App developers have enough reasons to integrate multi-factor authentication (MFA) into their offerings. Passwords just don’t do the trick, as they’re vulnerable to brute force and can be stolen with basic tools such as screen grabbers.
But while MFA offers enhanced security by asking users to authenticate in several ways, it’s not a cure-all for the app security problem. Hackers are using sophisticated techniques to bypass second- and third-layer security defenses and gain access to user accounts.
Recent MFA bypass cases
In March of 2020, the mobile industry witnessed the emergence of Eventbot, a sophisticated Android-based Trojan that can intercept MFA codes sent to a mobile device via SMS. Eventbot targets users of different financial applications, including money transfer services, online banking and cryptocurrency wallets. Its auto-update capability means new and more advanced variants are expected to pop up as hackers attempt to breach mobile systems.
Even the codes generated via authenticator apps are at risk. Security researchers from mobile security company ThreatFabric say that an Android malware strain called Cerberus can extract MFA credentials from the Google Authenticator application. Cerberus can obtain the interface’s content and send it to the command-and-control server controlled by the adversary. Abusing accessibility privileges,