
Security pros overestimate MFA: 6 techniques hackers are using to bypass it

Hackers have found multiple ways to bypass multifactor authentication (MFA), yet nine out of ten security professionals still believe that MFA provides complete protection against account takeover, a cybersecurity firm warns.

Ernestas Naprys, Senior Journalist
Dec 31, 2024
  • Phishing attacks: Cybercrooks trick users into entering their login credentials or MFA codes into websites controlled by attackers.
  • MFA fatigue attacks: Once threat actors have obtained a user’s password, they initiate a barrage of MFA push notifications to confuse the user. Victims often approve the access request just to make the notifications stop.
  • Session hijacking: Attackers use infostealer malware and other means to steal session cookies after authentication, which makes the preceding MFA check irrelevant.
  • SIM-swapping: If users rely on SMS-delivered codes for MFA, hackers might attempt to transfer the target’s phone number to a phone the attacker controls. To accomplish this, the threat actor needs to socially engineer the mobile carrier or have an insider at the organization.
  • Social engineering: Another way hackers obtain sensitive credentials is simply by asking. Companies often provide a way for remote workers to reset their passwords and MFA configurations without showing up in person. Without proper online identity verification, attackers can trick the IT helpdesk into handing over the credentials of the employees they impersonate.
  • Adversary-in-the-middle attacks: Attackers intercept session tokens using tools such as the specialized phishing kit Evilginx. Those tokens are then relayed to legitimate services, which grant the attackers access.
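The MFA fatigue pattern described above is one of the easier bypasses to spot in authentication logs: a burst of push prompts for one account, followed by an approval. The detector below is an added example (not from the article or any vendor); it assumes a constructed log format of timestamp, user and event (push_sent / push_approved / push_denied) and flags approvals preceded by an unusual number of prompts in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from the article):
# "<ISO timestamp> <user> <event>", where event is push_sent,
# push_approved or push_denied. "alice" shows the fatigue pattern.
SAMPLE_LOG = """\
2024-12-30T02:14:01Z alice push_sent
2024-12-30T02:14:09Z alice push_sent
2024-12-30T02:14:17Z alice push_denied
2024-12-30T02:14:17Z alice push_sent
2024-12-30T02:14:25Z alice push_sent
2024-12-30T02:14:33Z alice push_sent
2024-12-30T02:14:40Z alice push_approved
2024-12-30T09:00:00Z bob push_sent
2024-12-30T09:00:05Z bob push_approved
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    """Return {user: prompt_count} for every approval that was preceded by
    at least `threshold` push prompts within `window`. Denials do not
    reset the episode: repeated denials followed by an approval are
    exactly the signature of a user giving in to the barrage."""
    prompts = defaultdict(list)
    flagged = {}
    for ts, user, event in sorted(events):
        if event == "push_sent":
            # Keep only prompts still inside the look-back window.
            prompts[user] = [t for t in prompts[user] if ts - t <= window]
            prompts[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in prompts[user] if ts - t <= window]
            if len(recent) >= threshold:
                flagged[user] = len(recent)
            prompts[user].clear()  # an approval ends the episode
    return flagged
```

In production the threshold and window would be tuned per tenant, and a hit should be correlated with the sign-in source (new IP, new device) before paging anyone.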

What can you do?
