Skip to main content

Back to Blog

How Social Engineering Tactics Can Crack Multi-factor Authentication

Multi-factor authentication (MFA) is one of many tools in your cybersecurity toolbox. Strong MFA will form layers of security between bad actors and your data systems and accounts. But if you’re relying on MFA to guard your system from cyber threats alone, you could be more at risk than you realize. MFA can be powerful protection, but it isn’t infallible. It can be hacked in multiple ways. One type of attack doesn’t require coding at all. It relies on the victim to give up the information a hacker needs to break into the system. These social engineering attacks are expected to increase in the coming year, so your organization needs to be prepared.

In part one of our series on MFA security vulnerabilities, we’re talking about how scammers wield social engineering techniques against MFA and what you can do to defend your systems against this threat.

Classic Social Engineering Methods that Fool Tech Support

Security systems are only as good as the gatekeepers controlling them, and human beings can make mistakes. Tech support engineers are there to assist customers in every way. More often than not, they are taught to make the customers happy first and foremost. This leaves systems vulnerable to fast-talking scammers who can leverage this customer relationship to their advantage. As one of the oldest tricks in the book, hackers have perfected the art of deceiving real people into granting them unauthorized access to MFA-protected accounts.

The scenario goes something like this. A fake user calls the support desk for help getting into “their” account. The tech support engineer asks for identification, and the individual posing as a real user spoofs their phone number or has another piece of data to “prove” they are whom they say they are. The hacker claims they lost their MFA token or forgot their password. They demonstrate an immediate, urgent need to bypass the MFA protections and access their account. Tech support then grants this access, giving everything the scammer needs to infiltrate the system.

A good defense against this intrusion method is to educate your employees about these social engineering tactics and have hard and fast policies and procedures in place for when a security bypass should and shouldn’t take place.

Falling for the Doppelgänger: How Decoy Websites Trick Victims

Another social engineering tactic tricks employees into logging into a fake website with their real credentials. The process usually begins with a phishing email or another way to get the legitimate user to click on a link to a website that is the doppelgänger of a real MFA-protected site. Once the victim is on the decoy site, they are prompted to enter their username and password. The login attempt “fails,” so your employee inputs their MFA security question answer or code. Now, all of this data is in the hacker’s possession.

The victim believes they have logged into a legitimate version of the website because the attacker can simply redirect them back to the correct page. Some MFA solutions try to eliminate this vulnerability by only sending an authentication code when a trusted website makes the request. In this case, the hacker simply types in the authorized user’s information into the trusted website themselves, so the system generates an MFA code at the same time the victim on the fake webpage expects it. Or, the MFA solution may require a user’s detected location to match the correct user’s, but hackers get around this by spoofing their location to match the user’s.

One way to protect against this kind of attack is to make sure your employees are wary of any links they receive in their email, even when the email seems to be from a trusted source. Let your employees know that they can type out a URL rather than click on any links. This is good practice to avoid email phishing scams in general. Also, we should be suspicious when a website we typically have no trouble logging into, prompts us for an MFA token. If a site we usually trust looks off in any way, leave the page and start fresh.

Your Security Questions Are Not Actually Secure

The effectiveness of security questions was called into question by Google way back in 2015. Since then, many major tech companies like Google do not use them anymore. Unfortunately, many websites continue to employ them, despite the discovery that they are shockingly easy to guess (even by complete strangers). Answers are also simple to locate online via social media or previous data breaches. In fact, single-factor authentication is more secure than so-called “security” questions. It turns out that our mother’s maiden name and the name of our first pet aren’t nearly as difficult to guess as a strong password.

Remember that an MFA solution is only as impenetrable as its weakest authentication method. If security questions are one of them, the entire system is vulnerable to assault. The answer to the problem with security questions is simple – don’t use them.

The “Multi” in Multi-factor Authentication

The most effective deployment of multi-factor authentication uses three or more factors and requires that each factor is from a different category: something you know, something you have, and something you are. To keep your organization safe, you should also establish proper protections against the countermeasures deployed by hackers to penetrate these systems. We’ve outlined the social engineering strategies rogue actors employ to crack MFA. In this series, we’ll be taking a deep dive into each approach hackers use to defeat MFA security and what you can do to protect against them. Relying on MFA is not enough. To build an airtight cybersecurity strategy, you need many different layers working together to keep attackers out.