emails and phone calls to avoid disclosing sensitive information. One sign is if the hacker mentions a time limit for providing information, like if they say someone has one hour to comply or all their account data will be lost.
Protect Accounts With Robust MFA
MFA is an essential tactic in modern cybersecurity, but it is still hackable if attackers use these methods. Users should audit their own MFA tactics to ensure they are as secure as possible. As threats evolve, it is crucial to stay up to date on the newest attack trends and prepare accounts accordingly.
