MFA Can Be Defeated, but Use It Anyway


Multi-factor authentication (MFA) can be defeated, but you should always use it anyway. While no IT security tool is 100% foolproof, MFA is still one of the best ways to help keep your online accounts secure. Here’s what to know about MFA, how hackers try to bypass it, and how to identify an MFA scam.

With MFA enabled, an attacker needs more than just a username and password to gain access to your accounts or devices.

When you turn on MFA for a service, you change its security requirements. MFA forces you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device.

Those two forms of authentication can come from any combination of at least two of the following elements:

  • “Something you know,” such as a password or PIN
  • “Something you are,” such as a fingerprint or other biometric ID
  • “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes, or a hardware-based security device

For the most part, MFA systems today use the first item (your password) and the last item (your smartphone).

Authentication methods include receiving a code via text message, using an authenticator app on your phone, or even receiving a phone call where you press a key for authentication.

How the authenticator app works is interesting. The process is governed by a well-accepted standard that uses the Time-based One-Time Password algorithm (TOTP). That algorithm uses the authenticator app as a sophisticated calculator that generates codes from the current time on your device and a shared secret. The online service uses the same secret and its own clock to generate codes that it compares against your entry. Because both sides work from the same universal time, time zones cause no problem, but your codes will fail if the clock on your device is wrong.
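To make the TOTP description concrete, here is an added example (not code from the original post or from any authenticator vendor) that implements the RFC 4226/6238 code generation and a server-side check. It assumes the common defaults of a 30-second step, 6 digits, HMAC-SHA1 and a tolerance of one step either way; the secret used is the RFC test secret, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret ("12345678901234567890" in base32), used only for the demo.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per time step (assumed default)
DIGITS = 6   # code length (assumed default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of whole steps since the Unix epoch (time zone independent)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and its +/- skew_steps neighbours, comparing in constant time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    current = server_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + delta), submitted)
        for delta in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("code:", code, "accepted:", verify_totp(DEMO_SECRET_B32, code, now))
    # A phone whose clock is five minutes slow produces a code outside the server's window.
    slow_code = totp(DEMO_SECRET_B32, now - 300)
    print("code from slow clock accepted:", verify_totp(DEMO_SECRET_B32, slow_code, now))
```

The second check prints False, which is exactly the failure a user sees when the phone's clock drifts too far.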

How Attackers Can Bypass MFA 

There are several ways attackers can bypass MFA, including hacking your phone and prompt bombing.

If you receive a code via text message, cybercriminals can intercept that code if they’ve taken over your phone number using a SIM swap. In this scenario, a hacker could employ any number of methods to move the victim’s phone number to a device they control, so that any subsequent messages or phone calls – for instance, one with an MFA code – would be redirected to the new phone. That’s one reason experts are increasingly urging a move away from SMS.

If you use an authenticator app on your phone, be aware of prompt bombing. This often takes the form of receiving multiple notifications asking you to confirm MFA with a touch of a button on your phone, but not always.

Methods of prompt bombing include:

  • Sending a bunch of MFA requests and hoping you finally accept one to make the noise stop.
  • Sending one or two prompts per day. This method often attracts less attention, but still increases the odds that you’ll accept the request.
  • Calling you, pretending to be part of your company or tech support, and telling you they need to send an MFA request as part of a company process.

There are even phishing toolkits that can be used in man-in-the-middle attacks to sneak past authentication protections. This is yet another reason to be extra careful with the emails and texts you open and the sites you visit.

If You Suspect an MFA Scam

Only confirm MFA if you’re initiating the sign-in. If you receive an MFA notification for an account you’re not trying to sign in to, immediately change your password for that account.

Why Using MFA is Worth It

It’s estimated that implementing MFA can block 99% of automated attacks. Yes, using MFA adds an extra step and can be frustrating. Still, the minor inconvenience far outweighs the time and expense of recovering from a major loss.

Use MFA on every online account you can, including social media, password managers, financial services, Microsoft, Google, email, and even shopping and online commerce accounts where you’ve saved a credit card number.

If nothing else, the extra effort required to defeat MFA may cause an attacker to choose someone else. That alone makes it worth it.

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.