The FBI is warning about an attack that
bypasses multi-factor authentication
Recently, the Federal Bureau of Investigation's Cyber
Division sent out a Private Industry Notification (PIN) warning that cyber criminals are
using social engineering and technical attacks to circumvent multi-factor authentication (MFA).
The FBI still recommends that companies use MFA, stating “Multi-factor authentication continues to be a strong and
effective security measure to protect online accounts, as long as users take
precautions to ensure they do not fall victim to these attacks.”
Rather than discouraging MFA, the alert is meant to make sure that MFA users
know that cyber criminals have found some ways to get around multi-factor
authentication, and that there are ways users can protect themselves.
For example, users should choose an MFA method that is not vulnerable to
social engineering tricks such as SIM swapping, or to transparent (man-in-the-middle)
proxies that can relay the one-time code and capture the resulting session cookie.
The FBI's PIN includes several past incidents of MFA bypass:
• In 2016, some customers of a US banking institution were
targeted by a cyber attacker using the SIM swap method. The attacker contacted
the customer service departments of phone companies that bank customers used in
an effort to obtain the information necessary for the criminal to complete the
SIM swap. Some phone company representatives gave out the information and the
attacker was then able to take control over the customers’ phone numbers. The attacker
then called the bank to request a wire transfer from the victims’ accounts to
another account that the criminal owned. The bank, recognizing the phone number
as belonging to the customer, didn’t ask any security questions and requested a
one-time code be sent to the phone number from which the criminal was calling.
The criminal also requested to change PINs and passwords and was able to attach
victims’ credit card numbers to a mobile payment application.
This has been a continuing occurrence, as in 2018 and 2019
the FBI’s Internet Crime Complaint Center continued to see attacks of this
nature happen. Victims of these attacks have their phone numbers stolen, their
bank accounts drained, and their passwords and PINs changed. Many of these
attacks rely on the attackers socially engineering customer service
representatives for major phone companies, who give out the information that
the attackers need.
• In 2019, a US banking institution was targeted by a cybercriminal
who was able to take advantage of a flaw in the bank’s website in order to
circumvent the two-factor authentication implemented to protect accounts. The
attacker logged in with stolen victim credentials and, upon reaching the
secondary page where the customer would typically need to answer security
questions, the attacker entered a manipulated string into the Web URL. This
change allowed him to bypass the PIN and security question pages and to
initiate wire transfers from the victims’ accounts.
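The 2019 bank incident above is a classic step-skipping (forced browsing) flaw: the site trusted the page name supplied in the URL instead of checking, on the server, that the earlier verification steps had actually been passed. The following is an added example, not code from the FBI PIN or from the affected bank, using a hypothetical in-memory login flow (password, then security questions, then PIN, then transfer) with constructed sample data. `handle_vulnerable` dispatches straight on the client-supplied step, so an attacker holding only a stolen password can request the `transfer` step directly; `handle_hardened` records each completed step in the server-side session and refuses any step whose predecessors are not all complete.

```python
import hmac

# Constructed sample account; not real data.
USERS = {"alice": {"password": "correct horse", "answer": "rex", "pin": "4242"}}

# Order the server intends the user to pass through.
STEPS = ["password", "questions", "pin", "transfer"]


class Session:
    """Server-side session state; the client never controls 'completed'."""
    def __init__(self, user):
        self.user = user
        self.completed = set()
        self.transfers = []


def _check_step(session, step, params):
    """Verify the secret that belongs to one step; returns True on success."""
    u = USERS[session.user]
    if step == "password":
        return hmac.compare_digest(params.get("password", ""), u["password"])
    if step == "questions":
        return params.get("answer", "").lower() == u["answer"]
    if step == "pin":
        return hmac.compare_digest(params.get("pin", ""), u["pin"])
    if step == "transfer":
        session.transfers.append(params["amount"])   # the money-moving action
        return True
    return False


def handle_vulnerable(session, step, params):
    """Bug: renders whatever step the URL names (e.g. ?step=transfer) with no
    check that the earlier pages were ever passed."""
    if step not in STEPS:
        return "404"
    return "ok" if _check_step(session, step, params) else "denied"


def handle_hardened(session, step, params):
    """Gate each step on the server-side record of what was already completed."""
    if step not in STEPS:
        return "404"
    required = STEPS[:STEPS.index(step)]
    missing = [p for p in required if p not in session.completed]
    if missing:
        return "redirect:" + missing[0]   # send the user back to the first unfinished step
    if not _check_step(session, step, params):
        return "denied"                   # a failed check never marks the step complete
    session.completed.add(step)
    return "ok"


def demo():
    """Attacker with only a stolen password jumps straight to the transfer page."""
    v = Session("alice")
    handle_vulnerable(v, "password", {"password": "correct horse"})
    vulnerable_result = handle_vulnerable(v, "transfer", {"amount": 5000})
    h = Session("alice")
    handle_hardened(h, "password", {"password": "correct horse"})
    hardened_result = handle_hardened(h, "transfer", {"amount": 5000})
    return vulnerable_result, hardened_result, len(v.transfers), len(h.transfers)


if __name__ == "__main__":
    print(demo())
```

The fix is not a better URL scheme; it is that the only record of progress lives in server-side session state, and that state is only advanced by a successful check.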
The FBI PIN also describes some demonstrated MFA bypass techniques:
• At the RSA Conference in San Francisco that was held in
February 2019, a cyber security expert demonstrated a large variety of schemes
and attacks that cybercriminals could use to circumvent multi-factor
authentication. The expert presented real-time examples of how attackers could
use man-in-the-middle attacks and session hijacking in order to intercept the
traffic between a user and a website to conduct these attacks and maintain
access for as long as possible.
• The PIN also references the June 2019 Hack-in-the-Box
conference in Amsterdam, where security researchers demonstrated a
pair of tools, Muraena and NecroBrowser, that work in tandem to automate
phishing against users of multi-factor authentication. Muraena is a transparent
reverse proxy: it sits between the user and the real website the user is logging
in to, relays the login, including the one-time code, and captures the credentials
and the session cookie once authentication succeeds. NecroBrowser then loads that
stolen session into a headless browser and automates the post-login actions. With
this, the cyber criminal can take over the account, change the password and
recovery e-mail address, and make it harder for the user to regain access.
Even though attackers have found ways to bypass MFA, attacks of this nature are rare.
Microsoft has stated that attacks that bypass MFA are so out of the ordinary that
it does not even keep statistics on them. In fact, Microsoft states that enabling
MFA blocks 99.9% of all automated account compromise attacks.
Google echoes a similar statement, reporting that users who
added a recovery phone number to their accounts, which also lets Google fall back
on SMS-based verification, greatly improved their account security: “Our research shows that simply adding a recovery
phone number to your Google Account can block up to 100% of automated bots, 99%
of bulk phishing attacks, and 66% of targeted attacks that occurred during our
It is safe to say that MFA is still a very effective preventive measure that
keeps out most mass and automated attacks. However, users should also be aware
that some MFA methods can be bypassed.
Therefore, it is important to choose stronger MFA methods (such as a YubiKey or
equivalent hardware security key, or a platform authenticator unlocked by
biometrics) that are not vulnerable to social engineering tricks like SIM swapping,
or to transparent proxies that relay the one-time code and capture the session cookie.
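Why does a hardware key resist the Muraena-style proxy described above when an SMS or app code does not? A one-time code is just a string; the server cannot tell whether the user typed it into the real site or into a lookalike page that forwards it. A WebAuthn-style authenticator instead signs over the origin the browser is actually on, and the real site rejects any assertion whose origin is not its own. The following is an added example, not code from the page, the FBI PIN, or the Muraena project: it models both factors with the Python standard library, using constructed origins (`https://bank.example` and a hypothetical lookalike) and an HMAC with a shared key as a stand-in for the authenticator's real public-key signature.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"        # assumed real site
PHISH_ORIGIN = "https://bank-example.net"   # assumed lookalike served by the proxy


# --- Factor type 1: a one-time code (SMS/app). Valid wherever it is typed. ---
class OtpServer:
    def __init__(self):
        self.seed = secrets.token_bytes(32)
        self.counter = 0

    def _code(self):
        return hmac.new(self.seed, str(self.counter).encode(), hashlib.sha256).hexdigest()[:6]

    def issue(self):
        self.counter += 1
        return self._code()              # delivered to the user's phone

    def verify(self, code):
        return hmac.compare_digest(code, self._code())


def otp_relay_succeeds():
    """Victim types the code into the phishing page; the proxy forwards it unchanged."""
    server = OtpServer()
    code_on_victims_phone = server.issue()
    typed_into_phish_page = code_on_victims_phone
    forwarded_by_proxy = typed_into_phish_page   # nothing in the code says where it was typed
    return server.verify(forwarded_by_proxy)     # True: the relay is invisible to the server


# --- Factor type 2: an origin-bound authenticator (WebAuthn-style). ---
# The browser, not the user, reports the origin it is really on, and the
# authenticator's signature covers it. HMAC with a key shared at enrolment
# stands in for the real private-key signature (assumption for this example).
class Authenticator:
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def assert_login(self, challenge, browser_origin):
        client_data = json.dumps(
            {"challenge": challenge, "origin": browser_origin}, sort_keys=True).encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, origin, authenticator):
        self.origin = origin
        self.key = authenticator.key       # registered when the key was enrolled
        self.pending = set()

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def verify(self, client_data, signature):
        data = json.loads(client_data)
        if data.get("origin") != self.origin:           # the check the proxy cannot satisfy
            return False
        if data.get("challenge") not in self.pending:   # unknown or already-used challenge
            return False
        self.pending.discard(data["challenge"])
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def webauthn_relay_succeeds():
    """Same proxy, but the victim's browser is on PHISH_ORIGIN and says so."""
    auth = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, auth)
    challenge = rp.new_challenge()                                  # proxy fetches it from the real site
    client_data, sig = auth.assert_login(challenge, PHISH_ORIGIN)   # browser reports its real origin
    return rp.verify(client_data, sig)                              # False: origin mismatch


def webauthn_origin_rewrite_succeeds():
    """Proxy edits the origin field to the real one before forwarding."""
    auth = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, auth)
    challenge = rp.new_challenge()
    client_data, sig = auth.assert_login(challenge, PHISH_ORIGIN)
    forged = client_data.replace(PHISH_ORIGIN.encode(), REAL_ORIGIN.encode())
    return rp.verify(forged, sig)                                   # False: signature no longer matches


def webauthn_direct_succeeds():
    """Legitimate login straight to the real site; a captured assertion is single-use."""
    auth = Authenticator()
    rp = RelyingParty(REAL_ORIGIN, auth)
    challenge = rp.new_challenge()
    client_data, sig = auth.assert_login(challenge, REAL_ORIGIN)
    return rp.verify(client_data, sig), rp.verify(client_data, sig)   # (True, False)


if __name__ == "__main__":
    print(otp_relay_succeeds(), webauthn_relay_succeeds(),
          webauthn_origin_rewrite_succeeds(), webauthn_direct_succeeds())
```

The proxy can still capture the session cookie after a successful origin-bound login only if the login itself succeeds, which is exactly what the origin check prevents; this is the property that makes a security key a stronger choice than a code that is relayed by hand.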
If we can be of help with your network or computer, give us a call here at
RHYNO Networks. (855) 749-6648
RHYNO Networks was designed to meet the needs of the IT marketplace. Specifically, to offer businesses skilled, timely IT services in order for them to focus on their business. We’re dedicated to the principles of Reliability, Innovation and Customer Service.