Phishing
This is the ultimate attack targeting users. In this ‘variant’ focused on stealing MFA in real time, the attacker sets up a copy of a well-known website, and when we enter our credentials and MFA code on it, the attacker's tooling captures both and uses them immediately against the real site.
What can we do as users?
- Never click on links sent by unknown or suspicious senders.
- It is always advisable to access the resources we need from the official website.
- Be wary of urgent messages. Phishing always tries to create urgency in the user, whether it be a traffic fine, a false login that we have to block… When faced with phishing, the user’s calmness and judgement always prevail. When in doubt, always double-check the URL of the site.
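The advice above to double-check the URL can be turned into a simple rule: the login page is only trustworthy if the host is exactly one we have verified beforehand, over HTTPS. The following is an added example, not code from the original article; the trusted host names are constructed and hypothetical. It also reports which well-known trick (a trusted name embedded in a longer domain, a `user@` prefix, punycode look-alike characters) made a rejected URL resemble the real one.

```python
from urllib.parse import urlsplit

# Constructed, hypothetical: hosts we have verified as our provider's real login pages.
TRUSTED_HOSTS = {"login.example.com", "accounts.example.com"}


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for https on an exactly trusted host."""
    parts = urlsplit(url.strip())
    host = parts.hostname            # lower-cased; port and any user@ part removed
    if host is None:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if host in TRUSTED_HOSTS:
        return True, "exact trusted host"

    # Everything below is a rejection; we only classify why the URL looked legitimate.
    if parts.username is not None:
        # https://login.example.com@evil.net/ : the real host is after the '@'
        return False, f"user@ prefix hides the real host {host!r}"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised domain: visually similar characters, different domain
        return False, f"punycode host {host!r} (look-alike characters)"
    for trusted in TRUSTED_HOSTS:
        if trusted in host:
            # https://login.example.com.evil.net/ : our name is just a subdomain label
            return False, f"trusted name {trusted!r} embedded in unrelated host {host!r}"
    return False, f"unknown host {host!r}"


if __name__ == "__main__":
    # Constructed sample URLs
    for u in ("https://login.example.com/auth",
              "http://login.example.com/auth",
              "https://login.example.com.evil.net/auth",
              "https://login.example.com@evil.net/",
              "https://xn--exmple-cua.com/login"):
        print(check_login_url(u), "<-", u)
```

The key design choice is exact matching against a list we fixed in advance: any heuristic that tries to "score" how similar a host looks to the real one can be gamed, whereas an exact match cannot.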
MFA by persistence (MFA fatigue)
This attack consists of sending the user repeated login push notifications through their MFA application until, by mistake or out of fatigue, the user ends up accepting one without really evaluating whether or not they requested it.
What can we do as users?
- Always check whether access has been requested. Have we recently sent an access request that requires 2FA?
- Always evaluate the IP from which this request is being received. Does it match ours?
- It is advisable to change your password in these cases.
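From the provider's or the security team's side, the same pattern is visible in the authentication logs: a burst of push challenges for one account inside a short window, sometimes followed by an approval. The example below is added here and is not code from the original article; the log format and the sample lines are constructed, and the window and threshold values are arbitrary assumptions that a real deployment would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): "<timestamp> <user> <event> <source_ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice push_sent 203.0.113.7
2024-05-01T08:00:20Z alice push_denied 203.0.113.7
2024-05-01T08:00:45Z alice push_sent 203.0.113.7
2024-05-01T08:01:10Z alice push_sent 203.0.113.7
2024-05-01T08:01:40Z alice push_sent 203.0.113.7
2024-05-01T08:02:05Z alice push_approved 203.0.113.7
2024-05-01T08:03:00Z bob push_sent 198.51.100.9
2024-05-01T08:03:15Z bob push_approved 198.51.100.9
"""

WINDOW = timedelta(minutes=5)   # assumption: sliding window per user
THRESHOLD = 3                   # assumption: pushes inside WINDOW before we flag


def parse_line(line: str):
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip


def detect_push_fatigue(log_text: str, window=WINDOW, threshold=THRESHOLD) -> list[dict]:
    """Return one alert per user burst: {"user", "ip", "pushes", "approved"}.

    "approved" is True when the user accepted a push while the burst was still
    open, which is the case that needs immediate response (session review,
    password and MFA reset).
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    active = {}                   # user -> alert dict while a burst is open
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:       # expire sends that left the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                if user not in active:
                    active[user] = {"user": user, "ip": ip, "pushes": 0, "approved": False}
                    alerts.append(active[user])
                active[user]["pushes"] = len(q)
        elif event == "push_approved" and user in active:
            active[user]["approved"] = True   # accepted during a burst: highest priority
            active.pop(user)                  # burst resolved (badly)
        if not q and user in active:
            active.pop(user)                  # burst aged out without approval
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed log, only `alice` is flagged (four pushes in under two minutes, then an approval); `bob` receives a single push and approves it, which is normal behaviour and produces no alert. The same counter is also the natural place to rate-limit push challenges on the server side, so that the user never sees the fourth or fifth prompt at all.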
SIM exchange or SIM swapping
In this case, the attackers manage to convince the telephone operator to move our phone number to a SIM they control, the number that receives our SMS second factor, and with this they receive every MFA code sent through that channel.
What can we do as users?
- Avoid MFA by SMS at all costs. Currently, most providers allow the configuration of other authentication factors.
MFA reconfiguration through weak security questions
This last attack is based on what we know as ‘social engineering’. We publish personal information on social networks, often without realising who has access to it. In this case, the attacker will be able to collect our personal information and correctly answer the security questions to reset the MFA.
What can we do as users?
- One of the main recommendations will always be to select another recovery method that does not depend on personal questions.
- If this is not possible, we must choose answers that cannot be deduced from the information we have made public.
The second authentication factor remains one of the main steps in protecting our accounts, but as we have seen throughout this article, it is not the only one. As users, we have a responsibility to be aware of the different types of scams we may encounter.
We have seen that many attacks against MFA are not strictly based on technology, but also on human error. A poorly managed second factor can give us a false sense of security and leave us exposed.