3 main tactics attackers use to bypass MFA

Notable security breaches have bypassed MFA to compromise taxi broker Uber, games company EA, and authentication business Okta, according to SE Labs.

CISOs must bolster MFA protections

SE Labs advised CISOs to step-up their efforts against attacks on systems protected by MFA in response to increased attacker activity to exploit failure points.

As is often the case when compromising systems, attackers have not reinvented the wheel to circumvent MFA, or 2FA (two-factor authentication), as it is also known. The old school methods of social engineering, malware, and phishing are working just fine.

The good news is that many attacks can be defended with strong policy enforcement, robust end-point protection, and user education. Unfortunately, with many corporate and home users believing that MFA is virtually unbreakable, they are potentially the weakest link in a company’s defenses.

“MFA is still one of the best security measures people can use since the password was invented, but as organisations shore up their defences deploying it, so attackers are switching tactics and working hard to find ways around it,” says Simon Edwards, CEO of SE Labs. “As part of the need to ensure continuous improvements to their systems, CISOs should take notice of the increasing threats against MFA, in particular they should look to upgrade away from SMS style authentication.”

How attackers bypass MFA

The ‘Approve Sign-in’ method of MFA is very popular with users because it is a simple click. For that reason, it is also favoured by attackers. Once they have a user’s stolen credentials either from their own reconnaissance or bought on the dark web, the attacker simply enters them in repeatedly. It is only a matter of time until they catch someone distracted, tired or fed-up with receiving multiple messages. With one click by the user, they are in.

Sometimes, attackers use phishing emails to persuade unwary users to enter their one-time passcodes into a fake website. Or they obtain stolen copies of the SIM card and simply receive the codes directly. Using SMS for 2FA is particularly vulnerable to attack, and while companies should actively take steps to start using other types of authentication, SE Labs believe it is still better than not using MFA at all.

Otherwise known as session hijacking or cookie hijacking, the attacker doesn’t need to engage in the MFA process at all. While there are several different methods of carrying out an attack, given the increased use of encryption on websites, it is mostly likely that malware is initially used to steal the cookies from the target. Once the attacker has this information, they simply need to wait until the victim logs in correctly and then take over the connection.