Hackers are Getting Around MFA

Multi-factor authentication (MFA) adds a second factor beyond the password, typically a prompt from an authenticator app or a one-time code sent by text message. Any form of two-factor authentication (2FA) or MFA is better than relying on a password alone, but attackers are finding ways around it, and users should know what those attacks look like.

Attackers are bombarding users with MFA push notifications or phone calls until one is approved, and it is working. The attackers themselves described the technique: “No limit is placed on the amount of calls that can be made. Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.” Criminals reportedly used this technique in the recent breaches of Microsoft and Nvidia. In Microsoft’s case, the attackers were able to log into the company’s VPN from Germany and the US at the same time.

The bombardment technique works best against disruptive MFA methods such as phone calls and push notifications: the attacker can keep firing requests, making the user’s phone unusable until a prompt is accepted. Codes sent by SMS are not safe either, since attackers can take over the phone number and receive them; we covered SIM swapping in a previous blog post that you can read here.

In every one of these cases the user’s password has already been compromised. An MFA prompt is only sent after the correct password has been entered, so the attacker must already hold the password to trigger the push or call at all. A flood of MFA prompts the user did not start is therefore itself evidence of a breach: employees should be trained to deny the prompts, report them, and change the password immediately rather than approving a request they did not initiate.
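Because the attacker has to replay the stolen password to fire each prompt, the bombardment leaves a clear trail in the identity provider’s sign-in log, and a defender can catch it before the user gives in. The following is an added example, not code from the original post: a small Python detector run over constructed sample log lines in a hypothetical JSON-lines schema (fields ts, user, event, result, ip, which most identity providers expose under some name). It flags the burst of unanswered prompts, an approval that lands inside the burst, and a new MFA device enrolled shortly after, which is exactly the sequence the attackers describe above. The thresholds are assumptions to tune against your own data.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example; not code from the original post. The log format is a
hypothetical JSON-lines schema (fields: ts, user, event, result, ip) and the
thresholds are assumptions to tune against your identity provider's data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: a legitimate user almost never leaves five prompts
# unanswered in ten minutes; an attacker replaying a stolen password does.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)
ENROLL_WINDOW = timedelta(hours=1)

# Constructed sample log (JSON lines). "jdoe" is being bombed at 1 am and
# finally approves, after which a new MFA device is enrolled; "asmith" is a
# normal login where one prompt timed out before being approved.
SAMPLE_LOG = """
{"ts": "2022-03-22T01:02:10Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-22T01:02:40Z", "user": "jdoe", "event": "mfa.push", "result": "timeout", "ip": "203.0.113.7"}
{"ts": "2022-03-22T01:03:05Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-22T01:03:50Z", "user": "jdoe", "event": "mfa.push", "result": "timeout", "ip": "203.0.113.7"}
{"ts": "2022-03-22T01:04:30Z", "user": "jdoe", "event": "mfa.push", "result": "denied", "ip": "203.0.113.7"}
{"ts": "2022-03-22T01:05:12Z", "user": "jdoe", "event": "mfa.push", "result": "approved", "ip": "203.0.113.7"}
{"ts": "2022-03-22T01:09:00Z", "user": "jdoe", "event": "mfa.enroll", "result": "success", "ip": "203.0.113.7"}
{"ts": "2022-03-22T08:15:00Z", "user": "asmith", "event": "mfa.push", "result": "timeout", "ip": "198.51.100.4"}
{"ts": "2022-03-22T08:16:30Z", "user": "asmith", "event": "mfa.push", "result": "approved", "ip": "198.51.100.4"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', ordered per user."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    # Sort by user then time so per-user state is built in order.
    events.sort(key=lambda r: (r["user"], r["ts"]))
    return events


def detect_push_bombing(text, threshold=BURST_THRESHOLD, window=BURST_WINDOW,
                        enroll_window=ENROLL_WINDOW):
    """Return a list of alerts, escalating through three stages:

    push_burst             - >= threshold unapproved pushes inside `window`
                             (the password is already in the attacker's hands)
    approval_after_burst   - a push approved while that burst is still live
    enrollment_after_burst - a new MFA device enrolled within `enroll_window`
                             of that approval (the attacker persisting access)
    """
    alerts = []
    pending = defaultdict(list)   # user -> timestamps of recent unapproved pushes
    last_burst = {}               # user -> time the burst threshold was crossed
    last_bad_approval = {}        # user -> time of an approval during a burst

    def alert(user, ts, kind, severity, detail):
        alerts.append({"user": user, "ts": ts.isoformat(), "kind": kind,
                       "severity": severity, "detail": detail})

    for rec in parse_log(text):
        user, ts, ip = rec["user"], rec["ts"], rec.get("ip", "?")
        if rec["event"] == "mfa.push" and rec["result"] != "approved":
            # Keep only prompts inside the sliding window, then add this one.
            recent = [t for t in pending[user] if ts - t <= window] + [ts]
            pending[user] = recent
            # Alert once per burst: re-alert only after the last burst has aged out.
            if len(recent) >= threshold and (
                    user not in last_burst or ts - last_burst[user] > window):
                last_burst[user] = ts
                alert(user, ts, "push_burst", "medium",
                      f"{len(recent)} unapproved MFA pushes in {window} from {ip}; "
                      "password is likely compromised, force a reset")
        elif rec["event"] == "mfa.push":  # result == "approved"
            if user in last_burst and ts - last_burst[user] <= window:
                last_bad_approval[user] = ts
                alert(user, ts, "approval_after_burst", "high",
                      f"push approved from {ip} during a bombing burst; "
                      "revoke sessions and contact the user")
        elif rec["event"] == "mfa.enroll" and rec["result"] == "success":
            if user in last_bad_approval and ts - last_bad_approval[user] <= enroll_window:
                alert(user, ts, "enrollment_after_burst", "critical",
                      f"new MFA device enrolled from {ip} after a suspicious approval; "
                      "remove the device and treat the account as taken over")
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"[{a['severity']:8}] {a['ts']} {a['user']}: {a['kind']} - {a['detail']}")
```

The burst alert is the one to act on quickly even when no approval follows: it means the password is already known to someone else and a reset is due regardless of whether the MFA held. Rate-limiting how many pushes a single account can trigger per window at the identity provider removes the attacker’s “no limit” advantage in the first place.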

A newer authentication standard, FIDO, would close this hole. A FIDO login never asks the user to approve something remotely: the authenticator, whether a hardware security key or the user’s own device, signs a challenge that is bound to the site actually being visited, and it only does so after a physical gesture on that device, so there is no prompt an attacker can spam and nothing to accept by mistake. Most web services are not there yet, but a future without passwords is coming. Click here to read our blog post on A Future Without Passwords.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn, and stay up to date by subscribing to our email list.

Posted by Charles Wright