How Attackers Break Your Multi-Factor Authentication Protection and 7 Strategies to Protect Yourself

Nov/16/2022

One of the best ways to thwart bad actors from logging in is to enable Multi-Factor Authentication (MFA), a.k.a. Two-Step Login. But attackers are bypassing that protection.

If you know what MFA is, you can skip this paragraph. The most common first step of MFA is for users to enter their username and password. They then receive a text message with a code to complete the login process. Alternatively, the user might have an authenticator app on their phone that provides a code. Another option is a “push” notification asking the user to approve the login through the app; this is sometimes referred to as one-tap login. Other possible factors include approving specific computers, geolocation, USB hardware keys, and biometrics such as fingerprints, facial recognition, and iris scans. There are pros and cons to each.

Summarized steps you can take to help protect yourself from attackers bypassing multi-factor authentication:

= Know how to protect yourself against a thief stealing a phone if MFA uses text or email messages as the second step.
= If supported, instead of a code number from a text message or authenticator app, consider using a USB token, fingerprint, or facial recognition for the second factor.
= Reduce the duration a code is valid. For example, perhaps change the code every 60 seconds so an older code won’t work.
= Limit the number of failed login attempts in a specific period.
= Implement web content filtering to help protect users from being exposed to fake login screens.
= Limit logins to specific countries.
= If users primarily use the same device, restrict logins to specific devices.
= Train users to beware of fraudulent login prompts.

Please see the details below:

If MFA sends a text message to a stolen phone, the thief might see the text message. For websites or services that only support text messages for the second step, consider investing in an inexpensive flip phone with a different phone number to receive text messages. Similarly, if MFA involves an email, and the thief can easily access your email on the stolen phone, it defeats the purpose of MFA. Therefore, if you set up the two-step login with email as the second step, use an email address that requires some other form of authentication on the phone to access email messages. Ensure email messages do not pop up on the preview screen when received.

Another way attackers bypass MFA:
Step 1: Trick the user into clicking a link that takes the user to a fake login screen for Microsoft 365, LinkedIn, or any other valuable site.
Step 2: The user enters their username and password into the fake login form. Now the attacker knows the user’s login name and password.
Step 3: The attacker’s computer pulls up the genuine login form and enters the username and password the victim just provided.
Step 4: The legitimate website sends the user the text message, sends a push notification, or performs another second factor the user is used to. The user expects this, and the process seems normal to them.
Step 5: The attacker can create a fake form for the user to enter the code from their text message or app. When the victim enters the data, the attacker’s computer inserts the data into the genuine website. If the user received a push notification, they could approve the login because the user believes they are indeed logging into the site.
Step 6: The attacker is logged in and has the user’s full access. The attacker needed no previous knowledge of the user’s username, password, or text key.

One strategy to fight this kind of attack is to use a second factor that isn’t a typed code. For example, a user doesn’t need to enter a code if the second factor is a fingerprint or a USB token plugged into the computer. The user cannot type that information into a fraudulent login screen, so there is nothing for the fake form to capture and relay.

Another common strategy for defending against MFA bypass is to reduce the time an OTP (One Time Password) code remains valid before the user must request a new text message or generate a new code in the authenticator app. Shorter expiration times mean the attacker must use the stolen credentials and second factor to log in more quickly, before the captured code stops working.

Another strategy, slightly less effective on its own but useful in combination with the others, is to limit the number of failed login attempts within a period. An example rule: if there are three failed login attempts for a user account in a row within five minutes, lock the account so that no further login attempts are accepted for ten minutes.

A useful cybersecurity control that is underutilized is conditional access by country. If your users will always log in from specific countries, block logins from all other countries. That will make it more difficult for foreign adversaries to compromise your users’ accounts. Identifying a user’s location is sometimes referred to as geolocation.
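The lockout rule and the country allow list from the two paragraphs above, implemented together as a small login policy. This is an added example, not code from the original article; the user names, timestamps, and the allowed-country set are constructed assumptions.

```python
# Added example (not the article's own code): a login-attempt policy that applies the two
# defensive rules above: three failures within five minutes lock the account for ten minutes,
# and logins from countries outside an allow list are refused. All data below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3
FAILURE_WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=10)
ALLOWED_COUNTRIES = {"US", "CA"}  # assumption: the countries this organisation's users log in from

class LoginPolicy:
    def __init__(self):
        self._failures = defaultdict(list)  # user -> timestamps of recent failed attempts
        self._locked_until = {}             # user -> time the lockout ends

    def evaluate(self, user, country, password_ok, now):
        """Return 'ALLOW', 'DENY_COUNTRY', 'DENY_LOCKED' or 'DENY_PASSWORD'."""
        # Country check first: a request from a blocked region never reaches the password step.
        if country not in ALLOWED_COUNTRIES:
            return "DENY_COUNTRY"
        # Honour an active lockout even when the supplied password is correct.
        if user in self._locked_until and now < self._locked_until[user]:
            return "DENY_LOCKED"
        if password_ok:
            self._failures[user].clear()  # a success ends the consecutive-failure streak
            return "ALLOW"
        # Keep only failures inside the five-minute window, then count this one.
        recent = [t for t in self._failures[user] if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            self._failures[user] = []
        return "DENY_PASSWORD"

def run_sample():
    """Replay a constructed sequence of attempts against one account."""
    t0 = datetime(2022, 11, 16, 9, 0, 0)
    policy = LoginPolicy()
    attempts = [
        (t0, "alice", "US", False),
        (t0 + timedelta(minutes=1), "alice", "US", False),
        (t0 + timedelta(minutes=2), "alice", "US", False),  # third failure: lock for 10 minutes
        (t0 + timedelta(minutes=3), "alice", "US", True),   # correct password but still locked
        (t0 + timedelta(minutes=13), "alice", "US", True),  # lockout expired, login allowed
        (t0 + timedelta(minutes=14), "alice", "ZZ", True),  # "ZZ": constructed code for a blocked country
    ]
    return [policy.evaluate(user, country, ok, when) for when, user, country, ok in attempts]
```

Note that the lockout is enforced before the password is checked, so a correct password during the lockout window is still refused and does not reveal whether the credential was right.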

Another method to bypass MFA is to use social engineering to trick the user into disclosing their username, password, and code or another second factor. A typical example is for a bad actor to contact a user, impersonate a technical support person, and ask the user to provide the information to help prevent some fake problem that doesn’t exist. Some trusting users walk the attacker through the login process, bypassing the protection of MFA.

Another strategy bad actors use is called MFA fatigue. The attacker makes so many login attempts that the user tires of receiving push notification alerts. The fatigued user approves a login just to silence their phone, and the attacker is in the system.

Attackers could use SIM swapping to reroute calls and text messages to their own phones. Therefore, text messages and callback calls can be less secure than other second factors. However, many sites only offer those two options.

As your IT team can tell you, there are more technical ways for attackers to bypass MFA, such as person-in-the-middle attacks that relay traffic through a proxy. Another strategy is to capture authentication cookies or session tokens, which let an attacker reuse a session that has already passed the MFA step. Authentication can also rely on digital key values that must be kept secret inside servers; if attackers get access to those keys, they can gain access.

Your IT Team can implement some form of web content filtering and configure it to block communications with known malicious sites and attacker command-and-control servers. This isn’t perfect because attackers frequently change command servers, but it helps.

Using SSO (Single Sign On) reduces the number of opportunities an attacker has to trick the user. Of course, the flip side is that if an attacker successfully gains access to the single sign-on, the attacker won’t need any other credentials to access everything the user can access.

User training is essential, as is keeping the computer safe.

As you can see, using MFA does not mean your authentication process is secure. Whenever a new security control is invented, someone finds a way to break it. The strategies above will help you be more secure.

Alert your friends to some of the ways attackers can bypass MFA. They might decide to consider using USB keys, biometrics, or cryptographic codes stored in a computer or hardware.