How hackers are circumventing multi-factor authentication - and organizations should upgrade now

Why multi-factor authentication can't provide 100 percent protection

The numbers are frightening. There are currently around 24.6 billion stolen login pairs - the combination of login name and password - for sale on the darknet. Cyber criminals can easily take advantage of the leaked data and abuse it for their own purposes. The Digital Shadows Research Team's "Account Takeover" study shows a dramatic 64% increase in stolen credentials subsequently offered for sale compared to 2020. The use of weak credentials poses a significant risk in this regard; they are almost playfully exploited by cyber attackers. With brute force attacks, the automated, simple trying out of password combinations or password keys, simple passwords without MFA can be cracked relatively easily. Modern high-performance computers speed up the process. The result: industrial espionage, identity theft, extortion with ransomware.

Recently, many companies and organizations have upgraded their security systems and made multi-factor authentication (MFA) mandatory. This involves implementing one (or more) additional authentication measure(s) in addition to entering a username and password, such as sending a one-time PIN to the smartphone or through the use of authenticator apps. MFA significantly increases the level of access security compared to using user and password alone. However, even MFA is not an "absolutely reliable seat belt" and can provide a sense of deceptive security. Cybercriminals have now developed a variety of tactics to circumvent the controls of the security mechanism and render the MFA ineffective as a result.

Seven tactics criminals use to bypass multi-factor authentication

Tactic 1: SIM Swapping - Your SIM is now my SIM!

The SIM card in your smartphone or tablet is a personal object that exists only once? Wrong thinking. In SIM swapping attacks, cybercriminals impersonate your mobile carrier as a customer and order a new SIM card in your name via phone or online customer portal. The new SIM card is then linked to your mobile number - and the attackers can effortlessly receive your SMS or make calls. This gives the cybercriminals access to all online services associated with your phone number, and they can reset passwords or verify themselves.

Tactic 2: Phishing - Leveraging MFA in an automated way.

Multi-factor authentication reliably separates passwords and one-time passwords (OTP). Actually. Using phishing techniques, cybercriminals are now able to steal passwords and one-time passwords in combination. For this, cybercriminals rely on two-pronged attacks. While passwords are being stolen on a fake site, they are simultaneously entered on the real website for the login process. However, the system only works in real time via interaction between the victim and the attacker. This highly labor-intensive method is often supported by automated phishing toolkits.

Tactic 3: Man-in-the-middle attacks - watch out, hacker is reading along

For man-in-the-middle attacks, cybercriminals hook into two parties' communications. While each party thinks they are communicating with the "correct" counterpart, the hacker in the middle taps into the information being sent. In this form of cyberattack, the hacker gains complete control over the traffic. The info can include login credentials as well as account information or your credit card number. Man-in-the-middle attacks become particularly dangerous when combined with other methods.

Tactic 4: Robocalls - Data transfer on call

Robocalls, or robotic calls, are automated phone calls made through computer software. By using constantly revised templates, robocalls specifically mimic how employees or staff of banks or insurance companies, for example, sound in person. Potential victims are persuaded to provide their data, such as login, account, or credit card information, in this fake-confidential "conversation environment." In hacker circles, the technique has a success rate of over 80 percent.

Tactic 5: SMS OTP attack - Widely used and therefore so vulnerable

The use of one-time passwords (OTP) sent via SMS is still prevalent in the realm of multi-step authentication, although this type of two-factor authentication should be avoided. What looked like a solid and strong authentication process when it was first introduced is now easily bypassed by mobile authentication apps (the far more secure method of transmission). Online banking in particular switched from mobile TANs to app-based solutions a while ago. This is because, unfavorably, one-time passwords via SMS are particularly susceptible to successful cyberattacks that quite specifically exploit existing vulnerabilities in mobile networks. In addition, there are problems with reliability: SMS messages can sometimes take a long time to be transmitted and can even disappear (e.g., in regions with poorly developed mobile networks). The sender then never knows for sure whether a message has been delivered.

Tactic 6: Falsify IT help desks - research before the attack

Hackers also want to use their own resources as efficiently as possible. Before cybercriminals launch an attack on a company, they usually test out how securely the company's MFA is set up. In this social engineering method, cybercriminals impersonate employees themselves to find out the procedure for a password reset. In parallel, login credentials are tapped. At the end of the day, the cyber attackers have all the information needed for a password reset and subsequent takeover of the victim's access.

Tactic 7: Accidental Push Accept

Accidental Push Accepts appear to be one of the trends among cybercriminals in 2022. Push messages to the smartphone are used by numerous companies around the world as a simple method of authentication. The user receives a "pushed" notification on his smartphone after entering his password and only has to confirm it by touch - and access is authorized. With Accidental Push Accepts, hackers shamelessly exploit the possibility of push messages: They are already in possession of the valid credentials and only need confirmation via the push message. The victim is then "bombarded" with notifications without ceasing until he accidentally or frustratedly agrees. A lot really helps in this case, because inattentive or stressed people in particular would rather click away the annoying message than pay attention to its content.