Before we jump into this FBI warning about bypassing multi-factor authentication (also known as two-factor authentication), note that the FBI says it remains effective and you should continue to use it. The agency issued the warning more as an alert for the security industry. Furthermore, attacks against users of multi-factor authentication are rare, so you don’t need to be alarmed, just informed.
“Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.”
Federal Bureau of Investigation
Also of note, the warning was sent to “industry partners”, and the Bureau was more or less warning about attacks against organizations. Of course, this doesn’t mean the same methods of bypassing multi-factor authentication wouldn’t work against a single target, which is why it is good to stay informed.
“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17.
Federal Bureau of Investigation
The Bureau warned about two methods of bypassing multi-factor authentication: SIM swapping and transparent proxies such as Muraena and NecroBrowser. The Bureau pointed to some recent incidents as examples:
- In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
- Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack, SIM swapping, as a common tactic from cybercriminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
- In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
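The third incident above is a trusted-device check that took its answer from a client-controlled value in the URL. As an added example (not code from the FBI notice or from any bank's site), the snippet below contrasts that flawed pattern with a server-issued, HMAC-signed device token that is bound to the account, expires, and is only minted after the second factor succeeds; the key, the `device_trust` cookie name and the 30-day lifetime are assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed for this example only; a real deployment loads the key from a secrets store.
SERVER_KEY = b"example-only-server-key"
TRUST_TTL = 30 * 24 * 3600  # assumed lifetime of a "recognized device" grant, in seconds


def naive_is_recognized_device(query_params: dict) -> bool:
    """Flawed pattern: the decision rests on a value the client can set in the URL."""
    return query_params.get("device_recognized") == "1"


def issue_device_token(user_id: str, now: int) -> str:
    """Mint a device token; call this only after the second factor has been verified."""
    payload = f"{user_id}:{now}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def is_recognized_device(user_id: str, token: Optional[str], now: int) -> bool:
    """Accept the device only if the server-signed token is intact, bound to this account, and unexpired."""
    if not token:
        return False
    try:
        tok_user, issued_at_str, tag = token.rsplit(":", 2)
        issued_at = int(issued_at_str)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SERVER_KEY, f"{tok_user}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # tampered or forged
    if tok_user != user_id:
        return False  # token issued for a different account
    if issued_at > now or now - issued_at > TRUST_TTL:
        return False  # expired or from the future
    return True


def requires_second_factor(user_id: str, query_params: dict, cookies: dict, now: int) -> bool:
    """Gate the PIN/security-question step on the signed cookie; URL parameters are ignored entirely."""
    return not is_recognized_device(user_id, cookies.get("device_trust"), now)
```

In practice the token should also be scoped to a device identifier and revoked on password or phone-number changes, since the SIM-swapping cases above show the phone number itself becoming an attacker-controlled channel.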
These are just a few examples of the attacks against multi-factor authentication found by the FBI. Again, it is important to note that the FBI says that using MFA or 2FA is still effective and these incidents are rare.
Last Updated on February 3, 2021.