Why even multi-factor authentication is vulnerable

Business users are often unaware that even MFA, widely regarded as secure, does not offer 100% protection. Cybercriminals have developed attack methods such as cookie theft, real-time phishing and MFA fatigue attacks with which they bypass multi-factor authentication in companies as well.

Until recently, multi-factor authentication (MFA) was considered the gold standard for logging on securely to applications, servers, services or even networks remotely. Cybercriminals, however, have not remained idle: they keep developing methods and tricks to get around the extra protection an MFA solution provides. Usually they do not attack the MFA-protected login itself but find alternative ways around it, and they exploit human weaknesses as well.

How multi-factor authentication works

Multi-factor authentication adds another factor to the classic login with username and password. The first factor is something the user knows, for example a password or a PIN; these are frequently stolen and sold on the Internet. The second factor is something only the user possesses, for example a mobile phone with a pre-configured authenticator app that generates time-based one-time passwords (TOTP). The authentication service grants access only if the correct TOTP is also entered during login.
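To make the second factor concrete, here is an added example (not code from the original post) of how an authenticator app derives a TOTP and how the service verifies it, following RFC 4226/6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits. The shared secret used is the RFC 6238 reference test secret; the one-step skew window and the "last used counter" replay check are server-side choices assumed here.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned into the authenticator app at enrolment.
# This is the RFC 6238 reference test secret, used here so the values are checkable.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: what the authenticator app shows = HOTP(time // step)."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1, step: int = 30):
    """Server-side check (assumed policy). Accepts the current step and
    +/- `window` steps to absorb clock skew, compares in constant time, and
    returns the matched counter (or None). Any counter not newer than
    `last_used_counter` is rejected, so a code that was captured and replayed
    within the same 30-second step is refused after its first use."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c > last_used_counter and hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None

if __name__ == "__main__":
    t = 59                                  # RFC 6238 test time
    code = totp(SECRET, t)                  # "287082"
    print("app shows:", code)
    print("server accepts:", verify_totp(SECRET, code, t))                       # 1
    print("replay refused:", verify_totp(SECRET, code, t, last_used_counter=1))  # None
```

Note what the check does not do: nothing in it ties the code to the browser or site where it was typed. A code that the user enters into a phishing page within the validity window is just as acceptable to the server as one entered on the real site, which is exactly the gap the attacks below exploit.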

How can cybercriminals circumvent a secure authentication method that sounds great on paper? They use new tricks such as cookie theft, real-time phishing and MFA fatigue attacks, among other things.

What is cookie theft

Cookie theft and real-time phishing are two methods of attacking MFA that pursue the same goal. The principle is simple: the criminals want the user's session cookie. The server sets this cookie in the browser after an MFA-protected login so that the user does not have to authenticate again every few clicks; on every subsequent request the server merely checks that a valid session cookie is present. Whoever presents the cookie is treated as the user, so an attacker who obtains it can assume the user's identity, for example to steal, manipulate or delete data.

The easiest way to steal cookies is with a trojan (an infostealer). It monitors the browser unnoticed and becomes active when the user logs into a service the criminals are interested in; it then copies the session cookie. The attacker imports the cookie into their own browser with an add-on and is logged in to the service without going through the login process and without touching the MFA at all.

There is now a flourishing trade in session cookies and browser fingerprints on the dark web, and law enforcement knows it. In April 2023 several agencies led by the FBI took down the illegal marketplace "Genesis Market" in "Operation Cookie Monster". According to the British National Crime Agency (NCA), more than 80 million access credentials and digital fingerprints belonging to more than two million people were traded there. The Dutch police, who also took part in the operation, offer an online check on their website with which anyone can find out whether their data appeared on Genesis Market.

What happens with real-time phishing

Real-time phishing also aims at the session cookie, but instead of stealing it from the victim's machine the criminals place a proxy between the victim and the website to intercept it. Real-time phishing is essentially an adversary-in-the-middle attack. The attacked website no longer needs to be cloned: the attacker's proxy fetches the real pages from the original site and forwards them to the victim, and forwards everything the victim enters, including the one-time code, back to the website. The proxy works in both directions.

The attackers can read the entire traffic, including the credentials entered, and they obtain the session cookie the website issues after the successful login, which they then use for their own purposes. The victim usually notices nothing. TLS does not help here: the victim's encrypted connection ends at the proxy, which presents its own valid certificate for the phishing domain, and the proxy opens a separate encrypted connection to the real site. Only a second factor that is cryptographically bound to the website's origin, as with FIDO2/WebAuthn passkeys, cannot be relayed in this way.
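The following is an added example (not code from the original post) modelling the outcome of both attacks above on a toy session layer. It shows why a stolen cookie works: the server checks only that the token exists. It then adds the one check a practitioner would reach for, binding the session to the client context seen at login, and shows that this catches a cookie copied by an infostealer but not a cookie obtained by a real-time phishing proxy, because in that case the server saw the proxy's context from the very first request. The `WebApp` class, the context binding by IP and User-Agent, and the sample addresses are all assumptions for the demonstration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    context: str    # hash of client IP + User-Agent observed at login
    created: float

def client_context(ip: str, user_agent: str) -> str:
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

class WebApp:
    """Toy MFA-protected application (assumed). Only the session layer is
    modelled; login() is called after password and TOTP have already been verified."""
    MAX_AGE = 8 * 3600   # absolute session lifetime in seconds (assumed policy)

    def __init__(self):
        self.sessions: dict = {}
        self.alerts: list = []

    def login(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, client_context(ip, user_agent), time.time())
        return token   # reaches the browser as Set-Cookie: session=<token>

    def request(self, cookie: str, ip: str, user_agent: str, bind: bool = False):
        """Returns (status, user). With bind=False this is the common
        implementation: whoever holds the cookie is the user. With bind=True
        a cookie presented from a different client context is revoked."""
        s = self.sessions.get(cookie)
        if s is None or time.time() - s.created > self.MAX_AGE:
            return 401, None
        if bind and s.context != client_context(ip, user_agent):
            self.alerts.append(f"session of {s.user} presented from a new client context")
            del self.sessions[cookie]          # force a fresh MFA login
            return 401, None
        return 200, s.user

VICTIM = ("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/118")     # constructed
ATTACKER = ("198.51.100.7", "Mozilla/5.0 (X11; Linux) Firefox/119")       # constructed

def cookie_theft_demo():
    """Infostealer copies the cookie from the victim's browser; attacker imports it."""
    app = WebApp()
    cookie = app.login("alice", *VICTIM)                 # alice passed password + TOTP
    unbound = app.request(cookie, *ATTACKER)             # (200, 'alice'): hijack works
    bound = app.request(cookie, *ATTACKER, bind=True)    # (401, None) and an alert
    return unbound, bound, app.alerts

def realtime_phishing_demo():
    """Adversary-in-the-middle: alice types password + TOTP into the phishing page,
    the proxy relays them to the real app. The app only ever sees the proxy's
    context, so the cookie is bound to the attacker from the start."""
    app = WebApp()
    cookie = app.login("alice", *ATTACKER)               # relayed, valid login
    return app.request(cookie, *ATTACKER, bind=True)     # (200, 'alice'): binding is blind

if __name__ == "__main__":
    print("cookie theft:", cookie_theft_demo())
    print("real-time phishing:", realtime_phishing_demo())
```

Binding a session to IP and User-Agent is a coarse heuristic (mobile users change addresses, browsers update), so in practice it is used as an alert and step-up trigger rather than a hard block; the point of the second function is that no session-side check can help once the attacker is the one the server authenticated.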

MFA fatigue attacks are tiresome

MFA fatigue attacks take a completely different approach: they test the victim's patience. Criminals repeatedly try to log into an MFA-protected account with stolen credentials. Each attempt triggers an MFA approval prompt on the victim's smartphone, as a push notification or an SMS.

The criminals count on the user not accepting these prompts at first but giving in eventually. The trap snaps shut as soon as the victim approves a login attempt by mistake, or simply to make the notifications stop. Microsoft, whose experts warned of MFA fatigue attacks as early as 2022, reports that about one percent of users accept such a request on the very first attempt.
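MFA fatigue leaves a clear trace in the identity provider's logs: a burst of push prompts that are denied or time out, sometimes followed by an approval. The following added example (not from the original post) runs a sliding-window detection over constructed sample log lines; the log format, the threshold of three unapproved prompts in ten minutes and the severity labels are all assumptions, to be adapted to the real IdP's export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed key=value format; a real IdP export will differ.
SAMPLE_LOG = """\
2023-11-02T08:30:01Z user=bob event=mfa_push result=denied src=198.51.100.7
2023-11-02T08:30:35Z user=bob event=mfa_push result=timeout src=198.51.100.7
2023-11-02T08:31:10Z user=bob event=mfa_push result=denied src=198.51.100.7
2023-11-02T08:31:52Z user=bob event=mfa_push result=timeout src=198.51.100.7
2023-11-02T08:32:20Z user=bob event=mfa_push result=denied src=198.51.100.7
2023-11-02T08:33:05Z user=bob event=mfa_push result=approved src=198.51.100.7
2023-11-02T08:40:00Z user=carol event=mfa_push result=approved src=203.0.113.10
2023-11-02T09:15:00Z user=bob event=mfa_push result=approved src=203.0.113.55
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def detect_mfa_fatigue(log: str, threshold: int = 3, window_min: int = 10):
    """Per user, keep the timestamps of prompts that were NOT approved within a
    sliding window. Reaching `threshold` raises a medium alert (someone is
    hammering the account with the right password). An approval while such a
    burst is open is the case that matters: the victim gave in, high severity.
    Returns a list of (severity, user, src, message) tuples."""
    recent = defaultdict(deque)   # user -> deque of unapproved prompt times
    burst_open = set()
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, result, src = m["user"], m["result"], m["src"]
        q = recent[user]
        while q and ts - q[0] > timedelta(minutes=window_min):
            q.popleft()          # expire prompts outside the window
        if not q:
            burst_open.discard(user)
        if result != "approved":
            q.append(ts)
            if len(q) >= threshold and user not in burst_open:
                burst_open.add(user)
                alerts.append(("medium", user, src,
                               f"{len(q)} unapproved MFA prompts within {window_min} min"))
        else:
            if user in burst_open:
                alerts.append(("high", user, src,
                               "approval after prompt burst: possible MFA fatigue success"))
                burst_open.discard(user)
            q.clear()            # an approval ends the episode either way
    return alerts

if __name__ == "__main__":
    for sev, user, src, msg in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"[{sev}] {user} from {src}: {msg}")
```

On the sample this yields one medium alert for bob at 08:31 and one high alert when he approves at 08:33, while carol's single approval and bob's normal login at 09:15 stay quiet. Detection is the second line of defence; the first is to rate-limit push prompts per account and to require the user to type a number shown on the login screen (number matching) so that a blind tap on "Approve" no longer completes the attacker's login.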

In a nutshell:

The attack methods described do not change the fact that companies and private users should continue to use multi-factor authentication for all sensitive accounts: it still makes it much harder for criminals to break into other people's accounts. But as we have shown, MFA does not offer 100% protection. This is why passkeys, as recently introduced by Google for two billion accounts, are in high demand. It will, however, take some time before passkey authentication is widely adopted.

Until then, be aware of the remaining risks of MFA login and keep your own login details safe in case of an emergency. Read more about this in our blog post "How to switch to secure two-factor authentication".
