
Memcyco Blog



Why MFA is Not Enough to Fight ATO and How Memcyco Can Help


Multi-Factor Authentication (MFA) has long been considered a robust security measure, with Microsoft research showing it can block 99.9% of automated attacks. However, recent data indicates that sophisticated attackers have developed numerous techniques to bypass MFA, making it insufficient as a standalone defense against Account Takeover (ATO) attacks.

The Growing Limitations of MFA

Recent statistics paint a concerning picture:

The reason for these numbers is the set of MFA-bypass techniques attackers have developed, most of which do not break the second factor itself but instead trick the user, the carrier, or the login flow into handing it over. Let's examine the common types of MFA and the weaknesses of each.

Common MFA Techniques and Their Vulnerabilities

SMS-Based Authentication 

How it works:

A one-time code is sent via text message to the user’s registered phone number. The user must enter this code along with their password to gain access.

Bypass Methods:

  • SIM swapping: Attackers convince the mobile carrier to transfer the victim's phone number to a SIM they control, so the SMS codes are delivered to them
  • Social engineering: Attackers trick users into reading out or forwarding the verification code
  • Real-time (adversary-in-the-middle) phishing that captures the password and the SMS code and forwards both to the real site before the code expires

Real-life Example:

In 2019, Twitter CEO Jack Dorsey's account was compromised through a SIM swap, which redirected the SMS codes protecting the account to the attackers (https://www.cyberark.com/resources/blog/why-shutting-off-sms-2fa-makes-sense).

Similarly, in 2024, the SEC's Twitter account was compromised when attackers performed a SIM swap to gain control of the phone number associated with the account (https://duo.com/decipher/sec-sim-swapping-attack-led-to-twitter-account-compromise).

Push Notifications

How it works:

Users receive a push notification on their mobile device to approve or deny a login attempt through an authenticator app.

Bypass Methods:

  • MFA fatigue attacks: Overwhelming users with repeated authentication requests until one is approved
  • Social engineering: Impersonating IT support to convince users to approve the request

Real-life Example:

Uber suffered a significant breach in 2022 when attackers used MFA fatigue to overwhelm a contractor with push notifications until they eventually approved one (https://www.beyondidentity.com/resource/the-top-10-mfa-bypass-hacks).
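To make the fatigue pattern concrete, here is an added example (not code from the page or from Memcyco) of detection logic run over constructed authentication events: for each user it slides a window over push prompts and reports bursts, noting whether a denial was followed by an approval in the same window, which is the signature of a successful fatigue attack. The JSON field names (`ts`, `user`, `event`) and the event names are assumptions rather than any particular identity provider's schema; map them to the push-approval events your IdP actually emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field and event names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:10:05Z", "user": "alice", "event": "push_sent"}
{"ts": "2024-05-01T02:10:20Z", "user": "alice", "event": "push_denied"}
{"ts": "2024-05-01T02:10:40Z", "user": "alice", "event": "push_sent"}
{"ts": "2024-05-01T02:11:10Z", "user": "alice", "event": "push_sent"}
{"ts": "2024-05-01T02:11:50Z", "user": "alice", "event": "push_denied"}
{"ts": "2024-05-01T02:12:30Z", "user": "alice", "event": "push_sent"}
{"ts": "2024-05-01T02:13:05Z", "user": "alice", "event": "push_sent"}
{"ts": "2024-05-01T02:13:40Z", "user": "alice", "event": "push_approved"}
{"ts": "2024-05-01T09:00:00Z", "user": "bob",   "event": "push_sent"}
{"ts": "2024-05-01T09:00:12Z", "user": "bob",   "event": "push_approved"}
"""

WINDOW = timedelta(minutes=10)   # assumed tuning values; adjust to your environment
PROMPT_THRESHOLD = 4             # prompts inside one window before it counts as bombing


def parse(log_text: str):
    """Parse one JSON object per line and return the events in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(log_text: str, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Per user, slide a window over push_sent events. When the count in a window
    reaches the threshold, emit one alert for that burst with the number of
    denials and whether the burst ended in an approval after a denial."""
    by_user = defaultdict(list)
    for event in parse(log_text):
        by_user[event["user"]].append(event)

    alerts = []
    for user, events in by_user.items():
        sent = [e["ts"] for e in events if e["event"] == "push_sent"]
        for i, start in enumerate(sent):
            in_window = [t for t in sent[i:] if t - start <= window]
            if len(in_window) < threshold:
                continue
            end = start + window
            outcomes = [e["event"] for e in events
                        if start <= e["ts"] <= end
                        and e["event"] in ("push_denied", "push_approved")]
            alerts.append({
                "user": user,
                "window_start": start.isoformat(),
                "prompts": len(in_window),
                "denials": outcomes.count("push_denied"),
                # A denial followed by an approval inside the burst is the
                # classic "user gave in" pattern and should page someone.
                "approved_after_denial": "push_denied" in outcomes
                                         and outcomes[-1] == "push_approved",
            })
            break  # one alert per user per burst is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Detection like this is a backstop, not the fix: the fix is to stop the prompts from being approvable blindly, by enabling number matching (the user must type a number shown on the login screen into the app) and by throttling how many push prompts a single account can receive per minute. Alerting on the "denied then approved" pattern is still worth having because it catches the cases where the attacker also phones the user pretending to be IT.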

Time-Based One-Time Passwords (TOTP)

How it works:

An authenticator app generates time-sensitive codes that change every 30 seconds (some deployments use 60). Both the app and the server derive each code from a shared secret key and the current time step, so the server can check a submitted code without any network contact with the phone.

Bypass Methods:

  • Adversary-in-the-middle (AitM) phishing: a reverse proxy sits between the victim and the real site and relays the login in real time
  • Capture-and-relay of the code: because the code is valid for the rest of its time step (plus whatever clock skew the server tolerates), a phished code forwarded within seconds is accepted as genuine
  • Response tampering: malware or a malicious browser component alters the authentication response the client sends or receives

Real-life Example:

Attackers have used tools like Evilginx to create sophisticated phishing sites that intercept both credentials and authenticator codes in real-time, successfully bypassing app-based MFA (https://abnormalsecurity.com/blog/cybercriminals-evilginx-mfa-bypass)

Hardware Security Keys

How it works:

Physical devices such as USB or NFC keys that must be present and connected to authenticate. FIDO2/WebAuthn keys hold a private key that never leaves the device and sign a server challenge together with the origin of the site the browser is actually on, which is what makes them resistant to the relay attacks that defeat codes.

Bypass Methods:

  • Social engineering or theft to obtain the physical key, or to get a new key enrolled through the help desk
  • Exploiting implementation vulnerabilities in the authentication protocol or the relying party's verification code
  • Man-in-the-browser attacks using malicious browser extensions that act after the key has authenticated the session

Real-life Example:

According to Vectra's analysis, the Lapsus$ group bypassed hardware-based MFA at multiple organizations by exploiting OAuth weaknesses and using sophisticated social engineering (https://www.vectra.ai/resources/mfa-bypass-attack). The lesson is that the key's cryptography is rarely attacked directly; the weak points are the enrollment, recovery and help-desk processes around it.

Biometric Authentication

How it works:

Uses unique physical characteristics like fingerprints, facial recognition, or iris scans to verify identity.

Bypass Methods:

  • Presentation attacks using high-quality photos or 3D prints
  • Exploiting sensor vulnerabilities
  • Manipulating the authentication response at the API level

Real-life Example:

In 2023, the GoldPickaxe malware, developed by a suspected Chinese hacking group called “GoldFactory,” successfully bypassed biometric authentication in banking apps through a combination of:

The Promise and Weakness of Passwordless Authentication

FIDO2 passkeys, a form of passwordless authentication, promise to eliminate credential-harvesting phishing: the authenticator signs a server challenge with a private key that never leaves the device, and the signature is bound to the site's origin, so a phishing domain cannot obtain a response that the real site will accept. Facial recognition, a fingerprint or a PIN only unlock that key locally. Passwordless solutions are still not without weaknesses. One recurring theme is that passwordless systems continue to rely on passwords or other weaker methods for first-time device setup and for recovery when a device is lost, broken, or replaced, and an attacker who can steer the user onto that fallback never has to defeat the passkey at all. Joe Stewart, Principal Security Researcher with eSentire's Threat Response Unit (TRU), demonstrated this with an authentication method redaction attack, in which an adversary-in-the-middle phishing page removes the passkey option from the login flow so the victim falls back to a phishable method (https://www.esentire.com/blog/securing-passkeys-thwarting-authentication-method-redaction-attacks).

More details on passkey vulnerabilities can be found at https://www.memcyco.com/library/fido2-passwordless-authentication-the-end-of-credentials-phishing-attacks/
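The phishing resistance of hardware keys and passkeys, both FIDO2/WebAuthn, comes from origin binding, and this added example (not code from the page or from Memcyco) shows the relying-party checks that defeat the relay which works against TOTP. To run on the standard library, the authenticator's ECDSA signature is replaced by an HMAC with a per-credential secret that the relying party also holds; in real WebAuthn the relying party verifies with the credential's public key, but the data that is signed (authenticatorData followed by the SHA-256 of clientDataJSON) and the checks performed on it are the same. `RP_ID`, the origins and the challenge are constructed, and the derivation of the RP ID from the page origin is simplified to the host name.

```python
import hashlib
import hmac
import json
import os
import struct

RP_ID = "login.example.com"               # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"   # the only origin the RP accepts


class Authenticator:
    """Stand-in for a FIDO2 key. A real key holds an EC private key and signs
    with ECDSA; here the signature is an HMAC with a per-credential secret so
    the example runs offline. What is signed is the same as in WebAuthn."""

    def __init__(self):
        self.key = os.urandom(32)
        self.counter = 0

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        self.counter += 1
        # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || counter
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + struct.pack(">I", self.counter))
        sig = hmac.new(self.key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_sign(authn: Authenticator, page_origin: str, challenge: str) -> dict:
    """What the browser does: rp_id and origin come from the page the user is
    really on, not from anything the page claims. A phishing proxy at
    https://login-example.com therefore gets rp_id 'login-example.com'."""
    rp_id = page_origin.split("://", 1)[1]  # simplified: real browsers validate RP ID against the origin
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data, sig = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(assertion: dict, expected_challenge: str, cred_key: bytes, last_counter: int):
    """Relying-party checks in the order WebAuthn specifies them. Returns (ok, reason)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "bad challenge"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    auth_data = assertion["auth_data"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:
        return False, "counter replay"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """A legitimate login, an AitM relay from a look-alike origin, and the same
    relay with clientDataJSON patched to claim the real origin."""
    authn = Authenticator()
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; the RP issues a fresh random one per login
    legit = browser_sign(authn, RP_ORIGIN, challenge)
    ok, _ = rp_verify(legit, challenge, authn.key, 0)
    # The proxy forwards the RP's real challenge to the victim, who signs it on
    # the phishing origin. The relayed assertion fails the origin check.
    phish = browser_sign(authn, "https://login-example.com", challenge)
    _, why_phish = rp_verify(phish, challenge, authn.key, 0)
    # Patching clientDataJSON to claim the real origin does not help: the
    # authenticator already bound the signature to the phishing RP ID.
    patched = dict(phish)
    patched["client_data"] = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                         "origin": RP_ORIGIN}, separators=(",", ":")).encode()
    _, why_patched = rp_verify(patched, challenge, authn.key, 0)
    return {"legit": ok, "phish": why_phish, "patched": why_patched}


if __name__ == "__main__":
    print(demo())
```

Two things follow from this. First, an Evilginx-style proxy cannot relay a passkey assertion, because the browser, not the page, fills in the origin and RP ID, and any edit to clientDataJSON invalidates the signature. Second, the method redaction attack works precisely because it never invokes this code path: the proxy hides the passkey option and the user falls back to a password and a code that can be relayed. The corresponding relying-party control is to refuse weaker fallback methods, or require a higher-assurance recovery, for accounts that have a passkey enrolled.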

How Memcyco Helps Prevent Account Takeover (ATO)

Account Takeover (ATO) is a growing cyber threat where attackers gain unauthorized access to user accounts, often bypassing traditional security measures like Multi-Factor Authentication (MFA). Memcyco provides a multi-layered solution to combat ATO with advanced detection, prevention, and mitigation capabilities.

Key Capabilities

1. Real-Time Phishing Detection

  • Real-time alerting: Memcyco detects phishing sites and issues instant alerts to users and to the organization.
  • Decoy Credentials: Prevent attackers from using stolen data by feeding fake credentials and exposing their activities.
  • Threat Intelligence: Identifies and flags suspicious domains or phishing campaigns proactively.

2. Advanced Device Tracking

  • Device DNA: Assigns unique IDs to user devices, building trust histories and flagging suspicious devices.
  • High-Risk Assessments: Devices involved in phishing, credential stuffing, or brute-force attacks receive enhanced scrutiny.

3. Session Monitoring and Protection

  • Tracks session parameters (IP, geolocation, and proxies) to identify anomalies and terminate or revalidate compromised sessions.
  • Detects and blocks session hijacking attempts.

4. Automated Defense Against Credential Attacks

  • Identifies repeated login attempts from suspicious devices or IPs.
  • Blocks brute-force and credential stuffing attacks in real time.

5. Adaptive Security

  • Adjusts security thresholds dynamically during high-risk periods.
  • Correlates phishing events with new device logins to block unauthorized access.

6. Offensive Measures

  • Deception Campaigns: Disrupt attackers with marked, fake data to mislead and expose them.
  • Automated Takedowns: Rapidly removes phishing sites, malicious emails, and rogue apps.

Why Memcyco Stands Out

Memcyco’s unique integration of defensive, offensive, and adaptive security ensures comprehensive ATO protection. By preventing phishing, identifying suspicious activities, and blocking unauthorized access, Memcyco not only safeguards accounts but also disrupts attacker operations, delivering unmatched digital security for businesses and customers alike.

Arthur Zavalkovsky

VP of Product at Memcyco
