How Threat Actors Bypass Your MFA Protection

You think your accounts are safe because you turned on Multi-Factor Authentication (MFA)? Well, think again. Here are 3 ways hackers can bypass it and gain access to your precious data.


1. Modlishka

Modlishka is an open source tool available on GitHub that makes it easy to set up phishing websites, with an emphasis on bypassing MFA. The basic idea is to proxy all the data between you and the platform you are trying to access. It's pretty much a man-in-the-middle attack, but one that completely bypasses MFA.

2. SIM Card Swapping

The idea behind SIM swapping is that someone convinces your cell phone provider to assign your phone number to another SIM card. The threat actor then receives every text message meant for you, including access tokens, without you even noticing.

You think SIM Swapping is not a thing? Brian Krebs says it is.

3. E-Mail Forwarding

Imagine the following scenario: you're not using MFA for your email account, and a hacker gained access because you used the same password on a different platform which was recently compromised. One thing a threat actor will do immediately is set up a forwarding rule to an email address they control. This way they'll get access to any tokens sent to your email address, even if you activate MFA on your email account at a later date. By then it's too late, and you won't even notice that your authentication method got compromised.
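A defender-side check for the forwarding rule described above, as an added example that is not part of the original post: it scans an exported list of mailbox rules and reports any that forward or redirect mail outside trusted domains. The record layout, field names, `TRUSTED_DOMAINS` and the sample rules are constructed assumptions, not any mail platform's real export format.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: domains your organisation owns

# Constructed sample export: one dict per inbox rule (hypothetical field names).
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": []},
    {"mailbox": "alice@example.com", "name": ".", "enabled": True,
     "forward_to": ["collector@mail.invalid"], "redirect_to": [],
     "delete_after": True},
    {"mailbox": "bob@example.com", "name": "To assistant", "enabled": True,
     "forward_to": ["Carol <carol@EXAMPLE.com>"], "redirect_to": []},
    {"mailbox": "bob@example.com", "name": "old", "enabled": False,
     "forward_to": [], "redirect_to": ["bob.backup@webmail.invalid"]},
]

def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it cannot be parsed."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def external_forwards(rules, trusted=TRUSTED_DOMAINS):
    """Report rules that send mail to any address outside the trusted domains."""
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        # Exact domain match; unparsable targets yield '' and are flagged too.
        outside = [t for t in targets if domain_of(t) not in trusted]
        if not outside:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "targets": outside,
            # Disabled rules are still reported: they can be switched back on.
            "enabled": rule.get("enabled", True),
            # Forward-and-delete keeps the token mail out of the owner's view.
            "hides_mail": bool(rule.get("delete_after")),
        })
    return findings

if __name__ == "__main__":
    for finding in external_forwards(SAMPLE_RULES):
        print(finding)
```

Run it against every mailbox after any suspected password compromise, since the forwarding rule survives a password change and a later MFA enrolment.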

How To Protect Yourself

  1. Do not rely on phone- or email-based MFA
  2. Use an authenticator app like Authy or IBM Verify
  3. Check whether the URL of the site asking for a token actually matches the address you expect. If some other address is asking for your Facebook token, something's wrong.
  4. Enable MFA. Now.
  5. Don't re-use passwords. Use a password manager!

Photo by Luther Bottrill on Unsplash
