Classic methods of multi-factor authentication (MFA) are no longer enough to keep hackers away. Attackers are increasingly able to circumvent these security mechanisms and capture access data.
To put a stop to hackers, companies are increasingly relying on MFA. Combining several factors is meant to make identity theft more difficult. However, attackers have by now developed a variety of tactics to get around the controls of this security mechanism. HYPR provides an overview of the most popular methods.
Phishing: With phishing, hackers are now able to steal a password and a one-time password (OTP) together, although MFA logic dictates that these should be explicitly separated. For example, the password is "fished" on a fake website while, at the same time, the attacker carries out the login process on the real website. Because this requires real-time interaction between attacker and victim and is therefore labor-intensive, hackers are increasingly using automated phishing toolkits. Phishing is now also conducted via SMS text messages on mobile phones, known as smishing.
SMS OTP attacks: Because it is easy to implement, the one-time SMS token is one of the most common MFA methods, for example for online credit card payments. However, SMS OTPs are particularly vulnerable, for instance to so-called SS7 attacks, which exploit vulnerabilities in mobile networks. There are now dedicated bot services that steal OTP codes, causing damage in the millions.
Accidental push accept: This type of attack increased by 33 percent compared to last year, according to the Passwordless Security Report by HYPR. Organizations often implement MFA that uses push notifications to protect employees and customers. The process is simple: after entering the password, the user receives a notification that is "pushed" to the smartphone and approves it to authorize access. Push notification attacks then work as follows: hackers already possess valid credentials such as username and password and bombard the victim with authentication notifications on the smartphone until the victim approves one, whether by mistake or out of frustration. The method is especially successful against busy people who pay little attention to the content of push notifications.
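The push-bombing pattern described above leaves a clear trace in authentication logs: many prompts for one account in a short window, usually several denials or timeouts, and then an approval. The following detector is an added example written for this article, not code from HYPR or the report. It parses a constructed log format (timestamp, `user=`, `event=` fields; the event names `push_sent`, `push_denied`, `push_timeout` and `push_approved`, the 10-minute window and the threshold of three prompts are all assumptions chosen for illustration) and raises two kinds of alert: an approval that landed after a burst of prompts, and a burst that is still running without an approval.

```python
"""Detect MFA push-fatigue ("accidental push accept") patterns in auth logs.

Added example for illustration; the log format, event names and thresholds
below are constructed assumptions, not a real product's schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed log format: "<ISO-8601 UTC> user=<name> event=<push_event>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)$"
)

# Constructed sample log: alice logs in normally, bob is bombed and finally
# approves, carol is being bombed and has not approved anything yet.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=alice event=push_sent
2024-05-01T08:00:05Z user=alice event=push_approved
2024-05-01T09:10:00Z user=bob event=push_sent
2024-05-01T09:10:20Z user=bob event=push_denied
2024-05-01T09:10:30Z user=bob event=push_sent
2024-05-01T09:10:50Z user=bob event=push_denied
2024-05-01T09:11:00Z user=bob event=push_sent
2024-05-01T09:11:40Z user=bob event=push_timeout
2024-05-01T09:11:45Z user=bob event=push_sent
2024-05-01T09:12:25Z user=bob event=push_timeout
2024-05-01T09:12:30Z user=bob event=push_sent
2024-05-01T09:12:40Z user=bob event=push_approved
2024-05-01T11:00:00Z user=carol event=push_sent
2024-05-01T11:01:00Z user=carol event=push_sent
2024-05-01T11:02:00Z user=carol event=push_sent
2024-05-01T11:03:00Z user=carol event=push_sent
2024-05-01T11:04:00Z user=carol event=push_sent
2024-05-01T11:04:30Z user=carol event=push_denied
"""


@dataclass
class Event:
    ts: datetime
    user: str
    event: str


@dataclass
class Alert:
    user: str
    kind: str        # "approval_after_burst" or "push_burst"
    prompts: int     # number of push_sent events inside the window
    at: datetime     # time of the approval, or of the last prompt in the burst


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["event"])


def prompts_in_window(prompts: List[datetime], end_ts: datetime, window: timedelta) -> int:
    """Count prompts sent in the closed interval [end_ts - window, end_ts]."""
    return sum(1 for p in prompts if end_ts - window <= p <= end_ts)


def detect_push_fatigue(lines, window: timedelta = timedelta(minutes=10),
                        threshold: int = 3) -> List[Alert]:
    """Return alerts for accounts that received >= threshold prompts within `window`.

    An approval preceded by a burst is the high-severity case (the bombing
    likely worked); a burst with no approval is a bombing in progress.
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_user[ev.user].append(ev)

    alerts: List[Alert] = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e.ts)
        prompts = [e.ts for e in evs if e.event == "push_sent"]
        approvals = [e.ts for e in evs if e.event == "push_approved"]

        approved_after_burst = False
        for ts in approvals:
            n = prompts_in_window(prompts, ts, window)
            if n >= threshold:
                alerts.append(Alert(user, "approval_after_burst", n, ts))
                approved_after_burst = True
        if approved_after_burst:
            continue

        # No approval after a burst: check whether a burst exists at all,
        # taking each prompt as the end of a candidate window.
        peak, peak_at = 0, None
        for ts in prompts:
            n = prompts_in_window(prompts, ts, window)
            if n > peak:
                peak, peak_at = n, ts
        if peak >= threshold:
            alerts.append(Alert(user, "push_burst", peak, peak_at))
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{a.user}: {a.kind} ({a.prompts} prompts in window, at {a.at.isoformat()})")
```

On the constructed log this flags bob (five prompts followed by an approval) and carol (five prompts, still unapproved) while alice's single prompt-and-approve stays quiet. The window and threshold are tuning knobs: a legitimate user rarely needs more than one or two prompts per login, so the denials and timeouts in between are themselves worth surfacing to the account owner.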
Fake IT help desks: This type of attack is an example of hackers probing how secure an organization's MFA is before launching targeted attacks. Here, attackers pose as employees to find out which methods are used to verify a password reset. Together with information such as the victim's login name, the hackers then know exactly which details they need to perform a password reset and the subsequent account takeover.
Robocalls: Hacking services advertise robocalls with a success rate of over 80 percent. These telephone calls are placed automatically by software. Using constantly updated templates, robocalls can convincingly mimic how a person's bank or insurance provider sounds and persuade victims to hand over their details. Robocalls are particularly successful at harvesting account data or credit card numbers, but attackers are increasingly targeting MFA information as well.
Man-in-the-middle attacks: In a man-in-the-middle attack (MitM), hackers insert themselves into the data traffic between two communication partners and pretend to each party that they are the other. By exploiting weaknesses in Internet communications, attackers can intercept the information being sent. This typically includes login and account information as well as credit card numbers. Combined with other methods such as phishing kits, hackers are increasingly successful with this attack technique.
SIM swapping: In a SIM swapping attack, hackers pose as the actual customer to the mobile phone provider, via the online portal or by telephone to the customer service center, and order a new SIM card. With the new card, which carries the victim's phone number, they can make calls and receive text messages and thus gain access to various online services on behalf of the victim. After all, password resets often work by verifying the user through an SMS or a call to the mobile phone.