Skip to main content

Back to Blog

Mixing It Up – Defending Against a Blended MFA Attack

Most businesses employ multi-factor authentication (MFA) security measures to protect their systems and accounts. We’ve talked about the best ways to use MFA effectively and how important it is to protect each layer to keep the bad actors out while still granting your employees and users the access they require. Unfortunately, many businesses believe MFA is all they need to form an airtight cybersecurity strategy. In reality, you must take a proactive approach to protect each layer in your MFA solution or you are just as susceptible to being hacked as if you were relying on a single factor to secure your systems.

In the first and second installments of our series exploring the methods hackers use to break through these defenses, we discussed social engineering and technical tactics. Here in part three, we will cover attacks that blend these two methodologies – hacks that can be done with either social or technological tricks that break through MFA.

Turning Your Cookies Against You: Session Hijacking

What is the world coming to when you can’t even trust a cookie? Well, your chocolate chips might still be okay, but session cookies can be stolen and used to get around MFA security. This type of attack works against MFA by allowing an authorized user to log into a web application or browsing session with their legitimate credentials. Then, a scammer copies the victim’s unique session cookie to hijack the connection. This method takes advantage of HTTP stateless protocol, which forces application designers to create a unique session ID to track the state of their users once they’ve verified their identity and logged in. Without a session ID, the user would have to authenticate at every new page as they moved about their account.

There are several methods hackers use to steal a session cookie. Technical tools like network protocol analyzers can be used as a sniffer to intercept a session token from the network communication channel between the website and the victim. An unauthorized user can also predict the session’s unique token ID, essentially guessing their way into the system, which we discussed in our technical hacks blog post. Attackers might also trick users into installing malware onto their computer, monitoring transactions and creating additional illegitimate sessions running in the background without the victim knowing.

To defend against session hijacking, keep your website browsers updated and patched and use cybersecurity tools to protect websites from threats. Ensure your employees always properly log out of a session once they are finished. And, as we’ve said before, always be sure that session identifiers are unique and randomly generated to prevent scammers from guessing them.

When Recovering an Account Leaves Your System Vulnerable

Employees can lose their RFID tokens. People forget their passwords. A fingerprint identifier can get damaged and stop working. Unfortunately, account recovery options make it easy to access an account when an element in the MFA security chain breaks down, creating vulnerabilities for hackers to exploit. We’ve talked before about how security questions are easier to guess than a password. Well, it turns out that any account recovery system is susceptible to bad actors in one way or another if it hasn’t been secured as well.

Social engineering can be used against tech support to “recover” an account. MFA hosts could be tricked into sending recovery security codes to emails that are already under a hacker’s control. Answers to security questions are difficult for legitimate users to remember but simple for hackers to discover via social media. The fact of the matter is, when your recovery system is less secure than your MFA, the entire system is vulnerable.

Again, educating your workforce about social engineering tactics is one significant way to guard against these attacks. Another is working with your MFA solution provider to make sure account recovery is just as secure as the MFA solution itself. It wouldn’t hurt to establish a password protection strategy that assists employees with choosing secure and uncompromised passwords when they forget their password and need to select a new one.

Swapping out the SIM

A notorious blended MFA hack involves stealing a user’s cell phone SIM (the phone’s unique identifier) and swapping it over to a hacker’s phone. This attack can be orchestrated through technical or social means. Attackers have tricked cell phone providers into giving them access to a victim’s phone and, consequently, their SMS. Once a hacker has access to the victim’s SMS, any MFA method utilizing text messaging verification for that user has been compromised.

Due to this inherent weakness, NIST does not encourage SMS-based authentication. Avoid SMS-based MFA whenever possible. Be aware of social engineering and email phishing tactics used to obtain personal information from your employees, and make sure the cell phone provider your business works with has procedures in place to prevent malicious SIM swapping activity.

Awareness is the First Step, Stronger Passwords Help Too

There are many ways around and through MFA. To reduce your chances of succumbing to an attack, you should be aware of these weaknesses and prepared to supplement your security efforts in other ways. By itself, MFA won’t protect your systems from all threats. It is one part of a comprehensive plan of action for cybersecurity. To properly safeguard your system, you need to be proactive in fortifying each layer of MFA security, starting at the top with strong password hygiene.