Is MFA Enough to Stop Adversary-in-the-Middle Attacks?

Multi-factor authentication (MFA) is rightly considered a security upgrade on single-factor approaches like a simple username and password. MFA does a great job of reinforcing traditional login credentials, and in turn, is very effective at stopping fraudsters who take advantage of easy prey – such as the 12% of consumers who use one single password for every account across multiple platforms. In situations like these, where fraudsters rely solely on stolen credentials to perpetrate their crimes, MFA methods like SMS and email OTPs are very effective at preventing account takeover (ATO).

But although MFA makes organizations – and their users – feel safe, cybercriminals are constantly evolving their technologies and practices to get around this additional layer of security. Some of these methods rely on driving MFA fatigue, but others are more insidious and seek to bypass the protection offered by MFA altogether. All of this means that, while MFA is a great way to reinforce login credentials like usernames and passwords, it may not be enough to stop the latest types of ATO.

The number of organizations that offer or even require MFA is growing, but in turn, cybercriminals are developing new, more sophisticated cyberattacks that can circumvent MFA. Worse, these attacks no longer require a high level of technical skill on the part of the fraudster. In fact, they are easier to perpetrate than ever.

Take Phishing as a Service (PhaaS) as an example. Phishing attacks and social engineering have played a role in ATO for a long time, but they have become more accessible than ever. PhaaS kits are easy to find online, inexpensive to download, and they include everything a fraudster needs to get started, including templates for phishing emails, target lists, and detailed instructions. With these end-to-end tools, even novice criminals can perpetrate sophisticated ATO schemes. Worse still, PhaaS technology was specifically developed with the sole purpose of conducting phishing campaigns that circumvent MFA.

One type of attack that these tools enable is known as Adversary-in-the-Middle (AitM). AitM attacks call accepted cybersecurity practices into question, because they can bypass most forms of MFA, meaning traditional MFA methods like SMS OTPs simply won’t cut it as a threat response. Let’s take a look at how these types of attacks circumvent MFA, and explore some solutions an organization can undertake to keep their users secure.

AitM is a type of Man-in-the-Middle attack (MitM) where a fraudster uses a reverse proxy server to position themselves between a user and an online service to steal user credentials, session tokens, and session cookies. Since fraudsters seamlessly mimic both users and online services in this dynamic, this attack vector circumvents traditional authentication processes like OTPs. Essentially, the phishing site sits between the victim and the service, so it can intercept the OTP flow in real time, along with the access token that results.

AitM attacks are conducted with the goal of intercepting MFA between users and authentication platforms. With this info in hand, fraudsters steal identities and orchestrate ATO. As such, successful AitM attacks are often just the first step in much larger crimes like business email compromise (BEC) where fraudsters use stolen credentials to conduct nefarious activities after penetrating a network. In some cases, bad actors even log in to user accounts and change MFA settings to avoid future detection.

As previously mentioned, AitM is part of the larger Phishing as a Service (PhaaS) landscape. 

Since criminals are supplied with AitM kits by other fraudsters in a PhaaS network, even novices can perpetrate sophisticated phishing attempts with AitM. This method doesn’t require the use of custom phishing websites built for the purpose of stealing credentials, and there are also a number of free tools available online that make the use of AitM phishing kits very convenient. 

As a fraudster doesn’t have to bother with building an entire phishing site to steal credentials, they can perform AitM fraud with very little technical knowledge. These attacks are an extremely attractive option for cybercriminals since they are both easy to perpetrate and difficult to detect.

While fraudsters are always looking for new ways to penetrate legitimate organizations and accounts to steal sensitive information, perpetrate financial fraud, and commit other crimes, identity solution providers like Ping work tirelessly to remain well ahead of the threat protection curve. Here are a few suggestions on how you can keep your organization and users safe from AitM attacks.  

Adopt a Threat Detection Tool That Can Spot AitM

A great starting point for preventing AitM is adopting a real-time threat detection tool like PingOne Protect that is engineered to stop ATO. Using intelligence-based policies that combine the results of key risk predictors, PingOne Protect monitors for unusual behavior throughout the user journey. By examining data from the user’s device along with network data, PingOne Protect can inspect authentication and registration requests to identify anomalies that indicate an AitM attack attempt.

With an appropriate threat detection tool in play, you can then build out a mitigation strategy for future AitM scams. 

Don’t Forget About AitM Mitigation 

Once you’ve successfully detected an AitM attack, mitigating these attacks is essential for protecting your organization. Remember, AitM attacks are often just the first step in much larger cybercrimes where fraudsters use stolen credentials and session tokens to access sensitive data. Proper fraud mitigation responses must function in real-time to block and lock the account to prevent further login attempts. Moreover, continuous monitoring will help maintain the integrity of network traffic moving forward. After all, cybersecurity isn’t static – as cyber threats evolve, defenses must do the same.

Go Passwordless with FIDO2

A surefire way to protect your organization against AitM attacks is to eliminate the use of traditional login credentials altogether. FIDO keys are a phishing-resistant MFA option, and moving away from passwords will help your organization be more secure – because whether your organization is targeted by AitM attacks or other forms of identity fraud, passwords are the #1 threat to your organization’s security. When you adopt a Passwordless solution with FIDO2 standards, you eliminate the vulnerabilities that come with traditional MFA methods like SMS OTPs. 

Many organizations have yet to transition away from the use of passwords, and the journey to passwordless may include multiple stops. If you are not ready to make the transition to passwordless now, it's a great long-term goal for future-proofing security measures.

While traditional MFA is an effective means for reinforcing the use of passwords, it is not enough to stop AitM attacks. Robust identity solutions like PingOne Protect and Passwordless are essential for safeguarding your organization against today’s sophisticated fraudsters.

However you choose to address AitM, it's essential that your detection and prevention strategies are integrated throughout the customer journey. Don't forget that fraudsters are always evolving their tactics, so partner with a solution provider like Ping Identity that will keep you well ahead of the curve.

Schedule a demo for PingOne Protect or Passwordless today!