SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

3 ways attackers bypass Multi-Factor Authentication

And 3 ways to stop them.


Multi-Factor Authentication (MFA) is much more popular than it used to be. It’s easy to use and the enhanced security that it provides is supported by many services. But it’s not bulletproof. It is possible to bypass Multi-Factor Authentication.

How to get past the best security measures since the password was invented

The proliferation of mobile devices that support MFA in various ways has helped make it a convenient option for users and life much harder for attackers, who need to develop ways to get around it. So, of course, they do.

In this report we examine how attackers manage to bypass Multi-Factor Authentication, a security measure that seems rock solid on the face of it.

Over the last few years, notable security breaches have bypassed Multi-Factor Authentication to compromise taxi broker Uber, games company EA and (ironically) authentication business Okta.

Even as far back as 2013 there was a bank robbery case in India, in which criminals obtained copies of customers’ SIM cards and intercepted security codes.

MFA 101

Multi-Factor Authentication (MFA) is an additional step that makes logging into a system more secure. It adds another stage to the process, so having a username and password isn’t enough. You also need to know, do or have something else too.

‘MFA’ is a general term. Many people also refer to it as ‘Two-Factor Authentication’ (2FA).

Typical examples of MFA in action involve logging in with a username and password and then performing one or more of the following tasks:

  • Insert a USB security key.
  • Type a temporary code.
  • Click an approval button in a mobile app.

Adding another stage (or ‘factor’) to the login process makes it much harder for attackers. Not only do they need the username and password, but they also need access to something else, which could be a security dongle/key, the user’s mobile phone or access to their email account. Unless the attacker has physically attacked the user, it’s very difficult for them to obtain access to any of these.

Why aren’t passwords enough?

Usernames and passwords can be stolen and used by an attacker. Although encryption is available to prevent attackers reading the passwords easily, there are many ways to decrypt stored passwords. And some systems don’t use encryption, which is very bad practice.

Passwords are also hard to remember, especially in large volumes. This encourages users to choose weak passwords or re-use the same password for multiple accounts. Weak passwords are easier and faster for attackers to guess (which they do automatically with computers, not their brains!). Re-used passwords increase the impact when one service is breached and the data is leaked. If your commonly used password is known, it can and will be abused.

Security vs. convenience

It’s always worth using multi-factor authentication where you can, at work and with important personal accounts. Whatever the weaknesses and risks, which we’ll discuss below, it’s better than not using it at all.

Users may resist using MFA, particularly if it makes life harder. Using multiple ‘factors’, such as plugging in devices and then typing in codes, is time-consuming, can be error-prone and disrupts workflow. This makes it annoying.

Some online banking services provide great examples of how MFA can make users’ lives more secure but much less convenient. For example, to create a new payment you may need to follow these tasks:

  • Enter the new payee’s details.
  • Insert a bank card into a bespoke card reader.
  • Enter a valid Personal Identification Number (PIN).
  • Scan a QR code on the screen with the card reader.
  • Type in a code on the computer, as shown on the card reader.

Logging into an account is rarely as onerous but it is still more work than loading a webpage and letting the browser fill in the details.

For more tips on password management and other ways to stay safe, see our Bluffer’s Guide to Cyber Security.

At one end of the scale, you may be expected to receive a code by text message (SMS) or email, and then type it into a computer. Or you might need to dig out your keyring and insert a USB security key into a laptop, which hopefully has a (working) USB port.

At the other, a mobile app will alert you that someone is logging in and ask if you wish to approve or deny access. This is one of the easiest, least impactful options, but it has its vulnerabilities, as we will see…

How attackers bypass Multi-Factor Authentication

1. By being annoying and tricky

It’s really easy to click an “Approve Sign-In” message on your phone. That’s what makes it one of the most attractive methods of MFA – for users and attackers. There are no codes to type in. You just click ‘OK’.

However, attackers who have stolen your username and password can keep trying to log in with your details, which will trigger many alerts on your phone. If you are distracted, tired or otherwise not paying attention you may be inclined to click these notifications simply to stop them. And if you don’t, attackers may use other social engineering techniques to convince you or your team members to do so.

There is some additional information on MFA fatigue attacks reported by PortSwigger.

2. Getting in the middle of things

Phishing emails can send victims to fake websites designed to trick them into entering their one-time codes. An alternative approach is for attackers to gain copies of victims’ mobile SIMs, either via social engineering or corrupt or incompetent telecoms employees.

In both cases attackers can intercept 2FA codes and log in. (This is a type of ‘Man-In-The-Middle’ attack.)

This method of attack has been known for years, so some experts advise against using SMS for 2FA. We argue that if you don’t have a choice, it’s better to use SMS than not to use 2FA at all.

3. Session cookie theft

Otherwise known as ‘session hijacking’ or ‘cookie hijacking’, this technique bypasses MFA by jumping in on an already authenticated session. In other words, the victim logs in correctly and the attacker then takes over the connection. The attacker doesn’t need to engage with the MFA process at all!

There are a number of ways attackers can do this, although the increased use of encryption on websites means that one of the most likely methods involves malware that steals the cookies directly from the target.

Hackers may use the cookies themselves or steal vast numbers from lots of victims and sell them on the dark web. Those with a more targeted approach (as happened with the EA breach – see above) will buy and abuse them.
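A server-side check for the session hijacking described above, written as an added example (not SE Labs code) over a constructed access log. The log format, session ids and client addresses are all assumed; a stolen cookie typically shows up as one session id active from a client that differs from the one that passed MFA.

```python
"""Flag a session cookie that is replayed from a second client.

Added example, not SE Labs code. Assumed access-log format:
"timestamp session_id client_ip user_agent path". A session whose cookie is
stolen by malware surfaces as one session id used by two different clients.
"""
from collections import defaultdict

# Constructed sample: sess-a1b2 logs in (with MFA) from one browser, then the
# same cookie appears from another IP and browser; sess-c3d4 only changes IP.
SAMPLE_LOG = """\
2024-01-10T10:00:00 sess-a1b2 203.0.113.7 Firefox/121 /login
2024-01-10T10:00:05 sess-a1b2 203.0.113.7 Firefox/121 /mfa/verify
2024-01-10T10:00:09 sess-a1b2 203.0.113.7 Firefox/121 /inbox
2024-01-10T10:42:30 sess-a1b2 198.51.100.23 Chrome/120 /inbox
2024-01-10T10:42:41 sess-a1b2 198.51.100.23 Chrome/120 /settings/forwarding
2024-01-10T11:00:00 sess-c3d4 192.0.2.15 Safari/17 /inbox
2024-01-10T11:20:00 sess-c3d4 192.0.2.99 Safari/17 /inbox
"""

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, sid, ip, ua, path = line.split()
        rows.append({"ts": ts, "sid": sid, "ip": ip, "ua": ua, "path": path})
    return rows

def find_hijacked_sessions(rows):
    """Return {session_id: (severity, [clients])} for sessions seen from more
    than one client. Severity is 'strong' when the User-Agent changes too (the
    cookie is being replayed from a different browser) and 'weak' when only
    the IP changes (could be a laptop moving between networks)."""
    clients = defaultdict(list)
    for r in rows:
        client = (r["ip"], r["ua"])
        if client not in clients[r["sid"]]:
            clients[r["sid"]].append(client)  # first entry is the authenticating client
    flagged = {}
    for sid, cs in clients.items():
        if len(cs) > 1:
            uas = {ua for _, ua in cs}
            flagged[sid] = ("strong" if len(uas) > 1 else "weak", cs)
    return flagged

def sessions_to_revoke(rows, min_severity="strong"):
    """Session ids to invalidate server-side, so the holder must log in (and
    pass MFA) again instead of riding the stolen cookie."""
    rank = {"weak": 0, "strong": 1}
    return sorted(sid for sid, (sev, _) in find_hijacked_sessions(rows).items()
                  if rank[sev] >= rank[min_severity])
```

Binding a session to the client that authenticated is a detection signal, not a proof: treat 'weak' hits as something to review and 'strong' hits as sessions to revoke.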


3 ways to stop attackers bypassing Multi-Factor Authentication

1. Resist the urge

If you use approval-based MFA apps, like Microsoft Authenticator, resist the urge to approve any notifications unless you are actively logging in at the time. Social engineering attacks will put you under pressure, but resist. The more pressure you detect or feel, the less likely it is that it’s your IT department calling or messaging you.

Using ‘Do Not Disturb’ or ‘Focus’ modes on your mobile devices reduces the chances that you’ll fall for the technique while off duty. And you can ignore out-of-work-hours emails too. Bonus!

There is some additional advice from Microsoft on how to defend your users from MFA fatigue attacks.
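A small detector for the MFA fatigue pattern described under attack 1 and addressed here, written as an added example (not SE Labs code) over a constructed sign-in log. The log format, the PUSH_* result names and the ten-minute window are assumptions; it separates a burst the user resisted (reset the password) from a burst that ended in an approval (revoke the session and re-verify).

```python
"""Flag MFA push-bombing (MFA fatigue) in a sign-in log.

Added example, not SE Labs code. Assumed log format: "timestamp user result",
where result is PUSH_SENT, PUSH_DENIED or PUSH_APPROVED.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is bombarded with prompts and eventually approves
# one; bob gets a single prompt during a normal login.
SAMPLE_LOG = """\
2024-01-10T02:01:05 alice PUSH_SENT
2024-01-10T02:01:40 alice PUSH_DENIED
2024-01-10T02:02:10 alice PUSH_SENT
2024-01-10T02:02:45 alice PUSH_DENIED
2024-01-10T02:03:20 alice PUSH_SENT
2024-01-10T02:04:00 alice PUSH_SENT
2024-01-10T02:04:30 alice PUSH_SENT
2024-01-10T02:05:10 alice PUSH_APPROVED
2024-01-10T09:15:00 bob PUSH_SENT
2024-01-10T09:15:20 bob PUSH_APPROVED
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def find_push_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: verdict} for users who received more than `threshold`
    push prompts inside `window`. Verdict is 'approved_after_burst' when an
    approval follows the burst (a worn-down user may have let the attacker
    in: revoke the session and re-verify), otherwise 'burst' (the user held
    out, but their password is likely compromised: reset it)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    verdicts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, r in evs if r == "PUSH_SENT"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) > threshold:
                approved = any(r == "PUSH_APPROVED" and burst[-1] <= t <= start + window
                               for t, r in evs)
                verdicts[user] = "approved_after_burst" if approved else "burst"
                break
    return verdicts
```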

2. Avoid SMS-based 2FA…

…if you can. Some services rely on it still, and it’s better than nothing. But given the choice, opt for apps like those from Google and Microsoft.

Over the years increasing numbers of services have taken MFA seriously. They may have used SMS when you first signed up but then later introduced better methods. Go through your old but essential accounts (email and file storage) services to see if they have introduced app-based MFA options.

If you run systems that provide SMS-only authentication, start working towards upgrading!

3. Run a good anti-malware program

As well as other things, you want to stop attackers stealing authentication cookies. You can see lists of the best in our endpoint protection tests, which we publish every three months for free.

For more information about protecting your organisation against advanced attackers please subscribe to our free newsletter and podcast.
