How Hackers Are Beating Multi-Factor Authentication Simply By 'Annoying' Users
According to a security firm called Mandiant, "many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor."
Scammers are using a new approach to beat multi-factor authentication. Considered a key defence against hackers, multi-factor authentication (MFA) is dependent on an additional factor to provide access - whether it is a fingerprint, a one-time password, or even a physical key - essentially adding an extra layer of security.
While MFA is considered a strong line of defence against hackers, recent hacks, including the Lapsus$ data breach (which affected Microsoft and Nvidia) and attacks by Russian state-backed hackers such as Cozy Bear (behind the SolarWinds attack), have shown how it may be misused.
How can multi-factor authentication be misused?
A detailed investigation into MFA by Ars Technica explained how it may be exploited by hackers. Modern multi-factor authentication can run on a framework called FIDO2, which lets users authenticate with their cameras, fingerprint readers and security keys. While these FIDO2 mechanisms are robust, the older forms of MFA are not.
These include one-time passwords sent over SMS or generated by mobile apps like Google Authenticator, and push notifications sent to a device. After entering their password, users must either enter the one-time password or approve a push prompt to access their accounts.
It appears that the last of these, the push notification, is the form being misused by hackers. According to a security firm called Mandiant, "many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor."
What essentially happens is that hackers issue multiple MFA push requests until the user gets annoyed and approves one, under the false assumption that it is a glitch or harmless. When that happens, the hackers instantly gain access to the account.
Since there is no limit on the number of calls or texts that can be sent as part of MFA, hackers can keep trying until the user gives in. This is called "MFA bombing", and it targets users at odd hours, when they may be trying to sleep.
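As an added example (not from the article, Mandiant or any MFA vendor), the two controls this paragraph points at from the defender's side: spotting a burst of push prompts to one account in authentication logs, and a server-side cap on how many prompts may be issued per window so the "no limit" condition does not hold. The log format, user names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of push-MFA log events: "<timestamp> <user> <result>".
SAMPLE_EVENTS = [
    "2022-03-30T02:14:05Z alice push_sent",
    "2022-03-30T02:14:31Z alice push_denied",
    "2022-03-30T02:15:02Z alice push_sent",
    "2022-03-30T02:16:11Z alice push_sent",
    "2022-03-30T02:16:55Z alice push_sent",
    "2022-03-30T02:17:20Z alice push_approved",  # worn-down user accepts
    "2022-03-30T09:05:00Z bob push_sent",
    "2022-03-30T09:05:20Z bob push_approved",  # normal single login
]
WINDOW = timedelta(minutes=10)
MAX_PROMPTS = 3  # more prompts than this per window is treated as bombing

def parse_event(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_push_bombing(lines, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return {user: (prompt_count, approved_after_burst)} for each user who
    got more than max_prompts prompts inside one sliding window. An approval
    after such a burst is the 'user gave in' case worth an incident ticket."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, result = parse_event(line)
        per_user[user].append((ts, result))
    alerts = {}
    for user, events in per_user.items():
        events.sort()
        sent = [ts for ts, r in events if r == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) > max_prompts:
                approved = any(r == "push_approved" and ts >= start
                               for ts, r in events)
                alerts[user] = (len(burst), approved)
                break
    return alerts

def should_send_push(recent_prompts, now, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Server-side throttle: refuse another push while the user already has
    max_prompts prompts in the window, so a caller cannot spam indefinitely."""
    return sum(1 for t in recent_prompts if now - t <= window) < max_prompts

if __name__ == "__main__":
    print(detect_push_bombing(SAMPLE_EVENTS))  # {'alice': (4, True)}
```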
MFA that runs on FIDO2 is far less likely to be hacked this way. If recent hacks have shown us one thing, it is that companies need more robust mechanisms to prevent such breaches.
What do you think about the merits of multi-factor authentication? Let us know in the comments below. For more in the world of technology and science, keep reading Indiatimes.com.
References
Goodin, D. A. T. (2022, March 30). A Sinister Way to Beat Multifactor Authentication Is on the Rise. Wired.