Cybersecurity is often described as an arms race. Companies invest heavily in stronger authentication mechanisms, encryption standards, and multi-layered defenses. More and more organizations are switching to two-factor authentication, also known as multi-factor authentication, to better protect data, trade secrets, and sensitive information in addition to the classic username and password combination.
This is a good approach for greater security, but unfortunately not a silver bullet.
Multi-factor authentication is one of the most significant technical security improvements of the last decade. Introducing a second factor prevents automated attacks, blocks credential stuffing, and significantly reduces the chances that a classic hacking attack succeeds. Attackers have understood this too and are increasingly looking for non-technical loopholes that target the user and his or her psychology.
Humans as the Weakest Link
The saying “A chain is only as strong as its weakest link” also applies to cybersecurity. Weaknesses such as choosing insecure passwords or a lack of awareness about cybersecurity, phishing, and social engineering lead cybercriminals to manipulate people rather than hack systems.
Often, human traits such as curiosity, helpfulness, fear, trust, or respect for authority are exploited. In the context of social engineering, this is also referred to as human hacking – the deliberate manipulation of people.
The goal is to trick victims into revealing confidential information and company data, as well as access credentials such as passwords or two-factor authentication (2FA) codes.
What Techniques Can Be Used to Circumvent Two-Factor Authentication (2FA)?
The danger posed by social engineering and phishing attacks has increased significantly in recent years, but efforts to combat them have also intensified. This is being achieved through employee training and awareness campaigns on the one hand, and the introduction of enhanced authentication methods such as 2FA/MFA on the other. Nevertheless, the threat posed by such attacks remains enormous.
Criminals are increasingly using AI tools, and the stronger security measures adopted by companies have forced them to adapt. As a result, threat actors are developing ever more sophisticated methods and strategies that pose new challenges for companies and users.
Below, we present some of the most commonly used and most dangerous methods:
MFA Fatigue Attack
In an MFA fatigue attack, also known as MFA bombing, attackers use previously stolen credentials and repeatedly trigger login attempts that appear as push notifications (yes/no) on the victim’s mobile phone. The goal of these countless messages is to trick victims into confirming one of these requests out of frustration, confusion, or by mistake, thus granting the attackers access to the account.
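As an added example, not part of the original article: a small detection routine a defender could run over authentication logs to flag a burst of push challenges for one account and, more importantly, an approval that arrives while such a burst is under way. The log format, event names, and entries are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system): one push challenge per line.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z push_challenge user=alice outcome=denied
2024-05-01T08:00:09Z push_challenge user=alice outcome=timeout
2024-05-01T08:00:20Z push_challenge user=alice outcome=denied
2024-05-01T08:00:31Z push_challenge user=alice outcome=timeout
2024-05-01T08:00:44Z push_challenge user=alice outcome=denied
2024-05-01T08:01:02Z push_challenge user=alice outcome=approved
2024-05-01T08:05:00Z push_challenge user=bob outcome=approved
2024-05-01T09:10:00Z push_challenge user=bob outcome=approved
"""

def parse_line(line):
    """Split '<timestamp> <event> key=value ...' into (timestamp, event, user, outcome)."""
    ts_str, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, event, fields["user"], fields["outcome"]

def detect_mfa_fatigue(log_text, window=timedelta(minutes=5), threshold=4):
    """Return alerts as (kind, user, iso_timestamp, prompts_in_window).
    'burst' fires once when a user crosses the threshold inside the sliding window;
    'approved_after_burst' fires for every approval that lands while the burst persists."""
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the sliding window
    in_burst = set()              # users currently above threshold (dedupes burst alerts)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, outcome = parse_line(line)
        if event != "push_challenge":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:        # drop prompts that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:
                in_burst.add(user)
                alerts.append(("burst", user, ts.isoformat(), len(q)))
            if outcome == "approved":   # the signal worth paging on: consent after a flood
                alerts.append(("approved_after_burst", user, ts.isoformat(), len(q)))
        else:
            in_burst.discard(user)
    return alerts
```

Tune `window` and `threshold` to the legitimate retry behaviour seen in your own logs; an approval after a burst is the event that should trigger session revocation and a password reset.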
Adversary-in-the-Middle Attack
In an adversary-in-the-middle (AitM) attack, attackers trick the user into believing they are entering their login credentials, including the two-factor authentication (2FA) code, on a legitimate login page. In reality, this is a deceptively realistic fake login page that the attackers place between the user and the genuine service in real time. This allows them to intercept login credentials and authentication codes, steal session cookies, and log in as the user.
SIM Swapping Attack
In a SIM swapping attack, attackers contact the victim’s mobile phone provider and impersonate the victim using personal information they have obtained beforehand. They claim that the cell phone is defective or has been lost and have the cell phone number transferred to a new SIM card. This results in SMS TANs for online banking or logins ending up with the fraudsters, and the hijacked cell phone number becomes the master key to the victim’s entire digital life.
Attack on the Service Desk
Attackers contact service desk employees, claiming to have lost access to their second factor or forgotten their password. Through psychological manipulation, the criminals then attempt to trick employees into disabling multi-factor authentication or resetting their passwords. If the caller’s identity is not verified, the criminals gain relatively quick access to the company’s infrastructure.
Answering Security Questions
Even though security questions pose a significant security risk because the answers are often easily found, sometimes simply answering one is enough to resolve login problems. Attackers exploit this to bypass two-factor authentication. For example, the answers to questions like “What was your first pet?” or “What is your mother’s maiden name?” can be discovered using social engineering.
How Can I Effectively Protect Myself Against Social Engineering Attacks?
Companies and users must be aware that two-factor or multi-factor authentication does not solve the problem of weak passwords. It primarily adds a layer of protection on top of the password, and that layer can be overcome. Nevertheless, it remains important, as security experts emphasize. The type of second factor used is crucial here.
Here are some key strategies for better protection on the provider side:
- Avoid SMS: Authenticator apps (e.g., Google Authenticator, Microsoft Authenticator, FreeOTP) or physical security keys (hardware tokens) are significantly more secure than SMS codes. They are also immune to SIM swapping attacks. Furthermore, SMS messages can generally be intercepted and read, and they do not offer end-to-end encryption (E2EE).
- Use phishing-resistant MFA: Modern authentication methods such as passkeys, which are based on the FIDO2 standard and use cryptographic keys, offer strong protection against phishing and fake login pages.
- Measures to protect the service desk: In addition to strict verification processes such as bidirectional identity checks that verify support staff in real time, employees should be regularly trained and processes should be consistently followed.
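As an added example, not code from the article or any vendor: the origin and RP-ID checks a relying party performs on a passkey (FIDO2/WebAuthn) assertion, which are what make a proxied fake login page fail even when it relays the genuine challenge. The RP ID, allowed origins, and challenge are constructed placeholders, and the final signature verification over authenticatorData || SHA-256(clientDataJSON) is omitted here.

```python
import base64
import hashlib
import json

# Constructed relying-party configuration (placeholder values, not a real service).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_client_data(challenge, origin):
    """Build the base64url clientDataJSON a browser produces: the browser, not the page,
    fills in the origin, so a phishing page cannot claim the genuine site's origin."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(payload).encode())

def make_auth_data(rp_id, sign_count=1):
    """authenticatorData = rpIdHash(32) | flags(1) | signCount(4, big-endian); 0x05 = UP|UV."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + sign_count.to_bytes(4, "big")

def check_assertion_binding(client_data_b64, auth_data, expected_challenge):
    """Return (ok, reason) for the binding checks of WebAuthn assertion verification."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or foreign challenge)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another domain)"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```

Because both the origin and the RP ID hash are bound by the browser and authenticator rather than typed by the user, there is no code for the victim to hand over and nothing the intermediary can forward that the genuine service will accept.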
Here are some key strategies for better user protection:
- Practice vigilance: Only confirm and approve 2FA requests that have been triggered by yourself. When faced with a flood of notification requests, it is advisable to change the password for the affected account for security reasons.
- Answering security questions: Instead of security questions, other authentication methods such as authenticator apps should be used whenever possible. If this is not technically feasible, fictitious and therefore less predictable answers should be used. For example, “Sunny” as an answer to “First pet”.
- Secure mobile phone contract: Some telecommunications providers require a PIN when contacting customer service, which serves as an additional security measure. If this is not already the case, a secure and not easily guessed PIN should be set up (i.e., not 0000, 1234, or similar) to protect your contract from unwanted changes.
- Use of social media: Be careful when sharing personal and professional information on social media. Cybercriminals could use this data for social engineering attacks.
Conclusion
Multi-factor authentication works well as a technical process, but it does nothing more than raise the technical barrier against unauthorized access. Most modern attacks do not defeat cryptography or algorithms or exploit mathematical weaknesses in the system. Instead, they use social engineering to “persuade” users to cooperate – without them noticing. In doing so, they turn human psychology into their tool.
Often, it starts with a compelling phone call, a well-designed phishing page, or a habitually approved push notification. In other words: the attack does not succeed because the second authentication factor fails, but because a human was successfully manipulated. Consequently, developing and deploying ever stronger authentication technologies is not enough; they must be accompanied by a sustained information and training campaign for users.
