As MFA mandates grow, so do MFA bypasses

Multifactor authentication (MFA) is now a mandate for many regulations, cyber insurance policies, and presidential executive orders—just as attackers are finding ways to bypass it.

“It’s as though we waited to make sure that the hackers had a way around it before we decided to mandate it,” Stewart Baker, of counsel at Steptoe & Johnson LLP, said during a panel at the CISO-focused Shift Up Summit hosted in Manhattan this month, referring to MFA.

Here are some ways that attackers are getting around MFA:

MFA fatigue: Threat actors pepper the targeted user with alerts to confirm authentication, hoping that, like an exhausted parent tired of “Are we there yet?” the target will accept, just to make it all stop.

• An example: KrebsonSecurity reported on March 26 that some Apple customers received a plethora of push notifications, complete with Apple Support impersonators calling the individuals to say their account had been compromised and a one-time passcode required verification.
• Some numbers: Microsoft, according to its Digital Defense Report, saw approximately “6,000 MFA fatigue attempts per day” between June 2022 and July 2023.

SIM swaps: The SIM-ple plan here convinces the phone carrier to assign a victim’s phone number to a device in the attacker’s possession. An unauthorized party can then receive texts and voice communications associated with the number.

• An example: In January 2024, following unexpected access to the US Securities and Exchange Commission's X account, the SEC said it “determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack.
• Reaction: The Federal Communications Commission (FCC) now requires wireless providers to notify customers before they grant any requests for a SIM-card change.

Session-cookie theft: Infostealers swipe the browser hall-pass known as the “session cookie”—a stored string of characters that allows reentry without reentering a password.

• Gimme the numbers: SpyCloud’s 2024 identity exposure report, released on March 26, revealed the threat-detection company’s recapturing of more than 20 billion cookie records in 2023, “averaging more than 2,000 records per infected device.” “This indicates that leveraging malware-siphoned session cookies for next-generation account takeover is quickly becoming a valued tactic. As more organizations adopt passwordless authentication, we expect to see this method escalate,” the report read.
• How bad? With session-cookie swiping, one’s access may include anything that the user has access to. “And, of course, because almost everyone these days uses single sign-on technology, having that cookie usually unlocks pretty much every app within the company,” Chester Wisniewski, director and global field CTO at the cybersecurity company Sophos, told IT Brew.

What to do: For the cookie thefts, Wisniewski recommends shortening the amount of time that cookies are valid before they expire.

CISA’s gold standard for protecting multifactor methods, overall: “phishing-resistant” MFA, like a smart card or FIDO security key, where only the key owner has access to their device.

Even a one-time code sent to the phone, however, isn’t the worst way to authenticate. “Any MFA is still better than no MFA,” according to an agency bulletin. And the same likely goes for legislation.

“When we think about a large enterprise, sure, they’ve all been using [MFA] for a while now. But small and midsize businesses are still not using multifactor, and that’s leading to their compromise. And of course, that’s leading insurance companies to be looking at what are the simplest things that we can require that are going to dramatically improve the security of a given customer,” Wisniewski said.