Security Scorecard

Hackers Are Using These 3 Techniques to Bypass MFA

Posted on December 7th, 2022

There’s no denying that multi-factor authentication (MFA) is an essential security measure that significantly improves an organization’s cyber posture. However, there is no silver bullet in cybersecurity. Though multi-factor authentication proves extremely helpful, determined and resourceful cybercriminals can still find techniques to bypass it.

Let’s look at some frequently used methods cyber-attackers leverage to bypass MFA:

Social engineering

In a world where organizations are ramping up their defenses with advanced security measures, hackers increasingly rely on one weakness organizations can’t patch: humans.

After the hacker has obtained the login credentials, they may try to bypass the additional authentication factor by sending phishing emails that prompt the victim to authorize the login or send over the code. There’s also a more advanced phishing technique where the hacker directs the user to an imposter website to bypass MFA. Here’s how that typically works:

This technique has been particularly active in recent months. It starts with a phishing email with an HTML attachment leading to the proxy server.

When the user enters a password into the proxy site, the proxy sends it to the real server and then relays the real server's response to the user. Once the authentication is completed, the threat actor steals the session cookie that the legitimate site sent, the cookie that lets the user avoid re-authenticating at every new page visited.
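As an added example (not from the original article), the Python sketch below shows one way a defender could spot the replay of a stolen session cookie: it flags any session ID that is later presented from a different network or user agent than the one it was first seen with. The log layout, the /24 grouping for IPv4 and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed web-access records: (epoch_s, session_id, client_ip, user_agent)
SAMPLE_LOG = [
    (1000, "s-aaa", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"),
    (1030, "s-aaa", "198.51.100.9", "Mozilla/5.0 (Windows NT 10.0) Firefox/107.0"),
    (1100, "s-bbb", "203.0.113.20", "Mozilla/5.0 (Macintosh) Safari/605.1.15"),
    (1160, "s-bbb", "192.0.2.44", "python-requests/2.28.1"),
    (1200, "s-ccc", "192.0.2.80", "Mozilla/5.0 (X11; Linux) Chrome/108.0"),
]


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so small address changes do not alert."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(records):
    """Return (session_id, epoch_s, changed_fields) for the first context change per session."""
    issued_to = {}  # session_id -> (network, user_agent) at first sighting
    alerts = {}     # session_id -> alert tuple (one alert per session)
    for ts, sid, ip, ua in sorted(records):
        net = network_of(ip)
        if sid not in issued_to:
            issued_to[sid] = (net, ua)
            continue
        first_net, first_ua = issued_to[sid]
        # Record which parts of the client context differ from the first sighting.
        changed = tuple(
            name
            for name, differs in (("network", net != first_net),
                                  ("user_agent", ua != first_ua))
            if differs
        )
        if changed and sid not in alerts:
            alerts[sid] = (sid, ts, changed)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

A flagged session is a candidate for revocation and forced re-authentication; the same comparison can be enforced inline by binding the cookie to the client context at issue time.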

Over-the-phone verification is another social engineering technique used by hackers, although service providers have implemented measures to prevent it:

  • The hacker tricks the employee into sending basic personal details via a phishing email.

  • The hacker calls the service provider’s customer support, claiming to be locked out of their account.

  • After verifying a few personal details, the hacker can trick the vendor into granting them access to the employee’s account.

MFA fatigue attack

Push notifications to a user’s mobile device are a common authentication method. However, there is a way hackers can bypass it if they have the user’s login credentials.

An MFA fatigue attack involves bombarding an account owner with MFA push notifications until they slip up or are worn down psychologically and approve the login request. It sounds very simple, but it’s also very effective. Once an MFA request is approved, hackers can access the user's account and misuse it however they want.

The main goal of such an attack is to send an endless barrage of MFA push notifications to inflict a sense of fatigue on the account owner. MFA fatigue makes the victim approve the sign-in request accidentally due to muscle memory or knowingly to stop the endless push notifications.

SMS OTP attacks

In 2017, NIST published a guideline warning against SMS OTPs (one-time passwords) for 2FA. But five years on, many organizations still use SMS OTPs because of their ease of implementation. If you’re one of those organizations, the cyber threats are too great to ignore, so it’s time to ditch SMS OTPs for more secure authentication solutions.

SIM swapping is a popular technique used to bypass SMS MFA. SIM swapping is a scam that starts with a malicious actor obtaining personal information through phishing or buying it from the dark web and calling your mobile carrier, claiming they have a new SIM card to activate for your account. They usually say the original SIM card was stolen or lost. Some may work out an elaborate story to sound more believable. Some have even paid off mobile service employees to give up client information.

The mobile carrier will ask for personal information, which the criminal has already gathered, to confirm their identity.

If the criminal persuades the mobile carrier’s customer service rep that they’re legit, they will reassign your phone number to their SIM. The criminal has essentially disconnected your phone number from your phone and assigned it to their SIM card, which they’ve popped into their device.

With that, they can reset account passwords and take control of any authentication request that goes to your phone via SMS. They can start accessing many accounts, including email, digital payment systems, social media, shopping, etc.

How to strengthen MFA

To prevent the scenarios covered in this article, you must strengthen your MFA. The easiest way to do that is by stopping hackers from ever getting to that stage in the login process through strong passwords. Simple and reused passwords are easy to bypass with brute force attacks or leaked credentials.

Large organizations must train employees on the importance of strong passwords and MFA handling. Employee training is a vital aspect of improving an organization’s cyber posture. Employees should learn to recognize social engineering attack patterns, and only confirm a login request after checking the attempted login details, such as location and operating system.

To prevent MFA fatigue:

  • Limit the number of authentication requests

  • Change your password or contact your service provider if you notice suspicious authentication requests
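As an added example (not from the original article), here is one way the "limit the number of authentication requests" control could be implemented on the server side: a sliding-window cap on push prompts per account, with a lockout that forces a different factor once the cap is hit. The class name, thresholds and event format are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class PushPromptLimiter:
    """Sliding-window cap on MFA push prompts per account (hypothetical helper)."""

    def __init__(self, max_prompts=3, window_s=600, lockout_s=1800):
        self.max_prompts = max_prompts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._sent = defaultdict(deque)  # account -> timestamps of prompts sent
        self._locked_until = {}          # account -> time push is re-enabled

    def request_push(self, account, now):
        """Return 'send', or 'blocked' when the account must use another factor."""
        if now < self._locked_until.get(account, 0):
            return "blocked"
        sent = self._sent[account]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()               # drop prompts that left the window
        if len(sent) >= self.max_prompts:
            # Too many prompts without an approval: stop pushing, raise an alert.
            self._locked_until[account] = now + self.lockout_s
            sent.clear()
            return "blocked"
        sent.append(now)
        return "send"

    def approved(self, account):
        """An approved prompt resets the account's counter."""
        self._sent[account].clear()


def replay(events, limiter):
    """Run (timestamp, account) login attempts through the limiter."""
    return [(ts, acct, limiter.request_push(acct, ts)) for ts, acct in events]


# Constructed sample: 'alice' receives a burst of prompts; 'bob' logs in normally.
SAMPLE = [(0, "alice"), (20, "alice"), (40, "alice"), (60, "alice"),
          (90, "bob"), (120, "alice"), (1900, "alice")]

if __name__ == "__main__":
    for row in replay(SAMPLE, PushPromptLimiter()):
        print(row)
```

Each "blocked" result is also a useful detection signal: a burst of prompts against one account implies the password is already known to someone else, which ties in with the advice to change it.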

Biometric authentication is the safest, so it’s best to use it whenever possible. It’s much easier to bypass a 4-digit code than a fingerprint or face scan.

For organizations, authentication solutions like Okta or Google Authenticator are ideal, as they’re safer than SMS codes, and easier to set up than biometric authentication for every employee.

How SecurityScorecard can help

If cybercriminals bypass your organization’s MFA, you must act fast to minimize the damage. SecurityScorecard’s Incident Response service helps you effectively manage your data breach response by:

  • Stopping additional data loss

  • Documenting and recording the incident and the process

  • Assisting law enforcement/regulators

  • Notifying affected parties under your industry requirements

  • Fixing vulnerabilities and implementing measures to prevent further attacks

Plan ahead by ensuring you have the necessary expertise and 24/7 support required when a cyber incident hits. SecurityScorecard conducts a cyber readiness review to ensure both parties are ready to take action quickly.
