Multi-factor Authentication (MFA) has long been touted as a robust security measure, significantly enhancing account protection beyond simple password-based systems. In fact, MFA can block over 99.9% of account compromise attacks.
However, as cybersecurity evolves, so do the tactics of malicious actors. Cybercriminals are increasingly finding ways to exploit weaknesses in MFA systems, highlighting the need for continued vigilance and improvement in security practices.
Understanding MFA and Its Importance
MFA requires users to provide two or more verification factors to gain access to a resource such as an online account. While MFA significantly improves security, it’s not impenetrable. Let’s explore some of the ways cybercriminals are exploiting MFA weaknesses.
1. Social Engineering and Phishing Attacks
One of the most common tactics used to bypass MFA is social engineering, particularly through sophisticated phishing attacks. Cybercriminals create convincing fake login pages that not only capture passwords but also intercept MFA codes.
Best Practice: Implement robust phishing awareness training for all users. Use email filtering systems to detect and block phishing attempts. Encourage the use of password managers that can detect when a website’s URL doesn’t match the legitimate site.
2. SIM Swapping
For MFA systems that rely on SMS or voice calls, SIM swapping poses a significant threat.
Best Practice: Move away from SMS-based MFA to more secure methods like authenticator apps or hardware tokens. Encourage users to set up strong security measures with their mobile carriers, such as requiring in-person verification for SIM changes.
3. Man-in-the-Middle (MitM) Attacks
In MitM attacks, cybercriminals intercept communication between the user and the authentication server. They can capture both the password and the MFA code in real time, using them to gain unauthorized access.
Best Practice: Use strong encryption protocols (HTTPS) for all authentication processes. Implement certificate pinning in mobile apps to prevent interception. Educate users about the risks of using public Wi-Fi networks for sensitive transactions.
4. Exploiting MFA Fatigue
Some cybercriminals exploit “MFA fatigue” by bombarding users with push notifications, hoping they’ll eventually approve one just to stop the notifications. This technique, also known as “MFA bombing” or “push notification spam,” takes advantage of user frustration and complacency.
In 2022, Uber suffered a significant breach where the attacker used MFA fatigue to gain initial access to their systems.
Best Practice: Implement number matching in push notifications, where users must enter a code displayed on the login screen into their authenticator app. Set limits on the number of push notifications sent within a specific timeframe. Provide clear, contextual information in push notifications about the login attempt.
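The two server-side controls above, number matching and a cap on push notifications, as an added example written for this page (not LeadingIT's or any vendor's implementation; the service class, the three-pushes-per-five-minutes policy and the two-digit code are assumptions):

```python
import hmac
import secrets
import time

# Constructed policy values for this example, not a vendor default.
MAX_PUSHES_PER_WINDOW = 3     # pushes a user may receive per window
WINDOW_SECONDS = 300          # rate-limit window (5 minutes)
CHALLENGE_TTL_SECONDS = 60    # a push that is not answered in time expires


class PushMfaService:
    """Server side of a push-based second factor with number matching.
    The login page shows a two-digit number; the user must type that number
    into the authenticator app to approve. A reflexive tap cannot approve a
    push, and repeated pushes to the same user are throttled.
    """

    def __init__(self, now=time.time):
        self.now = now                # injectable clock (for tests)
        self.push_times = {}          # user -> list of push timestamps
        self.challenges = {}          # challenge_id -> dict of challenge state

    def request_push(self, user, context):
        """Called by the login server after the password check.

        Returns (challenge_id, number) to display on the login screen, or
        None when the user has already received too many pushes (bombing).
        """
        t = self.now()
        recent = [s for s in self.push_times.get(user, []) if t - s < WINDOW_SECONDS]
        if len(recent) >= MAX_PUSHES_PER_WINDOW:
            self.push_times[user] = recent
            return None               # caller should alert: possible MFA fatigue attack
        recent.append(t)
        self.push_times[user] = recent
        cid = secrets.token_urlsafe(16)
        number = secrets.randbelow(90) + 10   # 10..99, shown only on the login screen
        # 'context' (IP, location, app) is sent in the push so the user can judge it
        self.challenges[cid] = {"number": number, "context": context,
                                "expires": t + CHALLENGE_TTL_SECONDS, "done": False}
        return cid, number

    def approve(self, cid, entered_number):
        """Called from the authenticator app. One attempt per challenge."""
        ch = self.challenges.get(cid)
        if ch is None or ch["done"] or self.now() > ch["expires"]:
            return False
        ch["done"] = True             # single use: a wrong guess burns the challenge
        return hmac.compare_digest(str(ch["number"]), str(entered_number))
```

A `None` from `request_push` is the signal worth logging and alerting on, since a burst of pushes the user did not initiate is the attack pattern described above.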
5. Bypassing MFA Through Account Recovery Processes
Many MFA implementations have account recovery options that can be exploited. Attackers might use publicly available information to answer security questions or exploit vulnerabilities in the recovery process itself.
Here’s something to think about: An attacker would have up to a 43% chance of successfully guessing a user’s security answer within ten attempts, depending on the language and question asked.
Best Practice: Strengthen account recovery processes by requiring multiple forms of verification. Avoid using easily guessable security questions. Consider implementing a waiting period or manual review for MFA disabling requests.
6. Exploiting Weak Second Factors
Not all second factors are created equal. Email-based MFA, for instance, can be compromised if the email account itself isn’t adequately protected. Similarly, security questions often rely on information that could be easily researched or guessed.
Best Practice: Phase out weaker MFA methods like SMS or email in favor of stronger options like FIDO2-compliant hardware keys or biometrics. If using software tokens, ensure they are protected by device encryption and biometric unlock.
Conclusion: MFA Is Only Part of the Solution
While MFA remains a crucial layer of security, it’s clear that it’s not a silver bullet. As cybercriminals continue to evolve their tactics, organizations must stay informed about potential vulnerabilities and adopt a multi-layered approach to security. This includes using the strongest MFA methods available, regularly updating security protocols, and providing ongoing education to users about emerging threats.
LeadingIT is a cyber-resilient technology and cybersecurity support provider. With our concierge support model, we provide customized solutions to meet the unique needs of nonprofits, schools, manufacturers, accounting firms, government agencies, and law offices with 20-200 employees in the Chicagoland area. Our team of experts solves the unsolvable while helping our clients leverage technology to achieve their business goals, ensuring the highest level of security and reliability.