Cybercriminals are now turning the social engineering techniques originally developed to steal passwords against multi-factor authentication (MFA) defenses, including methods that send a one-time code to a second device such as the user’s smartphone.
According to the UK’s National Cyber Security Centre (NCSC) report, Not all types of MFA are created equal…: “Attackers have realized that many of the same social engineering techniques that tricked us into handing over passwords can also be updated to overcome some methods of MFA. We’ve seen the success of attacks against MFA-protected accounts increasing over the past couple of years.”
Cybersecurity firm Mandiant also reports that attackers have developed new tactics to bypass multi-factor authentication. These include adversary-in-the-middle (AitM) techniques, in which the threat actors do not merely eavesdrop on communications but actively interfere with them, modifying the messages to their advantage; in a phishing context this typically means proxying the real login page so that the victim’s password and one-time code pass through the attacker in real time.
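To make the AitM point concrete, here is a small simulation, added for this article and not code from the NCSC, Mandiant or any product: a phishing proxy relays a victim’s password and one-time code to the real site and walks away with a session, while an MFA method that binds the authenticator’s response to the origin it is actually talking to fails when relayed. All hosts, users, secrets and the HMAC stand-in for a real public-key signature are constructed assumptions for the example; real WebAuthn authenticators sign client data that includes the origin, which is the property modelled here.

```python
"""Toy model of an adversary-in-the-middle phishing proxy against two MFA styles:
a time-based one-time code (relayable) and an origin-bound assertion (not).
Added illustration; every host, user, secret and key below is constructed."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example-corp.test"        # constructed real site
PHISH_ORIGIN = "https://login.example-corp-sso.test"   # constructed look-alike

USER_PASSWORD = "correct horse battery staple"          # constructed
TOTP_SEED = b"constructed-shared-secret-seed"           # constructed
KEY_HMAC_SECRET = b"constructed-authenticator-key"      # stands in for a private key


def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def sign(challenge: str, origin: str) -> str:
    """Authenticator response over challenge || origin. Real WebAuthn uses a
    public-key signature over client data that includes the origin; an HMAC
    with a shared key is used here purely to keep the example self-contained."""
    msg = f"{challenge}|{origin}".encode()
    return hmac.new(KEY_HMAC_SECRET, msg, hashlib.sha256).hexdigest()


class Server:
    """Relying party: password plus either a TOTP code or an origin-bound
    assertion; issues a session token on success."""

    def __init__(self) -> None:
        self.sessions: set[str] = set()

    def login_totp(self, password: str, code: str, now: int):
        if password == USER_PASSWORD and hmac.compare_digest(code, totp(TOTP_SEED, now)):
            return self._issue()
        return None

    def challenge(self) -> str:
        return secrets.token_hex(16)

    def login_bound(self, password: str, challenge: str, origin: str, signature: str):
        # Valid only if the client signed OUR origin, not whatever page it was on.
        expected = sign(challenge, REAL_ORIGIN)
        if (password == USER_PASSWORD and origin == REAL_ORIGIN
                and hmac.compare_digest(signature, expected)):
            return self._issue()
        return None

    def _issue(self) -> str:
        tok = secrets.token_hex(16)
        self.sessions.add(tok)
        return tok


class Victim:
    """The user's browser and authenticator."""

    def submit_totp(self, now: int):
        # The user reads the code off their phone and types it into the page.
        return USER_PASSWORD, totp(TOTP_SEED, now)

    def submit_bound(self, challenge: str, page_origin: str):
        # The authenticator binds its response to the origin the browser is on,
        # which under phishing is the attacker's site.
        return USER_PASSWORD, sign(challenge, page_origin)


def aitm_totp(server: Server, victim: Victim, now: int):
    """Proxy forwards password and live code to the real site: succeeds."""
    pw, code = victim.submit_totp(now)
    return server.login_totp(pw, code, now)


def aitm_bound(server: Server, victim: Victim):
    """Proxy fetches the real challenge, has the victim answer it on the phishing
    origin, then forwards the answer claiming the real origin: rejected."""
    ch = server.challenge()
    pw, sig = victim.submit_bound(ch, PHISH_ORIGIN)
    return server.login_bound(pw, ch, REAL_ORIGIN, sig)


def legit_bound(server: Server, victim: Victim):
    """Same flow with no proxy: the victim is on the real origin, so it succeeds."""
    ch = server.challenge()
    pw, sig = victim.submit_bound(ch, REAL_ORIGIN)
    return server.login_bound(pw, ch, REAL_ORIGIN, sig)


if __name__ == "__main__":
    srv, v, now = Server(), Victim(), 1_700_000_000
    print("AitM vs TOTP   :", "session stolen" if aitm_totp(srv, v, now) else "blocked")
    print("AitM vs bound  :", "session stolen" if aitm_bound(srv, v) else "blocked")
    print("Legit bound    :", "logged in" if legit_bound(srv, v) else "blocked")
```

The relay succeeds against the one-time code because nothing in the code ties it to where the user typed it; the origin-bound flow fails because the proxy cannot produce a response over the real origin without the victim’s authenticator, and the authenticator only ever signs the origin it is actually on.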
Another factor making robust MFA the first line of corporate defense is the move to storing important data in the cloud, which has exposed those services, and their login pages, directly to the internet.
Cloud-based services more vulnerable to attack
“A lot of organizations were moving their corporate digital services to the cloud. As they did this, those services became more exposed to attacks via the internet. In making that move, the NCSC emphasized that the organization’s authentication methods needed to be made more robust by including MFA,” says the NCSC.
The NCSC does, however, stress that MFA still provides a significant added level of security compared with relying solely on passwords: “Some recent high-profile breaches of corporate data (including one that impacted Ticketmaster, Santander and other Snowflake customers) would probably not have occurred if mandatory MFA had been enforced.”
However, the NCSC also acknowledges that a balance must be struck between keeping the bad guys out and not implementing so many levels of security that legitimate users find it difficult to access the system.
“We expect authentication will be front and center of attackers’ targets for the foreseeable future. For security professionals, there’s a balance between a system that needs to be able to let legitimate users in while also keeping illegitimate users out,” says the NCSC.
The NCSC has issued advice for organizations on how to implement strong methods of multi-factor authentication (MFA) for accessing corporate online services.