Cybersecurity threat hits close to home: The dangers of MFA hijacking

Claire, an IT technician on a beautiful college campus, handles cybersecurity for faculty and staff. One fall afternoon, she receives a frantic call from a professor who suddenly can’t log in to their email account. Claire quickly realizes something is wrong when the system logs show multiple unauthorized login attempts, including some from overseas. When she asks, the professor recalls approving an unexpected MFA notification earlier that day, assuming it was a routine verification. Within minutes of that approval, the attacker had hijacked the account and gained access to sensitive student records and research files. The breach sends ripples through the campus, shaking the college’s reputation and causing panic among faculty and students alike. Claire knows that a single MFA hijack has put years of work and trust at risk, reminding her how crucial it is to stay vigilant. 

Understanding MFA 

Multi-factor authentication (MFA) provides an extra layer of protection beyond a password. By requiring a second form of verification, MFA aims to make it significantly harder for attackers to gain unauthorized access to accounts. However, as security measures evolve, so do cybercriminals’ tactics. One of the latest threats in this ongoing battle is MFA hijacking. Drake ITS staff have seen recent instances of MFA hijacking that have allowed attackers to compromise accounts. 

What is MFA Hijacking? 

MFA hijacking refers to compromising the multi-factor authentication process to gain unauthorized access to accounts or systems. This includes stealing authentication tokens, intercepting one-time passwords (OTPs) such as those sent via text message (SMS), or exploiting vulnerabilities in the MFA implementation itself. 

How MFA Hijacking Works 

  1. Phishing Attacks: One of the most common methods used in MFA hijacking is phishing. Attackers trick users into revealing both their credentials and the second authentication factor, often by creating fake login pages that mimic legitimate websites. When the user enters their username and password, the fake page forwards them to the real site in real time, which triggers a genuine MFA prompt; the user then types the one-time code into the fake page or approves the push notification, and the attacker is logged in before the code expires. 
  2. Man-in-the-Middle (MitM) Attacks: In a MitM attack, cybercriminals intercept the communication between the user and the authentication service to capture the authentication token or OTP and use it to log in as the legitimate user. 
  3. SIM Swapping: In this attack, the criminal convinces a mobile carrier to transfer the victim’s phone number to a SIM card controlled by the attacker. Once they have control of the victim’s phone number, they can receive the SMS-based OTPs and complete the MFA process. 
  4. Session Hijacking: Attackers may hijack an active session if they gain access to the cookies or tokens stored in a browser. This method bypasses the need for MFA entirely because the attacker can impersonate the user without re-authentication. 

Protecting Yourself Against MFA Hijacking 

While MFA remains a crucial security measure, it’s essential to understand that it’s not foolproof. Here are some strategies to help protect yourself against MFA hijacking: 

  1. Use Stronger MFA Methods: Use authentication methods less susceptible to hijacking, such as mobile applications using number matching. Avoid using SMS-based OTPs whenever possible, as they are particularly vulnerable to SIM swapping and interception. Number matching protects you from approving a prompt you did not start, but it does not help if you type your credentials into a fake page that relays them to the real site, so still check the address of the page you are signing in to. 
  2. Monitor for Anomalies: Regularly check the MFA options configured in your accounts to remove old devices and ensure unrecognized MFA methods have not been added. Hijackers will often add MFA authentication methods to an account to maintain the ability to log in in the future.  
  3. Report Suspicious Account Activity: As soon as you notice, tell ITS about any suspicious activity on your accounts, such as unexpected login attempts, changes to account settings, or notifications about unauthorized access. Early detection and reporting help mitigate potential damage and prevent further unauthorized access. 
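The check in step 2, done from the ITS side rather than by each user, as an added example that is not an ITS tool or part of the original article: a detection pass over a sign-in audit log that flags an account when an MFA method is registered shortly after a successful sign-in from a country the account has never used. The log lines, the event field names, the per-account baseline of known countries and the 30-minute window are all constructed assumptions for the demo.

```python
"""Flag MFA enrollments that follow a sign-in from a new country.
Constructed demo; field names are not any vendor's audit schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines, UTC timestamps, documentation IP ranges).
SAMPLE_LOG = """
{"ts": "2024-10-14T08:02:11Z", "user": "jdoe", "event": "signin", "result": "success", "country": "US", "ip": "203.0.113.10"}
{"ts": "2024-10-14T13:40:02Z", "user": "jdoe", "event": "signin", "result": "failure", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-10-14T13:41:30Z", "user": "jdoe", "event": "mfa_push", "result": "approved", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-10-14T13:41:31Z", "user": "jdoe", "event": "signin", "result": "success", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-10-14T13:47:05Z", "user": "jdoe", "event": "mfa_method_added", "method": "authenticator", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-10-14T09:15:44Z", "user": "asmith", "event": "signin", "result": "success", "country": "US", "ip": "203.0.113.22"}
{"ts": "2024-10-14T09:20:00Z", "user": "asmith", "event": "mfa_method_added", "method": "phone", "country": "US", "ip": "203.0.113.22"}
"""

# Countries each account signed in from over the previous 90 days (constructed).
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}}

WINDOW = timedelta(minutes=30)  # assumed: how soon after a new-country sign-in an enrollment is suspicious


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into event dicts, sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events: list[dict], baseline: dict, window=WINDOW) -> list[dict]:
    """One alert per MFA enrollment that follows a new-country sign-in within
    `window`, or that itself comes from a country outside the account's baseline."""
    known = defaultdict(set, {u: set(c) for u, c in baseline.items()})
    new_country_signins = defaultdict(list)  # user -> timestamps of first sign-ins from a new country
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "signin" and e["result"] == "success":
            if e["country"] not in known[user]:
                new_country_signins[user].append(e["ts"])
                known[user].add(e["country"])  # later sign-ins from there are no longer "new"
        elif e["event"] == "mfa_method_added":
            recent = [t for t in new_country_signins[user] if e["ts"] - t <= window]
            reasons = []
            minutes = None
            if recent:
                minutes = round((e["ts"] - recent[-1]).total_seconds() / 60, 1)
                reasons.append(f"enrolled {minutes} min after first sign-in from a new country")
            if e["country"] not in baseline.get(user, set()):
                reasons.append(f"enrollment came from {e['country']}, not in this account's baseline")
            if reasons:
                alerts.append({
                    "user": user,
                    "method": e["method"],
                    "ip": e["ip"],
                    "enrolled_at": e["ts"].isoformat(),
                    "minutes_after_new_country_signin": minutes,
                    "reasons": reasons,
                })
    return alerts


def run(text: str = SAMPLE_LOG, baseline: dict = BASELINE) -> list[dict]:
    return find_suspicious_enrollments(parse_log(text), baseline)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the sample log only jdoe is flagged: the `authenticator` method was added about five and a half minutes after the first successful sign-in from NG, and from NG itself; asmith's new phone was added from a country already in that account's baseline. The baseline is what keeps a user's first sign-in from a new-but-legitimate location (travel) from firing on its own; a real deployment would build it from history rather than a hard-coded dict.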

While MFA hijacking is a growing threat in the cybersecurity landscape, it doesn’t render MFA obsolete. It simply highlights the importance of staying informed about the latest threats. By understanding and remaining aware of the risks, you can reduce the likelihood of falling victim to MFA hijacking. 

–Chris Mielke, ITS