4 Ways Hackers Can Get Past Your MFA

Multi-factor authentication (MFA) is a great way to step up every organization’s cybersecurity, offering a high level of protection from breaches, hacks, and unauthorized access.

For many people, MFA may just be the perfect cybersecurity solution—unfortunately, it’s not. 

MFA is great, but it’s not unhackable. It’s not the key to an impenetrable IT system.

In the words of Data-driven Defense Evangelist Roger Grimes, “It’s a good thing to have, it’s a good thing to use, but you can hack any multi-factor authentication method.”

MFA isn’t the all-in-one cybersecurity solution every organization wants to have, but it’s still a very useful one.

Before we dive into the common ways hackers get around MFA solutions, let’s have a recap on what MFA is and how it works.

What is MFA?

Multi-factor authentication is a security method in which a user is required to present two or more factors to an authentication mechanism in order to be given access to a computer, application, or program. 

In his KnowBe4 webinar, Grimes breaks down MFA into three distinct processes:

• Identity. This process involves you or your device providing an identifier that serves as a unique label within a particular namespace. This can be your username, email address, account number, etc.

• Authentication. This process involves you or your device providing one or more factors that prove that you have ownership and control over the identity. The factors can range from items you have, information you know, biometric features you possess, to places you’re located in.

• Authorization. This process involves comparing your (now-authenticated) access token against previously permissioned resources to determine whether or not you’re allowed to access particular protected resources. After you successfully provide the identity label and subsequently authenticate that you have sole ownership of that identity, the MFA mechanism authorizes you to have access to the device, application, or program.

  | More info here: What is MFA and How Can It Protect Your Practice?

Despite its convenience and security, MFA is still vulnerable to hackers who have managed to find loopholes in its mechanism.

The MFA Loophole

According to Grimes, no matter how you authenticate access—whether it’s through single-factor authentication, multi-factor authentication, biometrics, etc.—you will end up with the same kind of access control that everyone else gets, which is a text-based cookie called a session token.

All a malicious actor needs to do is get past the security mechanism of MFA, slip themselves in between the authentication and authorization processes, and then steal that session token from you.

They can then have complete access to your bank accounts, credit card accounts, corporate emails, work applications, and other accounts online. And because MFA involves completely different processes—often not linked to each other—underlying systems wouldn’t be able to detect the impersonation.

Network session hijacking is one of the most common MFA hacking methods and has been effectively used by malicious actors for decades. They can do this by:

• Reproducing, guessing, or predicting your session token
• Stealing your session token at the endpoint (device)
• Stealing your session in the network communication channel

To be more specific, here are four of the most common ways hackers are getting past MFA solutions.

Man-in-the-Middle Attack

Hackers’ go-to technique to hijack a session is through a man-in-the-middle (MitM) attack.

Hackers execute MitM attacks by inserting themselves and their tools in between the client (the potential victim) and the server. They wait until the client carries out the authentication process on the legitimate server and when the resulting access session token is issued, they steal it, use it, and take over the user session.

It Could Happen to You

Here’s a sample man-in-the-middle attack that could happen to anyone who falls for the attacker’s tricks:

1. A malicious actor convinces you to visit a fake website that looks just like your bank website. This rogue site sends over anything you input to the real bank website. 
   
   
2. You receive a prompt to enter the MFA credentials.
   
   
3. You enter the credentials on the hacker’s fake site, and the hacker relays it to the real website.
   
   
4. The hacker is now signed into the real site and kicks you out of the session.
   
   
5. The hacker takes control over your online bank account and changes anything that you can use to take back control of it.

How You Can Defend Yourself

An important thing to remember when connecting to the Internet is this: Make sure your connection is secure because cyber attacks are more likely to occur over connections that aren’t.

Only visit secure websites. Make sure the sites you visit are secure. Here are two ways to find out that they are:

• Their web address or URL starts with HTTPS and not just HTTP.
• They have a padlock symbol on the left portion of the browser's address bar. 

Remember, the letter S stands for secure, which means these sites have the mechanism to encrypt data and prevent attackers from intercepting communications.

Man-in-the-Endpoint Attack

Man-in-the-endpoint attacks are similar to man-in-the-middle attacks…the difference lies in where the stealing takes place. Instead of inserting themselves between you and the server, hackers using man-in-the-endpoint attacks execute their cybercrime on your device.

It Could Happen to You

Here’s an example of a man-in-the-endpoint attack. It’s a technique that hackers have been using since the 1990s:

1. A malicious actor uses a phishing scam to get you to upload malware to your computer. The malware allows the attacker to monitor your browser activity and take control of your computer.
   
   
2. The attacker lurks undetected in your device and waits until you perform a particular activity that can benefit them, such as signing into your online bank account.
   
   
3. You sign into your online bank account using your user and MFA credentials.
   
   
4. After you successfully sign in, the attacker uses your computer to set up a second hidden browser session without your knowledge.
   
   
5. Because they have full control of your online bank account, the attacker transfers your money to a bank account of their choice, and proceeds to close your account.
   
   
6. The attacker can also gain access to your emails, so they can intercept any confirmation emails you receive from your bank.

How You Can Defend Yourself

Keep a careful eye out for phishing scams. With cyber attackers getting more and more creative, spotting a phishing scam before you actually fall for it is tough…but it can be done.

With regular employee cybersecurity training, you should be able to recognize a phishing scam, know how to respond to it, and know how to avoid similar attacks in the future.

For a more detailed explanation on what phishing attacks are and how you can protect yourself and your practice from it, check out this blog post.