By now, you’ve likely heard about multi-factor authentication (MFA). You’re probably using it for most of your sensitive accounts. All the cybersecurity blogs you read (including this one) told you that you should be good and protected now. But advances in cyber protection don’t stay “advances” for long. Hackers always catch up; it’s just a matter of time. MFA can be cracked now too, thanks to some simple social engineering tricks.

If you’re using MFA, good for you—keep using it. However, you should be on the lookout for these tactics from hackers if you want to keep your data safe. Let’s look at the top ways hackers can bypass MFA and what you can do about it.

Phishing is the most widely used social engineering attack because, unfortunately, it still works. Hackers will send lookalike emails or text messages (also known as “smishing” or SMS phishing), tricking users into clicking on the link and entering their credentials. They can capture more than just usernames and passwords with this method—they can collect MFA codes as well.

Many MFA apps use push notifications to alert users when they need to authenticate during a login. This works well when it’s the user who’s trying to access their own account. But hackers have found a way to use this to their advantage. They attempt to log in over and over, generating several push notifications. People will either mistake them for a genuine prompt and accept it, or grow frustrated with the many notifications and accept just to make them stop. Once they accept, the hacker has account access.

An adversary-in-the-middle (AiTM) attack makes users believe they’ve logged into a genuine network, application, or website. However, the hacker snags their username and password, and can then manipulate the MFA function.
Once the user enters their credentials on the fake site, the hacker enters them on the legitimate site, triggering a legitimate MFA request. The user, who just entered their credentials (on a fraudulent site), expects this MFA request and approves it. The hacker then gets access to their account.

MFA bypass attacks are common against customer service departments or support desks. The hacker calls the service desk pretending to be a customer who’s forgotten their password. They might pretend to be distressed to convince the service desk agents to bypass proper verification procedures. Attackers also call support agents claiming their phone is lost and request to enroll a new device. The agent sends a password-reset link to the hacker-controlled device, and the hacker gets into the account.

What’s the device you use most often for MFA? Your cell phone. That makes your phone a prime target for MFA hacks. SIM swapping schemes are similar to service desk attacks. Hackers contact your cell phone service provider to ask to transfer your service and data to a new SIM card—a card which is under the hacker’s control. Basically, they steal your phone and all your phone app data. They can then crack every MFA you have set up with either your phone number or an authenticator mobile app.

SIM swapping is one of the easiest hacks to do, according to Haseeb Awan, CEO of America’s most secure and private cell phone service. He says, “If you click on a thousand expensive neighborhoods in the US, you will find maybe 50,000 houses. You can go on White Pages and buy that data for 10 cents or something. It will give you the telephone number of everyone who lives in those houses. You just run a record, you run a couple of algorithms, and you’ll find everything. Now you have 50,000 people to play with. It’s somewhat simple.
It’s a very easy attack to do.”

If you’re using MFA, then you’ve already taken a step toward better security. However, times change and technology evolves. MFA methods that worked 10 years ago are cracking as cybercriminals look for new ways to break into our accounts. Keep the tips in this article in mind and think seriously about the security of your online and offline accounts. Staying vigilant—and up to date on the latest security technologies—can keep your data safe.
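
The repeated push-notification attack described earlier leaves a recognizable trail in authentication logs: a run of denied or ignored prompts for one account inside a short window, sometimes ending in an approval. The following Python example is added here and is not part of the original article; the log format, the 10-minute window, and the threshold of four prompts are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 4                    # assumed: rejected prompts that count as a burst

# Constructed sample events, one push prompt per line: time, user, source IP, outcome.
SAMPLE_LOG = """\
2024-05-01T08:59:40 bob 203.0.113.20 approved
2024-05-01T09:00:05 alice 198.51.100.7 timeout
2024-05-01T09:00:41 alice 198.51.100.7 denied
2024-05-01T09:01:10 alice 198.51.100.7 timeout
2024-05-01T09:01:52 alice 198.51.100.7 timeout
2024-05-01T09:02:30 alice 198.51.100.7 approved
2024-05-01T13:00:00 carol 192.0.2.44 denied
2024-05-01T13:30:00 carol 192.0.2.44 approved
"""

def parse(log):
    """Yield (timestamp, user, ip, outcome) tuples from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        yield datetime.fromisoformat(ts), user, ip, outcome

def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for prompt bursts and for approvals that end a burst."""
    rejected = defaultdict(deque)   # user -> times of recent denied/timed-out prompts
    alerts = []
    for ts, user, ip, outcome in sorted(events):
        recent = rejected[user]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop prompts older than the window
        if outcome in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((user, "prompt_burst", len(recent), ip))
        elif outcome == "approved":
            if len(recent) >= threshold:
                # Approval right after a burst: treat the session as suspect.
                alerts.append((user, "approved_after_burst", len(recent), ip))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_bombing(parse(SAMPLE_LOG)):
        print(alert)
```

An `approved_after_burst` alert is the case that warrants revoking the new session and contacting the user; a single denied prompt followed much later by an approval, as in the `carol` lines, does not trigger it.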