The Federal Bureau of Investigation recently notified cybersecurity companies about attacks that could defeat multifactor authentication systems protecting sensitive online personal and financial data, systems usually considered much stronger than two-factor authentication combinations such as user names and passwords.
The FBI last month quietly sent a so-called private-industry notification (PIN)—a warning or advisory not meant for widespread distribution on the Internet—to security firms and related organizations about fraudsters using social-engineering techniques to defeat multifactor security. Multifactor authentication systems ask a user, for example, a bank-account holder, to provide something he or she knows (such as a password), something he or she has (such as a trusted device), and something he or she is (such as a fingerprint or other biometric).
“The FBI has observed cyber actors circumventing multi-factor authentication through common social-engineering and technical attacks,” says the PIN, which has now appeared on some security sites. The fraudsters’ aim often is to obtain one-time passcodes to access protected accounts. “The primary methods are social-engineering attacks which attack the users, and technical attacks which target Web code.”
The notice gives several examples. In one, a cyberattacker using stolen credentials was able to get by a bank’s two-factor authentication system. Then, “when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security-question pages and initiate wire transfers from the victims’ accounts.”
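The first example in the notice turns on a design flaw rather than a cryptographic one: the site let a value under the client's control decide whether the PIN and security-question step was shown. The following Python illustration is an added example, not code from the FBI notice or from any bank named in it, and every name in it (the `trusted_device` query parameter, the device registry, the cookie layout) is an assumption made for the sake of the demonstration. It shows the weak pattern next to a hardened one in which "recognized device" is a server-side fact backed by an HMAC-signed token that the server itself issued after a complete, successful authentication.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: in a real deployment the key comes from a
# secrets manager and the registry from a database, not module globals.
SERVER_KEY = secrets.token_bytes(32)
DEVICE_REGISTRY = {}  # account_id -> set of device ids the server has enrolled


def vulnerable_needs_second_factor(query_params):
    """Weak pattern: a client-supplied flag decides whether the PIN /
    security-question page is shown. Anyone who can edit the URL can
    claim to be on a recognized device and skip the step entirely."""
    return query_params.get("trusted_device") != "1"


def issue_device_token(account_id):
    """Called only after the user has completed *every* authentication
    step once. Enrolls a fresh device id server-side and hands back a
    signed token for the client to store (e.g. as a cookie)."""
    device_id = secrets.token_hex(16)
    DEVICE_REGISTRY.setdefault(account_id, set()).add(device_id)
    mac = hmac.new(SERVER_KEY, f"{account_id}:{device_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{account_id}:{device_id}:{mac}"


def hardened_needs_second_factor(account_id, query_params, device_token):
    """Hardened pattern: query parameters are ignored entirely. The step is
    skipped only if the client presents a token that (1) carries a valid
    server MAC, (2) is bound to the account currently logging in, and
    (3) names a device the server has actually enrolled for that account.
    Any failure falls back to requiring the second step."""
    del query_params  # deliberately unused: nothing in the URL is trusted
    if not device_token:
        return True
    parts = device_token.split(":")
    if len(parts) != 3:
        return True
    token_account, device_id, mac = parts
    expected = hmac.new(SERVER_KEY, f"{token_account}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return True
    if token_account != account_id:
        return True  # a token minted for one account does not cover another
    if device_id not in DEVICE_REGISTRY.get(account_id, set()):
        return True  # unknown, revoked, or never-enrolled device
    return False


if __name__ == "__main__":
    forged = {"trusted_device": "1"}  # constructed: what a manipulated URL carries
    print("vulnerable, forged flag ->", vulnerable_needs_second_factor(forged))
    print("hardened, forged flag, no token ->",
          hardened_needs_second_factor("acct-1", forged, None))
    token = issue_device_token("acct-1")
    print("hardened, enrolled token ->",
          hardened_needs_second_factor("acct-1", {}, token))
```

The design point is that the server's decision to skip a step must rest on state the server created and can verify, never on a value the browser sends back unmodified. Revoking a device is then a server-side deletion from the registry, and a token copied to another account or altered in transit simply falls back to the full flow.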
Another example warns of so-called SIM swapping, in which a fraudster with stolen phone numbers targeted a bank by first tricking customer-service representatives at phone companies into providing additional needed information to complete the swap. “Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned,” the notice says. “The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile-payment application.”
The notification says complaints the FBI has received directly and through its Internet Crime Complaint Center identify SIM swapping as a common method used by fraudsters in 2018 and 2019 to bypass two-factor authentication. “Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed,” the notice says. “Many of these attacks rely on socially engineering customer-service representatives for major phone companies, who give information to the attackers.”
The warning also points out how cybersecurity experts at two recent conferences demonstrated technical attacks that could defeat multifactor authentication, some in concert with phishing schemes.
Still, the FBI recommends continued use of multifactor authentication, adding that companies should educate customers, employees, and other users about social-engineering schemes designed to obtain credentials. They also should consider using stronger biometric or behavioral-authentication systems, even if it means some user inconvenience, the notice says.
“Multifactor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks,” the FBI said.