Multi-factor authentication (MFA) is important and useful in securing accounts, but we cannot depend solely on MFA. Social engineering exploits human weaknesses to bypass MFA.

We’re often told to turn on multi-factor authentication (MFA) to secure our accounts, and not to disclose our one-time password (OTP) to anyone. While these remain best practices, are accounts and data automatically secure just because of MFA?

According to Proofpoint’s latest 2023 Human Factor report, MFA bypass actually accounted for more than a million messages per month.

This is because social engineering techniques can be used to bypass MFA. This can involve stealing the victim’s security/recovery questions’ answers with a fake website, or fabricating a story by acting like the victim to disable the MFA.

CybersecAsia finds out more about MFA bypass and social engineering from Philip Sow, Manager, Systems Engineering, South East Asia and Korea, Proofpoint.

How is it possible that even the strongest passwords cannot protect users from social engineering?

Sow: Passwords are one of the first critical barriers between a person, a threat actor and a successful cyber attack. However, even the strongest of passwords is not enough.

Proofpoint believes the human factor is most important in cyber defence because people – not passwords – are the most critical variable in today’s cyber threats. The World Economic Forum found that 95% of cybersecurity incidents occur due to human error, and threat actors are well aware of this liability too.

This is why threat actors rely heavily on social engineering, leveraging a collection of techniques to manipulate human psychology, because they know that people are the easiest way into an environment and the weakest link in the attack chain. This approach involves exploiting human nature and using human emotion (usually fear and urgency) to trick or threaten users to take actions such as giving up account credentials, handing over sensitive data, running malicious code, and transferring funds.

Philip Sow, Manager, Systems Engineering, South East Asia and Korea, Proofpoint

For instance, threat actors could pretend to be an IT support personnel or other trusted service provider to trick targeted users into divulging their passwords, nullifying the effectiveness of even the strongest password.

Social engineering is so successful because it takes advantage of targeted users’ inability to detect an attack then leverages their human nature. Hence, beyond the importance of creating strong passwords, users need to be educated with cybersecurity awareness training so they can spot and avoid such attacks, safeguarding themselves and their organisations.

What are some of the most common types of MFA attacks, and how do they work?

Sow: MFA has seen widespread adoption in the consumer space as organizations seek to neutralize brute-force password attacks and phishing. While MFA has become more ubiquitous and user-friendly with advancements in technology, threat actors have not been resting on their laurels either, choosing to target MFA as well as looking for ways to bypass MFA with evolving phishing kits.

Phishing kits are software developed to aid threat actors in harvesting credentials and quickly capitalizing on them. They offer threat actors the ability to deploy an effective phishing page regardless of their skill level, and can even be purchased for less than a cup of coffee.

The kits are pre-packaged sets of files that contain all the code, graphics, and configuration files to be deployed to make a phishing page. Designed to be easy to deploy as well as reusable, phishing kits are usually sold as a zip file, ready to be unzipped and deployed without a lot of “behind the scenes” knowledge or technical skill. The kits can collect data such as users’ credentials (username and password), browser language, browser user agent, GeoIP of the visitor, and screen resolution.

And, as reported in Proofpoint’s 2023 Human Factor Report, Proofpoint researchers found that phishing kits had evolved to gain a powerful new capability in early 2022 – bypassing MFA.

Is biometric authentication the future of MFA? What are its strengths and limitations?

Sow: As we move forward in security, we are seeing an increasing shift towards facial recognition and other forms of biometric authentication. 

Biometric authentication aims to balance security and convenience. It allows near-frictionless authentication by quickly recognizing the user’s unique fingerprint, iris, face, or other physical characteristics. It also offers a stronger level of security to users as biometric features are more challenging to duplicate than a regular password.

However, biometric IDs can also be spoofed in a variety of ways. For example, researchers have designed a machine learning algorithm to generate fake, “master” fingerprints that target the type of fingerprint sensors commonly found in smartphones. Additionally, deep fakes are another rising technology trend that threat actors could adapt to bypass biometric authentication. To complicate things, a targeted user cannot simply “change” their biometric data if a threat actor has compromised it, unlike a password.

What can organizations put in place to protect users against phishing kits that bypass MFA?

Sow: MFA is still an integral part of defense depth, and activating it remains best practice. Hence, organizations need to take steps to protect users from MFA fraud especially with threat actors now more equipped, creative, and motivated than ever. To do so, organizations should implement a multilayered, people-centric approach that spans the entire attack chain. This will involve:

    • Conducting cybersecurity awareness training: MFA Phishing kits help sell the social engineering aspect of scams by giving the target user the confidence that they are logging into a real site. Thus, organizations need to educate their employees so they can identify and avoid falling for social engineering attacks. Employees should also realize that they have a role to play in protecting their organization from cyber attacks, and are in essence the gatekeepers to sensitive company information.
    • Building a robust email fraud defense: Even with the best user training, email fraud can be tricky to detect. Organizations should invest in a solution that utilizes the latest technologies in machine learning and artificial intelligence to detect attacks. They should also manage email based on custom quarantine and blocking policies so threat actors do not even get the chance to reach out and manipulate employees with social engineering.
    • Partnering with a threat intelligence vendor: Focused, targeted attacks call for advanced threat intelligence. Organizations should adopt a solution that combines static and dynamic techniques to detect new attack tools, tactics and targets – and then learn from them.