How can attackers bypass MFA?

In previous communications, we've pointed out that one of the best ways to protect your data (business and personal alike) is to implement MFA (multi-factor authentication). If the term is new to you: it is an additional layer of security when signing in to an account, whatever kind of account it is.

For example, after you enter your username and password, you receive an SMS with a code that proves you have the phone the account is tied to. You get into the account only after you enter that code.

Why is this more secure? Because an attacker would also need access to your phone (or, as we will see, your phone number), on top of the username and password.

This functionality comes 'by default', or is a few clicks away, in every serious service and product. In Microsoft 365, for example, it is an essential and easily configured pillar of account protection.

Okay, but that doesn't mean there aren't ways to bypass MFA. Here are some:

AiTM (adversary-in-the-middle) attacks – the attacker sits between you and the real service, either on a network they control (for example a rogue Wi-Fi hotspot in a coffee shop) or, far more commonly, behind a cloned login page that quietly relays everything you type to the real site.

Imagine receiving a link to a post on Facebook. When you open it, you are told you are not logged in. You enter your username and password, receive the MFA code, type it in, and are redirected to the content you wanted.

Well, that Facebook login page was a clone, and behind the scenes the attackers relayed the data you provided (including the SMS code) to the real Facebook in real time. Modern phishing kits automate this with a reverse proxy, and what the attacker walks away with is the session cookie the real site issued once the code was accepted, so they stay logged in without ever needing another code.

MFA prompt bombing – earlier I mentioned the code received via SMS, but other types of MFA rely on an app you install on your phone. How the app is used depends on the provider: some ask you to read a code from the app, some send a notification in which you have to pick the correct one of 3 numbers, and others send a plain yes/no notification.

As the name suggests, this method bombards the user with approval notifications (the attacker already has the password, otherwise no prompt would be sent) and relies on the user eventually tapping 'yes' just to make them stop, or approving one by mistake. It only works against plain yes/no prompts: a user who is not looking at the attacker's sign-in screen cannot supply the number shown there.
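What a prompt-bombing run looks like from the defender's side, as an added example that is not part of the original post. The log format, the field names and the threshold (5 or more push prompts for one user within 10 minutes) are assumptions, chosen to resemble a typical identity-provider sign-in log; the sample lines are constructed and show one normal login (bob) and one bombing run against alice that ends with her giving in.

```python
# Detecting MFA prompt bombing from push-notification logs (added example; the
# log format, field names and threshold are assumptions, not from the original post).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one ordinary approval (bob) and a bombing run against alice.
SAMPLE_LOG = """\
2025-03-04T08:01:10Z user=bob result=approved ip=203.0.113.7
2025-03-04T02:14:02Z user=alice result=denied ip=198.51.100.23
2025-03-04T02:14:41Z user=alice result=timeout ip=198.51.100.23
2025-03-04T02:15:20Z user=alice result=denied ip=198.51.100.23
2025-03-04T02:16:05Z user=alice result=timeout ip=198.51.100.23
2025-03-04T02:16:44Z user=alice result=denied ip=198.51.100.23
2025-03-04T02:17:30Z user=alice result=approved ip=198.51.100.23
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values
THRESHOLD = 5                    # prompts within WINDOW before we call it bombing


def parse(line):
    """'<timestamp> user=<u> result=<r> ip=<ip>' -> (datetime, user, result, ip)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"], kv["ip"]


def find_prompt_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Per user, find the densest run of prompts that fits inside `window`.
    If that run has at least `threshold` prompts, raise one alert that also
    says whether the user eventually approved, which is the case to escalate."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result, ip = parse(line)
            by_user[user].append((ts, result, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= len(best):
                best = events[start:end + 1]
        if len(best) >= threshold:
            alerts.append({
                "user": user,
                "prompts": len(best),
                "first": best[0][0],
                "last": best[-1][0],
                "approved_after_bombing": any(r == "approved" for _, r, _ in best),
                "source_ips": sorted({ip for _, _, ip in best}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

Denials and timeouts are the signal here; a single approval after a burst of them is what should page someone, because it usually means the user gave in and the attacker now has a session.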

Service desk attacks – purely social engineering. Attackers contact the support desk of a company where you hold an account, after researching you for a long time and learning that company's MFA reset process.

Armed with that information and a manufactured sense of urgency (a crying child in the background can work wonders), they can easily talk a call-centre agent, often a junior or inexperienced one, into resetting your MFA.

SIM swapping – similar to the attack above, but aimed at accounts protected by SMS-based MFA. Here the attacker contacts your mobile provider impersonating you and, using the same techniques, convinces them to move your number to a new SIM or issue an eSIM. From then on the attacker's phone receives your SMS codes.

MFA is a must these days, but it is equally important to know how it works and how attackers get around it. The fact remains that security stays effective only while the user pays attention.

If you want to learn more about security, contact us using the form below!

© 2025 - KodingTech