By now, we all know the multi-factor authentication (MFA) drill: from online sign-ins to payment orders, the minute we confirm our instructions, our mobile phone alerts us to an SMS message, giving us the second step required to verify the authenticity and ensure the security of our initial online activity. We confirm our request, resting assured that any possible fraudulent action or threat has been averted. But has it?
The precise answer is ‘most probably’, which is good, but not what most of us want to hear. For although MFA is now standard, and highly effective as a means of protecting users against online fraud, the fact is, hackers are a resilient, resourceful, and extremely clever bunch; and they seem to have infinite energy and a bottomless desire to beat every new security measure that cybersecurity professionals develop with the greatest care.
Indeed, cyber criminals have found more than one way to sabotage the MFA authentication process. The most common one is known as ‘MFA fatigue’ or ‘MFA push spam’. What happens in this case is that the user gets not only ONE verification notification, but several, gets confused and frustrated, and eventually accepts one or the other ‘trap notification’, which welcomes the hacker with open arms.
Another method is the ‘attacker-in-the-middle (AiTM)’ technique, a sophisticated phishing approach that hijacks the user’s session cookies to log in to their accounts without the need for repeated MFA. ‘Man-in-the-endpoint’ attacks use malicious software on the victim’s device to bypass MFA, while ‘SIM swapping’ is used for attacks on phone-based MFA, which are particularly hard to detect. Even major organisations such as Uber, Microsoft and Cisco have fallen victim to scammers who managed to bypass MFA.
This is not to say that MFA is useless. On the contrary, it is absolutely necessary as it grants organisations a security layer that is not invincible, but nevertheless powerful. The key is to implement MFA within your organisation, but to support it with other measures that are far less technical but equally important. For example:
- Limit the number of times a user can request and accept multi-factor authentication in sequence
- Regularly clear out dormant accounts
- Stick to Single Sign-On (SSO) wherever possible
- Offer your users regular security awareness training, so they become more familiar with these hacking techniques and can recognise and report any red flags.
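The first item on the list, limiting how many MFA prompts a user can receive in a row, is the one control that directly blunts MFA fatigue, and it pairs naturally with a detection rule for the moment the attack succeeds: an approval that arrives after a run of denials. The following is an added example written for this article, not code from the original article or from any vendor's product. The log format, field names, user identifiers, window of five minutes and thresholds of three pushes and two denials are all constructed for illustration; in a real deployment they would come from your identity provider's logs and policy.

```python
"""Rate-limit MFA push prompts per user and flag the 'accept to make it stop' pattern.

Added example (not from the original article). The log format, users and
thresholds below are constructed for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: ISO timestamp, event, user, outcome.
# alice receives a burst of prompts, denies two of them, then approves one.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z mfa_push_sent alice@example.test pending
2024-05-01T08:00:09Z mfa_push_result alice@example.test denied
2024-05-01T08:00:15Z mfa_push_sent alice@example.test pending
2024-05-01T08:00:22Z mfa_push_result alice@example.test denied
2024-05-01T08:00:31Z mfa_push_sent alice@example.test pending
2024-05-01T08:00:40Z mfa_push_sent alice@example.test pending
2024-05-01T08:00:55Z mfa_push_sent alice@example.test pending
2024-05-01T08:01:10Z mfa_push_result alice@example.test approved
2024-05-01T08:03:00Z mfa_push_sent bob@example.test pending
2024-05-01T08:03:12Z mfa_push_result bob@example.test approved
"""

MAX_PUSHES = 3                  # pushes allowed per user within one window (assumed policy)
WINDOW = timedelta(minutes=5)   # sliding window length (assumed policy)
SUSPICIOUS_DENIALS = 2          # denials before an approval that warrant an alert (assumed)


class PushRateLimiter:
    """Sliding-window limiter: at most max_pushes prompts per user per window."""

    def __init__(self, max_pushes=MAX_PUSHES, window=WINDOW):
        self.max_pushes = max_pushes
        self.window = window
        self._sent = defaultdict(deque)  # user -> timestamps of pushes sent in window

    def allow_push(self, user, now):
        """Return True and record the push if the user is under the limit, else False."""
        q = self._sent[user]
        while q and now - q[0] > self.window:   # drop pushes that fell out of the window
            q.popleft()
        if len(q) >= self.max_pushes:
            return False                         # over limit: do not send another prompt
        q.append(now)
        return True


def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, outcome)."""
    ts, event, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, outcome


def replay(log_text, limiter=None):
    """Replay log lines through the limiter.

    Returns how many pushes would have been blocked per user, and an alert for
    every approval that followed at least SUSPICIOUS_DENIALS denials inside
    the window, which is the signature of a user giving in to push spam.
    """
    limiter = limiter or PushRateLimiter()
    blocked = defaultdict(int)
    denials = defaultdict(list)   # user -> timestamps of recent denials
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, outcome = parse_line(line)
        if event == "mfa_push_sent":
            if not limiter.allow_push(user, ts):
                blocked[user] += 1
        elif event == "mfa_push_result":
            recent = [t for t in denials[user] if ts - t <= limiter.window]
            if outcome == "denied":
                recent.append(ts)
            elif outcome == "approved" and len(recent) >= SUSPICIOUS_DENIALS:
                alerts.append({"user": user, "at": ts.isoformat(),
                               "prior_denials": len(recent)})
                recent = []       # the approval closes this run of denials
            denials[user] = recent
    return {"blocked": dict(blocked), "alerts": alerts}


if __name__ == "__main__":
    result = replay(SAMPLE_LOG)
    for user, n in result["blocked"].items():
        print(f"{user}: {n} push(es) withheld by rate limit")
    for alert in result["alerts"]:
        print(f"ALERT {alert['user']} approved at {alert['at']} "
              f"after {alert['prior_denials']} denials")
```

Run against the constructed log, the limiter withholds alice's fourth and fifth prompts, and the detector raises one alert for her approval after two denials; bob's single, promptly approved prompt produces neither. The two controls are deliberately separate: the limiter is a preventive policy the identity provider can enforce on the push path, while the approval-after-denials rule belongs in the SIEM, where it should trigger a session review and a password reset rather than be trusted as a successful sign-in.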