Skip to main content

Back to Blog

Hacking MFA the Technical Way and How to Guard Against These Attacks

Multi-factor authentication (MFA) requires several elements in order to function as real security for your data systems. Each factor in a multi-factor system must be appropriately protected because malicious actors can take advantage of a weak link to dismantle your protection. In part one of our series on the vulnerabilities of multi-factor authentication, we talked about the social engineering tactics hackers use to gain access to MFA-protected accounts. In part two, we will be going through a few of the ways hackers use to gain unauthorized access via technical methods – employing computer systems and technological know-how to overcome MFA security.

This list isn’t comprehensive, but it gives a good sense of the limitations of MFA and the approaches businesses can take to protect themselves, their employees, and their customers against technical MFA hacks today and in the future.

Hijacking Using Technical Modifications and Guesswork

Shifting the MFA User’s Identifier

Suppose your MFA solution doesn’t corroborate user identity with the authentication factor used to log into a system. In that case, the user’s identifier could be modified or swapped out with a bad actor’s. This is typically referred to as a subject hack as the victim’s user principal name (UPN) is the piece of the puzzle being hijacked by the hacker.

Unless administrators know to look for and log UPN updates, this kind of breach can be challenging to track. We already know that authenticators like passwords need to be secured, but we must also remember to protect and monitor other authentication attributes like a user’s unique identifier lest they be modified and exploited.

Brute Force Attacks

We’ve talked about brute force attacks before, like the low and slow password spraying campaign. But it’s still worth mentioning that these attacks can crack MFA security as well. If a bad actor can intercept or otherwise defeat the “something you have” authentication factor, the chances are high that they will be able to guess at the “something you know” factor until they gain access to the account. A modern password policy can help harden the “something you know” layer to reinforces this line of defense. Account lockout features can also help control attempts like this.

Guessing the Unique Session Token

Unique session tokens, commonly referred to as “cookies,” are unique identifiers that specify a specific user’s session on a website. When websites use MFA, users with legitimate access are assigned a unique, randomized token after MFA verifies their access to the site. Unfortunately, some of these supposedly MFA-protected sites use predictable, sequential tokens which hackers can simply guess. If an attacker guesses the session token, they can bypass MFA altogether. Defending against this one is simple: be sure that user session identifiers are actually unique and random!

Simulating Time-Valid Codes

A common MFA solution used to protect highly sensitive or classified systems is a code generator. Commonly formed on a token or device, this authentication method requires a user to input a randomly generated code within a short window of time to verify their identity. This code is usually a string of numbers formed from a starting seed value. The seed value is the key to the entire system, so if a hacker can access the seed value database, they can emulate a valid token. MFA seed value databases must be heavily guarded against outside threats to safeguard these systems.

Malicious Software and Hardware Hacks

Man-in-the-endpoint attacks involve bad actors gaining administrative access to a victim’s device either through malware or by compromising hardware directly. When hackers have this access, it’s best to assume that everything on the device has been compromised.

Bancos trojans is one type of man-in-the-endpoint attack that is typically utilized to steal funds electronically from a victim’s bank account. Hackers use trojans to monitor the victim’s browsing until they detect a login to a banking website. Then, the malignant software will create a hidden browser session to run in the background after the user has performed MFA. The rogue session works behind the scenes to transfer the victim’s money into the attacker’s account.

This is one example of what can be done when attackers gain unauthorized access to a victim’s operating system or device. Once they are in the system with this level of control, anything is possible, and MFA security measures will do you no good.

There have also been cases where MFA is compromised when rogue actors get their hands on the MFA hardware. Trusted equipment was physically modified so that it did not provide any of the expected protection to end-users or encryption keys were stolen and compromised. Electron microscopes can even be used to read encryption keys at the molecular level.

One Weak Factor Can Break the Chain

Guarding against these direct MFA hacks means understanding that they can happen in the first place. Then, you need to have a process in place to defend your system against phishing and malware attacks. Train your employees how to recognize the tactics attackers use to trick victims into installing malignant software. Be sure that your vendors have policies and procedures in place to prevent rogue actors from tampering with hardware.

Above all, know that MFA security can be breached. Be ready for cybercriminals to take a swing at each authentication factor you have in place. Taking additional measures to harden each layer in your multi-factor system, like embracing a robust password security policy, will go a long way toward erecting a resilient cybersecurity strategy overall.