
How Cybercriminals Hack Multi-Factor Authentication Solutions

Are you assuming multi-factor authentication (MFA) will keep you 100% secure? Think again. Despite how effective MFA is at preventing cybercriminals from gaining access to your accounts, it’s not entirely foolproof. 


The Unfortunate Reality Of Password Security



Despite the fact that passwords are the most direct way to access a user's private information, most passwords in use today are simply not strong or complex enough. 


Passwords protect email accounts, banking information, private documents, administrator rights, and more — and yet, user after user and business after business continue to make critical errors when it comes to choosing and protecting their passwords.


A report showed that 86% of more than 2 million breached passwords were identical to passwords that had already been breached. In the end, creating and using strong passwords can be frustrating — the more secure they are, the more difficult they are to remember. The more memorable they are, the greater threat they pose to the business.


What’s The Better Way To Approach Password Management?


MFA is a superior way to keep your data more secure — after all, it blocks 99.9% of identity-based attacks.


MFA requires the user to utilise two methods to confirm that they are the rightful account owner. There are three categories of information that can be used in this process:


  • Something you have: Includes a mobile phone, app, or generated code
  • Something you know: A family member’s name, city of birth, PIN, or phrase
  • Something you are: Includes fingerprints and facial recognition


How Does A Multi-Factor Authentication Solution Work?


  1. The user logs into the session with primary credentials.

  2. The session host validates credentials with Active Directory.

  3. Then, it sends credential validation to the cloud via the login app.

  4. The MFA client sends its secondary authentication to the user. User approves.

  5. The MFA client sends approval back to the session host via the login app.

  6. The user accesses their session very securely. 


Is MFA Foolproof?


While MFA is infinitely better than single authentication methods, it’s not unhackable. Its immense popularity over the past few years has led to an assumption that it’s a foolproof solution, and that’s simply not the case. 

If executed properly, a range of conventional cybercrime techniques from phishing to trojans can effectively circumvent the security capabilities of an MFA solution. That’s why you can’t just assume an MFA solution is keeping you secure. You have to understand how it may be vulnerable and how you can play a role in its effectiveness as a security layer. 


12 Ways MFA Solutions Can Be Hacked


  1. Session Hijacking: The cybercriminal gains access to the same session that the user has already authorised. This can be achieved by simply sending a phishing email that tricks the user into giving up the access token before it has expired.

  2. Guessing The Session Token: When a user properly authenticates access to a website or service, they will receive a session token, which is usually a URL string or a keycode. Hackers can potentially guess that code by studying the types of tokens the website in question generally issues and looking for common factors. Once they have established a pattern for the unique identifiers, they can simply brute force their way through an MFA solution.

  3. Proxy Hijacking: This is essentially a Man-in-the-Middle (MitM) attack, in which the hacker squats on a shared wireless network, sends phishing emails to users, and intercepts their activity from that point.

  4. False Authentication: This is by far the simplest method, in which the hacker just fakes the authentication process. As with other social engineering methods, they create a fake website that looks similar enough to the legitimate service to trick the user into providing the necessary info and sharing the unique access token.

  5. Man-In-The-Endpoint: In this scenario, hackers gain admin access to a device and can then follow any activity the user undertakes — including authorising MFA for access.

  6. Trojan: As with the previous method, this type of attack starts with a cybercriminal gaining admin access to a device. From there, they open a hidden browser session and monitor the user’s activity. Once an access code has been issued, the hacker uses it to authorise their session and leaves the user locked out.

  7. MFA Software Modification: With admin access to a device, hackers can also make direct changes to the way the MFA solution operates. In this scenario, they hack into the MFA solution to weaken or disable its capabilities.

  8. MFA Hardware Modification: This is similar to the previous method, but in this case, the hacker modifies installed MFA hardware to negate its security capabilities.

  9. SIM Swap: A popular method for hacking, in which the hacker transfers a user’s phone number, data and authorisation to their own mobile device. From there, they can act as the legitimate user, access private data and more. As mobile devices are often where users receive MFA tokens, SIM swaps have become especially dangerous in recent years. Cybercriminals that successfully take over a user’s SIM can then receive MFA tokens when they log in to that user’s accounts.

  10. SMS Rogue Recovery: To execute this type of attack, a hacker only needs the target’s email address and associated phone number. They send a falsified SMS recovery message that requests an authorisation code in response. Next, they trigger the email provider’s forgotten-password recovery flow, which sends a verification code to the user’s phone; the user forwards that code to the hacker, who uses it to gain access to the email account.

  11. Duplicate OTP Generators: MFA solutions often use one-time passwords (OTPs) to authenticate users. These codes are issued in response to a login request and must be used within a short time frame before they expire. By hacking into the database that stores the secret each OTP is derived from (the “seed value”), the hacker can then generate their own valid OTPs.

  12. Over The Shoulder: Last and certainly not least, many MFA authentication tokens are simple enough to see by peeking over the user’s shoulder. Cybercriminals operating in public spaces (often while passively executing Man-in-the-Middle attacks) can get lucky by watching a user type in an access code.
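Items 2 and 11 above come down to the same defensive point: a time-based OTP is fully determined by its seed, so the seed store needs the same protection as a password database, and a session token must carry enough randomness that there is no pattern to study. The following Python is an added illustration, not code from the original post: it implements RFC 6238 TOTP verification (HMAC-SHA1, six digits, 30-second steps) and contrasts an unguessable session token with a constructed, predictable one. The seed used in the demo is the published RFC 4226/6238 test-vector seed.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step)


def verify_totp(seed: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps
    (clock drift), comparing in constant time to avoid timing leaks."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def issue_session_token() -> str:
    """256 bits from the OS CSPRNG: nothing to brute force or extrapolate."""
    return secrets.token_urlsafe(32)


def weak_session_token(user_id: int, at: int) -> str:
    """Constructed counter-example of a guessable token (user id + timestamp)."""
    return f"{user_id}-{at}"


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC test-vector seed; real seeds are random
    now = 59
    code = totp(seed, now)           # what the user's authenticator app shows
    print("authenticator code:", code, "accepted:", verify_totp(seed, code, now))
    # Anyone holding a copy of the seed (item 11) computes the identical code:
    print("cloned seed yields same code:", totp(bytes(seed), now) == code)
    print("strong token:", issue_session_token())
    print("weak token:  ", weak_session_token(42, now))
```

Protecting the seed store (encryption at rest, tight access control, audit logging of reads) and issuing tokens only from a CSPRNG are the controls this demonstrates.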


These are just twelve of a vast range of methods cybercriminals can use to bypass MFA systems. For the most part, these are simply updated versions of older attack vectors that have been directed to specifically circumvent MFA security capabilities. The bottom line is that while MFA solutions are a recommended part of modern security, you shouldn't assume they will keep you secure no matter what. That is why at CyberUnlocked we recommend multiple layers of security to protect your business.


Need Expert Assistance Implementing And Managing An MFA Solution?


If you're unsure about how to implement a multi-factor authentication solution, don't try to handle it all on your own. CyberUnlocked will help you evaluate your password practices and security measures as a whole to make sure you're not taking on any unnecessary risks.

