MFA-Minded attackers continue to figure out workarounds

Multifactor authentication (MFA) has been promoted in recent years by banks, software vendors and website operators as a means to improve your overall security, but it is not a “silver bullet” and users must be aware that hacks continue. This is the warning from tech website darkreading.com in the light of a rising number of security vulnerability reports.

MFA is the process by which a user is required, when logging in to a service, to provide an extra form of identification besides their password. This additional ID could take the form of a code that is texted to their mobile phone, a fingerprint or a PIN generated on a security fob. The security rationale behind this is that you provide not only something you know (your password), but also something you have, a trusted device (or body part) that cannot easily be duplicated.

However, as online users become increasingly aware of multifactor authentication (MFA), attackers are devising new ways to circumvent the technology — and often with great success.

In September 2020, for example, security firm Proofpoint reported its disclosure of critical vulnerabilities in Microsoft WS-Trust that could be used to circumvent MFA on cloud services that use the technology — chief among them, Microsoft 365. An attack could have allowed a cybercriminal to use credentials obtained from phishing and credential dumps to log into Office 365, Azure, and other Microsoft services, Proofpoint claimed.

Such vulnerabilities are one way of working around the additional security provided by MFA. While security experts underscore that MFA improves the overall security of online users, exploitable vulnerabilities and poor user decisions can undermine those protections.

“When it comes to cloud security, MFA is not a silver bullet,” said Or Safran, senior threat detection analysis at Proofpoint, in an analysis of the vulnerabilities. “As more organizations adopt the technology, more vulnerabilities will be discovered and abused by attackers. However, MFA can improve overall security posture, especially when combined with people-centric threat visibility and adaptive access controls.”

So, as always, the onus falls partly on the user regardless of the complexity of the security solution in place. The most common type of MFA attack is to intercept the one-time passcode. Real-time attacks use a man-in-the-middle proxy to grab the one-time password that the user enters into what they believe to be a legitimate site. Another common approach is simply to steal the security token sent to the user to simplify future logins.