Hackers are finding ways around multi-factor authentication. Here's what to watch for

MFA provides a significant barrier against cyber attacks - but isn't infallible.
Written by Danny Palmer, Senior Writer

It's often said that one of the most important things you can do to protect your accounts and wider network from hackers is to use multi-factor authentication (MFA).

That's because one of the most common ways cyber criminals breach networks is by using phishing attacks to steal passwords, or simply by guessing weak ones. Either way, so long as they present a real password, many systems will assume it's safe to give them access.

MFA creates an additional barrier for attackers because it requires the user to verify that the login attempt was really made by them. This verification can be via an SMS message, an authenticator app or even a physical security key. If the attacker has the password but not the verification message or physical device, the system won't let them in and they can't get any further.

Using MFA protects against the vast majority of attempted account takeovers, but recently there's been a surge in cyber attacks which aim to dodge past multi-factor authentication security. According to Microsoft, in just one campaign 10,000 organisations have been targeted in this way during the last year.

One option for hackers who want to get around MFA is a so-called adversary-in-the-middle (AiTM) attack, which combines a phishing attack with a proxy server placed between the victim and the website they're trying to log in to. This allows the attackers to steal both the password and the session cookie, which provides the additional level of authentication they can then exploit - in this case to steal email. The user simply thinks they have logged into their account as usual.

"Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker gets authenticated to a session on the user's behalf, regardless of the sign-in method the latter uses," as Microsoft notes of that particular campaign.

That's because the attackers haven't broken the MFA itself; they've bypassed it by stealing the session cookie, and are now able to use the account as if they were the user, even if they go away and come back later. That means that despite the presence of multi-factor authentication, it's unfortunately being made redundant in this situation – and that's bad for everyone.


So while multi-factor authentication is a deterrent most of the time, these attacks show that it isn't infallible. 

"Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be considered as a silver bullet to protect against phishing attacks. With the use of advanced phishing kits (AiTM) and clever evasion techniques, threat actors can bypass both traditional as well as advanced security solutions," said security company ZScaler in its analysis of a similar attack.

And there are other scenarios which can be exploited to bypass multi-factor authentication too, because in many instances a code is required and a person needs to enter it. And people can be tricked or manipulated even while the technology tries to protect us.

"At the end of the day, whether it's a number or it's a piece of information, as soon as the user sees it, it becomes something they know and if it's something that they know it's something the attacker can steal," says Etay Maor, senior director of security strategy at Cato Networks. 

It takes a little more effort from the attacker, but it's possible to grab these codes. For example, SMS verification is still a common method of MFA for many, particularly for things like bank accounts and phone contracts. In some cases, the user is required to read out a code over the phone or input it into a service. 

It's a potentially complex process, but it's possible for cyber criminals to spoof helplines and other services in order to ask for the codes sent to people's devices – especially if people think they're talking to someone who is trying to help them. It's why many services preface an SMS code with a warning that they'll never call you to ask for it.

"It's not that surprising attackers prey on the human aspect, the people components of the system. People being busy, people being stressed, all sorts of things influence decisions we make," says Oz Alashe, CEO & Founder of CybSafe.


Another method cyber criminals can use to bypass MFA is malware which actively steals codes. For example, hackers could use trojan malware to watch a user log in to their account, then use the access they have from the infected device to go about their business.

There's also the potential for them to take control of devices without the victim knowing, using the authenticator app and using the code that's provided to remotely access the account they're after from another machine. 

As far as the network or account is concerned, because the authentication has been completed correctly, it's the legitimate user using the service. But there are signs that networks and information security teams could be set up to watch for, signs that something might not be right even when the correct details are used.

"The system itself should consider whether this person doesn't normally log in from here or at this time and, therefore, do we need to do another level, another layer of verification before we provide them access?" says Alashe.  
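The signals described above can be checked mechanically. The following is an added example (not from the article or any vendor) that scores post-MFA session activity against a constructed per-user baseline, and flags the pattern a stolen session cookie produces: the cookie being used from a different IP or client than the one that completed MFA. The `Event` fields, `BASELINE` values and sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Event:
    # One use of a session cookie; mfa_passed marks the request that completed MFA.
    user: str
    session: str
    ip: str
    country: str
    user_agent: str
    when: datetime
    mfa_passed: bool = False

# Constructed baseline (hypothetical): hours in UTC and countries each user normally works from.
BASELINE = {"alice": {"hours": range(7, 20), "countries": {"GB"}}}

def assess(events):
    """Return {session: [reasons]} for sessions the application should re-verify."""
    issued = {}    # session -> (ip, user_agent) of the request that completed MFA
    findings = {}
    for e in sorted(events, key=lambda x: x.when):
        reasons = []
        if e.mfa_passed:
            issued[e.session] = (e.ip, e.user_agent)
        elif e.session not in issued:
            reasons.append("cookie never seen completing MFA")
        else:
            ip, ua = issued[e.session]
            if e.ip != ip:          # cookie replayed from another network: the AiTM pattern
                reasons.append("cookie used from a different IP than the one that completed MFA")
            if e.user_agent != ua:  # or from a different client
                reasons.append("cookie used from a different client")
        base = BASELINE.get(e.user)
        if base and e.when.hour not in base["hours"]:
            reasons.append("activity outside usual hours")
        if base and e.country not in base["countries"]:
            reasons.append("activity from an unusual country")
        if reasons:
            findings.setdefault(e.session, []).extend(reasons)
    return findings

# Constructed sample: alice completes MFA from her laptop in GB, then the same cookie
# is used hours later from a different IP and country with a different client.
SAMPLE = [
    Event("alice", "s1", "203.0.113.5", "GB", "Firefox/115", datetime(2022, 7, 12, 9, 0), True),
    Event("alice", "s1", "203.0.113.5", "GB", "Firefox/115", datetime(2022, 7, 12, 9, 5)),
    Event("alice", "s1", "198.51.100.7", "NL", "python-requests/2.28", datetime(2022, 7, 12, 22, 30)),
]
```

Calling `assess(SAMPLE)` flags session `s1` for all four reasons on the third event, while the first two events raise nothing; a real deployment would use this result to force a fresh verification step rather than trusting the cookie.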

While it isn't totally infallible, using multi-factor authentication is still a must, as it stops a significant number of attempted account takeovers. But as cyber criminals get smarter they're increasingly going to go after it – and that requires extra levels of defence, particularly from those responsible for securing networks.

"It's good it's recommended because you won't be the lower hanging fruit. But you definitely need to augment it with additional layers of security because, just like any other siloed security solution, it can be circumvented and you can't think everything is secure, just because of one security layer," says Maor.

And technology can only do so much, especially when attackers are explicitly attempting to manipulate people into making bad decisions. That needs to be taken into account too, especially as more of what we do shifts towards cloud and other online services. 

"This is a really important challenge for society right now: as we increasingly digitize, we've got an incredible opportunity to continue to put technology to really good use. But we've also got to address these challenges when it comes to resilience and the human aspect," says Alashe.

"People are wonderful, they want to be helpful, so they'll get tricked sometimes," he adds. 
