
Attackers are always on the lookout to compromise digital identities. A successful account takeover allows a cybercriminal to impersonate a genuine user for monetization purposes. Enterprises large and small have utilized various means to secure someone’s digital identity, and credentials are the starting point. The F5 Labs 2021 Credential Stuffing Report indicates that 1.8 billion credential sets were spilled in 2020 alone. Such a huge stash of credentials is a massive threat to digital identities. An effective mitigation strategy for this threat that various regulatory bodies and security practitioners recommend is to enforce multifactor authentication (MFA).

MFA, which restricts attackers from capitalizing on the use of compromised credentials, has been on the rise. It requires the user to provide two or more different types of factors. Typically, it’s something the user knows (such as a password) and something the user has. The second factor is usually a code sent via text message, a hardware token, or a dedicated multifactor authentication app. After entering a username and password, the user must enter the code to complete the login. However, it is worth noting that not all authentication systems are created equal, and unsuspecting users can be tricked into providing the second factor. Social engineering is a prevalent way of getting a user to divulge the second factor, but fraudsters have also employed technologically sophisticated ways to bypass MFA. This article evaluates two tricks attackers use to game authentication systems.

Trick 1: Capitalizing on Trusted Sessions

No doubt, the user experience suffers because of MFA. To make this less inconvenient for customers, many websites employ techniques to identify a user device and register the information after the user provides a second authentication factor and consents to trust their device. Once registered, transactions from those devices are deemed safe. For example, an e-commerce website establishes trust with a user device by enforcing MFA on the first logon. It then subsequently allows transactions from this trusted user device, which may include use of credit card details stored in the user’s profile. This improves the experience for the user, who is not forced to provide a second factor for every transaction. However, any deviation from the user’s stored risk profile, such as a known user logging in from a new device, initiates a multifactor verification.

Typically, once a device is identified, the information is stored in the form of a cookie on the client side, which will be used to identify the device on the server side. A known device is supposedly less risky and does not trigger additional authentication. Fraudsters understand this process, and we have seen a thriving marketplace named Genesis Store that helps enable these bad actors. For example, a fraudster can obtain device fingerprints and associated cookies and credentials with ease, as shown in Figure 1.
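To make the trust decision concrete, here is a small added example (it is not code from the F5 Labs article or from any product) of the server side of such a device-trust scheme: after a successful MFA step the server issues an HMAC-signed cookie bound to the user, to a hash of the device attributes the browser reported, and to an expiry; on later logins a valid cookie for the same user and fingerprint skips the second factor. The secret, user name and fingerprint attributes are constructed for illustration. The last case in `scenario()` is the one a marketplace like the one described above enables: a stolen cookie replayed together with the victim's fingerprint values passes the check, so no second factor is requested.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from a secret store.
SERVER_SECRET = b"example-device-trust-key-not-for-production"
TRUST_TTL_SECONDS = 30 * 24 * 3600  # trust a device for 30 days (assumed policy)


def fingerprint_hash(fingerprint: dict) -> str:
    """Hash the device attributes the client reports (user agent, screen, timezone, ...)."""
    canonical = json.dumps(fingerprint, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_trust_cookie(user_id: str, fingerprint: dict, now: float) -> str:
    """Issued once the user has passed MFA and ticked 'trust this device'."""
    payload = {"uid": user_id, "fp": fingerprint_hash(fingerprint), "exp": int(now) + TRUST_TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def requires_mfa(user_id: str, fingerprint: dict, cookie: Optional[str], now: float) -> bool:
    """Risk decision: True means the server must prompt for the second factor."""
    if not cookie or "." not in cookie:
        return True  # no trust cookie at all: unknown device
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return True  # tampered or forged cookie
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload["uid"] != user_id or payload["exp"] < now:
        return True  # cookie belongs to another account, or trust has expired
    # Device is trusted only if the reported fingerprint still matches the registered one.
    return payload["fp"] != fingerprint_hash(fingerprint)


def scenario() -> dict:
    """Walk through the legitimate flow and the replay the text describes."""
    now = time.time()
    # Constructed sample fingerprints; a real collector would gather many more attributes.
    victim_fp = {"ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/95.0", "screen": "1920x1080", "tz": "America/Chicago"}
    attacker_fp = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/96.0", "screen": "1366x768", "tz": "Europe/Kiev"}

    cookie = issue_trust_cookie("alice", victim_fp, now)  # issued after Alice completed MFA once
    later = now + 3600
    return {
        # Alice on her own device: trusted, no second factor.
        "victim_known_device": requires_mfa("alice", victim_fp, cookie, later),
        # Attacker with only the password: new device, MFA prompted.
        "attacker_no_cookie": requires_mfa("alice", attacker_fp, None, later),
        # Attacker with the stolen cookie but their own browser: fingerprint mismatch, MFA prompted.
        "attacker_cookie_only": requires_mfa("alice", attacker_fp, cookie, later),
        # Attacker replaying stolen cookie AND spoofing the victim's fingerprint: treated as trusted.
        "attacker_cookie_and_fingerprint": requires_mfa("alice", victim_fp, cookie, later),
        # Same replay after the trust window closes: MFA prompted again.
        "replay_after_expiry": requires_mfa("alice", victim_fp, cookie, now + TRUST_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, prompt in scenario().items():
        print(f"{name}: {'MFA required' if prompt else 'trusted, no MFA'}")
```

The takeaway for defenders is that the decision collapses to "possession of the cookie plus a replayable set of fingerprint values", which is exactly what a criminal marketplace sells. Treat the trust cookie as a credential in its own right: keep the trust window short, revoke issued cookies on password change or reported compromise, and re-challenge high-value actions such as a new payee or a shipping-address change regardless of device trust.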