Research shows that multi-factor authentication can block up to 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks. Enforced MFA by Google is said to have cut account compromise by half in just a few months. But MFA is, unfortunately, not impenetrable.
Cybercriminals use a variety of tools and tactics to break through this extra security layer and rob unsuspecting victims. Today, we look at three common ways cyber actors can breach MFA, and we show how to fend off these attacks.
Phishing specially designed to steal one-time codes
Many people think MFA is enough to defend against phishing scams designed to steal our passwords. In fact, that’s exactly why it’s there, right?
Consider this. Scammers impersonate your bank with a crafty email that gets you to access a link. Behind that apparently official link is a spoofed version of your bank’s website designed to steal your login information. Its appearance is mimicked so well that you have no obvious reason to think it’s a fake. As you enter your credentials, the scammers immediately grab them and use them to access your account on the bank’s real website. The bank tries to make sure it’s you who’s trying to log in, so the MFA mechanism kicks in, prompting you to enter your authentication code. You comply, unsuspectingly. As you type your unique code into the spoofed site, the scammers grab it and use it to access your account on the bank’s real website before it expires. From there, it’s only a matter of time before they empty your account.
· It’s easy to fall for a trick like this, so it’s important to use a trusted security solution that detects these scams and prevents your interaction with them. This applies to your iOS or Android device as well.
· As a general rule, be wary of messages that try to induce a sense of urgency to get you to act in one way or another. These scams typically impersonate the companies you do business with, like your bank, your telecoms operator, or your local retailer.
· When in doubt, contact the company directly and ask them if they really sent you that message.
SIM swapping (SIM hijacking)
Here’s an even nastier method attackers use to go after your one-time codes.
As the FBI warned as recently as last week, cyber crooks have ramped up their efforts to deploy SIM swap schemes and steal millions of dollars from unsuspecting US citizens.
SIM swapping can follow a variety of routes. A popular method is to pay off a mobile carrier employee to switch the victim’s number to a SIM card in the criminal’s possession. Other times, criminals use phishing to deceive telco employees into downloading malware used to hack carrier systems and perform SIM swaps. And the list goes on. The key trick is to get your number ported to the attackers’ SIM card.
From there on, every MFA code you get, they get. This lets them impersonate you, shop in your name, change your passwords and take over your accounts, and – as described earlier – empty your bank account.
· The first and simplest thing you can do to prevent this is to avoid posting your phone number online. But since data breaches are so common these days, there’s a fair chance your number is found in at least one data dump on the dark web.
· Consider using non-SMS-based multi-factor authentication methods, like biometrics, physical security tokens, or standalone authentication applications.
· A solution like Bitdefender Digital Identity Protection can help you deadbolt your online persona. DIP scans the web for unauthorized leaks of your personal data, monitoring to see if your accounts are exposed and making it easy to take action before disaster strikes.
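The two scenarios above share one root cause: a one-time code is just a string, so anyone who sees it (a spoofed login page, or a SIM that receives your SMS) can type it into the real site before you do. A physical security token of the FIDO2/WebAuthn kind behaves differently, because the browser only offers a credential for the host it is actually on, and the signed response names that origin. The simulation below is an added example written for this article, not Bitdefender code: the origins `bank.example` and `bank-login.example` are constructed, and an HMAC over a shared secret stands in for the token's real public-key signature.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed origins for the simulation (not from the article).
REAL_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"


def rp_id_for(origin):
    """A browser scopes credentials by the host of the page it is on."""
    return urlparse(origin).hostname


class OtpServer:
    """Bank backend that accepts a six-digit code, whatever channel carried it."""

    def __init__(self):
        self.pending = None

    def send_code(self):
        self.pending = f"{secrets.randbelow(10**6):06d}"
        return self.pending  # delivered by SMS or an app in real life

    def verify(self, code):
        ok = self.pending is not None and hmac.compare_digest(code, self.pending)
        self.pending = None  # single use
        return ok


class Authenticator:
    """Stand-in for a security key: one key per relying-party ID, and it only
    signs when the browser asks for a host it holds a credential for."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)  # shared secret stands in for a key pair
        return self.keys[rp_id]

    def sign(self, origin, challenge):
        key = self.keys.get(rp_id_for(origin))
        if key is None:
            return None  # no credential for this host, so nothing is signed
        client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True).encode()
        return client_data, hmac.new(key, client_data, hashlib.sha256).digest()


class WebAuthnServer:
    """Bank backend that checks the origin and challenge inside the signed data."""

    def __init__(self, origin):
        self.origin = origin
        self.key = None

    def register(self, authenticator):
        self.key = authenticator.register(rp_id_for(self.origin))

    def new_challenge(self):
        return secrets.token_hex(16)

    def verify(self, client_data, signature, challenge):
        data = json.loads(client_data)
        if data.get("origin") != self.origin or data.get("challenge") != challenge:
            return False
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def relayed_otp_accepted():
    """The code is seen on the spoofed page (or a swapped SIM) and forwarded to the bank."""
    bank = OtpServer()
    code = bank.send_code()
    forwarded = code  # victim types it into the spoofed page; attacker relays it
    return bank.verify(forwarded)


def legitimate_assertion_accepted():
    key, bank = Authenticator(), WebAuthnServer(REAL_ORIGIN)
    bank.register(key)
    challenge = bank.new_challenge()
    return bank.verify(*key.sign(REAL_ORIGIN, challenge), challenge)


def relayed_assertion_accepted():
    """The browser is on the spoofed page, so the token has no credential to sign with."""
    key, bank = Authenticator(), WebAuthnServer(REAL_ORIGIN)
    bank.register(key)
    challenge = bank.new_challenge()  # relayed from the real site
    assertion = key.sign(PHISH_ORIGIN, challenge)
    return False if assertion is None else bank.verify(*assertion, challenge)


def mismatched_origin_accepted():
    """Even a validly signed response naming another origin is refused server-side."""
    key, bank = Authenticator(), WebAuthnServer(REAL_ORIGIN)
    bank.register(key)
    challenge = bank.new_challenge()
    client_data = json.dumps({"origin": PHISH_ORIGIN, "challenge": challenge}, sort_keys=True).encode()
    sig = hmac.new(key.keys[rp_id_for(REAL_ORIGIN)], client_data, hashlib.sha256).digest()
    return bank.verify(client_data, sig, challenge)


if __name__ == "__main__":
    print("relayed OTP accepted:       ", relayed_otp_accepted())
    print("legitimate token accepted:  ", legitimate_assertion_accepted())
    print("relayed token accepted:     ", relayed_assertion_accepted())
    print("wrong-origin token accepted:", mismatched_origin_accepted())
```

The relayed code is accepted because the bank has no way to tell where it was typed; the relayed token response fails twice over, first because the browser on the look-alike host never offers the bank's credential, and second because the bank checks the origin embedded in the signed data. That origin binding is what makes hardware tokens and platform authenticators resistant to both the spoofed-site relay and SIM swapping, neither of which can forge it.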
Mobile malware is far from being a myth. Both iOS and Android, the two prevailing mobile OSes today, have weaknesses that hackers regularly exploit to steal victims’ data – including the one-time passcodes generated for MFA.
Malware designed to steal MFA codes typically tries to gain clipboard access, meaning that, as soon as you copy a code to paste it, the data is sent to the attacker’s server. If the attacker already has your login information captured from a previous social engineering scheme or from a data dump bought on the dark web, they just have to use your MFA code before you do. Make no mistake, there are specialized automation tools called bots that will always beat you to it, meaning it’s a race you basically can’t win once your MFA code has been generated.
Other types of malware have keylogging behavior, like the notorious FluBot and TeaBot banking Trojans. They abuse accessibility features to capture information directly from the phone’s screen.
The infamous espionage tool Mandrake is another example. It re-draws what the user sees on the screen to hijack taps. What users perceive as accepting an End-User License Agreement is actually a complex series of requesting and receiving device permissions. With those permissions, the malware gets complete control of the device and all the data on it.
· Refrain from sideloading apps on your Android device. While the ability to install apps manually is a major strength Android has over its arch rival, iOS, it’s also an Achilles’ heel.
· Keep your phone’s OS updated at all times. It’s one of the best defenses against hackers exploiting newly discovered weaknesses.
· Always have a trusted security solution running on your phone to detect malware and suspicious communications between your device and the web.