Phishing schemes represent a pervasive threat in the digital landscape, exploiting trust to deceive individuals into divulging sensitive information. Multi-factor authentication (MFA) stands as a crucial defense mechanism. By adding layers of verification, MFA fortifies account security and deters potential attackers. It’s become an industry standard for protecting sensitive information online.
However, as phishing techniques evolve, traditional MFA methods face challenges. In an era where cyber threats loom large, solutions like Photolok offer a proactive defense against phishing, safeguarding sensitive information and bolstering digital resilience.
The Federal Trade Commission of the United States defines phishing as an online scam method that relies on the impersonation of a well-known or trusted source, usually a bank, internet service provider, mortgage or loan company, or other similar entity. Phishers will send an email, text message, or other message that closely resembles the authentic source’s communications, often including its logo and a covert email address that resembles the real thing. This message will ask the victim to follow a link or call a number to provide personal information such as an account number, name, phone number, password, social security number (SSN), or other identifying information. The information is then used by the phishers to access important accounts and use them to commit identity fraud or steal money.
The Federal Bureau of Investigation notes that these “spoofed” (faked or impersonated) profiles, emails, and websites are created with the sole purpose of stealing information and will often be extremely convincing. They’re intentionally manipulative, usually using a sense of false urgency – the threat of your account being suspended or legal action being taken, for example – to get you to act quickly without taking the time to verify the legitimacy of the claim.
Multi-factor authentication (MFA) is a process that adds a layer of action to access accounts, thereby increasing the account’s security. Some common forms of MFA include security questions, captcha tests, biometric verification (facial recognition or fingerprint scanning), and secondary device verification.
MFA helps to thwart phishing attempts in a couple of different ways. For one, a user who is used to seeing MFA prompts will be immediately suspicious if not asked for verification when entering information, making them more likely to update their security protocols before any negative action can be taken. If the scammer does get their information without their realizing it, however, MFA can stop them from accessing the account without the secondary piece of information. This gives the user more time to update their security protocols and alert the service that something is wrong.
Unfortunately, even as our security technology improves, phishing schemes are becoming more and more sophisticated and are beginning to bypass traditional MFA. Methods for doing so include push bombing (overloading a system with requests for credentials and using those weaknesses to reroute MFA to a scammer’s device) and SIM swap attacks (where an attacker taps into a mobile operator’s number porting functions and takes over the victim’s secondary device to receive their information that way).
It’s important to recognize these potential shortcomings of MFA and implement measures to combat them so that businesses can keep up with attackers and think ahead of them. This is especially true if you are working on an older system that hasn’t been updated to protect against modern threats like AI and machine learning attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has put out official guidelines for using MFA effectively for phishing attack defense. They recommend using phishing-resistant MFA, including public key infrastructure (PKI) based systems and FIDO/WebAuthn systems. An added benefit to using these systems is that attacks like push bombing and SIM swapping simply do not apply, and therefore can’t be effective.
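
To make concrete why FIDO/WebAuthn counts as phishing-resistant, the following added example (not code from CISA, Photolok, or this article) shows the origin, RP ID and challenge checks a relying party runs on a WebAuthn login assertion. The origin `https://login.example.com`, the RP ID `example.com`, the function names and the sample data are assumptions made for illustration, with `example.net` standing in for a look-alike site; signature verification with the stored credential public key is a separate, required step that is not shown.

```python
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"  # assumed relying-party origin
RP_ID = "example.com"  # assumed RP ID registered for that origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def binding_errors(client_data_json, authenticator_data, expected_challenge):
    """Return binding failures for a WebAuthn assertion; [] means these checks pass.
    Signature verification with the stored credential public key is still required."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        client = None
    if not isinstance(client, dict):
        return ["malformed clientDataJSON"]
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("wrong type")
    # The challenge is single-use and server-issued, so a replayed response fails.
    if client.get("challenge") != b64url(expected_challenge):
        errors.append("challenge mismatch")
    # The browser, not the page, writes origin, so a look-alike site cannot forge it.
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch")
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return errors + ["authenticator data too short"]
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        errors.append("user not present")
    return errors


def constructed_assertion(origin, rp_id, challenge):
    """Build sample (constructed) clientDataJSON and authenticator data for the demo."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return json.dumps(client).encode(), auth


if __name__ == "__main__":
    ch = b"server-issued-random-challenge"  # constructed; use os.urandom in practice
    print(binding_errors(*constructed_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(binding_errors(*constructed_assertion("https://login.example.net", "example.net", ch), ch))
```

An assertion produced while the user is on the wrong site carries that site's origin and RP ID hash, so the relying party rejects it even if the user was fully deceived.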
One effective MFA system is Photolok logon. Unlike conventional MFA logon methods that may rely on biometrics like facial recognition, fingerprints, etc., Photolok relies on a photo-based system that replaces passwords and does not require biometrics as a variable. Since passwords are the primary credentials that the attacker is trying to compromise, eliminating passwords stops them in their tracks. More importantly, since biometrics are permanent and can be easily compromised, they can lead to abuse and financial harm once compromised.
With Photolok, users select specific non-personal photos from Photolok’s photo library for their account. Each user account’s photos are proprietary-coded to prevent guessing and/or screen detection. Photolok’s defenses are designed to lock out intruders and protect against push bombing because of the billions of photo combinations. Even if another person is using some of the same photos, each photo is uniquely coded to the account user and their devices to prevent another person from entering their account. Quite simply, the unauthorized user and/or hacker will be locked out immediately by Photolok’s security barriers.
Photolok’s MFA approach offers heightened security compared to traditional MFA methods, including protections against AI/ML attacks, SIM-card swapping, and lateral penetrations. Photolok MFA effectively merges ultra-security with simplicity and ease of use. For more information about Photolok and how it can protect your company from phishing attacks, you can contact the sales team.