The Federal Bureau of Investigation (FBI) recently warned in a private-industry notification (PIN) that companies could be vulnerable to attacks that bypass multi-factor authentication systems, ZDNet reports.
“The FBI has observed cyber actors circumventing multi-factor authentication through common social-engineering and technical attacks,” the agency said in a September advisory. “The primary methods are social-engineering attacks which attack the users, and technical attacks which target Web code.”
The FBI offered several examples of techniques used by attackers. In one instance, a malicious actor used stolen credentials to bypass a bank’s two-factor authentication system.
“When reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account,” the FBI said. “This allowed him to bypass the PIN and security-question pages and initiate wire transfers from the victims’ accounts.”
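The flaw the FBI describes is a "recognized device" decision that trusts a value the browser supplies. The following is an added illustration (not code from the FBI notification, ZDNet, or any bank): a step-up check that reads the flag from the URL, beside one bound to a server-issued HMAC token. The function names, cookie keys and secret are hypothetical.

```python
"""Added example: client-asserted vs. server-issued 'recognized device' state."""
import hashlib
import hmac
import secrets

# Hypothetical server-side key; in production it lives in a key store, never in code.
SERVER_SECRET = b"constructed-example-secret"


def needs_step_up_vulnerable(query: dict) -> bool:
    """Weak pattern: whether the device is 'recognized' is decided by a value the
    client sends, so editing the URL skips the PIN and security-question pages."""
    return query.get("recognized_device") != "1"


def device_token(user_id: str, device_id: str) -> str:
    """HMAC over (user, device) with the server-held key. Only the server can mint it."""
    return hmac.new(SERVER_SECRET, f"{user_id}:{device_id}".encode(), hashlib.sha256).hexdigest()


def register_device(user_id: str) -> dict:
    """Called only after the PIN/security-question step succeeds. Returns the cookies
    the server sets so the device can be recognized on later logins."""
    device_id = secrets.token_urlsafe(16)
    return {"device_id": device_id, "device_token": device_token(user_id, device_id)}


def needs_step_up_hardened(user_id: str, cookies: dict) -> bool:
    """Hardened pattern: URL parameters are ignored. Recognition requires a token the
    server issued for this user and device, checked in constant time. A token minted
    for another user, a forged token, or a missing one all force the step-up."""
    device_id = cookies.get("device_id", "")
    presented = cookies.get("device_token", "")
    expected = device_token(user_id, device_id)
    return not hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print("vulnerable, edited URL:", needs_step_up_vulnerable({"recognized_device": "1"}))
    trusted = register_device("alice")
    print("hardened, issued token:", needs_step_up_hardened("alice", trusted))
    print("hardened, edited URL only:", needs_step_up_hardened("alice", {"recognized_device": "1"}))
```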
Using SIM cards
The FBI has also observed SIM-swapping tactics. In this technique, an attacker who has obtained a victim's phone number dupes a carrier’s customer service representative into providing the additional information needed to execute the swap.
“Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned,” the FBI said. “The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile-payment application.”
The FBI stressed in its advisory, however, that multi-factor authentication “continues to be a strong and effective security measure to protect online accounts as long as users take precautions to ensure they do not fall victim to these attacks.”
Microsoft has published a resource detailing different MFA solutions and comparing how well each protects against MFA-bypass attacks. ZDNet notes that the solutions listed at the bottom of the table on that page are the most effective.