Exploring the potential threats to multi-factor authentication

Thursday, 25 January, 2024


The limitations of Multi Factor Authentication

Multi Factor Authentication (MFA) is something we hear about constantly. From securing personal accounts to protecting enterprise systems, the use of MFA has become widespread in order to protect personal and business data. If you haven’t already read my previous article on MFA, I encourage you to do so. Titled ‘What is multi-factor authentication?’, it provides an in-depth exploration of MFA alongside its advantages.

However, as with most security measures, MFA is not foolproof and can be bypassed or compromised, posing significant risks to your data. So, let’s have a look at the different ways people might compromise or bypass MFA, and next time, we’ll introduce passkeys, their benefits and other key information.

SIM Cloning

The first common way of compromising MFA is “SIM cloning”, in which malicious actors copy the information stored on a SIM card. They duplicate the SIM card’s data onto another card, giving them access to the victim’s phone number and network services. By intercepting the victim’s SMS messages, the actor can gain unauthorised access to sensitive accounts even though MFA is enabled.

SIM cloning can be carried out in several steps and by several methods. One of the most common initial steps for malicious actors is to gain access to your information. This can be carried out in a multitude of ways including phishing, social media research or malware attacks. Once an actor gains access to your information, they can either impersonate you and directly contact your SIM provider, or they can make a fraudulent call to you, posing as your mobile service provider. In both cases they will deceive either you or the mobile provider into providing SIM details, enabling them to execute a SIM swap or cloning operation. Once the SIM clone has been carried out, all one-time passwords (OTPs) or SMS verification messages will be directed to their cloned SIM. If your password was compromised or easily guessed, and SIM cloning took place, your account would be under full control of the attacker.

MFA Fatigue Attack

A form of cyber security exploit, an MFA fatigue attack occurs when an individual receives a very large number of MFA requests, so many that they get frustrated and may become careless. That’s what the bad actors are hoping for. They hope that by sending many MFA requests, they will persuade the individual to approve just one of the requests, which gives them access to the account. MFA fatigue attacks usually take place where the user is required to approve or decline requests using an authenticator, for example Microsoft and Google Authenticator. Attackers are able to carry out phishing attacks in order to get hold of email addresses and passwords and then carry out MFA fatigue attacks in order to get through the final MFA barrier.
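From the defender’s side, the pattern described above shows up in authentication logs as a burst of prompts for one user, sometimes ending in an approval. The following is an added example, not code from the original article: the event format, the 10-minute window and the threshold of 5 prompts are assumptions, and the log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, outcome of the push prompt).
SAMPLE_EVENTS = [
    ("2024-01-25T02:00:10", "alice", "denied"),
    ("2024-01-25T02:00:50", "alice", "timeout"),
    ("2024-01-25T02:01:30", "alice", "denied"),
    ("2024-01-25T02:02:15", "alice", "timeout"),
    ("2024-01-25T02:03:00", "alice", "denied"),
    ("2024-01-25T02:03:40", "alice", "approved"),
    ("2024-01-25T09:00:00", "bob", "approved"),
    ("2024-01-25T13:30:00", "bob", "approved"),
    ("2024-01-25T14:00:00", "carol", "denied"),
    ("2024-01-25T14:01:00", "carol", "denied"),
    ("2024-01-25T14:02:00", "carol", "timeout"),
    ("2024-01-25T14:03:00", "carol", "denied"),
    ("2024-01-25T14:04:00", "carol", "denied"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_PROMPTS = 5                 # assumed prompts per window before alerting


def find_fatigue_suspects(events, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: finding} for users who received a burst of MFA prompts."""
    recent = defaultdict(deque)  # user -> prompts still inside the window
    findings = {}
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        prompts.append((ts, outcome))
        while ts - prompts[0][0] > window:
            prompts.popleft()  # forget prompts older than the window
        if len(prompts) < max_prompts:
            continue
        rejected = sum(1 for _, o in prompts if o != "approved")
        if outcome == "approved" and rejected >= max_prompts - 1:
            # The worrying case: the user finally gave in after many refusals.
            findings[user] = "approved after burst"
        else:
            findings.setdefault(user, "burst of prompts")
    return findings


if __name__ == "__main__":
    print(find_fatigue_suspects(SAMPLE_EVENTS))
```

An “approved after burst” finding is the one to treat as a likely compromised session; a burst without approval still means the user’s password is probably known to someone else.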

Poorly applied MFA

Not all MFA limitations are directly related to the end user. If MFA is not set up correctly, or if the implementation of MFA is buggy, this could give attackers a way to bypass it. As most authentication codes are either 4 or 6 digits, attackers could carry out a brute force attack, in which guessed numbers are submitted to the authentication code input over and over. Eventually the attacker will come across the right code and will gain access to an account. This would only be possible if the implementation of MFA was set up incorrectly, allowing multiple attempts without a time limit. In other cases, a code sent to one user may work for a different user. Attackers can take advantage of this by using their own code to access another account. Although the chances of these happening are fairly low, if MFA isn’t set up correctly or contains bugs, then it can be easily bypassed.
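The two implementation mistakes described above (unlimited guesses with no time limit, and codes that are not tied to one user) are both closed by a few server-side checks. The following is an added example, not code from the original article: the `OtpVerifier` class, the limit of 5 attempts and the 300-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed number of guesses allowed per issued code
CODE_TTL = 300     # assumed lifetime of a code, in seconds


class OtpVerifier:
    """Hypothetical server-side store of pending one-time codes."""

    def __init__(self, clock=time.time):
        self._pending = {}   # user -> [code, expires_at, attempts_left]
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, user):
        """Create a fresh 6-digit code for exactly one user."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # delivered out of band in practice; returned for the demo

    def verify(self, user, submitted):
        """Check a submitted code against the code issued to this user only."""
        entry = self._pending.get(user)  # keyed by user: codes are not shared
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]      # time limit reached
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        matched = hmac.compare_digest(code.encode(), submitted.encode())
        if matched or attempts_left <= 1:
            del self._pending[user]      # single use, or guess budget spent
        else:
            entry[2] = attempts_left - 1
        return matched
```

With these limits, each issued 6-digit code gives an attacker at most 5 guesses out of 1,000,000 possibilities before it is discarded.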

Credential stealing malware

Attackers may be able to create software or apps designed to trick users into downloading malware. This malware will be specifically designed to find MFA codes as and when they are sent to the user. If the malware were to be downloaded by a user, the MFA codes could be sent to the attacker, giving the attacker access to the MFA codes and possibly the user’s accounts. This makes the second layer of authentication (MFA) less effective and can lead to connected accounts or systems becoming compromised. For example, if an attacker were to gain access to MFA codes used to log into Google accounts, the attacker would have access to other accounts/websites which use Single Sign On (SSO) linked back to the Google account.

In conclusion, while Multi-Factor Authentication (MFA) is great for security, it’s not entirely perfect. Things like SIM cloning, MFA fatigue, and not setting it up right can cause problems. Therefore, it’s important that when using MFA, other security measures are not forgotten and are implemented alongside it. As technology develops, different tools and security measures will be introduced. It’s important that companies try to implement the new technologies to ensure their data is kept safe, and do not stick to old security practices such as using traditional passwords without MFA and other measures.

Headline Photo by Kumpan Electric on Unsplash