Multifactor authentication is far stronger than a simple username and password, but hackers are getting better at defeating or evading MFA protections. Last year, malware targeting financial mobile apps emerged with this ability.
For example, Cerberus is a Trojan that abuses Android accessibility features, enabling remote access and updating malware on target systems. By reverse engineering Google's authentication flow, hackers are able to extract MFA credentials from mobile apps and bypass Google Authenticator.
Another example is the Eventbot malware, which targets mobile banking apps. It can intercept MFA codes sent via SMS — a very common way to transmit these codes to end users. With MFA codes in hand, hackers can take over accounts and steal critical data.
Hackers evade MFA through a variety of techniques. Often, they use specialized programming tools to observe how apps function in simulated environments and to obtain the source code and understand the app’s inner workings. The information these tools provide enables them to identify apps' weaknesses so they can formulate attacks that exploit them.
Hackers also alter digital certificates for use in man-in-the-middle and phishing attacks to obtain MFA codes, because these phony certificates can convince both the bank's server and the mobile user they are talking to a trusted entity. Finally, hackers can search for unencrypted data that is stored within an app, such as authentication tokens, cookies and user credentials. With this data, they can intercept MFA codes.
As with most security strategies, defeating MFA evasion requires a multilayered approach:
Harden apps with anti-tampering, anti-reversing, checksum validation and jailbreak/root prevention to prevent hackers from studying, simulating, and learning about the app and all its components.
Obfuscate the code to prevent reverse engineering.
Encrypt sensitive data. Don’t store sensitive data or artifacts unencrypted.
Protect data in transit. Techniques such as certificate pinning and certificate authority validation can protect against man-in-the-middle attacks.
Use "in-app" MFA. SMS is not a secure means for transmitting MFA codes. Instead, send them within the app and leverage features such as in-app FaceID/TouchID. In this way, even if a device PIN code or the MFA solution is compromised, the app is still safe.
MFA is a more secure means of authenticating users than the traditional username/password model but it's insufficient by itself. Without additional security measures, hackers can compromise MFA and wreak havoc on financial institutions and their customers.
