MFA ain't fool-proof

Yesterday, I wrote about security psychology and social engineering. This morning, I got a cryptic error from my email service provider when I tried to load my inbox. The message was purely technical, something about a reset, and I could not make sense of it; the end result was that I could not view my mail page. My heart skipped a beat as I worried that my email account had been hacked! Fortunately, it was a technical glitch on the service provider's side, probably caused by an overload on their server, and the issue resolved itself after a few minutes. That prompted me to think about some insecure MFA practices we follow in our day-to-day life, and I concluded that MFA ain’t fool-proof!

MFA (multi-factor authentication) adds a second check to the username and password: after the password is entered and verified, the service sends an OTP or a text message to another device, such as a cell phone, and I must enter that code to prove that I am indeed the authenticated owner of the account. Although MFA is better than no additional authentication at all, humans can be tricked and MFA nullified for various reasons. MFA is not the total solution for security; it has its loopholes.

Here are some ways in which MFA can fail if the user is not careful. These are social engineering attacks:

  • Being fooled by a message sent to your mobile and clicking a link that leads to the attacker’s website, which imitates a genuine website, and then entering private information or keys on that imitation page
  • Receiving an OTP by email when the email account itself has already been hacked
  • Clicking a link on the Internet that you don’t trust

There are other things we normally do, for convenience or out of laziness, which could also lead to security breaches:

  • Allowing your service provider to read SMS messages sent to your mobile
  • Staying logged in to your account instead of logging out every time

Text-based or email-based MFA is not totally secure. Authenticator apps (like Authy) provide some more security, but since the app is installed on your device, if your device is stolen the authenticator fails as well unless you have secured the app with a key that the attacker does not know.

To conclude, social engineering is a complex topic left to the ingenuity of the user and the attacker. We can only be as careful as possible, but incidents still happen. MFA ain’t fool-proof and is not immune to these attacks.

To discuss your organisation’s software quality needs, feel free to get in touch with me.