Is MFA the perfect security solution?
No.
So MFA can be beaten?
Yes, it can.
Interesting… how?
Nine different ways… and counting.
1. MFA Prompt Bombing
One of the simplest methods exploits the push-notification feature of modern authenticator apps. An attacker who already holds a valid password starts login attempts over and over, each of which sends an MFA prompt to the legitimate user's phone. The aim is to wear the user down, or to catch them at a moment when a prompt looks expected, until they tap Approve. It only works where a single tap approves the login: number matching, where the user must type a code displayed on the login screen, removes the accidental-approval path. A burst of denied or unanswered prompts for one account is also a strong signal in its own right that the password is already compromised.
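As an added example (not part of the original article), here is the kind of detection logic a security operations team might run over authentication logs to spot prompt bombing. The log lines, their space-separated layout and the event names `push_denied`, `push_timeout` and `push_approved` are all constructed for this example; real identity providers export richer, vendor-specific fields. The ten-minute window and the threshold of four are tuning assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. The "<ISO-8601 ts> <user> <event> <src_ip>" layout and the
# event names are assumptions for this example, not any vendor's real export format.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice push_denied 203.0.113.10
2024-03-01T08:00:40Z alice push_timeout 203.0.113.10
2024-03-01T08:01:12Z bob push_approved 198.51.100.7
2024-03-01T08:01:30Z alice push_denied 203.0.113.10
2024-03-01T08:02:05Z alice push_timeout 203.0.113.10
2024-03-01T08:02:50Z alice push_denied 203.0.113.10
2024-03-01T08:03:20Z alice push_approved 203.0.113.10
2024-03-01T09:30:00Z bob push_timeout 198.51.100.7
2024-03-01T09:45:00Z bob push_approved 198.51.100.7
"""

UNANSWERED = {"push_denied", "push_timeout"}  # pushes the user did not approve
WINDOW = timedelta(minutes=10)                 # tuning assumptions for this example
THRESHOLD = 4


def parse_events(log_text):
    """Parse the constructed format into (ts, user, event, src_ip) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, src_ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, event, src_ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_prompt_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, ts, src_ip) tuples.

    'burst': the number of unanswered pushes for a user inside `window` reached
    `threshold`. On its own this already says the password is probably compromised.
    'approved_after_burst': an approval arrived while a burst was still open. This is
    the one that needs an immediate response, because it is the attacker getting in.
    """
    recent = defaultdict(deque)  # user -> timestamps of unanswered pushes inside the window
    burst_open_until = {}        # user -> time until which an approval counts as suspicious
    alerts = []
    for ts, user, event, src_ip in parse_events(log_text):
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes that have aged out of the window
            q.popleft()
        if event in UNANSWERED:
            q.append(ts)
            if len(q) >= threshold:
                burst_open_until[user] = ts + window
                if len(q) == threshold:   # alert once, as the count crosses the line
                    alerts.append((user, "burst", ts, src_ip))
        elif event == "push_approved":
            deadline = burst_open_until.get(user)
            if deadline is not None and ts <= deadline:
                alerts.append((user, "approved_after_burst", ts, src_ip))
            q.clear()                     # a login completed; start counting afresh
            burst_open_until.pop(user, None)
    return alerts


if __name__ == "__main__":
    for user, kind, ts, src_ip in detect_prompt_bombing(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {kind} from {src_ip}")
```

On the sample this raises two alerts for alice, the burst at 08:02:05 and the approval at 08:03:20 that followed it, and nothing for bob, whose single timeout is ordinary. The second alert kind is the one worth paging on: a burst alone means "reset the password", a burst followed by an approval means "revoke the session now".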
2. Service Desk Social Engineering
Social engineering comes into play when attackers call the service desk posing as a user who has forgotten a password or lost the phone holding their authenticator. If agents do not enforce a robust identity-verification procedure before resetting a password or re-enrolling MFA, a single phone call is enough to have the second factor removed, or pointed at a device the attacker controls.
3. Adversary-in-the-Middle (AITM) Attacks
AITM attacks trick the user into logging in through a fraudulent site that sits between them and the real service. The attacker's proxy relays the password and the one-time code to the genuine site in real time, so the login succeeds from the victim's point of view, while the attacker captures the session cookie the real site issues at the end. Because the MFA challenge is completed by the legitimate user, the attacker never has to defeat it; this is the "2FA pass-on" technique, and one-time codes and push approvals can all be relayed this way. Only authenticators that bind the login to the site's real origin, such as FIDO2/WebAuthn security keys and passkeys, refuse to answer a challenge presented through a proxy.
4. Session Hijacking
Session hijacking delivers the same outcome by a different route. Once a user has completed MFA, the service issues a session token or cookie, and from then on that token alone proves who they are until it expires. An attacker who steals the token, from the browser, from a proxy or over an unprotected connection, presents it as the authenticated user and is never asked for a second factor.
5. Endpoint Compromise
Malware on the endpoint gives an attacker everything the browser has: it can lift session cookies from the browser's store, open its own hidden sessions with them, and read or alter account-recovery settings. If recovery routes such as password-reset email links or backup codes are captured, the attacker can regain access long after the original session has expired or been revoked.
6. SIM Swaps
Much MFA still uses the mobile phone as the possession factor, via codes sent by SMS or voice call. In a SIM-swap attack the attacker persuades the mobile provider to move the victim's number onto a SIM they control, after which every SMS code and verification call goes to the attacker's handset instead of the victim's. Codes generated on the device by an authenticator app are not affected, since they never cross the mobile network.
7. Exporting Generated Tokens
Attackers may instead go after the back-end systems that generate and validate MFA tokens, or the vendor that provisions them. A time-based code is computed from nothing more than a shared secret (the "seed") and the current time, so anyone who exports the seeds, whether by compromising the server or through a malicious insider, can compute valid codes for every enrolled user without ever touching their devices. The same applies to insiders in a position to hand over or approve session tokens directly.
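To make concrete why a stolen seed is a complete bypass, here is an added example (not code from the original article) implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, together with the server-side verification a service would perform. The seed is the RFC 6238 reference test seed, used only as a test vector; the function names and the replay check are this example's own, not any product's API.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.

    The only inputs are the seed and the time. Nothing about the enrolled phone,
    its hardware or its location takes part, which is the whole point of this example.
    """
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server-side check. Returns the accepted counter, or None.

    Accepts the current step and `skew` steps either side to absorb clock drift, and
    refuses any counter at or below the one last accepted, so a code an attacker has
    already observed cannot be replayed. Note what it cannot do: it has no way to tell
    a code from the real authenticator app from one computed with an exported seed.
    """
    base = unix_time // step
    for counter in range(base - skew, base + skew + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter, digits), code):
            return counter
    return None


# RFC 6238 Appendix B reference seed, used here purely as a test vector. An exported
# production seed would play exactly the same role.
RFC_SEED = b"12345678901234567890"


def attacker_code_is_accepted(seed: bytes, unix_time: int) -> bool:
    """The attacker holds a copy of the seed exported from the back end and computes a
    code from their own clock; the server accepts it because the seed is the only secret."""
    attacker_code = totp(seed, unix_time)
    return verify_totp(seed, attacker_code, unix_time) is not None


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("code from exported seed:", totp(RFC_SEED, now))
    print("accepted by server:", attacker_code_is_accepted(RFC_SEED, now))
```

The replay check in `verify_totp` is worth having regardless (it stops a code shoulder-surfed or phished a moment ago from being reused within the same step), but it does nothing against seed theft: every future code is derivable, so the only remedy after a back-end compromise is to re-seed every token.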
8. Exploiting SSO (Single Sign-On)
SSO, while convenient for users, concentrates risk: a compromised password that gets the attacker through the identity provider's login opens every application that trusts it. Where MFA is enforced only by some downstream applications, or not at the identity provider itself, the attacker rides the SSO session into applications that would have demanded a second factor had they been accessed directly.
9. Finding Technical Deficiencies
MFA products, like any software, have bugs. A vulnerability disclosed through a security advisory gives attackers a window in which the second factor can be circumvented until the fix is deployed, which is why authentication infrastructure should be patched as promptly as anything else exposed to the internet.
In conclusion, while MFA significantly improves security, organisations must remain vigilant and proactive. Combining MFA with robust password policies, user education and regular security audits creates a more resilient defence against these circumvention attempts, and understanding the methods above is the foundation for deciding where to strengthen your own posture.
So why use MFA?
Even with the methods listed above, it is still FAR more effective to have MFA in place than to rely on passwords alone. Just as a weak password is an easy gateway for an attacker to start working on your MFA protection layer, the absence of MFA gives them free entry once they have managed to get past your password.
A co-ordinated and resilient approach is required at all layers of your security to help protect your account.
How do I keep my account safe?
Mindfulness and attention to your own security. Many of the angles of attack above depend on something you do or fail to do, and those are the ones seen most often in practice, so you have real influence over the majority of them.
If you receive prompts asking you to approve an MFA login and you are not 100% sure you triggered them, DO NOT accept them. Then change the password on that account: the likelihood is that it has been compromised, and the attacker is now trying to get through the next stage.
When entering authentication details into a web page, make sure it is what it purports to be: is the URL exactly right, with no slightly "off" spelling, and does the address bar show the padlock? Bear in mind that the padlock only tells you the connection is encrypted; phishing sites routinely have valid certificates too, so the domain name is the check that matters.
Be especially careful with, or avoid altogether, public Wi-Fi for logging into sensitive accounts, where AITM attacks are more easily staged.
Keep your endpoint protection up to date and working properly. Whatever antivirus platform you use, make sure it is able to operate at its best.
And be nice to your tech support. All those questions they ask, and the confirmations they need before changing passwords or clearing MFA, are required for YOUR protection. So understand when they need to verify who you are, or do something in a particular way, to keep things secure.
Don't wear them down or try to make them sidestep any security protocol; keep them fresh for when they have to do the same to someone trying to access your account illegitimately.
Summary
If you are having problems with your MFA or would like to talk to one of our experts contact us by clicking the button below and book your free 30 minute chat with us!!