For years, a solid defense against cyber intrusion could be summed up in a couple of sentences: Don’t click on unknown links, and enable multi-factor authentication (MFA) on every account and system.
Those rules still hold, but new cybersecurity threats have complicated the equation. Today, sophisticated adversaries can bypass some MFA protections, creating new risks for manufacturers and their supply chains.
Here’s the new reality: Don’t click on suspicious links, and understand that multi-factor authentication is no longer the shield it once was. The most common forms of MFA, one-time codes sent by text message and simple push approvals, can now be defeated by increasingly sophisticated and widely available attacks. Organizations must adapt their cybersecurity strategies accordingly.
“MFA still stops basic attacks, but it is no longer a silver bullet against sophisticated threats,” warned Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense.
“In the past,” Tanji said, “simply requiring a second factor such as a text message code stopped most automated hacking attempts. Today, attackers have developed smarter tools specifically designed to trick users or bypass MFA entirely.”
Change became apparent four years ago through a series of MFA-related attacks targeting organizations including Twilio, Uber and Cisco.
Those attacks shocked the cybersecurity industry because MFA had seemed such a robust form of protection: An adversary couldn’t simply steal a password to log on; they would also need to receive and respond to a second prompt sent to the user’s trusted device or account. At the time, it appeared difficult for an outsider to compromise that additional layer of verification.
That assumption changed when attackers developed sophisticated new methods for hijacking the MFA process.
One common technique, known as adversary-in-the-middle phishing, places a look-alike website between the victim and the real login page. The fake site forwards whatever the victim types, including the one-time code, to the genuine service as it is entered, so the code is accepted before it expires. These phishing schemes do what cybercriminals couldn’t do before: complete an MFA-protected login without ever having the victim’s phone or computer.
Tanji said this capability is now a routine part of the hacker toolkit.
“These bypass techniques have become highly automated and commercialized, turning what used to be advanced hacking into push-button tools available to anyone,” he said. “Cybercriminals have essentially industrialized ‘Phishing-as-a-Service.’ Anyone can now rent a hacking kit that mimics a real login process and intercepts MFA codes in real time.”
It is important to understand that, regardless of their sophistication, these attacks still begin with traditional social engineering.
A user receives a fraudulent message and is persuaded to click a nefarious link (don’t do it!).
The link directs the victim to a convincing but fake login page that relays the victim’s password and MFA code to the real service in real time. Because the real service sees a correctly completed login, it issues the session cookie or token that grants full access to the account, and that cookie lands in the attacker’s proxy rather than in the victim’s browser.
“The hacker gets access to your account from their own computer without ever needing your password or MFA again,” Tanji explained.
There are also variations on this attack.
For example, attackers may target text message (SMS)-based verification through a technique known as SIM swapping. In these cases, the attacker convinces a mobile carrier to transfer the victim’s phone number to a SIM card under the attacker’s control. Once the transfer occurs, MFA codes sent by text message are delivered to the attacker rather than the legitimate user.
How to Defend Against MFA Attacks
Tanji said traditional MFA methods, such as text-message codes or simple “Approve” prompts, are no longer sufficient for protecting sensitive or high-risk accounts.
Organizations should consider upgrading to phishing-resistant authentication methods, including passkeys and hardware security keys, rather than relying on SMS codes or push approvals. These methods resist phishing because the credential is cryptographically bound to the legitimate site’s web address: a look-alike site cannot relay a passkey response the way it relays a six-digit code.
Another option for push-based MFA is number matching.
With this approach, users must type a number displayed on their computer screen into the authentication application on their mobile device rather than simply pressing an approval button. This defeats attacks that bombard a user with push prompts until one is accepted, because a blind approval no longer completes the login. It does not stop the real-time relay described above: the attacker’s proxy sees the number on the genuine login page and displays it to the victim, who types it into the app.
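To make the contrast between these factors concrete, here is an added example, written for this article and not code from MxD or any vendor, that simulates an adversary-in-the-middle proxy against the three factors discussed above: a one-time code typed into the page, a number-matching push, and a passkey. Every host name, user, secret and the simplified identity service are assumptions; an HMAC stands in for the passkey’s real public-key signature, and the property that survives the simplification is the origin check.

```python
"""Adversary-in-the-middle (AitM) phishing proxy simulated against three
second factors: a TOTP code, a number-matching push, and a passkey.
Added example, not code from the article or MxD.  All names, hosts and
secrets are made up; an HMAC stands in for the passkey's real signature."""
from __future__ import annotations
import hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://login.example-plant.test"  # hypothetical real login page
PHISH_ORIGIN = "https://login.example-plant.co"   # hypothetical look-alike proxy


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code the victim's authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """Legitimate identity provider: whoever completes a login gets a bearer cookie."""

    def __init__(self, password: str, totp_secret: bytes, passkey: bytes):
        self.password, self.totp_secret, self.passkey = password, totp_secret, passkey
        self.sessions: set[str] = set()         # issued session cookies
        self.pending_push: dict[str, int] = {}  # push id -> number shown on the page
        self.challenge: str | None = None

    def _issue(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie

    # Factor 1: password plus TOTP code, both typed into the web page.
    def login_totp(self, password: str, code: str, now: int) -> str | None:
        ok = password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))
        return self._issue() if ok else None

    # Factor 2: number matching. The page shows a number; the user types it into the app.
    def start_push(self, password: str) -> tuple[str, int] | None:
        if password != self.password:
            return None
        push_id, number = secrets.token_hex(8), secrets.randbelow(100)
        self.pending_push[push_id] = number
        return push_id, number

    def app_confirms(self, push_id: str, typed: int) -> str | None:
        # The app talks to the service directly; a correct number completes whichever
        # browser session started the push, and in the attack that browser is the proxy's.
        return self._issue() if self.pending_push.pop(push_id, None) == typed else None

    # Factor 3: passkey. Signed client data names the origin the browser was really on.
    def passkey_challenge(self) -> str:
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def login_passkey(self, assertion: dict) -> str | None:
        cd = json.loads(assertion["client_data"])
        expected = hmac.new(self.passkey, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if cd["origin"] != REAL_ORIGIN or cd["challenge"] != self.challenge:
            return None  # wrong origin or stale challenge: rejected before the signature check
        return self._issue() if hmac.compare_digest(expected, assertion["signature"]) else None


def passkey_sign(passkey: bytes, browser_origin: str, challenge: str) -> dict:
    """Victim's browser/authenticator output; the browser, not the page, fills in the origin."""
    client_data = json.dumps({"origin": browser_origin, "challenge": challenge}, sort_keys=True)
    sig = hmac.new(passkey, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def aitm_totp(svc: Service, password: str, totp_secret: bytes, now: int) -> str | None:
    """Proxy forwards the typed password and current code within the 30-second window."""
    return svc.login_totp(password, totp(totp_secret, now), now)


def aitm_number_match(svc: Service, password: str) -> str | None:
    """Proxy submits the password, reads the number off the real page, shows it to the victim."""
    push_id, number_relayed_to_victim = svc.start_push(password)
    return svc.app_confirms(push_id, number_relayed_to_victim)


def aitm_passkey(svc: Service, passkey: bytes) -> str | None:
    """Proxy relays a genuine challenge, but the browser binds PHISH_ORIGIN into the assertion."""
    challenge = svc.passkey_challenge()
    return svc.login_passkey(passkey_sign(passkey, PHISH_ORIGIN, challenge))


def run_attacks() -> dict[str, bool]:
    """True means the attacker ended up holding a valid session cookie."""
    pw, tsec, pk = "Winter2024!", secrets.token_bytes(20), secrets.token_bytes(32)
    svc = Service(pw, tsec, pk)
    results = {
        "totp": aitm_totp(svc, pw, tsec, 1_700_000_000) in svc.sessions,
        "number_match": aitm_number_match(svc, pw) in svc.sessions,
        "passkey": aitm_passkey(svc, pk) in svc.sessions,
    }
    # Control: the real user on the real origin still signs in with the passkey.
    results["legit_passkey"] = svc.login_passkey(
        passkey_sign(pk, REAL_ORIGIN, svc.passkey_challenge())) in svc.sessions
    return results
```

Calling `run_attacks()` shows the relayed code and the relayed number both handing the attacker a valid session cookie, while the passkey assertion is rejected because the victim’s browser signed the look-alike origin, not the real one. In a real deployment the same property comes from WebAuthn’s origin and relying-party checks; the HMAC here only stands in for the signature.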
Organizations must also train employees to recognize that approving an MFA request is a deliberate security decision, not a routine administrative task.
As with phishing awareness, users cannot become complacent when responding to authentication prompts. If an MFA request appears unexpected or unusual, it should be denied and reported for investigation.
“When a user denies a request five times and approves it on the sixth, that is not authentication, it’s surrender,” Tanji said.
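Reporting an unexpected prompt only helps if someone can find the pattern in the logs. As an added example, not code from MxD or from any identity provider, the following runs two detections over constructed sign-in records: a run of denied or timed-out push prompts that ends in an approval, and a session issued after MFA from one network that is used from a different network minutes later, which is what a stolen session cookie looks like. The log format, field names, users and addresses are all made up for illustration.

```python
"""Two SOC detections for the MFA abuse patterns the article describes:
push fatigue (denied prompts ending in an approval) and session-token replay
(a cookie issued after MFA from one network, then used from another).
Added example, not from MxD; the log format and sample lines are constructed."""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one JSON record per line. Field names are made up.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:01:10Z","user":"jdoe","event":"mfa_push","result":"denied","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2024-03-04T08:01:40Z","user":"jdoe","event":"mfa_push","result":"denied","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2024-03-04T08:02:05Z","user":"jdoe","event":"mfa_push","result":"timeout","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2024-03-04T08:02:30Z","user":"jdoe","event":"mfa_push","result":"denied","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2024-03-04T08:02:55Z","user":"jdoe","event":"mfa_push","result":"denied","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2024-03-04T08:03:20Z","user":"jdoe","event":"mfa_push","result":"approved","ip":"203.0.113.10","asn":"AS64500"}
{"ts":"2024-03-04T09:15:00Z","user":"asmith","event":"mfa_totp","result":"approved","ip":"198.51.100.7","asn":"AS64501","session":"s-7f3a"}
{"ts":"2024-03-04T09:15:02Z","user":"asmith","event":"session_use","ip":"198.51.100.7","asn":"AS64501","session":"s-7f3a"}
{"ts":"2024-03-04T09:16:30Z","user":"asmith","event":"session_use","ip":"192.0.2.44","asn":"AS64502","session":"s-7f3a"}
{"ts":"2024-03-04T10:00:00Z","user":"bwong","event":"mfa_push","result":"denied","ip":"203.0.113.99","asn":"AS64500"}
{"ts":"2024-03-04T10:40:00Z","user":"bwong","event":"mfa_push","result":"approved","ip":"203.0.113.99","asn":"AS64500"}
"""


def parse(log: str) -> list[dict]:
    """Parse JSON lines into records with real datetimes, oldest first."""
    records = []
    for line in log.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_push_fatigue(records: list[dict], min_failures: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> list[tuple]:
    """Flag a user who approves a push after >= min_failures denied or timed-out
    pushes inside `window`. Returns (user, approval_time, failure_count)."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent failed pushes
    for r in records:
        if r["event"] != "mfa_push":
            continue
        fails = [t for t in recent[r["user"]] if r["ts"] - t <= window]
        if r["result"] in ("denied", "timeout"):
            fails.append(r["ts"])
        elif r["result"] == "approved":
            if len(fails) >= min_failures:
                alerts.append((r["user"], r["ts"], len(fails)))
            fails = []  # an approval closes the run, alert or not
        recent[r["user"]] = fails
    return alerts


def detect_token_replay(records: list[dict],
                        window: timedelta = timedelta(hours=1)) -> list[tuple]:
    """Flag a session used from a different ASN than the one it was issued to,
    within `window` of the MFA-completed sign-in. A heuristic: mobile users
    and VPNs change networks too, so treat hits as leads, not verdicts.
    Returns (user, session, issued_asn, used_from_asn)."""
    issued = {}  # session -> (user, issue_time, asn)
    alerts = []
    for r in records:
        sid = r.get("session")
        if not sid:
            continue
        if r["event"].startswith("mfa_") and r.get("result") == "approved":
            issued[sid] = (r["user"], r["ts"], r["asn"])
        elif r["event"] == "session_use" and sid in issued:
            user, t0, asn0 = issued[sid]
            if r["asn"] != asn0 and r["ts"] - t0 <= window:
                alerts.append((user, sid, asn0, r["asn"]))
    return alerts
```

On the sample above, `detect_push_fatigue(parse(SAMPLE_LOG))` flags jdoe, who denied or ignored five prompts and then approved the sixth, and ignores bwong, whose single denial and later approval are forty minutes apart. `detect_token_replay` flags asmith’s session, issued to one network and used from another ninety seconds later. Tune the thresholds to your own prompt volumes before alerting on them.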