Tricks Used By Scammers to Bypass MFA

MFA is a crucial step in protecting users from the effects of credential compromise, and we recommend that it be used on all available accounts. As you may know, multi-factor authentication (“MFA”) provides a second layer of security for your accounts by creating a “locked door” for which you must supply a key. The MFA prompt follows the account login prompt of username + password and requests that users authenticate with something that they have, e.g., a smartphone or a token. With NYU MFA, the “key” can take the form of:

  • A push notification via the Duo app
  • A passcode generated by the Duo app
  • A code sent to SMS messages
  • A token
  • One of the numbered keys on a phone being pressed in response to a call directed to a designated phone number. *Please note that as of 10/06/22 this option will no longer be available.

In order to protect both you and NYU, it is critically important to be aware of how malicious actors are attempting to bypass MFA to gain access to your accounts. 

Tricks Used by Scammers:

  • MFA bombing:
    • Attempts to get users to accept app push notifications by sending repeated notifications at off times (such as 3am); or
    • Sends users successive notifications throughout the day. Scammers may also try to stay under the radar by sending just one or two notifications per day.
  • Spoofed phone calls to employees from scammers pretending to be part of a trusted organization. Scammers tell the target they need to authenticate using MFA as part of a process and then hijack the session.
  • Registering other devices to your account to authorize MFA. Once in possession of account credentials, scammers may attempt to register their devices to the account. To check the devices associated with your account, go to start.nyu.edu => login, and login with your NYU NetID and password. On the MFA authentication screen, select My Settings & Devices. You will be prompted to authenticate with MFA using an enrolled device. Once you do so, you will see a list of devices and can remove a device by clicking the Device Options button next to the device.
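The MFA bombing patterns described above (a burst of prompts, prompts at off hours such as 3am, and the low-and-slow one-or-two-a-day variant) can be spotted on the defender's side by looking for push prompts the user did not approve. The following is an added example, not NYU's or Duo's code; it assumes a hypothetical, constructed log line format and hypothetical field names, and the sample records are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical push-authentication log format
# (field names are assumptions, not an actual Duo or NYU export).
SAMPLE_LOG = [
    "2022-09-20T03:01:10 user=alice factor=push result=denied",
    "2022-09-20T03:01:40 user=alice factor=push result=timeout",
    "2022-09-20T03:02:15 user=alice factor=push result=timeout",
    "2022-09-20T03:03:05 user=alice factor=push result=denied",
    "2022-09-20T09:15:00 user=bob factor=push result=approved",
    "2022-09-21T14:10:00 user=carol factor=push result=denied",
    "2022-09-22T15:40:00 user=carol factor=push result=timeout",
    "2022-09-23T11:05:00 user=carol factor=push result=denied",
]

def parse(line):
    """Split one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect_mfa_bombing(lines, burst_n=3, burst_window=timedelta(minutes=10),
                       slow_days=3, off_hours=range(0, 6)):
    """Return sorted (user, reason) alerts built from unapproved push prompts."""
    unapproved = defaultdict(list)
    for rec in map(parse, lines):
        if rec["factor"] == "push" and rec["result"] != "approved":
            unapproved[rec["user"]].append(rec["ts"])
    alerts = set()
    for user, times in unapproved.items():
        times.sort()
        # Burst: burst_n or more unapproved pushes inside one sliding window.
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= burst_window:
                alerts.add((user, "burst"))
                break
        # Off-hours: any unapproved push during the configured night hours.
        if any(t.hour in off_hours for t in times):
            alerts.add((user, "off-hours"))
        # Low-and-slow: unapproved pushes spread over several distinct days.
        if len({t.date() for t in times}) >= slow_days:
            alerts.add((user, "low-and-slow"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in detect_mfa_bombing(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Alerts like these are a cue to contact the user and review the devices enrolled on the account, as the next section describes.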

Tips & Best Practices:

  • Remain aware of when you last authenticated using MFA, and whether you selected “remember me for 1 day”. Deny all authentication requests you have not made. Please be aware that if you open another browser, you will need to authenticate using MFA again. For more information on denying requests, see the following NYU KBase article: Responding to Fraudulent/Unsolicited MFA Requests.
  • If you believe you may have been a victim of an MFA bypass attempt, or if you see an MFA device registered to your account that you did not register, please immediately change your NYU NetID password and contact AskIt@nyu.edu using the email subject line “URGENT: Suspected MFA bypass attempt”.