FBI: Cybercriminals Are Bypassing Multifactor AuthenticationThreat Actors Using Social Engineering, Other Technical Techniques to Circumvent MFA Protections
The FBI is warning banks, businesses and other organizations that cybercriminals are using social engineering and other technical techniques to circumvent multifactor authentication security protections.
In a Private Industry Notification issued in September, which Forbes first reported, the FBI notes that cybercriminals and other threat actors are now taking advantage of inherent flaws in multifactor authentication to bypass the security filters in order to take over accounts or steal additional credentials.
In one form of multifactor authentication, a user enters credentials into a system or device and then receives a one-time password to help verify their identity. Now, however, it appears that threat actors and cybercriminals have found new ways to circumvent this type of protection, the FBI warning notes.
"FBI reporting identified several methods cyber actors use to circumvent popular multifactor authentication techniques in order to obtain the one-time passcode and access protected accounts," according to the September warning. "The primary methods are social engineering attacks, which attack the users, and technical attacks, which target web code."
The FBI is urging organizations to use more sophisticated techniques, such as biometrics or behavioral authentication methods, which include geolocation data or an IP address, to help verify a user's identity even through these are much more inconvenient for customers or employees.
An FBI spokesperson could not be reached for comment Wednesday.
Manipulating Secondary Tokens
Multifactor authentication has been widely used by U.S. banks, government agencies and others for authenticating an individual's identity.
The FBI, however, notes that cybercriminals are manipulating the secondary token feature though tactics such as SIM-swapping and man-in-the middle-attacks to circumvent the security filters that come with multifactor authentication technologies.
"Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed … SIM swapping as a common tactic from cybercriminals seeking to circumvent two-factor authentication," the FBI notes.
SIM-swapping involves taking a victim's phone number and porting it to another SIM card that is then under the control of the attackers, who can receive one-time passwords. A man-in-the-middle attack occurs when a third party intercept and alters the communication between the customer and the service provider or the employee and the business service that they are trying to access.
The FBI warning notes that in a case in 2016, an attacker took advantage of customer services representatives of one bank who were willing to give out customer information. From there, the attacker completed a SIM-swapping attack and started to have money transferred to different accounts.
In another case from this year, the FBI notes, cybercriminals took advantage of flaws in a bank's website to inject code that helped bypass two-factor authentication protections.
"The cyberattacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account," the FBI warns. "This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims' accounts."
Reliance on MFA
The FBI warning comes at a time when the use of multifactor authentication is on rise.
A recent study conducted by security firm LastPass, and recently shared with Bleeping Computer, found that nearly 57 percent of businesses worldwide use multifactor authentication.
In another study published in July, Microsoft claimed that multifactor authentication can block "99.9" percent of attacks. The issue, the company says, is that only about 10 percent of enterprises’ employees use the technique to help verify their accounts.
*Any* MFA correlates to a >99.9% reduction in compromise, and with <10% MFA coverage hackers don’t usually bother breaking it. So turn it on! But creeps going after high value assets can & do break MFA - fight back with “verifier impersonation resistant” creds. Hope you enjoy. https://t.co/9opXnOrVMy— Alex Weinert (@Alex_T_Weinert) October 3, 2019
The Microsoft study points out that the problem is essentially with the user's passwords, which the threat actors can easily manipulate using methods such as phishing, malware sniffing and network among other mechanisms. Instead of replacing the existing authentication system, the study argues the best approach is to strengthen existing multifactor authentication systems with cryptographically strong credentials.
Still, security experts believe that older techniques of verifying identity are starting to wear down as cybercriminals adopt new techniques such as machine learning to bypass these protections. A recent Congressional hearing highlighted how the criminal underground is adopting faster than businesses and other organization can keep up (see: Congress Hears Ideas for Battling ID Theft).
One issue with multifactor authentication is that many users share personal data across social media platforms, giving cybercriminals an opening to figure out how to break knowledge-based authentication, says Shahrokh Shahidzadeh, the CEO of security vendor Acceptto.
The way around this is to continually ask for updates and verification during a session to ensure that the user is authentic, Shahidzadeh says. While inconvenient, it's a way to ensure proper identity, he says.
"Companies and end users that are relying solely on binary authentication tactics, such as two-factor authentication or MFA, need to understand that these solutions are static and stored somewhere, waiting to be compromised time and time again," Shahidzadeh tells Information Security Media Group. "The best way to avoid a syndicated cyberattack or breach is to assume all credentials, even those yet to be created, have been compromised."