FBI Warns of Criminals Using Social Engineering, Technical Attacks to Bypass Multi-Factor Authentication

The FBI’s Cyber Division issued a Private Industry Notification (PIN) warning businesses and other organizations that criminals are using a variety of hacking techniques and social engineering to bypass multi-factor authentication.

“FBI reporting identified several methods cyber
actors use to circumvent popular multi-factor authentication techniques in
order to obtain the one-time passcode and access protected accounts,” explained
the Cyber Division. “The primary methods are social engineering attacks
which attack the users and technical attacks which target web code.”

The PIN offers several examples, including a 2019 attack on a banking institution in which hackers exploited a website flaw to bypass multi-factor authentication, as well as a series of attacks over the past two years using SIM swapping, where attackers take control of victims’ phone numbers and customer service representatives disclose valuable information about those users.

While multi-factor authentication (MFA) remains a vital step
to secure online accounts, it’s not infallible. Like any other protective
measure, it can be bypassed by attackers in a few ways, but it’s not an easy
feat.

Multi-factor authentication includes any method of confirming the identity of a user beyond the regular credentials. It can take the form of an email, an SMS or one of a few other out-of-band authentication methods. But the more people adopt an extra layer of protection, the more incentive there is to crack or bypass it.

Even when users have an MFA solution in place, it’s not the only link in the chain. As often happens with social engineering, people are the weakest link, offering details they shouldn’t, and trusting other parties instead of asking for more credentials.

The FBI’s note also cited researchers who demonstrated other attack vectors that combine man-in-the-middle attacks and session hijacking to capture traffic between users and websites. They even went so far as to set up an automated phishing scheme, as demonstrated at the 2019 Hack-in-the-Box conference, which significantly increased their chances of capturing relevant data.

The best protection people can employ consists of constant vigilance and awareness of social engineering tactics, and the same holds for companies. Organizations should use more complex authentication methods, including biometrics (fingerprint) and behavioral factors (time of day, geolocation or IP address).
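The behavioral factors listed above (time of day, geolocation, source IP) are the inputs of risk-based or adaptive authentication: each sign-in is scored against what the account normally looks like, and an anomalous attempt is stepped up to a stronger check or held for review. The following is an added example of that scoring logic; it is not code from the FBI notification or from any product it mentions. It assumes the caller has already resolved the source IP to a country with a geo-IP lookup, and the baseline data, weights and thresholds are constructed for illustration.

```python
"""Adaptive (risk-based) step-up authentication, added example.

Scores a login attempt against the account's observed baseline of
time-of-day, country and source network, then maps the score to a policy
decision. Baseline values, weights and thresholds below are constructed;
real deployments learn them from the account's own sign-in history.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class LoginAttempt:
    user: str
    timestamp: datetime        # timezone-aware, UTC
    source_ip: str
    country: str               # ISO country code from a geo-IP lookup (assumed done by caller)


@dataclass
class UserBaseline:
    """What this account normally looks like, learned from past successful logins."""
    usual_hours: set = field(default_factory=set)           # UTC hours seen before
    usual_countries: set = field(default_factory=set)       # ISO codes seen before
    trusted_networks: list = field(default_factory=list)    # ip_network objects
    last_country: str | None = None
    last_seen: datetime | None = None


def score_attempt(attempt: LoginAttempt, baseline: UserBaseline) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Each anomalous signal adds a weight.
    An empty baseline (brand-new account) contributes no signals, so the
    caller should treat new accounts separately."""
    score, reasons = 0, []
    # Time of day: an hour this user has never logged in at.
    if baseline.usual_hours and attempt.timestamp.hour not in baseline.usual_hours:
        score += 1
        reasons.append("unusual hour")
    # Geolocation: a country never seen for this account.
    if baseline.usual_countries and attempt.country not in baseline.usual_countries:
        score += 2
        reasons.append("new country")
    # Impossible travel: previous login from a different country under two hours ago.
    if (baseline.last_country and baseline.last_seen
            and attempt.country != baseline.last_country
            and (attempt.timestamp - baseline.last_seen).total_seconds() < 2 * 3600):
        score += 3
        reasons.append("impossible travel")
    # Source IP: outside every network the account has used before.
    ip = ip_address(attempt.source_ip)
    if baseline.trusted_networks and not any(ip in net for net in baseline.trusted_networks):
        score += 1
        reasons.append("unknown network")
    return score, reasons


def decide(score: int) -> str:
    """Policy: no anomalies pass as usual, one or more step up to an
    additional factor, a high score is denied pending review."""
    if score >= 4:
        return "deny"
    if score >= 1:
        return "step_up"
    return "allow"


def evaluate(attempt: LoginAttempt, baseline: UserBaseline) -> dict:
    score, reasons = score_attempt(attempt, baseline)
    return {"user": attempt.user, "score": score, "reasons": reasons, "decision": decide(score)}


def demo() -> list[dict]:
    """Run three constructed attempts against a constructed baseline."""
    baseline = UserBaseline(
        usual_hours=set(range(8, 19)),                     # working hours, UTC
        usual_countries={"US"},
        trusted_networks=[ip_network("203.0.113.0/24")],   # documentation range
        last_country="US",
        last_seen=datetime(2019, 9, 17, 14, 0, tzinfo=timezone.utc),
    )
    attempts = [
        LoginAttempt("alice", datetime(2019, 9, 17, 14, 30, tzinfo=timezone.utc), "203.0.113.7", "US"),
        LoginAttempt("alice", datetime(2019, 9, 17, 15, 0, tzinfo=timezone.utc), "198.51.100.9", "RO"),
        LoginAttempt("alice", datetime(2019, 9, 18, 3, 0, tzinfo=timezone.utc), "203.0.113.7", "US"),
    ]
    return [evaluate(a, baseline) for a in attempts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second attempt trips three signals at once (new country, impossible travel, unknown network) and is denied outright; the third only differs in hour and is merely stepped up. Keeping the weights per signal, rather than a single yes/no, lets an organization tune how aggressively it challenges users without losing the reasons recorded for each decision.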
