The FBI’s Cyber Division has issued a Private Industry Notification (PIN) warning businesses and other organizations that criminals are using a variety of technical attacks and social engineering to bypass multi-factor authentication.
“FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts,” explained the Cyber Division. “The primary methods are social engineering attacks which attack the users and technical attacks which target web code.”
The PIN offers several examples, including a 2019 attack on a banking institution in which hackers exploited a website flaw to bypass multi-factor authentication, as well as a series of attacks over the past two years using SIM swapping, where attackers take control of a victim’s phone number, with customer service representatives at the carrier handing over valuable information about the user in the process.
While multi-factor authentication (MFA) remains a vital step in securing online accounts, it is not infallible. Like any other protective measure, it can be bypassed by attackers in a few ways, although doing so is not an easy feat.
Multi-factor authentication covers any additional method of confirming a user’s identity beyond the regular username and password. It can take the form of a code delivered by email or SMS, or one of a few other out-of-band authentication methods. But the more people adopt this extra layer of protection, the more incentive attackers have to crack or bypass it.
Even when users have an MFA solution in place, it is not the only link in the chain. As often happens with social engineering, people are the weakest link, offering details they shouldn’t and trusting other parties instead of asking them for more proof of identity.
The FBI’s note also cited researchers who demonstrated other attack vectors that combine man-in-the-middle attacks and session hijacking to capture traffic between users and websites, including the one-time passcode and the session cookie issued after it is accepted. They went so far as to set up an automated phishing scheme, as demonstrated at the 2019 Hack-in-the-Box conference, which significantly increased their chances of capturing the data they were after.
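To make the two scenarios concrete, the following is an added example written for this article, not code from the FBI notice or from the Hack-in-the-Box researchers. It models a site that issues a one-time passcode (OTP) and then a session token, a phishing reverse proxy that relays the victim’s OTP in real time, and an attacker who later replays the captured session from a different machine. The user, IP addresses (taken from documentation ranges), user agents and the 60-second OTP lifetime are all constructed for the example. It also shows the limits of each defence: single-use OTPs stop a replay but not a live relay, client-bound sessions stop a cookie reused elsewhere but not the proxy itself, and only the behavioral signals discussed below (new IP, unusual hour) flag the relayed login.

```python
"""Toy model of OTP relay and session hijacking, with defences.
Illustrative code written for this article; not from the FBI or any vendor."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_TTL = 60  # seconds an OTP stays valid (assumed value)


@dataclass
class Client:
    ip: str
    user_agent: str


@dataclass
class User:
    name: str
    known_ips: set
    usual_hours: range                      # hours the user normally logs in
    otp: Optional[Tuple[str, float]] = None  # (code, expiry) while one is pending


# session token -> (user, fingerprint of the client the token was issued to)
SESSIONS: Dict[str, Tuple[User, str]] = {}


def fingerprint(client: Client) -> str:
    """Bind a session to the client that completed MFA (IP + user agent)."""
    return hashlib.sha256(f"{client.ip}|{client.user_agent}".encode()).hexdigest()


def issue_otp(user: User, now: Optional[float] = None) -> str:
    """Generate a 6-digit code and remember it with a short expiry."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    user.otp = (code, now + OTP_TTL)
    return code


def verify_otp(user: User, code: str, client: Client,
               now: Optional[float] = None) -> Optional[str]:
    """Consume the pending OTP; on success issue a session bound to the client."""
    now = time.time() if now is None else now
    if user.otp is None:
        return None
    real, expiry = user.otp
    user.otp = None  # single use: the same code cannot be submitted twice
    if now > expiry or not hmac.compare_digest(real, code):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (user, fingerprint(client))
    return token


def validate_session(token: str, client: Client) -> Optional[User]:
    """Accept the token only from the client it was issued to; revoke otherwise."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, bound_fp = entry
    if not hmac.compare_digest(bound_fp, fingerprint(client)):
        SESSIONS.pop(token, None)  # cookie replayed from elsewhere: kill it
        return None
    return user


def risk_score(user: User, client: Client, hour: int) -> int:
    """Behavioral signals: unknown IP counts 2, unusual hour counts 1."""
    score = 0
    if client.ip not in user.known_ips:
        score += 2
    if hour not in user.usual_hours:
        score += 1
    return score


def simulate_relay_attack(now: Optional[float] = None) -> dict:
    """Victim types the OTP into a phishing page; the proxy relays it live."""
    victim = User("alice", {"203.0.113.5"}, range(8, 19))
    victim_browser = Client("203.0.113.5", "Firefox")
    proxy = Client("198.51.100.77", "python-requests")  # phishing reverse proxy
    attacker_pc = Client("198.51.100.10", "Chrome")      # attacker's own machine
    code = issue_otp(victim, now)
    token = verify_otp(victim, code, proxy, now)  # real site sees the proxy
    return {
        "relay_gets_session": token is not None,
        "proxy_can_use_it": validate_session(token, proxy) is victim,
        "workstation_blocked": validate_session(token, attacker_pc) is None,
        "otp_replay_blocked": verify_otp(victim, code, victim_browser, now) is None,
        "risk_at_login": risk_score(victim, proxy, hour=3),
    }


if __name__ == "__main__":
    print(simulate_relay_attack())
```

The first two results are the uncomfortable ones: a live relay proxy is, as far as the site can tell, the client that passed MFA, so single-use codes and session binding do not stop it. What does stand out is the third-party IP and the 3 a.m. login, which is why the behavioral checks recommended below matter as much as the second factor itself.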
The best protection people can employ consists of constant vigilance and awareness of social engineering tactics, and the same holds for companies. Organizations should also use more robust authentication methods, including biometric factors (such as a fingerprint) and behavioral signals (time of day, geolocation or IP address) that can flag a login which passes MFA but does not look like the account’s owner.