No matter how many controls a company uses to protect its data, attackers inevitably find ways around them, using advanced tools and exploiting poor password practices to compromise accounts more easily than ever. MFA can better confirm the identity of a user, helping reduce the risk of a security breach. Microsoft stated that MFA can block 99.9% of account compromise attacks. However, attackers are finding new ways to also bypass MFA. In this article, we'll look at what MFA is, how attackers are getting around it, and how that impacts cybersecurity.

MFA Reduces Vulnerability To Certain Types Of Cyber Attacks

MFA uses more than one step to verify a user. In a basic set-up, a security system will request a single credential to match with a user. Most traditionally, this looks like a password submitted with a user ID. However, anyone with the user ID and password can also access that account--and all the data within. Adding another authentication factor can mitigate that risk by verifying a user more thoroughly. For example, after using a password to log in, a bank account security system may ask for a code it texts the user or request one generated by an authentication app. Even if an attacker has the password, they don't have access to the user's phone, which blocks them from accessing the account. Another popular factor uses biometrics, like a fingerprint, to verify users.

Using MFA reduces the risk of a compromised account, especially when users don't follow secure practices like creating unique passwords for every account. Hackers can purchase lists of stolen passwords on the black market or acquire them from breaches of other organizations. When people reuse passwords across multiple platforms, it then increases the likelihood a hacker can gain unauthorized access to multiple accounts. This hacking technique, called credential stuffing, has up to a 2% success rate according to an article in the Harvard Business Review. With 1 million stolen passwords, an attacker could potentially compromise 20,000 accounts. MFA helps reduce this risk by requiring authentication beyond a single password--which attackers cannot get through credential stuffing alone. For this reason, MFA measures are increasingly common at many companies.

Cyber Attacks Are Evolving To Thwart MFA

Despite its effectivity, MFA can still be vulnerable. In 2018, US-based cyber security firm Mandiant Inc. demonstrated a process to bypass MFA. It released ReelPhish, a tool that allows someone to capture authentication information that includes MFA data.

Lack of awareness and poor security behaviors can undermine the additional protection that MFA provides. In May 2022, Cisco Systems Inc. disclosed that it was the victim of an attack. It determined that an employee was compromised after an attacker gained control of a personal Google account. The attacker used the credentials stored in that account to send a flood of push notifications to the employee, tricking them into accepting an MFA request. This method is called MFA fatigue.

Some criminal groups have even taken advantage of this by turning it into a business opportunity. The EvilProxy platform frames phishing as a service. It acts as a middleman between users and their intended internet destination. Much like ReelPhish, this allows EvilProxy to collect credentials and MFA data to take over the user's account. Users pay this professional-looking service upwards of $600 per month to bypass MFA-enabled accounts, some belonging to major brands like Apple Inc., Meta Platforms Inc., GoDaddy Inc., GitHub Inc., and Alphabet Inc.

EvilProxy not only enables MFA bypass of certain major brands, but it also targets developer sites such as Github and PyPI. When accounts on these platforms are compromised, attackers can potentially introduce malicious code into trusted software without anyone's knowledge. The developer sites unintentionally become distributors of malware, highlighting a type of third-party risk. In August 2022, PyPI, a well-known repository for Python software, announced that hackers were attempting to compromise developer accounts through phishing attacks. According to security firm Resecurity, it is possible that these attacks were using EvilProxy.

Bolstering Cyber Defenses With Awareness And Education

Although MFA is incredibly effective at minimizing risks associated with passwords, organizations need to acknowledge it's not invincible. Security controls should include layers of protection beyond MFA in case an attacker bypasses it. Organizations can take steps to investigate a brand-new device being used from unexpected locations, such as during the Cisco attack, when hackers added new devices under the compromised account. Groups can also weed out devices that do not meet their basic security requirements, leaving only valid, authorized technologies connected to their networks. Implementing network segmentation can reduce an attacker's ability to move around the network easily. Companies should also adequately log suspicious events, so that they can be fully investigated.

Lastly, companies should highlight these types of attacks to employees, preparing them to keep secure habits and avoid attacks such as MFA fatigue. Only with proper education can employees know to react to unexpected MFA requests or to scrutinize phone calls from unverified personnel who may be phishing for information. Employees should also understand what steps to take if they are a target of any such attacks.

Cyber Risk Management Can Impact Credit--Especially When It Falls Short

By itself, the presence or absence of MFA is unlikely to have credit rating implications. However, a lack of MFA can indicate potential deficiencies in an entity's operational risk management practices. Wider risk mismanagement can impact our assessment of governance practices and ultimately lower ratings.

We expect entities with robust operational risk management practices will continue to develop their controls and defenses as threats evolve to find new ways to bypass existing controls like MFA. We view this continuous improvement approach to cybersecurity as important for stable credit ratings, as it has implications for an entity's risk management practices and competitive position within a sector.

Related Research

S&P Global Ratings research

• Cyber Risk In A New Era: International Public Finance Is A Target, Jul. 19, 2022
• Cyber Brief: Reviewing The Credit Aspects Of Blockchain, May 5, 2022
• How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, Mar. 30, 2022
• Cyber Threat Brief: How Worried Should We Be About Cyber Attacks On Ukraine?, Feb. 22, 2022
• Cyber Threat Brief: A Log (4j) Has Been Added To The Fire, Dec. 17, 2021
• Cyber Risk In A New Era: The Increasing Credit Relevance Of Cybersecurity, Jul. 14 2021

Other research

• EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web, Resecurity, Sep. 5, 2022
• Cisco Talos Shares Insights Related To Recent Cyber Attack On Cisco, Talos Intelligence, Aug. 10, 2022
• One Simple Action You Can Take To Prevent 99.9 Percent Of Attacks On Your Accounts, Microsoft Security, Aug. 20, 2019
• ReelPhish: A Real-Time Two-Factor Phishing Tool, Mandiant, Feb. 7, 2018
• You Can't Secure 100% Of Your Data 100% Of The Time, Harvard Business Review, Dec. 4, 2017