Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Social engineering, MFA bypass, and the identity gap teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Recent UK retail breaches show how social engineering, SIM swapping, and help-desk compromise can still bypass traditional MFA and expose customer data, with Marks & Spencer losing more than $80 million in profit and $1.3 billion in market value, according to 1Kosmos and the BBC. The lesson is that identity programmes built on credentials and devices alone cannot withstand impersonation-driven access theft.

NHIMG editorial — based on content published by 1Kosmos: Social engineering and MFA bypass in recent retail attacks

By the numbers:

Questions worth separating out

Q: How should security teams reduce social engineering risk in identity recovery workflows?

A: They should treat recovery as a privileged control path, not a customer service process.

Q: Why do traditional MFA controls fail against help-desk and SIM swap attacks?

A: Traditional MFA often trusts channels that can be redirected, such as SMS delivery, carrier changes, or support-assisted resets.

Q: What breaks when attackers gain access through impersonation rather than malware?

A: Impersonation bypasses many perimeter assumptions because the session begins with valid credentials or a valid recovery action.

Practitioner guidance

  • Harden help-desk recovery workflows Require step-up verification for password resets, device rebinds, and MFA changes, and make support staff validate identity with independent proof rather than caller-supplied details.
  • Lock down telecom-based recovery paths Add carrier-level safeguards for SIM swap and number port requests, and monitor for changes that can move the second factor onto an attacker-controlled device.
  • Replace code-only MFA on sensitive accounts Use phishing-resistant authentication for privileged and high-impact accounts, especially where account recovery can be socially engineered through help desks or mobile providers.

What's in the full analysis

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of how SIM swapping and help-desk manipulation were used to bypass identity controls
  • Specific details on liveness-based biometric verification and how it binds the person to the authentication event
  • Implementation context for integrating stronger authentication into privileged access and existing enterprise login flows
  • Operational examples of where traditional MFA breaks down in real support and recovery processes

👉 Read 1Kosmos's analysis of social engineering, MFA bypass, and enterprise identity risk →

Social engineering, MFA bypass, and the identity gap teams miss?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Social engineering is now an identity-control failure, not just a people problem. When attackers can redirect recovery channels, the weak point is the governance chain that lets humans authenticate via trust rather than proof. That is why help desks, telecom carriers, and delegated support processes belong in the same control conversation as IAM and PAM. Practitioners should treat impersonation resistance as a core identity requirement, not an awareness campaign.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirming and 26% suspecting compromise.

A question worth separating out:

Q: Who is accountable when social engineering defeats identity controls?

A: Accountability sits with the teams that own authentication, support workflows, telecom dependencies, and privileged access, not only with end users. If a reset, SIM swap, or device rebind can grant access without strong verification, the governance gap is structural. Organisations should map those responsibilities before an incident forces the issue.

👉 Read our full editorial: Social engineering and MFA bypass are still breaking enterprise identity



   
ReplyQuote
Share: