Hackers are finding ways to bypass multi-factor authentication. Here’s what to watch out for



It’s often said that the most important thing you can do to protect your accounts and your wider network from hackers is to use multi-factor authentication (MFA).

Indeed, one of the most common ways cybercriminals break into networks is by using phishing attacks to steal passwords, or simply by guessing weak ones. Either way, as long as they’re using a real password, many systems will assume it’s safe to grant them access.

MFA creates an additional barrier for attackers because it requires the user to additionally verify that the login attempt was indeed made by them. This verification can be done via an SMS message, an authenticator application or even a physical security key. If the attacker has the password, but not the verification message or the physical device, the system won’t let them in and they can’t go any further.

Using MFA protects against the vast majority of account takeover attempts, but recently there has been an increase in cyberattacks that aim to evade multi-factor authentication security. According to Microsoft, in a single campaign, 10,000 organizations have been targeted over the past year.

One option for hackers who want to circumvent MFA is the so-called adversary-in-the-middle (AiTM) attack, which combines a phishing attack with a proxy server placed between the victim and the website they are trying to connect to. This allows attackers to steal the password and the session cookie, which provides the extra level of authentication they can exploit – in this case to steal emails. The user just thinks they logged into their account as usual.

“Note that this is not a vulnerability in MFA; since AiTM phishing steals the session cookie, the attacker is authenticated to a session on behalf of the user, regardless of the login method used by the latter,” Microsoft notes of this particular campaign.

This is because the attackers didn’t break MFA itself; they circumvented it by stealing the cookies and are now able to use the account as if they were the user, even if they leave and come back later. This means that, despite the presence of multi-factor authentication, it is unfortunately rendered redundant in this situation – and that’s bad for everyone.


So while multi-factor authentication is mostly a deterrent, these attacks show that it is not infallible.

“Even though security features such as multi-factor authentication (MFA) add an extra layer of security, they should not be viewed as a silver bullet to protect against phishing attacks. With the use of phishing kits (AiTM) and smart evasion techniques, hackers can bypass both traditional and advanced security solutions,” said security firm Zscaler in its analysis of a similar attack.

And there are other scenarios that can also be exploited to bypass multi-factor authentication, because in many cases a code is required and a person has to enter that code. And people can be tricked or manipulated even as technology tries to protect us.

“Ultimately, whether it’s a number or information, as soon as the user sees it, it becomes something they know and if it’s something they know, it’s something the attacker can steal,” explains Etay Maor, Senior Director of Security Strategy at Cato Networks.

It takes a bit more effort from the attacker, but it is possible to enter these codes. For example, SMS verification is still a common MFA method for many, especially for things like bank accounts and phone contracts. In some cases, the user must read a code over the phone or enter it into a service.

It’s a potentially complex process, but it’s possible for cybercriminals to spoof helplines and other services that request codes from devices, especially if people think they’re talking to someone trying to help them. This is why many services will preface an SMS code with a warning that they will never call you to ask for it.

“It’s not that surprising attackers are attacking the human side, the human components of the system. Busy people, stressed people, all kinds of things influence the decisions we make,” says Oz Alashe, CEO and founder of CybSafe.


Another method that cybercriminals can exploit to circumvent MFA is the use of malware that actively steals codes. For example, hackers could use Trojan malware to watch a user access their account, and then use the access they have from the infected device to go about their business.

It is also possible for them to take control of devices without the victim’s knowledge, open the authenticator app and use the provided code to remotely access the account they are after from another machine.

As far as the network or the account is concerned, because the authentication was used correctly, it is the legitimate user who is using the service. But there are signs that networks and information security teams could be set up to watch out for, signs that something is wrong even if the correct details are used.

“The system itself would have to determine if that person isn’t logging in normally from here or at that time and therefore do we need to do another level, another layer of verification before giving them access?” Alashe said.
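The kind of check described above can be sketched over sign-in logs. This is an added example, not code from the original article or from any vendor quoted in it; the event fields, the per-user baseline and the `review` function are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): time, user, session id, source IP,
# country, user agent, and whether this request completed the MFA challenge.
EVENTS = [
    ("2022-07-12T09:02:11", "alice", "s-1001", "198.51.100.7", "GB", "Firefox/102", True),
    ("2022-07-12T09:15:40", "alice", "s-1001", "198.51.100.7", "GB", "Firefox/102", False),
    ("2022-07-12T09:21:03", "alice", "s-1001", "203.0.113.50", "NL", "Chrome/103", False),
    ("2022-07-12T10:00:00", "bob", "s-2002", "192.0.2.10", "GB", "Edge/103", True),
    ("2022-07-12T10:30:00", "bob", "s-2002", "192.0.2.44", "GB", "Edge/103", False),
    ("2022-07-13T03:12:00", "carol", "s-3003", "192.0.2.99", "GB", "Safari/15", True),
]
# Constructed per-user baseline (assumption): usual countries and sign-in hours.
BASELINE = {
    "alice": {"countries": {"GB"}, "hours": range(7, 20)},
    "bob": {"countries": {"GB"}, "hours": range(7, 20)},
    "carol": {"countries": {"GB"}, "hours": range(8, 18)},
}

def review(events, baseline):
    """Return {session_id: [reasons]} for sessions that warrant step-up verification."""
    bound = {}  # session id -> (country, user agent) seen when MFA was completed
    findings = defaultdict(list)
    for ts, user, sid, ip, country, agent, mfa_done in sorted(events):
        profile = baseline.get(user, {"countries": set(), "hours": range(0)})
        if mfa_done:
            bound[sid] = (country, agent)
            # The sign-in is valid, but is it normal for this user?
            if country not in profile["countries"]:
                findings[sid].append(f"sign-in from unusual country {country}")
            if datetime.fromisoformat(ts).hour not in profile["hours"]:
                findings[sid].append(f"sign-in at unusual hour {ts[11:16]}")
        elif sid not in bound:
            findings[sid].append("session cookie used with no recorded MFA sign-in")
        elif (country, agent) != bound[sid]:
            # Same cookie, different client: the trace a reused session cookie leaves.
            # A bare IP change (bob) is not flagged, since addresses change routinely.
            findings[sid].append(f"cookie replayed from {ip} ({country}, {agent})")
    return dict(findings)

if __name__ == "__main__":
    for sid, reasons in review(EVENTS, BASELINE).items():
        print(sid, "-> require re-authentication:", "; ".join(reasons))
```

In an AiTM sign-in the MFA request itself reaches the service from the proxy, which is why the baseline check on the sign-in runs alongside the cookie-reuse check.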

While not completely foolproof, using multi-factor authentication is still a must as it stops a significant number of account takeover attempts. But as cybercriminals get smarter, they’re going to go after them more and more — and that requires additional layers of defense, especially from those responsible for securing networks.

“It’s good, it’s recommended because you won’t be the lowest fruit. But you should definitely augment it with additional layers of security because, like any other siloed security solution, it can be bypassed and you can’t think everything is secure, just because of a single layer of security,” says Maor.

And the technology can’t do much, especially when attackers explicitly try to manipulate people into making bad decisions. This also needs to be taken into account, especially as more of what we do shifts to the cloud and other online services.

“It’s a very important challenge for society at the moment, as we go digital more and more, we have an incredible opportunity to continue to make good use of technology. But we also have to address these challenges in terms of resilience and human-looking,” says Alashe.

“People are wonderful, they want to be helpful, so they get screwed sometimes,” he adds.


About Geraldine Higgins
