MFA bypass methods and ways to protect against such cyber attacks
My name is Vasily Ognev, I am the head of multi-factor authentication (MFA) at MTS RED, a company that creates cybersecurity products and services. In the previous article, we discussed the shortcomings of traditional passwords: from users' love of overly simple combinations to brute-force password guessing.
An effective solution to the problem is MFA technology, which requires that after entering a password (the knowledge factor) the user also enters an additional code received on a personal device (the second factor, or possession factor). In this article, we will look at how hackers bypass MFA protection and what needs to be done to repel such attacks.
Attack on the weakest link
Often the weakest link in cybersecurity is a person. According to MTS RED and Phishman, about 80% of all incidents are caused by human error. Sometimes the user can be trained not to fall for the attackers' tricks; sometimes it is better to configure the system so that the very possibility of these errors is minimized.
In 2022, a hacker broke into Uber's internal IT systems and left a message in the company's Slack chat. The company described how the attacker managed to pass multi-factor authentication. Presumably, the hacker bought a freelancer's login and password on the dark web and then bombarded him with second-factor approval requests until he approved the authentication. This method is called an MFA fatigue attack, or MFA bombing. It only works against MFA systems in which the user merely has to press a button to allow access to the protected resource. This attack vector appeared with the advent of push notifications, since a user can accidentally press the confirmation button in a pop-up window or app.
To reduce this risk, the MFA solution should provide for “step-by-step” authentication: in addition to the push notification, it should request further confirmation, such as a short PIN code or another input that does not allow authentication by simply pressing a button. A very effective countermeasure is to use a numeric OTP (One-Time Password) as the second factor, which rules out accidental confirmation. It is also considered good practice for the MFA solution to limit the number of second-factor requests (temporary blocking).
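The two controls described above, number matching and a cap on push prompts, can be expressed in a small server-side model. The following is an added example written for this article, not code from MTS RED or from any vendor's product; the policy values (three prompts per five-minute window, a fifteen-minute lockout, a sixty-second challenge) and the class and function names are constructed for illustration. A blind tap in the app is not enough: the user has to type the number shown on the login screen, and a burst of prompts locks push MFA for the account instead of letting the attacker keep trying.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Policy knobs (constructed values for this example, not a vendor's defaults).
MAX_PUSHES_PER_WINDOW = 3   # push prompts one account may receive per window
WINDOW_SECONDS = 300        # sliding window for counting push prompts
LOCKOUT_SECONDS = 900       # how long push MFA is disabled after the limit is hit
CHALLENGE_TTL = 60          # seconds a displayed number stays valid


@dataclass
class _AccountState:
    push_times: List[float] = field(default_factory=list)
    locked_until: float = 0.0
    challenge: Optional[Tuple[int, float]] = None  # (number shown on login screen, expiry)


class PushMfa:
    """Push-based second factor with number matching and prompt throttling (hypothetical class)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so the behaviour can be exercised offline
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def request_push(self, user: str) -> Optional[int]:
        """Start a push challenge. Returns the two-digit number the login page
        shows to the user, or None when the account is throttled or locked."""
        st = self._state(user)
        t = self.now()
        if t < st.locked_until:
            return None
        # Drop prompts that have fallen out of the sliding window.
        st.push_times = [p for p in st.push_times if t - p < WINDOW_SECONDS]
        if len(st.push_times) >= MAX_PUSHES_PER_WINDOW:
            # Too many prompts in a short time: lock push MFA and void any open challenge.
            st.locked_until = t + LOCKOUT_SECONDS
            st.challenge = None
            return None
        st.push_times.append(t)
        number = secrets.randbelow(100)            # CSPRNG, not random.randint
        st.challenge = (number, t + CHALLENGE_TTL)
        return number

    def approve(self, user: str, entered) -> bool:
        """Called when the user answers the prompt in the app. Approval is only
        accepted if the user typed the number shown on the login screen."""
        st = self._state(user)
        t = self.now()
        challenge, st.challenge = st.challenge, None   # single use, whatever the outcome
        if challenge is None or t < st.locked_until:
            return False
        number, expiry = challenge
        if t > expiry:
            return False
        entered_s = str(entered).zfill(2)
        if not (entered_s.isascii() and entered_s.isdigit()):
            return False
        return secrets.compare_digest(f"{number:02d}", entered_s)
```

The clock is injected so that the lockout and expiry logic can be checked without waiting; in production the default `time.time` is used. Locking only push MFA for the account (rather than the whole account) keeps a legitimate user able to fall back to an OTP app while still cutting off the prompt flood.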
Another way to gain access to an account without MFA protection is to convince the person to hand over the second-factor code using social engineering. Most often, the attacker simply poses as a technical support employee, but sometimes hackers build a slightly more complex scheme. For example, when attacking accounts of Gosuslugi users, attackers sent a message saying that access to the service had been blocked due to suspicious activity. The message listed the phone numbers of “technical support”, from which a call would supposedly come to restore access and which the victim could also call themselves. During such a phone conversation, the scammers asked the user for the two-factor authentication code, claiming it was needed “to check and restore” access.
It would take more than one article to describe all the social engineering schemes used to obtain the second-factor code. The only way to avoid account hacking as a result of such attacks is to constantly remind users, whether they are company employees or relatives, about cybersecurity rules.
Exploiting service imperfections
Sometimes attackers exploit the imperfections of multi-factor authentication services themselves. For example, the lack of a limit on the number of attempts to enter the second factor can let an attacker guess the code by brute force. Such a vulnerability existed, for example, in Facebook. Researcher Gtm Mänôz reported that he took a hypothetical victim's phone number, entered it as his own in his account and brute-forced the code sent to the “victim” by SMS (Facebook wanted to confirm that the number was being moved to another account). To avoid such situations, both the number of attempts and the time allowed for entering the second factor should be limited.
Also, some early versions of 2FA and MFA systems generated one-time codes either with simple random number generators that involved no cryptography at all, or with the compromised SHA-1 as the underlying algorithm (and some solutions continue this practice today). When generating OTPs, it is very important that the codes are truly random and therefore unpredictable. Using legacy algorithms like SHA-1 can compromise this unpredictability, potentially allowing attackers to calculate or predict OTPs. Collisions in SHA-1 also make it unreliable for use in systems that require a high degree of uniqueness and unpredictability. A reliable MFA service should at least offer strong cryptographic algorithms and avoid naive implementations when generating OTPs.
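The two preceding paragraphs make two points about the server side of a delivered OTP: the code must come from a cryptographic random source, and the server must cap both the number of guesses and the time the code stays valid. The following is an added example written for this article, not code from the page or from any MFA product; `naive_otp`, `strong_otp`, `OtpService` and the policy values (six digits, two-minute validity, five guesses) are constructed for illustration. The naive generator is shown only to make the point that a seeded general-purpose PRNG is reproducible; the hardened path uses the `secrets` module and a constant-time comparison.

```python
import hmac
import random
import secrets
import time
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # the code must be used within two minutes (constructed policy)
MAX_ATTEMPTS = 5        # wrong guesses before the code is discarded (constructed policy)


def naive_otp(seed: int) -> str:
    """What NOT to do: random.Random is a general-purpose PRNG, so the same seed
    (for example a timestamp) always reproduces the same code. The code is only
    as secret as the seed."""
    return f"{random.Random(seed).randrange(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def strong_otp(digits: int = OTP_DIGITS) -> str:
    """Code drawn from the OS CSPRNG via the secrets module; there is no seed to guess."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpService:
    """Server side of a delivered OTP: issue, then verify with attempt and time limits
    (hypothetical class for this example)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now   # injectable clock so expiry can be exercised offline
        self._pending: Dict[str, dict] = {}

    def issue(self, user: str) -> str:
        code = strong_otp()
        self._pending[user] = {
            "code": code,
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # In a real system the code goes to the delivery channel (app, hardware key);
        # it is returned here only so the flow can be demonstrated.
        return code

    def verify(self, user: str, candidate) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, expired, or already used up
        if self.now() > entry["expires"]:
            del self._pending[user]           # expired: a fresh code must be issued
            return False
        entry["attempts"] += 1
        cand = str(candidate)
        ok = cand.isascii() and hmac.compare_digest(entry["code"], cand)
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]           # single use, and a hard cap on guesses
        return ok
```

With six digits and five guesses per issued code, an attacker's chance per code is 5 in 1,000,000; without the cap the same code space falls to a simple loop, which is the Facebook case described above.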
A separate problem is the use of SMS as a channel for delivering authentication codes. Firstly, there is no guarantee that an attacker will not manage to have a new SIM card with your number issued in his name. Perhaps this is what happened in the story in which, after restoring access to his Gosuslugi account, a person discovered that eight strangers had managed to register as residents of his apartment through his account.
Secondly, the SS7 protocol used for SMS was created 50 years ago and was not designed with modern cyber attacks in mind. As a result, intercepting SMS requires relatively few resources, and after that it is only a matter of technique: entering the code before the user does, which also deprives the user of access. Where possible, it is better to avoid SMS and generate the second-factor code directly on the device, as an OTP application or a hardware key does.
Another potential risk of using SMS as a second factor is undeclared functionality in mobile applications. Such apps can reach the user's device from dubious sources as well as from the official App Store and Google Play, where malware is also found from time to time. Many applications request permission to read SMS; users are used to this and often grant every permission automatically. So there is a risk that the user installs a malicious application that intercepts SMS and forwards them to the attacker's server.
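Generating the code on the device, as recommended above, means there is nothing in transit to intercept: the authenticator app and the server each compute the code from a shared secret and the current time. The following is an added example written for this article, not code from the page or from any vendor; it implements the RFC 6238 TOTP construction over HMAC-SHA256 (the RFC's SHA-1 default is avoided to stay consistent with the page's advice), and the `TotpVerifier` class, its drift window and its replay check are constructed for illustration. The verifier tolerates one step of clock drift and refuses to accept a step at or below the last one it already accepted, so a code that was observed and reused within its 30-second validity is rejected.

```python
import hashlib
import hmac
import struct
import time
from typing import Callable

TIME_STEP = 30   # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation, here over HMAC-SHA256 of the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: float, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """The code an authenticator app computes on the device; nothing is transmitted to obtain it."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a device-generated code (hypothetical class for this example)."""

    def __init__(self, secret: bytes, window: int = 1, now: Callable[[], float] = time.time):
        self.secret = secret
        self.window = window   # accept +/- this many steps of clock drift
        self.now = now         # injectable clock so the logic can be exercised offline
        self.last_step = -1    # highest step already accepted: blocks replay of a used code

    def verify(self, code) -> bool:
        code = str(code)
        if not (code.isascii() and code.isdigit()):
            return False
        current = int(self.now()) // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue       # this step (or an older one) has already been used
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```

The shared secret is provisioned once (typically through a QR code) and afterwards never leaves the device or the server, which is exactly the property SMS delivery lacks. `last_step` should be stored per account alongside the secret so that the replay check survives a server restart.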
In conclusion, I would like to note that, according to Microsoft, MFA increases account security many times over and blocks 99.9% of attacks on accounts. However, the devil is always in the details, in this case in the details of how multi-factor authentication is implemented. Therefore, when choosing a solution, always pay attention to where the second-factor code is generated, how it is delivered to the user and how it is protected from the attack vectors that exist today.