Multi-factor Authentication (MFA) has remained one of the most consistent security best practices for decades in the digital world. Whether it is accessing your social media account, internet banking, or a corporate application; implementing an additional layer of authentication over your password is an accepted best practice across the globe. MFA comes in three categories which are something you know (password), something you have ( a security token or a smartphone), and something you are (biometrics). This extra layer of security is used to prevent attackers from gaining access even if they have compromised a user’s password, as one level of authentication is no longer sufficient. 

However, cybercriminals have started adapting to this layer of security, and new threats are emerging that put even MFA authentication at risk. In this article, we will go into the details of these new threats and what they mean for modern security. 

Attacks against MFA

Despite MFA’s benefits, it is not fool-proof, and attacks against MFA systems have started to gain prominence where attackers can subvert this additional layer of security either directly or via other methods. These attacks have become dangerous enough for the FBI to issue an advisory about such attacks. Some of the common attacks are listed below: 

• SIM swapping in which cybercriminals socially engineer customer service representatives of banks to port their phone numbers to a number belonging to the cybercriminal. Instead of attempting to attack the MFA layer, they change the authentication to their number, allowing them to carry out wire transfers, change credentials, and other financial fraud. 
• Another attack involves bypassing the multi-factor authentication altogether by alerting the web URL of a banking application. By changing the URL, the attackers could avoid the need to enter a PIN, allowing them to commit financial fraud. 
• Other attacks involve man-in-the-middle techniques where a cybercriminal can hijack the session between a valid user and the accessed platform. By monitoring the communication, they can intercept tokens and even initiate transactions acting as the user. 
• An MFA fatigue attack is when an attacker already has access to a user’s credentials but attempts to flood the user’s device with MFA notifications. The intent is to frustrate the user and get them to approve blindly without checking the action that is being authorized. 

Along with attacks, new toolkits are also available that can automate phishing attacks against MFA protection. Muraena and NecroBrowser toolkits can act as proxies and monitor traffic, such as passwords and even MFA tokens. The ability to automate attacks via these toolkits makes them appealing to cybercriminals who would use them to scale their operations. 

Is MFA still a reasonable control?

Despite the attacks mentioned previously, it must be stressed that MFA remains a powerful control that can easily block the wide variety of attacks that target users via social engineering. Attacks specially tailored towards MFA are still rare and require extensive planning. Due to the increased efforts required, attackers have not yet adopted them at scale.

 Microsoft has stressed the rarity of such attacks and recommends using MFA as a valid control stating that it stops 99.9% of attacks targeting users, which is a reassuring statistic​. Google also provided similar stats, mentioning, “We found that an SMS code sent to a recovery phone number helped block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.”

However, it must be stressed that MFA is not a silver bullet and must be used with other controls like good awareness about social engineering attacks and good browser/smartphone security hygiene. Users must remain vigilant about new techniques, such as Deepfake scams and fake AI-generated audio messages, which attackers are now adopting as another sophisticated type of social engineering attack. In these attacks, attackers can impersonate the image or voice of an authorized person and use it to trick users and customer service representatives into handing over their authentication tokens. Due to the attacker appearing as a trusted individual, the success rates of these attacks are often higher than regular social engineering attacks. 

Additionally, keeping your browser and smartphone devices protected and patched at all times is essential and forms part of a strong security posture. Ensure that you have security software running on your devices that alerts you if an attacker attempts to take over your device as part of an account takeover. 

Conclusion

MFA is and will continue to be a security best practice in the future due to its robust security against attacks like account takeover and phishing. Industry benchmarks like Zero Trust and PCI DSS continue to refer to it for forming a solid security foundation for a company. MFA Attacks will continue to evolve. However, user awareness and technologies like AI can help augment MFA with more intelligent context-driven data that can help prevent such attacks. To stay protected, users must remain vigilant and adopt a robust security awareness culture and technical controls like browser and device security.

Frequently Asked Questions