MFA: It’s more vulnerable than you think

by Egress
Published on 27th Sep 2022

It’s easy to assume that multi-factor authentication (MFA) is sufficiently secure. However, it can often be far more vulnerable than you think. Some types of MFA are actually the same authentication repeated twice, and threat actors can also utilize spoof websites, phishing, smishing, and more to steal victims’ information. Here are some of the risks and vulnerabilities you need to consider. (This is also a topic we covered in our report, How to turn a hacker's toolkit against them.)

Why MFA can go wrong

The problem with MFA is that it’s only as secure as its implementation – something that’s true of any security process. Good MFA uses multiple different identification methods to log in. It should be a combination of:

  • Something a person knows (a security question or password)
  • Something a person has (security card or phone)
  • Something a person is (an ID method using biometrics, like a face match or fingerprint scan)

Poor MFA is when the types of identification aren’t different, so there’s still only one layer of security. In email two-factor authentication, for example, while the user has to provide a password and verification code, getting hold of that code relies solely on the user knowing their email login. 

Even if a website sends the verification code to a user’s phone instead, SMS can be intercepted, and SIM-swapping or smishing could mean a threat actor can access the user’s messages. If that happens, they can use the authentication code to access the application the victim is trying to get into – as well as any other personal data they might have stored in their messages.

How threat actors can subvert MFA

Cybercriminals have become adept at stealing 'something a person knows'. Phishing attacks target users to steal account credentials, and these compromised usernames and passwords are frequently dumped online for bad actors to access. It's also possible to find answers to security questions online. 

Jack Chapman, Egress VP of Threat Intelligence, recently explained: "As people have connected and shared more online, however, it’s easier than ever to find out the answers to these questions – and cybercriminals are counting on this! It’s incredibly simple for them to use social media platforms, such as Facebook, to research individuals and gather open-source information (OSINT), and cybercriminals have even created scams to con people into sharing these details in a single comment or post. For example, generating your ‘superhero name’ by sharing your first pet’s name and the street you grew up on, or sharing X number of random facts about yourself that actually correspond to answers to popular security questions."

As MFA has evolved, so have cybercriminals' methods for stealing this information, such as when MFA is 'something a person has'. Threat actors can use sophisticated tools for stealing MFA tokens that require minimal effort on their part and are freely available to those looking for them. The malicious actor will generate a link payload that will take the victim to a spoof page that looks almost indistinguishable from the website or application they’re looking for. The target will use their chosen MFA method, and then input their credentials and their MFA token thinking they are logging in as normal. The threat actor steals the information for immediate use on the real website or app.

Fit-for-purpose MFA

MFA that isn’t fit for purpose can cause problems for organizations of all sizes. In a 2020 hack of SolarWinds, a large IT management company, attackers intercepted a software patch and managed to steal single sign-on private keys, enabling them to bypass MFA checks. The attack affected major global clients – including upper echelons of the US government – and a total of 18,000 customers that had downloaded the patch.

However, there are also plenty of cases where MFA could have made all the difference. A well-known group of ransomware hackers infiltrated Colonial Pipeline using an inactive account that didn’t have MFA. The attack meant that Colonial Pipeline was forced to shut down 5,500 miles of natural gas pipeline, leaving 10,000 gas stations without fuel.

Additionally, a breach of BJC Healthcare in 2020, which affected 19 hospitals and cost the organization over $2.7m, led to BJC being ordered to implement MFA after the investigation found its cybersecurity practices had been severely lacking. 

Education is key

Much of the issue regarding improper MFA implementation can be traced back to a lack of up-to-date cybersecurity education. With flexible working and BYOD more popular than ever, threat actors are targeting remote employees with malware and spam – proper training could help employees make the most of MFA to help improve security and reduce the chance of a data breach.

The 2022 Verizon Data Breach Investigations Report revealed that 82% of data breaches involved a human element, so knowledge is a key part of fit-for-purpose MFA implementation and the safe use of email, cloud applications, and websites in general. And yet, many people haven’t received any additional training on how to handle cybersecurity threats. Training that covers these areas should be mandatory and your organization’s cybersecurity policies should be freely accessible to all employees.

Making the most of MFA

A key thing for IT teams to remember is that properly implemented MFA can prevent a hacker from gaining access to the business in the event of an employee downloading some malware or clicking through a phishing campaign, which is a statistically significant occurrence. A 2020 study found that 26.5% of recipients who were sent a malicious email clicked on a link within it; MFA could help prevent the consequences of these errors.

For employees, especially when using personal devices for work, the best advice is to come up with strong passwords that aren’t something personal like the name of a loved one or a date – these are easier for threat actors to figure out through social media presence. Plus, be aware of any information you might be sharing knowingly or unknowingly, including data visible in the background of a photo within the workplace

MFA can be extremely effective when done well. Still, it’s important to be aware that MFA isn’t the catch-all solution. You have to ensure that the multiple factors being authorized are distinctly different for optimum security – any weakness in that system invites threat actors to choose you as their next target.

Find out more in 'How to turn a hacker's toolkit against them'

MFA vulnerability is one topic we explore in our report 'How to turn a hacker's toolkit against them'.

Download your copy today >