Can Multi-Factor Authentication Be Hacked?

In September 2022, Uber fell victim to a targeted attack by the hacking group “Lapsus$”. This group have also claimed responsibility for attacks against Microsoft, Cisco, and Samsung. In the Uber attack, the hackers reportedly managed to gain access through a contractors’ account, successfully bypassing the MFA (multi-factor authentication) security precautions. This recent case highlights that MFA isn’t completely un-hackable and that some MFA factors are easier to bypass than others.

MFA is a simple, but effective, means of protecting critical accounts. It cross-references at least two ways of verifying a user’s identity to grant them access to their account. We are encouraged to set up MFA on our digital accounts to enhance our security posture because, according to Microsoft, implementing MFA can block over 99.9% of account compromise attacks. But what about that 0.01%? Just how secure is MFA?

But before we highlight how it can be exploited, let’s quickly explain how MFA works. MFA requires each user’s identity to be independently verified at least twice, before giving them access to their account. It will usually cross-reference something you know (e.g., a password) with something you have (e.g., an authenticator app) or something you are (e.g., a fingerprint or faceID). An attacker may have discovered a user’s password, but without also having their fingerprint, for example, they will not be able to gain access to that user’s account.

To learn more about how MFA works, you can read our article here.

So, how can attackers hack or bypass your MFA security to gain access to your users’ accounts? In this article, we’ll explore several methods that are available to hackers and suggest ways that you can secure your business’ accounts against these threats.

How Can MFA Be Hacked?

Not all MFA is made equal, and some methods of user verification are easier for threat actors to bypass than others. Here are some of the most common methods they use:

Social Engineering

Technically, this isn’t hacking. This is more like exploiting human nature. In this instance, an attacker will pose as “someone from IT” or another trusted user. They will then use this position of trust to manipulate users into sharing important account details. They might explain that the user needs to share their password or OTP for “the IT department” to reconfigure, update, or secure your account. Once the user has given over their details, the attacker can access their account and your corporate network. They might even change that user’s password, meaning that they lose access to the account.

These attackers might warn a user that their account has already been hacked, or is at risk of being hacked, if they don’t share their details with the “trusted user” who can act to prevent this. Ironically, this leads users to give the hacker everything they need to bypass their MFA and infiltrate your corporate network.

Spoofed Landing Page

A spoofed landing page is a fraudulent site that is designed to look like a reputable, trusted site that you already know and use. It could be LinkedIn, Facebook, Gmail, or another popular site. When you attempt to login on this site, your access will be denied, and your account details will be stored by the malicious actors. The malicious actor can then use the details that you have provided to bypass the MFA security on the genuine website or account.

Sometimes you can identify a spoofed site from the URL. It will be designed to read almost identically to the genuine site, with one or two typos, taking you to a very different site on the internet. For example, LinkedIn.com could become Linked1n.com, Llnkedln.com or Linkdin.co. In a busy workday, when you glance at this URL, it looks legitimate, and you enter your details without a second thought.

Spoofing is not limited to landing pages, but could also describe an account, user or email that appears valid, but is not. With a spoofed email address, the hacker will pose as a trusted user and attempt to use social engineering to mislead users into sharing private details. This example shows how hacking strategies are constantly evolving and employing new tactics to exploit you.

Man-In-The-Middle

A man-in-the-middle attack involves a hacker being able to monitor the communication between your device and a server, often an ISP. This might begin with a spoofed landing page which connects the user to the proxy server. Rather than accessing the content you need directly, you will be redirected through the hacker’s (proxy) server, before heading to the intended server. This allows the hacker to act as a man-in-the-middle and monitor everything you do. Once you are connected to this server, the attacker can react instantly and plant malware on the user’s device. Alternatively, they might lurk within the network, monitor your communication and search for further security loopholes.

For more information as to how man-in-the-middle attacks operate, you can read our article here.

SIM Swap

One-time passcodes (OTPs) are a common way of verifying identity by MFA solutions. This is usually a six- or eight-digit code sent to you via SMS. By entering the code, you verify that you are in possession of the cell phone that is linked to the named user, which suggests that your identity is authentic.

Hackers can, however, contact your mobile provider and convince them to perform a SIM swap. This will result in the messages intended for the user, being redirected to the hacker. They can then access your account using the verification code that was intended for you. It takes a degree of social engineering to persuade the mobile carrier to change the SIM; the hackers will also have to know the rest of your account details before attempting this method. They could obtain these details on the dark web, using a database of credentials harvested during a previous data breach, or by using a spoofed landing page.

MFA Prompt Bombing

This method of hacking exploits the (lack of) patience and attention of an account admin or user. Some MFAs will send a notification to a cell phone linked to the device. If you are trying to log in, you can accept the notification to confirm that you are trying to login. If you are not trying to log in, you can decline the notification and prevent whoever is trying to access your account from gaining access.

Hackers can exploit users by sending hundreds of notifications to annoy and frustrate the user until they press accept. While this will stop the notifications, it will also grant a hacker access to your accounts. This is the type of attack that Uber fell victim to earlier this year.

How Can You Protect Your Business From MFA Hacking?

MFA Set Up

By setting up your MFA with robust policies, you can increase the strength of protection guarding your users’ accounts. Biometric factors – like fingerprint sensors, faceID, and typing analysis – are the hardest factors to impersonate and will therefore make it much harder for hackers to infiltrate your accounts. Incorporating contextual and behavioral analysis can also help to prevent unwanted intrusion. This logs factors such as a user’s usual location and login times. Any logins that do not fit with the pattern of expected behavior will be flagged as suspicious and stopped.

Time-based one-time passcodes (TOTPs) are significantly more secure and harder to hack than OTPs due to the limited time that a hacker has to steal the codes before they reset. From an end-user’s perspective, the implementation of TOPTs makes very little practical difference.

Hardware Authentication Keys

Using hardware keys, particularly ones that utilize FIDO 2 principles, are some of the most secure identification methods. It is very difficult for a hacker to gain access to the information, and the physical hardware that is required for this type of attack. Hardware keys are often designed to be tamper-proof to ensure your account is kept safe. FIDO 2 is a passwordless standard that is easy to use, and very secure. It uses public key cryptography, which makes it virtually impossible for a hacker to find a way to access your account.

For a rundown of the Top 5 Security Keys, read our article here.

Login Attempt Limits

There should be a limit on the number of times that a user can wrongly enter a password or an OTP, before they are locked out. This prevents a hacker from making repeated attempts to either brute force their way in or be accepted via prompt bombing. This is a very simple feature to configure, but can offer a significant level of security in return. It will also identify valid users who are struggling to access their account and may need some more IT support.

Security Awareness Training

One of the most important principles to adopt is a natural caution. Even with advanced security solutions in place, hackers are constantly looking for ways to bypass your security set up and exploit your position or your information. Therefore, ensuring all employees have undergone security awareness training can help to defend against credential-harvesting threats that make it into your inbox. Phishing or social engineering attacks can be prevented by cautious and alert users. Steps can be as simple as reading the URL before clicking on it, or logging into your account directly through your internet browser, rather than via a spoofed link.

If you’re interested in learning more about security awareness training, read our article here.

Summary

After reading this article, you might be questioning the point of MFA if it can be hacked in so many ways. And it’s true: no cybersecurity tool can guarantee that it is impenetrable 100% of the time. Hackers are continually searching for vulnerabilities and ways to access sensitive data. However, an account that uses MFA will be much harder to attack than an account without it.

Complacency is one of the biggest threats to your cybersecurity. If you are reliant on MFA alone to keep your company safe, you are likely to fall victim to an attack coming from an area that you did not expect. You should be constantly looking for ways to tighten your security, just as hackers are constantly looking for ways to bypass it. This will ensure that if you are the victim of an MFA hack, you will be better placed to remedy the situation and protect your vital assets.

The bottom line is that MFA is not un-hackable, but having it in place does make it a lot harder for attackers to access your users’ accounts. If your organization has a robust MFA solution in place, an opportunist hacker may well look for easier targets.

To help you find the strongest MFA solution for your business, we’ve put together guides to the best products on the market, which you can find below: