MFA under siege: keep your protections up-to-date


Compromised multi-factor authentication (MFA) was behind some of last year’s biggest cyberattacks, including breaches at casino giants MGM and Caesars. Yet some companies are just adding it as an extra layer of security.

Roku, a streaming service, has announced it is introducing mandatory MFA for all its users after discovering a second breach in as many months that exposed 567,000 accounts. The security step, which so far had been optional, was added after cybercriminals used a method known as credential stuffing to steal user login information.

Credential stuffing is an automated cyberattack where fraudsters use stolen usernames and passwords from one platform and attempt to log in to accounts on others.
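The defining signature of credential stuffing is one source trying many different usernames in a short span, with most attempts failing because the leaked password was only valid on another site. The following detection routine is an added example written for this article, not code from Cybernews or Roku; it assumes a simple constructed log format (timestamp, source IP, username, result) and thresholds chosen for illustration.

```python
"""Flag credential-stuffing sources in web login logs.

Added example; the log format, IP addresses and thresholds are constructed
assumptions, not data from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). 203.0.113.7 cycles
# through many accounts; 198.51.100.4 hammers a single account instead.
SAMPLE_LOG = """\
2024-04-15T10:00:01Z 203.0.113.7 alice FAIL
2024-04-15T10:00:02Z 203.0.113.7 bob FAIL
2024-04-15T10:00:02Z 203.0.113.7 carol FAIL
2024-04-15T10:00:03Z 203.0.113.7 dave SUCCESS
2024-04-15T10:00:04Z 203.0.113.7 erin FAIL
2024-04-15T10:00:05Z 203.0.113.7 frank FAIL
2024-04-15T10:00:30Z 198.51.100.4 alice FAIL
2024-04-15T10:00:45Z 198.51.100.4 alice FAIL
2024-04-15T10:01:10Z 198.51.100.4 alice SUCCESS
"""


def parse_log(text):
    """Parse 'timestamp ip user RESULT' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources that tried many distinct usernames
    within `window` with a low success rate.

    Brute force against one account shows up as many attempts on a single
    username and is deliberately NOT matched here; stuffing is one source
    spread across many usernames.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        # Sliding time window over this source's attempts.
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            successes = sum(1 for e in chunk if e["ok"])
            if (len(users) >= min_users
                    and successes / len(chunk) <= max_success_ratio):
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "successes": successes,
                        # Accounts that accepted a stuffed password: these
                        # are the ones to force a reset and MFA enrolment on.
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The "compromised" list is the actionable output: those are the accounts whose reused password worked, so they need a forced reset and MFA enrolment rather than just a blocked IP. In production the same logic would run over a streaming window and the thresholds would be tuned against normal traffic for shared egress IPs such as corporate NATs.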

The number of Roku accounts cybercriminals managed to breach using this method may seem astonishing, but it is less surprising when considering that “123456” is still the world’s most commonly used password.

In that context, an additional security layer requiring at least two steps to verify a user’s identity is better than not having it, as the streaming service found out the hard way. Its chosen verification via email is considered safer than SMS-based MFA, which is good news.

The bad news is that email-based verification is exposed to similar vulnerabilities, including phishing attacks. If the messages are not transmitted over secure protocols, unencrypted codes could also be intercepted by unauthorized third parties.

"Anything with a password can be hacked, so MFA doesn’t enhance a person's protection. Hackers are continually evolving their tactics, and even with MFA, there are still vulnerabilities,” said Zarik Megerdichian, data privacy expert and founder of the personal privacy firm Loop8.

Some MFA protections are harder to crack for threat actors than others. With cybercrime evolving alongside technology, companies are advised to focus on the latter. Unfortunately, many do not and continue to use security methods that were once thought of as top-standard but are becoming obsolete.

Some MFAs are better than others

“We need to start with the understanding that not all MFA is created equal,” said John Gunn, chief executive at the cybersecurity firm Token. “You cannot compare the meager security of a one-time password sent via SMS to a BYOD mobile phone with the superior security of a dongle or next-generation MFA device.”

Verification via SMS texts is still one of the most widely used MFAs – even though cybersecurity experts started issuing warnings several years ago that a good password alone may offer better protection, especially if a password manager is used.

X stopped sending out SMS codes to non-paying subscribers in March last year when it was still Twitter. This has caused some controversy, but the company was right to start phasing out SMS verification.

It was reported last month that millions of one-time SMS authentication codes sent out to users by Google, Facebook, TikTok, and Airbnb were leaked online. Some of the codes dated back to as recently as July 2023. In 2019, Twitter’s own chief executive at the time, Jack Dorsey, fell victim to a SIM swap attack.

Companies like Apple and Google no longer use SMS-based authentication, having eliminated it a while ago. Google lets users choose from a number of ways, which include an authenticator app or a security key.

Using a security key, which can be built directly into a user’s device or plugged into a computer’s USB port, may be the safest of those, if not the most convenient. Authenticator apps are tied to a device but may be a reasonable middle ground between the protection they offer and practicality.

When it comes to organizations, many still rely on legacy MFAs, which makes them exposed to some very real threats. “Absolutely nowhere else does anyone rely on solutions that are two decades old as their main line of defense against cybercriminals,” Gunn said.

This is particularly concerning given that even organizations with the most advanced MFA protections can be hacked using other methods, such as unpatched common vulnerabilities and exposures, remote desktop protocol attacks, or insider actions.

“Most of the headline-making attacks you read about – MGM, Caesars, Johnson Controls, Uber, Hanes, and the rest – were all because cybercriminals defeated the organization’s legacy MFA,” Gunn said.

According to the Cybersecurity and Infrastructure Security Agency (CISA), 90% of data breaches are the result of phishing attacks, which may result in compromised credentials and failed MFA. Only one in five organizations believe that they can effectively prevent identity threats, another study showed.

In addition to different phishing tactics, sophisticated malware could be used to bypass MFA protections, according to Megerdichian, the data privacy expert. “This wouldn't be possible by using biometrics,” he said.

Barrage of attacks

Cyberattacks targeting MFA protections – or bypassing them altogether – have soared recently and are increasingly sophisticated. The social engineering campaign that defeated authentication protections at MGM and Caesars resulted in one of last year’s biggest cyberattacks.

Earlier this year, a third-party breach hit MFA authenticator Cisco Duo. The company warned customers that a threat actor had gained access to its vendor systems and obtained a set of MFA SMS logs pertaining to customer accounts.

Meanwhile, threat actors might have exploited a bug in Apple’s password reset feature to target users with so-called MFA bombing attacks. The technique involves flooding users with MFA prompts in the hope that they finally accept one. This is also called an MFA fatigue attack.
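An MFA fatigue campaign leaves a distinctive trail in push-notification logs: a burst of prompts for one user, most of them denied or left to time out, sometimes followed by a single approval. The routine below is an added example written for this article, not code from Apple, Cisco Duo or any vendor; the event format, usernames and thresholds are constructed assumptions.

```python
"""Flag MFA push-bombing (fatigue) patterns in push-prompt logs.

Added example; each event is one push prompt and its outcome
("approved", "denied" or "timeout"). Format and data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): "victim" is bombarded with
# prompts and eventually approves one; "normal" gets a prompt per login.
SAMPLE_EVENTS = [
    ("2024-04-15T10:00:00Z", "victim", "denied"),
    ("2024-04-15T10:00:20Z", "victim", "denied"),
    ("2024-04-15T10:00:41Z", "victim", "timeout"),
    ("2024-04-15T10:01:05Z", "victim", "denied"),
    ("2024-04-15T10:01:30Z", "victim", "denied"),
    ("2024-04-15T10:02:00Z", "victim", "approved"),
    ("2024-04-15T10:00:00Z", "normal", "approved"),
    ("2024-04-15T10:30:00Z", "normal", "approved"),
]

REJECTED = {"denied", "timeout"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Return {user: summary} for users who received at least `min_prompts`
    push prompts inside `window`, where the majority were rejected.

    approved_after_rejections=True is the worst case: the user eventually
    accepted a prompt after rejecting earlier ones, which is the signature
    of a successful fatigue attack and should trigger session revocation.
    """
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((_parse(ts), outcome))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        best = None
        start = 0
        # Sliding time window over this user's prompts.
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            rejected = sum(1 for _, o in chunk if o in REJECTED)
            if len(chunk) >= min_prompts and rejected > len(chunk) / 2:
                # Was any approval preceded by a rejection in this burst?
                seen_rejection = False
                approved_after = False
                for _, o in chunk:
                    if o in REJECTED:
                        seen_rejection = True
                    elif o == "approved" and seen_rejection:
                        approved_after = True
                if best is None or len(chunk) > best["prompts"]:
                    best = {
                        "prompts": len(chunk),
                        "rejected": rejected,
                        "approved_after_rejections": approved_after,
                    }
        if best:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(user, info)
```

A practical response when a user is flagged is to revoke the session created by the eventual approval, temporarily disable push for that account, and fall back to a phishing-resistant factor or number matching, which defeats the "just tap approve" pattern the attack relies on.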

Another emerging threat is bypassing MFA altogether. Threat actors were found to be leveraging a new tactic that lets them access user accounts without already knowing the credentials or triggering an MFA authentication challenge.

This type of attack includes the use of infostealers, a form of malware, to hijack a web session through cookie theft. Google has moved to respond to the new threat and said it was developing a new Chrome feature that would bind cookies to a single device.

Cybersecurity experts also warn that bad actors will increasingly rely on artificial intelligence to carry out attacks and that some are already using it to craft convincing phishing emails. To stay safe, everyone else should keep up as well.

