Understanding Multi-Factor Authentication and Potential Security Risks


Multi-factor authentication (MFA) is a security measure that adds an extra layer of protection beyond just a username and password. It requires users to provide multiple verification factors to gain access to an account. This significantly reduces the risk of unauthorized access, even if your password is compromised.

Types of Authentication Factors

Multi-factor authentication requires the verification of two or more factors to authenticate an identity.

The three categories of authentication factors are:

Knowledge-Based Factors: Authentication elements only you as the owner of your identity would know. This may include an additional password (beyond the initial login sequence), a personal identification number (PIN), or an additional security question (e.g., what street you grew up on, the name of your first pet).

Possession-Based Factors: Authentication elements only you as the owner of your identity would possess. This typically consists of an additional device (e.g., mobile phones, tablets). Security keys, tokens, or cards are also used in higher security environments.

Inherence-Based Factors: Authentication elements only verifiable with your own body. Inherence-based factors may include fingerprints, thumbprints, or handprints. They may also include facial recognition, eye-recognition (via retina or iris scans), or voice recognition.

Attacks are becoming increasingly sophisticated, challenging even robust security measures. Multi-factor authentication (MFA) has long been regarded as one of the most effective ways to protect accounts and sensitive information. However, attackers have found practical ways to get past MFA, leaving users and organizations exposed when they assume the second factor alone settles the matter.

Let's explore how attackers bypass MFA.

1. Session Hijacking

Once MFA succeeds, the server issues the browser a session cookie or token that stands in for the completed authentication on every later request. Attackers therefore go after those cookies and tokens stored on the user's device: whoever presents a valid session cookie is treated as the logged-in user, so stealing one skips both the password and the MFA step entirely.

How Attackers Launch Session Hijacking Attacks?

Sniffing Network Traffic: Attackers can use packet sniffing tools on unencrypted Wi-Fi networks to capture data flowing between your device and the website, including the session cookie that identifies your login. This only works when the cookie travels over plain HTTP, which is why sites should serve everything over HTTPS and mark the cookie Secure so the browser never sends it unencrypted.

Cross-Site Scripting (XSS): Attackers can inject malicious scripts into websites you visit. A script can read any cookie that is not flagged HttpOnly and ship it off with a single request, or redirect you to a fake login page that captures your credentials.

Session Prediction: If session identifiers are short, sequential, or derived from guessable values such as a timestamp or the username, an attacker can predict a valid one. Identifiers drawn from a cryptographically secure random generator with at least 128 bits of entropy make this impractical.

Session Fixation: If a site accepts a session ID supplied by the client and keeps using it after login, an attacker can plant a known ID (for example through a crafted link) and wait. When you log in carrying that ID, it becomes an authenticated session the attacker already holds. The fix is server-side: issue a fresh session ID at the moment of authentication.

How to Prevent Session Hijacking Attacks?

Beware of Public Wi-Fi: Avoid using unencrypted public Wi-Fi networks for sensitive activities like online banking or accessing financial accounts. If you must use public Wi-Fi, consider using a VPN (Virtual Private Network) to encrypt your internet traffic.

HTTPS is Your Friend: When logging into websites, make sure the address bar displays "HTTPS" instead of just "HTTP". The "S" indicates a secure connection with encryption, making it much harder for attackers to sniff your data.

Log Out Properly: Don't just close the browser window when you're done with a website. Always log out explicitly, especially on shared or public computers.

Keep Software Updated: Regularly update your operating system, web browser, and other software to patch security vulnerabilities that attackers might exploit.

Be Wary of Links and Attachments: Don't click on suspicious links or open attachments from unknown senders. Phishing emails are a common way for attackers to trick you into revealing your login credentials or clicking malicious links that could compromise your device.
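The user-side advice above has a server-side counterpart, and it is worth seeing the four theft vectors and their controls in one place. The following is an added example, not code from the original article: a minimal in-memory session store with high-entropy identifiers (against prediction), identifier rotation on login (against fixation), Secure/HttpOnly/SameSite cookie flags (against sniffing and XSS theft), and explicit server-side invalidation (what "log out properly" actually buys you). The class and function names are made up for the illustration.

```python
import secrets
import time

# Added example, not code from the original article. A minimal server-side
# session store showing the controls that defeat the four theft vectors above:
# high-entropy identifiers (prediction), rotation on login (fixation), cookie
# flags (sniffing and XSS) and server-side invalidation (logout). Names such
# as SessionStore and build_cookie are made up for this illustration.
SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG: guessing is hopeless


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": str | None, "created": float}

    def new_session(self):
        """Anonymous pre-login session with a random identifier."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "created": time.time()}
        return sid

    def login(self, presented_sid, username):
        """Authenticate and ROTATE the identifier.

        Whatever id the browser presented before login is discarded, so an id
        an attacker planted (session fixation) never becomes authenticated.
        Any pre-login state worth keeping (a shopping cart, say) would be
        copied across here.
        """
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_sid] = {"user": username, "created": time.time()}
        return new_sid

    def user_for(self, sid):
        """Resolve a cookie value to a user, or None if unknown/expired."""
        data = self._sessions.get(sid)
        return data["user"] if data else None

    def logout(self, sid):
        """Invalidate on the server. Closing the tab leaves the cookie live
        until it expires; this does not."""
        return self._sessions.pop(sid, None) is not None


def build_cookie(sid, max_age=3600):
    """Set-Cookie value for the session id.

    Secure   : never sent over plain HTTP, so a Wi-Fi sniffer sees nothing.
    HttpOnly : invisible to document.cookie, so an XSS payload cannot read it.
    SameSite : not attached to cross-site requests (also blunts CSRF).
    __Host-  : prefix makes browsers enforce Secure, Path=/ and no Domain.
    """
    return (f"__Host-session={sid}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def fixation_demo():
    """Attacker plants an id, victim logs in carrying it. Returns what each
    party can do afterwards."""
    store = SessionStore()
    planted = store.new_session()                 # attacker obtains this id
    victim_sid = store.login(planted, "alice")    # victim authenticates with it
    return {
        "attacker_id_authenticated": store.user_for(planted) is not None,
        "victim_authenticated": store.user_for(victim_sid) == "alice",
        "id_rotated": planted != victim_sid,
    }


if __name__ == "__main__":
    print(fixation_demo())
    print(build_cookie("<random-id>"))
```

Run it and the planted identifier comes back unauthenticated while the victim's rotated identifier works; swap the rotation out of login() and the attacker's copy becomes a live session, which is the fixation bug in one line.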

In 2021, CVS Health, one of the largest pharmacy chains in the U.S., had a cloud database of more than a billion records left reachable without authentication. The records were exposed through a misconfiguration rather than through hijacked accounts, but they reportedly included visitor and session identifiers alongside website search terms, precisely the kind of data that makes session hijacking easier when it leaks.

2. SIM Swapping

SIM swapping involves convincing a mobile carrier to transfer a victim's phone number to a SIM card controlled by the attacker. Once the number moves, every SMS one-time code and voice-call verification meant for the victim arrives on the attacker's device, and password-reset flows that fall back to the phone number fall with it.

How Attackers Launch SIM Swapping Attacks?

SIM swapping attacks involve social engineering and exploiting weaknesses in mobile carrier procedures. Here's a breakdown of how they typically occur:

Information Gathering: Attackers gather your personal details like name, address, date of birth, and potentially even the last four digits of your Social Security number. This information can be obtained through various means:

Phishing Attacks: Deceptive emails or messages designed to trick you into revealing personal information or clicking malicious links.

Social Media Scraping: Attackers might gather information from your public social media profiles or exploit data breaches.

Buying Information: Personal details are sometimes sold illegally on the dark web.

Social Engineering the Carrier: With the stolen information, attackers impersonate you by contacting your mobile carrier. They might claim the phone was lost or stolen, that the SIM card is damaged, or that the number needs to move to a new device (one they control). Urgency, a plausible story, and a few accurate personal details are often enough to convince the representative.

Porting Out Your Number: Once the carrier is persuaded, it deactivates your original SIM and activates the attacker's SIM with your phone number (or ports the number to another carrier). Your handset drops to "no service", which is often the first and only warning, and every service tied to the number now reaches the attacker instead of you.

How to Prevent SIM Swapping Attacks?

Be Wary of Unsolicited Calls or Messages: If your mobile carrier contacts you about SIM swaps you didn't initiate, be cautious and verify the request directly with the carrier through a trusted phone number listed on their website.

Add a PIN or Password to your Account: Many carriers offer the option to set a PIN or password that needs to be provided before approving SIM swaps. This adds an extra layer of security.

Limit Account Linking to Phone Number: Avoid linking critical accounts (banking, social media) solely to phone number verification. Use security keys or authentication apps for stronger MFA (Multi-Factor Authentication).

Consider eSIM (embedded SIM): Where your carrier offers it, an eSIM cannot be physically removed or swapped out of a stolen handset. It does not, however, stop a carrier-side swap: if a representative is socially engineered, the number can be moved to an eSIM on the attacker's device just as easily, so the account PIN and a port-out freeze remain the controls that matter.

Be Mindful of Social Media Sharing: Avoid sharing personal details like birthdates or addresses publicly online, as this information can be valuable to attackers trying to impersonate you.

Report Suspicious Activity: If you suspect your SIM has been swapped, contact your mobile carrier immediately to report it and regain control of your number.

In 2019, SIM swapping attacks targeted cryptocurrency investors. Attackers hijacked victims' phone numbers, bypassed SMS-based MFA on exchange and wallet accounts, and drained cryptocurrency worth millions of dollars.

3. Adversary-in-the-Middle (AiTM) attack aka MitM attack

AiTM phishing uses a deceptive website that acts as a reverse proxy between the user and the real site: every page the victim sees is fetched live from the legitimate service and relayed back, so the password prompt and the MFA prompt (SMS code, OTP or push) are the genuine ones, merely served from the attacker's domain. The attacker forwards the password and the MFA code to the real site, completes the login, and captures the session cookie the site returns. Injecting that cookie into their own browser lets them use the account without authenticating again, even though MFA is enabled. Because the victim genuinely completes MFA, any code the victim can type can be relayed; only factors bound to the site's origin, such as FIDO2/WebAuthn security keys, fail when the browser is on the proxy's domain.

How Attackers Launch AiTM Attacks?

Attackers position themselves in the middle in several ways. For AiTM phishing the usual route is simply a link to the proxy domain in a phishing email or message. The network-level techniques below are also used, though against a site served properly over HTTPS they produce a certificate warning rather than silent interception:

Unsecured Wi-Fi Networks: Public Wi-Fi networks without proper encryption are prime targets. Attackers can set up fake Wi-Fi hotspots or exploit vulnerabilities in existing ones to intercept traffic.

ARP Spoofing: On a shared local network, the attacker's machine answers ARP requests claiming the gateway's IP address, so your device sends its traffic to the attacker, who reads or alters it and forwards it on.

DNS Spoofing: Attackers return forged DNS answers (or tamper with a resolver or hosts file) so that the legitimate hostname resolves to a server they control, which serves a look-alike login page and harvests your credentials.

How to Protect Yourself from AiTM Attacks?

Avoid unencrypted Wi-Fi: Use a VPN (Virtual Private Network) on public Wi-Fi to encrypt your internet traffic.

Look for HTTPS, then read the domain: When accessing websites, ensure the address bar shows "HTTPS" (or the padlock) rather than plain "HTTP". The padlock proves the connection to the domain shown is encrypted; it does not prove that domain is the one you meant. AiTM proxy sites carry valid certificates for their own look-alike domains, so the domain name itself is the thing to check.

Use strong, unique passwords with a password manager: A manager autofills only on the exact domain it saved, so a login form that stays blank on a look-alike domain is a warning sign. Password strength on its own does nothing against a proxy that relays whatever you type.

Be cautious with links and attachments: Don't click on suspicious links or open attachments from unknown senders. Phishing emails are a common way for attackers to trick you into revealing sensitive information or clicking malicious links that could compromise your device.

Keep software updated: Regularly update your operating system, web browser, and other software to patch security vulnerabilities that attackers might exploit.
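The difference between a relayable factor and an origin-bound one, which is the point of the proxy description above and of the advice to read the domain, is easiest to see as a scripted exchange. The following is an added example, not code from the original article or any product: the TOTP implementation follows RFC 6238, while the "assertion" stands in for a WebAuthn/FIDO2 signature and uses an HMAC keyed by a per-site credential secret instead of a real key pair (a simplification). The domains, the shared secret and the fixed challenge are constructed.

```python
import base64
import hashlib
import hmac
import struct

# Added example, not from the original article: an AiTM proxy relaying two
# kinds of second factor. TOTP is real RFC 6238; the origin-bound assertion is
# an HMAC stand-in for a WebAuthn signature. All names/secrets are constructed.
LEGIT_ORIGIN = "https://login.example.com"           # the real site
PHISH_ORIGIN = "https://login.example-secure.com"    # attacker's reverse proxy
TOTP_SECRET = "JBSWY3DPEHPK3PXP"                     # shared with the user's app
CREDENTIAL_SECRET = b"per-site-credential-secret"    # stands in for a FIDO key pair


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 time-based one-time password over HMAC-SHA1."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _bind(challenge, origin):
    """What the authenticator 'signs': the RP's challenge AND the origin the
    browser reports. In WebAuthn this is the signature over clientDataJSON."""
    return hmac.new(CREDENTIAL_SECRET, f"{challenge}|{origin}".encode(),
                    hashlib.sha256).hexdigest()


class RelyingParty:
    """The real site."""

    def __init__(self, origin):
        self.origin = origin

    def issue_challenge(self):
        return "c0ffee-challenge"  # fresh random bytes per login in a real RP

    def verify_totp(self, code, now):
        return hmac.compare_digest(code, totp(TOTP_SECRET, now))

    def verify_assertion(self, challenge, client_origin, tag):
        # The RP checks the reported origin is its own AND that the tag was
        # computed over its own origin; an attacker can edit the former but
        # cannot recompute the latter without the credential secret.
        return (client_origin == self.origin and
                hmac.compare_digest(tag, _bind(challenge, self.origin)))


class Authenticator:
    """User's security key. The browser, not the page, supplies the origin."""

    def sign(self, challenge, browser_origin):
        return browser_origin, _bind(challenge, browser_origin)


def aitm_relay_totp(rp, now):
    """Victim types the TOTP into the proxy page; attacker forwards it."""
    code_typed_on_phish_page = totp(TOTP_SECRET, now)   # victim's authenticator app
    return rp.verify_totp(code_typed_on_phish_page, now)  # accepted: nothing binds it


def aitm_relay_webauthn(rp, authenticator):
    """Proxy fetches the real challenge, victim's key signs while the browser
    is on the phishing origin, attacker replays the result."""
    challenge = rp.issue_challenge()
    origin, tag = authenticator.sign(challenge, PHISH_ORIGIN)
    relayed_as_is = rp.verify_assertion(challenge, origin, tag)
    # Attacker rewrites the origin field to the real one but cannot re-sign.
    relayed_forged_origin = rp.verify_assertion(challenge, LEGIT_ORIGIN, tag)
    return relayed_as_is or relayed_forged_origin


def direct_webauthn(rp, authenticator):
    """Legitimate login from the real origin."""
    challenge = rp.issue_challenge()
    origin, tag = authenticator.sign(challenge, LEGIT_ORIGIN)
    return rp.verify_assertion(challenge, origin, tag)


def run_demo(now=1700000000):
    rp = RelyingParty(LEGIT_ORIGIN)
    auth = Authenticator()
    return {
        "totp_relayed_accepted": aitm_relay_totp(rp, now),
        "webauthn_relayed_accepted": aitm_relay_webauthn(rp, auth),
        "webauthn_direct_accepted": direct_webauthn(rp, auth),
    }


if __name__ == "__main__":
    print(run_demo())
```

The relayed TOTP is accepted because nothing about a six-digit code says where it was typed; the relayed assertion is rejected because the origin is part of what the key signs, and the attacker can neither move the browser off their domain nor re-sign for the real one.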

In 2016, cybercriminals targeted a large financial institution using a MitM attack. They intercepted SMS-based MFA codes sent to users' phones, enabling them to access accounts and initiate fraudulent transactions.

In 2017, Equifax confirmed a data breach exposing more than 143 million Americans (later revised to about 147 million). Equifax stood up a separate site, equifaxsecurity2017.com, for consumers to check whether they were affected. Because it lived on a brand-new domain unconnected to equifax.com and was served with a shared certificate covering many unrelated sites, it was indistinguishable from a phishing page, and some security tools flagged it as one. A researcher registered the transposed look-alike securityequifax2017.com to make the point, and Equifax's own support account tweeted links to that look-alike several times. No interception was needed: users were steered to the wrong domain by the legitimate brand itself, which is exactly the outcome a DNS- or certificate-spoofing attacker works for.

4. MFA Fatigue Attack

This technique is used when an attacker already holds a user's password and needs to get past push-based MFA. The attacker triggers login attempt after login attempt, each one sending a push notification to the user's phone, hoping the user eventually taps Approve to make the prompts stop or mistakes one for their own login. It sounds trivial, but it works: it was used in the Lapsus$ intrusions and in several other high-profile attacks.

How Attackers Launch MFA Fatigue Attack?

Credential Theft: Attackers first need to obtain your login credentials, typically through phishing attacks, credential stuffing, or buying them on the dark web.

MFA Bombardment: With your username and password, attackers attempt to log in again and again. Each attempt is blocked at the MFA step, but each one also fires a push notification (or an automated voice call) to your device, at any hour and as often as the attacker's script retries.

Exhaustion and Approval: The goal is to overwhelm you with a barrage of prompts until you approve one to stop the noise, assume the system is glitching, or simply tap the wrong button half-asleep. A single approval is enough.

How to Protect Yourself from MFA Fatigue Attack?

Stronger Second Factor: If your MFA option offers a choice, prefer a time-based one-time password from an authenticator app, or better still a FIDO2 security key, over simple approve/deny push prompts. An OTP has to be read from the app and typed into the login screen, so an unsolicited prompt cannot be approved by reflex. If push must stay, turn on number matching, where the login page shows a number that has to be entered in the app: a user who did not start the login has no number to enter.

Context-Aware Approvals: Some MFA systems provide context about the login attempt, such as location or device used. Pay attention to these details before approving an MFA request, especially if it seems suspicious.

Review Login Attempts: Regularly check your account's login history to identify any unrecognized attempts. This can be an indicator of someone trying to bombard you with MFA requests.
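Reviewing login history by hand does not scale, and the pattern described in the three steps above is mechanical enough to detect automatically: many push prompts to one user in a short window, optionally followed by an approval. The following is an added example, not from the original article or any vendor: a detection rule run over a constructed sample of identity-provider events. The field names (ts, user, event, src_ip) and the event vocabulary are assumptions to be mapped onto your own IdP's sign-in or authentication log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original article: a detection rule for push
# bombing, run over a constructed sample of identity-provider events. The
# field names (ts, user, event, src_ip) and event vocabulary are assumptions;
# map them onto your own IdP's sign-in or authentication log schema.
SAMPLE_EVENTS = [
    # bob: six prompts in under four minutes from one unfamiliar address,
    # repeatedly denied, then one approved. The textbook fatigue success.
    {"ts": "2024-03-01T02:10:05Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:10:09Z", "user": "bob", "event": "mfa_push_denied", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:10:40Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:10:44Z", "user": "bob", "event": "mfa_push_denied", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:11:15Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:11:18Z", "user": "bob", "event": "mfa_push_denied", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:11:50Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:12:20Z", "user": "bob", "event": "mfa_push_timeout", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:12:25Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:12:30Z", "user": "bob", "event": "mfa_push_denied", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:13:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:13:40Z", "user": "bob", "event": "mfa_push_approved", "src_ip": "203.0.113.7"},
    # carol: five prompts, none approved. Still an attempt that warrants a
    # password reset and a call to the user.
    {"ts": "2024-03-01T03:00:00Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:00:05Z", "user": "carol", "event": "mfa_push_denied", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:00:30Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:00:33Z", "user": "carol", "event": "mfa_push_denied", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:01:00Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:01:04Z", "user": "carol", "event": "mfa_push_denied", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:01:30Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:02:00Z", "user": "carol", "event": "mfa_push_timeout", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:02:10Z", "user": "carol", "event": "mfa_push_sent", "src_ip": "198.51.100.23"},
    {"ts": "2024-03-01T03:02:15Z", "user": "carol", "event": "mfa_push_denied", "src_ip": "198.51.100.23"},
    # alice: an ordinary login, one prompt, approved. Must not alert.
    {"ts": "2024-03-01T09:15:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "192.0.2.10"},
    {"ts": "2024-03-01T09:15:08Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "192.0.2.10"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def within(event, start, end):
    return start <= parse_ts(event["ts"]) <= end


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per user who received >= threshold prompts inside the window.

    Severity is 'critical' when an approval lands inside the same window (the
    attacker probably got in and the session must be revoked), else 'high'.
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        sends = [e for e in user_events if e["event"] == "mfa_push_sent"]
        for first in sends:                      # slide the window over each send
            start = parse_ts(first["ts"])
            end = start + window
            burst = [e for e in sends if within(e, start, end)]
            if len(burst) < threshold:
                continue
            approved = any(e["event"] == "mfa_push_approved" and within(e, start, end)
                           for e in user_events)
            alerts.append({
                "user": user,
                "window_start": first["ts"],
                "prompts": len(burst),
                "src_ips": sorted({e["src_ip"] for e in burst}),
                "approved_after_burst": approved,
                "severity": "critical" if approved else "high",
            })
            break                                # one alert per user is enough to triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The critical alert is the one to act on first: revoke the user's sessions and reset the password before asking questions, because the approval means the attacker already holds a token. The source address on the prompts is also worth a lookout, since the same password is usually tried against more than one account.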

One example of a high-profile MFA fatigue attack is the September 2022 Uber breach, attributed to Lapsus$, a group notorious for social engineering. More recently, the threat actor group Midnight Blizzard has been reported pairing MFA prompts with social-engineering messages to get targets, including service desk and other accounts, to approve them.

5. Phishing Attacks

Phishing remains one of the most common methods used to bypass MFA. Attackers send fraudulent emails or messages impersonating trusted entities, tricking users into revealing their credentials or MFA codes.

How Attackers Launch Phishing Attacks?

Spoofed Emails: Attackers create emails that appear to be from legitimate companies, banks, or even government agencies. They meticulously copy logos, fonts, and layouts to make them seem genuine.

Sense of Urgency: Phishing emails often create a sense of urgency or panic. They might claim your account is compromised, requires immediate action, or has limited-time offers to pressure you into acting quickly without thinking critically.

Malicious Links and Attachments: The email will typically include a link or attachment that appears relevant to the email's subject. Clicking the link directs you to a fake website designed to look like the real one, while opening the attachment might download malware onto your device.

Mass Phishing: Attackers may send bulk phishing emails to a large number of recipients, hoping to catch a few unsuspecting victims.

Spear Phishing: This is a more targeted approach where attackers research their victims beforehand, personalizing the email content with specific details to increase trust and the chances of success.

Fake Login Pages: When you click the malicious link in the email, you'll land on a fake website that resembles the real one. Here, you'll be prompted to enter your login credentials, unknowingly giving them away to the attacker.

Malware Downloads: Attachments might contain malware that steals your data or tracks your activity on the device.

How to Prevent Phishing Attacks?

Scrutinize the Sender: Don't trust the display name or the sender address at face value. Legitimate companies send from their own domain (e.g., info@[company name].com), so read the part after the @ carefully and be wary of free-mail addresses or near-miss spellings of the real domain. Keep in mind that a From address can itself be forged when the sending domain lacks SPF, DKIM and DMARC enforcement, so the address is a useful check but not proof.

Mouseover, Don't Click: Hover your mouse over any link before clicking (long-press on a phone). The actual destination is shown in the status bar or a pop-up. Read the domain from the right: the registrable domain is the part immediately before the first slash, so a link to examplebank.com.verify-account.net belongs to verify-account.net, not to the bank. Look for misspellings, extra words, and digits standing in for letters.

Don't Open Unknown Attachments: Refrain from opening attachments from unknown senders or those you weren't expecting. Even if the email appears legitimate, be cautious.

Verify Information Directly: If an email claims to be from your bank or another trusted source, contact them directly through a verified phone number or website (not the ones provided in the email) to confirm its legitimacy.

Strong Passwords and MFA: Use strong and unique passwords for all your online accounts. Enable Multi-Factor Authentication (MFA) whenever available. This adds an extra layer of security by requiring a second verification code before granting access.

Keep Software Updated: Regularly update your operating system, web browser, and other software to patch security vulnerabilities that attackers might exploit.
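The "scrutinize the sender" and "mouse over, don't click" checks above can be automated for a mail gateway or a triage script. The following is an added example, not code from the original article or any product: it extracts the links from an HTML e-mail body and flags the tells discussed above (plain HTTP, a user:password@host trick where the real host hides after the @, punycode hostnames, one-or-two-character typosquats of a trusted domain, and visible text naming a different domain than the href). The trusted-domain allowlist and the e-mail body are constructed, and the registrable-domain logic is deliberately naive (last two labels) rather than Public Suffix List aware.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the original article: automated versions of the
# sender/link checks above, run over a constructed phishing-style e-mail.
# The allow-list and the HTML body are made up for illustration.
TRUSTED_DOMAINS = ("examplebank.com",)  # hypothetical organisation domain


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. Production code should consult the
    Public Suffix List (co.uk etc.); two labels is enough for this demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def assess_link(href, text):
    """Return the reasons this link deserves suspicion (empty list = clean)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)

    if parsed.scheme != "https":
        findings.append("not https")
    if parsed.username is not None:
        # https://examplebank.com@evil.example/ : everything before '@' is a
        # username; the browser connects to what follows it.
        findings.append(f"credentials in URL, real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) hostname")
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(reg, trusted) <= 2:
                findings.append(f"look-alike of {trusted}")
    shown = DOMAIN_IN_TEXT.search(text.lower())
    if shown and registrable_domain(shown.group(1)) != reg:
        findings.append("visible text names a different domain than href")
    return findings


def scan_email_html(html):
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in extractor.links]


# Constructed e-mail body exercising each check (capital I for l in link 2).
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<a href="https://examplebank.com/login">Sign in</a>
<a href="https://exampIebank.com/login">https://examplebank.com/login</a>
<a href="http://examplebank.com.account-verify.net/reset">examplebank.com</a>
<a href="https://examplebank.com@203.0.113.9/login">Verify your account</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        print(href, "->", findings or "ok")
```

The first link is clean; the other three each trip a different tell. None of these checks is decisive on its own, which is why the manual advice still stands, but a gateway that quarantines on two or more findings removes most of the crude campaigns before a user ever hovers over anything.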

In July 2020, Twitter suffered a high-profile security breach in which attackers took over numerous prominent accounts, including those of Barack Obama, Elon Musk, and Bill Gates. The attack began with a phone-based spear-phishing (vishing) campaign against Twitter employees: attackers posing as Twitter IT staff talked employees into entering their credentials on a look-alike of the company's internal login page, then used those credentials to reach internal account-support tools.

More articles by Varun Singh
