OPINION: Why Multi-Factor Authentication Isn’t as Secure as Financial Institutions Think

Courtesy of Matthew Gracey-McMinn, Payments Journal

“We would like to text or call you with a code.” That familiar phrase usually means multi-factor authentication (MFA) is in play. It’s an added layer of protection that businesses are using to protect accounts, and it’s become commonplace at financial institutions to secure personal data. From banks to brokers to crypto wallets, there is an expectation that it is implemented by institutions. However, MFA is far from foolproof. Criminals can still find their way around it to carry out attacks.

The holy grail for hackers is to successfully take over an account using techniques such as credential stuffing. This requires the attacker to acquire a list of username and password pairs and then feed those credentials into login pages using bots. The speed and volume at which bots can fill in login forms help the hacker find a winning credential combination quickly. The data used often comes from leaks, stolen device fingerprints, or session cookies sold on the dark web or on marketplaces like Genesis Market.

So, suppose a criminal launches an attack that attempts millions of logins within a few hours. In that case, even a small success rate can yield hundreds or thousands of accounts. Validated credentials can then be used to reset a password, take complete control of an account, and even transfer funds elsewhere.
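As an added example, not from the original article, here is the kind of login-log check a defender can run to spot the bot-driven pattern just described: one source trying many distinct usernames in a short window with a low success rate, which a single customer mistyping a password does not produce. The log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one line per login attempt:
#   "<ISO timestamp> <source IP> <username> <OK|FAIL>"
# 203.0.113.7 sprays distinct usernames (stuffing); 198.51.100.2 is one
# user mistyping a password twice (normal noise).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.7 alice FAIL
2024-03-01T10:00:01Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave OK
2024-03-01T10:00:04Z 203.0.113.7 erin FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank FAIL
2024-03-01T10:00:30Z 198.51.100.2 ivan FAIL
2024-03-01T10:00:45Z 198.51.100.2 ivan FAIL
2024-03-01T10:01:10Z 198.51.100.2 ivan OK
"""

def parse_log(text):
    """Turn raw lines into (time, ip, user, success) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines rather than crash
            continue
        ts, ip, user, result = parts
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, ip, user, result == "OK"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=5,
                    min_users=4, max_success_rate=0.25):
    """Flag source IPs whose attempts inside a sliding window cover many
    distinct usernames with a low success rate. Returns {ip: summary}, where
    'compromised' lists usernames that succeeded and need MFA/step-up review."""
    flagged = {}
    recent = defaultdict(deque)       # ip -> attempts still inside the window
    for stamp, ip, user, ok in events:
        q = recent[ip]
        q.append((stamp, user, ok))
        while stamp - q[0][0] > window:  # evict attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        successes = sum(o for _, _, o in q)
        if len(q) >= min_attempts and len(users) >= min_users \
                and successes / len(q) <= max_success_rate:
            flagged[ip] = {"attempts": len(q), "distinct_users": len(users),
                           "compromised": sorted(u for _, u, o in q if o)}
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

On the sample, only 203.0.113.7 is flagged, with `dave` listed as the one account whose password was confirmed; that is the account to force re-verification on before the attacker's next step.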

MFA can stop an account takeover following a successful credential stuffing attack by requiring more than just a password to validate a legitimate login and prevent automated attempts. But it’s not airtight. Some sites use 2FA (two-factor authentication), a type of MFA that uses two factors for login, such as credentials and a device.

The secret ingredient for hackers to bypass MFA security is using a combination of bots and human intervention. The goal is to either sidestep the need to use MFA for access or use tricks to fool account owners into handing over MFA codes.

Here are the five most common techniques financial services organizations need to know about:

  1. Targeting financial aggregator sites. Bank APIs can be reached through financial aggregator services, which makes them an attractive path for abuse. Customers of services such as Mint or Plaid use these apps to manage their finances, aggregating accounts into a single view. These apps can access account information and even make changes using the bank’s API or a web app, sometimes without requiring MFA. A threat actor can perform credential stuffing through a financial aggregator app to bypass MFA controls, or can target the aggregator app itself, taking over a customer’s account there and thereby gaining some degree of access to their banking information.
  2. Stealing security questions with social engineering. The most common method of verifying a user’s identity is through security questions. Security questions are often in place to bypass MFA if users lose or don’t have access to their device. Attackers use social engineering, which can be as simple as looking at social media profiles, to answer common security questions and access accounts without MFA. Bots can then use credential stuffing techniques to bypass MFA and input answers to security questions using brute force or publicly available data.
  3. Generating phishing scams. Phishing is one of the most popular means of acquiring sensitive information such as passwords or answers to security questions. Attackers try to convince individuals to visit a fake login page and input the MFA code. The threat actor might also email or phone an individual and impersonate their bank to ask for the MFA code. In this way, attackers obtain MFA codes maliciously rather than bypassing MFA.
  4. Exploiting Man-in-the-middle (MITM) tactics. The threat actor positions themselves between the bank and the customer (often using malware) and intercepts messages between them. This tactic is used to acquire an MFA code by linking to a fake page asking for the code.
  5. Using SIM swapping techniques. Bad actors intercept text messages sent to a user’s phone number by having them delivered to another handset. This is accomplished by calling the user’s SIM provider, impersonating the customer, and passing the provider’s security questions. The criminal convinces the provider to move the phone number to the attacker’s SIM card. Once set up, they use the phone number as the authentication factor to access the account.

MFA might present a more vigorous defense than a password alone, but it’s not a foolproof guarantee against successful attacks. Bypassing MFA may require human intervention, but it can still happen. When you factor in bots attacking at scale, the risk increases, and the success rate becomes much higher. Banks need to be on the lookout for malicious activity and educate customers about deceptive behavior such as phishing and social engineering. Adding extra layers of security to stop the bot attacks that are the precursor to the phishing and social engineering attacks will also help to protect systems. Don’t forget, security requires greater depth to successfully deal with more sophisticated criminals. Financial institutions must stay one step ahead.


Disclaimer: This article represents the views of the author only. They are not a statement of any official government policy and do not represent the views or policy of the National Association of State Credit Union Supervisors (NASCUS),