Multi-factor authentication (MFA) is an authentication protocol that asks users for additional factors in order to login to their accounts. Such additional factors include:
Something you know: This might include a password, PIN number, or an answer to a security question.
Something you have: This could be a mobile phone, hardware token, fob, security key, etc.
Something you are: This includes biometric information such as fingerprints, facial recognition, retina scan, or voice recognition.
Users are required to provide at least two of these additional factors to verify their identity.
How can Cybercriminals Bypass Multi-Factor Authentication?
Hackers can bypass MFA in much the same way as they would for two-factor authentication, where there is just a username and password. Below are some of the most common ways that MFA can be bypassed:
Social Engineering
Social engineering techniques, such as phishing, is a common way for attackers to obtain credentials. For example, in some cases, they will try to login to an organization’s cloud service provider, which sends an SMS message with the verification code to the account owner. The hacker will then send an email to the account owner asking them for the verification code. Of course, in order for this to work the hacker must convince the user that they are a trusted entity. In some cases, the hacker will send an email to an unsuspecting employee in order to obtain some basic personal information. Using this information, they might then try to call the service provider and explain that they have been locked out of their account, and they want help getting back in.
Consent Phishing
Another social engineering technique that is becoming popular is known as “consent phishing”. This is where hackers present what looks like a legitimate OAuth login page to the user. The hacker will request the level of access they need, and if access is granted, they can bypass MFA verification.
Brute Force
One of the main benefits of multi-factor authentication is that it makes it a lot harder for hackers to brute-force-guess account passwords. Although it makes it harder, it doesn’t make it impossible. For example, hackers may look for photos of the user on social media, which can they can use to bypass MFA that uses facial recognition as an additional factor. In some extreme cases, they may try to find the fingerprints of the user by dusting a smooth or non-porous surface with fingerprint powder and then taking a photograph of the prints using a high-resolution camera.
Exploiting Generated Tokens
Many online services use authentication apps, such as Microsoft Authenticator and Google Authenticator, to generate temporary tokens which can be used as an authentication factor. In some cases, these services will keep a list of authentication codes, which are used by the service provider in the event of an account lock-out. Hackers will try to obtain this list by exploiting poor data security practices in order to bypass MFA.
Session Hijacking
Session hijacking is where an attacker steals session cookies, which contain a user’s authentication credentials. Session cookies are used by many web applications to provide a customized browsing experience and track the user’s activity. These session cookies remain active until the user logs out, and are sometimes sent to the server over an insecure connection. Hackers can easily find out if the session cookies are not secure, and are able to steal these cookies via a man-in-the-middle attack. Once they have access to a session cookie, they can bypass MFA.
SIM Hacking
Cybercriminals are able to gain access to your mobile device using one of three methods: SIM-jacking, SIM swapping, and SIM cloning, which are explained in more detail below:
SIM-jacking: Hackers will send a piece of spyware-like code to a target device using an SMS message. If the user opens the message the hacker will be able to spy on the victim, thus potentially gaining access to their credentials.
SIM swapping: The hacker will contact your mobile service provider and ask for a replacement SIM card. Since it is not uncommon for users to request new SIM cards, perhaps because they are upgrading to a new device, the service provider may oblige and send them a new card. Once the hacker has the new SIM card, they can use it to gain access to your account, assuming the account uses SMS verification as one of the MFA factors.
SIM cloning: This is where the hacker gains access to your physical device, removes the SIM card, and using smart card copying software, copies the SIM data onto a blank card. The hacker will then insert the newly created SIM card into their phone, and receive phone calls and text messages to that SIM, including MFA authentication codes.
How to Strengthen Multifactor Authentication
Given that the easiest way to bypass MFA is to convince users to hand over credentials and/or personal data, it is crucially important that your employees are trained to identify social engineering attacks, such as phishing emails, suspicious phone calls, and SMS messages. Below are some more tips to strengthen MFA:
Choose your authentication methods wisely
If you want to be extra secure, it’s probably a good idea to avoid SMS-based authentication altogether, as SMS OTPs are easier to compromise than other methods. If you do want to use SMS verification, consider setting up a SIM card lock, which means that a PIN number is required to modify your SIM card. Try to use biometric authentication whenever possible. After all, few hackers will bother to dust your door knobs with powder in order to get a copy of your fingerprint.
Use adaptive multi-factor authentication
Consider using adaptive multi-factor authentication (AMFA), which is a more contextual approach to MFA. With AMFA, each request is validated by examining the user’s geolocation, IP reputation, device, and login behaviors.
Use complex passwords, restrict access and monitor logon attempts
Make sure that your users are using strong and unique passwords. Passwords should either be long alphanumeric strings with upper and lower case characters, or a passphrase that is difficult to guess. It’s always a good idea to ensure that users are granted the least privileges they need to perform their roles. That way, if an adversary does manage to bypass MFA, there’s less damage they can cause. Ensure that you have a way to detect and respond to anomalous logon attempts. Some sophisticated real-time change auditing solutions are able to detect and respond to events that match a pre-defined threshold condition. For example, If x number of logon attempts occur within a given time-frame, a custom script can be executed to disable a user account, shut down the affected server, and anything else that will help to contain the threat. These solutions can also work on cloud-based environments.
How to Use Lepide to Protect Privileged Accounts
Privileged accounts require more levels of protection than multifactor authentication. You need to be consistently monitoring the activities of privileged accounts, and tracking when permissions to sensitive data are changing. Lepide can help you do this.
With Lepide, you can identify employees that have access to sensitive data and find out where they are getting that access from, whether that’s directly or indirectly (through nested groups, for example). Lepide will then analyze the behavior of these users to determine whether they require that level of access. If not, the permissions will be considered excessive.
Lepide can also spot anomalies in the behavior of these users so that you can quickly detect and react to what might be the signs of privilege abuse.
If you’d like to see how the Lepide Data Security Platform can help you protect your privileged accounts, schedule a demo with one of our engineers.