Think multi-factor authentication can’t be hacked? Think again

Multi-factor authentication (MFA) is a good way to protect online accounts, but that doesn’t mean users should let their guard down, warns a security expert.

MFA is generally stronger than simple password protection because users must provide two or more different sources to prove their identities.

“But if someone tells you it’s unhackable, you shouldn’t rely on them,” said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, at a recent ITWC webinar. “Most people are startled when they see how easy it is.”

Grimes said organizations should train their users to beware of potential scams, even if they’re using MFA.

How hackers get around MFA

Social engineering is responsible for 70 to 90 per cent of all data breaches, and it is no different with MFA, said Grimes. One of the most common attacks is called “network session hijacking.” In this case, hackers use phishing emails to trick users into signing on to a fake website, then steal the users’ credentials and session token to take over their accounts.

Similarly, another popular hack is to use phishing emails to gain access and unleash a virus on endpoints. “If the computer gets compromised, it’s game over,” said Grimes. “They could do anything you can do.” Last year, one group of hackers stole $100 million this way, he added.

MFA methods that send authentication codes to cell phones via SMS are also vulnerable. For example, in the “SIM swap” scam, hackers get your logon information through a phishing email or call and then steal your SIM card information. This allows them to receive your SMS verification codes and reset your account password. “This happens thousands of times a day,” said Grimes.

Account recovery questions, such as those that ask for your mother’s maiden name, are one of the worst forms of authentication. “These should be outlawed because most of the answers can be looked up,” said Grimes. “They can be guessed 20 per cent of the time or found on social profiles.”

Biometrics used for authentication are also a common target for hackers. “Your fingerprints are everywhere, and once stolen, it’s compromised for life,” Grimes said.

How to defend against MFA attacks

The first line of defence is to include MFA hacking awareness in security training for employees. Employees should learn how to spot rogue links and how to check whether a URL is legitimate.
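One way to turn the “check whether a URL is legitimate” advice into a routine check, as an added example that is not from the article or the webinar: the trusted domain list is a constructed placeholder, and the checks flag the usual tricks seen in phishing links (a fake host hidden behind an `@`, a trusted name embedded in an untrusted host, punycode look-alikes, bare IP addresses, plain http).

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist of an organisation's own logon hosts (hypothetical values).
TRUSTED_DOMAINS = {"bank.example", "mail.example"}


def registrable_match(host: str, trusted: set) -> bool:
    """True if host is a trusted domain or a subdomain of one (e.g. login.bank.example)."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_url(url: str, trusted: set = TRUSTED_DOMAINS) -> list:
    """Return the reasons a link looks rogue; an empty list means it passed every check."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    # "https://bank.example@evil.test/" - everything before '@' is userinfo, not the host
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no host")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    # IDN labels are encoded as xn--...; a common way to build homoglyph domains
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homoglyph domain)")
    if not registrable_match(host, trusted):
        # "bank.example.evil.test": the trusted name is a prefix, but the owner is evil.test
        if any(host.startswith(d + ".") or d.replace(".", "-") in host for d in trusted):
            reasons.append("trusted name embedded in an untrusted host")
        else:
            reasons.append("host not in the trusted list")
    return reasons


if __name__ == "__main__":
    for link in ["https://login.bank.example/", "https://bank.example@evil.test/",
                 "http://bank.example.evil.test/", "https://192.0.2.10/login"]:
        print(link, "->", check_url(link) or "ok")
```

Real phishing pages also use entirely unrelated domains, so an empty result only means the link points at a trusted host, not that the page behind it is safe.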

Although it can be difficult, users should try to avoid SMS-based applications. If they do use them, they should minimize any public posts of the phone number they use for account recovery. People should never trust someone who is calling unexpectedly or sending an SMS verification. They should also be suspicious if they’re asked to type an SMS pin code back into SMS, said Grimes. Usually, the code is entered on a web site.

As for recovery questions, “don’t answer them honestly,” said Grimes. People should deliberately use wrong answers and write them down or store them in password managers.

The bottom line is that people have to realize that “nothing is unhackable,” Grimes said. “You can’t throw away your brain just because you’re using multi-factor authentication.”

Cindy Baker
Cindy Baker has over 20 years of experience in IT-related fields in the public and private sectors, as a lawyer and strategic advisor. She is a former broadcast journalist, currently working as a consultant, freelance writer and editor.