How safe and effective is multifactor authentication against a cyber breach?

While MFA can significantly reduce cyber security risks, it is still susceptible to multiple exploitation methods.

cyber security, identity management, security

Lee: MFA is by no means completely secure. A website can simply fake the whole MFA routine

Contrary to many who think multifactor authentication (MFA) is an effective safeguard, MFA can be hacked in many ways.

To be clear, using MFA is usually a good thing. Almost any MFA solution significantly reduces some kind of hacking risk.

For that alone, MFA should be used when strong authentication is needed, where it can be used. But there is a common, mistaken impression that using MFA means you are much less likely to be hacked and that simply is not true.

General MFA Hacking

Here are some hacking techniques that work against the vast majority of MFA solutions.

  • Man-in-the-Middle Attacks

The vast majority of hacking techniques against MFA have to do with social engineering the end user. The easiest MFA bypass method is to trick the victim into connecting with a fake man-in-the-middle (MitM) proxy website before they get connected to the legitimate website they intended to go to. It is not hard to trick a person into connecting to a malicious website with an email asking them to click on a button or to verify some sort of normal-sounding information.

When the victim connects to the fake website, everything the victim does is proxied to the real website and everything the real website wants to send to the victim goes through the MitM site as well. The proxy site knows all and sees all, including the user’s login credentials.
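As an added illustration (not code from the article), here is a Python simulation of why the proxy described above works against a code the user reads off a device and retypes, and what changes when the second factor is an origin-bound assertion (simplified from how WebAuthn-style authenticators work): the real site can see which origin the user's browser was actually on and refuse the login. The domain names, the HMAC stand-in for an authenticator signature and the JSON client-data layout are assumptions made for the example.

```python
"""Added illustration (not code from the article): a one-time code typed into a
MitM proxy page passes straight through to the real site, while an origin-bound
assertion does not. Domain names, the HMAC-based "authenticator" and the JSON
client data are constructed, simplified stand-ins for a real authenticator/RP."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"          # constructed legitimate site
PROXY_ORIGIN = "https://bank-login.example"   # constructed MitM site the victim lands on


class RelyingParty:
    """The legitimate website: holds the user's OTP secret and authenticator key."""
    def __init__(self) -> None:
        self.otp_secret = secrets.token_bytes(20)
        self.auth_key = secrets.token_bytes(32)   # shared with the user's authenticator

    # Factor A: a short code the user reads off a device and types into whatever
    # page is in front of them. Nothing in the code records which site it went to.
    def current_code(self) -> str:
        return hmac.new(self.otp_secret, b"time-step", hashlib.sha256).hexdigest()[:6]

    def login_with_code(self, code: str) -> bool:
        return hmac.compare_digest(code, self.current_code())

    # Factor B: an origin-bound assertion (WebAuthn-style, simplified). The browser
    # tells the authenticator which origin is asking and that origin is part of the
    # signed data, so the site can check who the user was really talking to.
    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def login_with_assertion(self, challenge: str, client_data: bytes, sig: bytes) -> bool:
        expected = hmac.new(self.auth_key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False                           # not from the user's authenticator
        data = json.loads(client_data)
        return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN


def authenticator_sign(rp: RelyingParty, challenge: str, browser_origin: str):
    """The user's authenticator signs the challenge together with the origin the
    browser reports; a page cannot talk it into naming a different origin."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
    return client_data, hmac.new(rp.auth_key, client_data, hashlib.sha256).digest()


def relay_code_through_proxy(rp: RelyingParty) -> bool:
    """Victim types the code into the proxy page; the proxy forwards it unchanged."""
    code_typed_into_proxy = rp.current_code()      # victim read it off their device
    return rp.login_with_code(code_typed_into_proxy)  # real site accepts: proxy is in


def relay_assertion_through_proxy(rp: RelyingParty) -> bool:
    """Proxy forwards the real site's challenge, but the victim's browser is on the
    proxy's origin, so the signed client data names PROXY_ORIGIN and is rejected."""
    challenge = rp.new_challenge()                 # proxy fetched this from the real site
    client_data, sig = authenticator_sign(rp, challenge, PROXY_ORIGIN)
    return rp.login_with_assertion(challenge, client_data, sig)


def direct_assertion(rp: RelyingParty) -> bool:
    """Same assertion flow with the user genuinely on the real site."""
    challenge = rp.new_challenge()
    client_data, sig = authenticator_sign(rp, challenge, REAL_ORIGIN)
    return rp.login_with_assertion(challenge, client_data, sig)
```

The origin check is the whole difference: the retyped code carries no information about where it was typed, so the site cannot tell the proxy from the user.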

  • Man-in-the-End-Point Attacks

If your computer or device is exploited by malware or a hacker, anything it and you can do, the hacker or malware can do as well. That includes piggybacking on legitimate logins, stealing session cookies, and instituting new transactions and permissions.

The most common form of these types of attacks is what is known as ‘bancos’ or banking trojans. They get onto your computer just like any other piece of malware and then when you go to a bank, stock trading site or some other location, they wait for you to successfully log in and then start a second, hidden browser session and steal all your money.

  • Faked Authentication

Here’s one of the hardest types of attacks to stop for 80% of MFA solutions. An attacker can trick a person into visiting a fake website that looks like a legitimate website where the user would normally use their MFA login. But instead, the website simply fakes the whole MFA routine, from asking the user to input their MFA login, to acting as if the MFA login was successfully accepted.

The website can then post additional, fake actions and requests, such as, “You must update your credit card information” and then prompt the user to re-enter their credit card details. It can be hard for an MFA provider to prevent a faked authentication event from occurring.

  • Recovery Attacks

Almost every major MFA login method allows that login to be recovered using a method that is less secure than using MFA. Re-activating new MFA instances and/or logging in while the current MFA solution is not available is the number one request of any vendor using an MFA solution.

Because of this, almost every vendor that uses MFA allows users to temporarily bypass their MFA solution to get logged in or to request a new MFA solution.

  • Buggy MFA

All MFA involves programming, and all programming has bugs, which means it can be exploited by someone who finds the vulnerability.

Almost every MFA solution we investigated had one or more vulnerabilities, which eventually became publicly known, that have been used to bypass the MFA solution. Even if your favourite MFA solution doesn’t have any known, published bugs, it likely has them.

Specific Techniques Against Specific Types of MFA

Many different MFA attacks are specific to a particular type of MFA.

SMS-Based

SMS-based text messages make the world go around, and SMS-based MFA is probably the most popular type of MFA solution used on the Internet. You go to some website, it sends you an SMS code that you then type back into that website, and it lets you in.

The problem is that SMS (and voice calling) have very poor authentication. They rely on an underlying protocol called SS7, which is weakly authenticated. It allows phone numbers to be spoofed and calls and messages to be eavesdropped on.

Another common attack against SMS-based MFA solutions is known as a SIM swap attack. It turns out that hackers can use various tricks to have your phone number and its associated information moved to a SIM in their phone.

When this happens, your phone stops working, but before you notice no-one has called you for a while, a hacker could have put your MFA account into account recovery mode and have the reset PIN texted to your phone number or simply log in to a site of yours that uses SMS-based MFA.

In any case, the authentication information headed for your legitimate phone gets re-routed to their phone and they use that SMS-provided information to take over your account.

All-in-all, SMS-based MFA methods are considered among the easiest types of MFA to compromise.

OTP-Based Attacks

One-Time-Password (OTP) tokens and phone apps (like Google Authenticator) generate 4- to 6-digit codes which change regularly.

The OTP codes are generated from a random “seed” secret, which is stored both in the vendor’s database and on the MFA OTP device. If attackers can access the database where the OTP seed secret is stored, they can create additional, unauthorised copies of the OTP device or instance.

Smartcards

Smartcards are the original MFA device. These credit card-sized MFA tokens contain a cryptographically secure microchip, which protects the stored secrets. Except, if hackers can physically access your smartcard, they can steal your secret encryption keys.

There are likely hundreds to thousands of people who know how to compromise your smartcard if they can get physical access. This is not to say smartcards are bad. They are not.

They are a great MFA solution and have worked for decades to protect some of the top security networks. But just like all MFA solutions, they can be hacked.

Passwords Are Here to Stay

It seems every year since 1990, there are at least a few articles predicting the end of passwords. But most people will be using a combination of many passwords and multiple MFA solutions, for various logins, for at least the next ten years.

I do not see a passwordless society (too many sites and services only accept passwords) and none of the things that would replace them work on even 2% of the world’s websites and services.

Plus, the things that replace passwords can all be hacked. I think we will see fewer passwords over time, but it will be quite some time, if ever, before no one is using a password.

Advice for successful MFA

Whenever you use or administer MFA, make sure that the involved users understand the common ways they can be hacked and educate them to recognise, avoid and report those types of attacks.

A little knowledge is a beautiful thing. You would not ask your end users to use passwords without a few hints on how they can be hacked and abused. You should do the same with your MFA solutions.

MFA can be a highly effective way to safeguard your organisation’s data, but that doesn’t mean it’s un-hackable.

Ronald Lee is Managing Director, Asia at KnowBe4
