For criminals trying to conduct account takeover fraud via credential stuffing, multifactor authentication (MFA) adds hurdles, but attackers have discovered ways to bypass MFA, meaning that MFA by itself does not eliminate the threat of account takeover. Enterprises need to take additional measures to bolster the security of MFA, including bot mitigation and the monitoring of contextual risk.
Regardless of its weaknesses, MFA is a significant step forward because password-only authentication has clearly failed. We humans simply cannot remember long strings of characters, and so we take shortcuts, choosing simple, predictable passwords and reusing passwords across applications, all of which has led to many security breaches.
However, with the failure of passwords and the adoption of MFA, we have seen a rise in attacks against MFA such as:
Real-Time Phishing Proxies
In a real-time phishing proxy (RTPP) attack, fraudsters use phishing messages to fool users into visiting an attacker-controlled site that looks like a trusted site, enticing the user to enter their credentials and approve the second factor authentication request, whether that is an SMS message or a push notification. The RTPP forwards the credentials to the target app and gains access. For a demo of the attack, see this video by hacker and security consultant Kevin Mitnick, and for background on the growth of real-time phishing proxies, see the F5 Labs Phishing and Fraud Report.
In MFA bombing attacks, the attacker tricks the target into giving them their authentication code by sending multiple fraudulent requests for the code. This works best against authenticator apps that rely on push notifications because the user can so easily make the flood of requests stop through the press of a button. Attackers sometimes combine MFA bombing with social engineering to encourage users to accept the push notification and grant access.
Attackers have even bypassed biometric authentication. After all, we leave our fingerprints all over the place, on nearly every smooth surface we touch, where they can be collected and replicated using anything from a 3D printer to gummy bear ingredients. Security researchers have also demonstrated the spoofing of facial and voice recognition as well as iris scanning. While vendors have developed anti-spoofing techniques such as liveness checks to detect bypass attempts, any given biometric device might become vulnerable as attackers advance the state of the art.
SIM swapping involves fraudsters exploiting the ability of service providers to transfer a phone number to another device. The fraudster gathers personal information on the victim and then social engineers a support person to transfer the victim’s phone number to the fraudster’s SIM. With control over the victim’s phone service, the fraudster receives the text messages intended for the user, which allows them to intercept one-time passwords (OTPs) and bypass MFA.
Because MFA is a significant improvement over password-only authentication, it is here to stay, so cybersecurity practitioners must address its vulnerabilities.
A good way to start is by mitigating bots. Exploiting password reuse, attackers deploy bots to test stolen credentials against logins, a technique defined by OWASP as credential stuffing, which gets them past the first factor in MFA. Attackers also use bots in RTPP attacks to forward OTPs to the target site before they expire. MFA bombing likewise is an automated attack that depends on bots. Through an effective bot management solution, a security team can take away a critical tool that attackers rely upon to scale MFA bypass techniques.
Another way to mitigate the vulnerabilities of MFA is to consider contextual risk. Contextual risk can be determined by the user’s IP address, ISP, location, the time of day, device, functionality accessed, and behavior, all of which can be used to calculate a risk score as a user moves through an application. The higher the score, the stricter the authentication requirements, which might culminate in disabling an account.