The US Federal Bureau of Investigation (FBI) has sent last month a security advisory to private industry partners about the rising threat of attacks against organizations and their employees that can bypass multi-factor authentication (MFA) solutions.
"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN) sent out on September 17.
Past incidents of MFA bypasses
While nowadays there are multiple ways of bypassing MFA protections, the FBI alert specifically warned about SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies like Muraen and NecroBrowser.
To get the point across, the FBI listed recent incidents where hackers had used these techniques to bypass MFA and steal money from companies and regular users alike. We cite from the report:
- In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned-an attack called SIM swapping. The attacker called the phone companies' customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers' phone numbers, he called the bank to request a wire transfer from the victims' accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims' credit card numbers to a mobile payment application.
- Over the course of 2018 and 2019, the FBI's Internet Crime Complaint Center and FBI victim complaints observed the above attack-SIM swapping-as a common tactic from cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
- In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank's website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims' accounts.
- In February 2019 a cyber security expert at the RSA Conference in San Francisco, demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.
- At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools - Muraena and NecroBrowser - which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.
MFA is still effective
The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.
Instead, the FBI wants users of MFA solutions to be aware that cyber-criminals now have ways around such account protections.
"Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks," the FBI said.
MFA attacks are rare
Despite the rise in the number of incidents and attack tools capable of bypassing MFA, these attacks are still incredibly rare and have not been automated at scale. Last week, Microsoft said that attacks that can bypass MFA are so out of the ordinary, that they don't even have statistics on them.
In contrast, the OS maker said that when enabled, MFA helped users block 99.9% of all account hacks.
Back in May, Google also said a similar thing, claiming that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based MFA) improved their account security.
"Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation," Google said at the time.
All in all, MFA is still very effective at preventing most mass and automated attacks; however, users should be aware that there are ways to bypass some MFA solutions, such as those relying on SMS-based verifications.
Instead, users should choose a stronger MFA solution that is not vulnerable to social engineering tricks like SIM swapping, or transparent proxies that can intercept the MFA token.
On this page, a Microsoft security engineer analyzed how various MFA solutions fare against MFA-bypass attacks. The solutions listed at the bottom of the table are the strongest.