Within the cyber security community, multi-factor authentication (MFA) is generally considered to be one of the safest and most effective ways to secure user accounts and user profiles. But now a special security alert from the Federal Bureau of Investigation (FBI) is alerting private industry partners that multi-factor authentication might not be nearly as effective as once thought. Quite simply, hackers are becoming more and more sophisticated. They are finding new ways to bypass multi-factor authentication using a mix of social engineering and technical hacks, and that should be a wakeup call for IT security leaders everywhere.
Hackers are now bypassing multi-factor authentication
As the FBI points out in its Private Industry Notification (PIN) dated September 17, hackers now have multiple ways of carrying out MFA bypasses. Some of them rely on social engineering tactics, in which hackers convince users to hand over the required information needed for multi-factor authentication. Others are even more fiendishly complex and rely on sophisticated technical hacks. And still others are based on a combination of these two approaches.
The primary concern of the FBI, of course, is that hackers could use any of these multi-factor authentication bypasses to gain access to critical infrastructure or other high-value computer targets. The PIN security advisory, then, is meant to be a “heads up” to private sector partners, letting them know that they should be on high alert for more of these attacks in the future and take relevant security measures to protect users and protect online accounts.
The SIM swapping attack
One of the most popular approaches is an attack known as a “SIM swap.” In this type of SIM swapping attack, a hacker gets access to the personal information of an individual, such as via buying that information on the Dark Web, and then uses that information to contact a phone company in order to re-route phone calls to a new phone (with a new SIM card containing the information of the individual) in possession of the hacker. That way, when the pin code or other information sent via SMS text message is sent to verify an account, the hacker can get access to the multi-factor authentication information. Once someone falls victim to these attacks, it is only a matter of time before the hackers are able to change the username and password combination for an account, and then set about either stealing the identity of an individual or draining a bank account.
The website manipulation attack
Another increasingly popular way to bypass multi-factor authentication, says the FBI, is the website manipulation attack. This is a purely technical attack in which hackers search out weaknesses or gaps in the multi-factor authentication process, and then carry out a version of the “man-in-the-middle” attack. In this form of attack, hackers intercept web traffic and insert themselves in the middle. In such a way, they are able to steal login credentials or multi-factor authentication tokens.
New tools available to hackers are making this easier and easier to pull off. The FBI, for example, specifically cites two new tools – Muraena and NecroBrowser – that should be on the radar of any cyber security consultant. When used together, the tools become even more popular. They can enable hackers to automate phishing attacks and then hijack legitimate authentication sessions.
The social engineering attack
Perhaps the most devious forms of MFA attack, though, involves social engineering. This type of attack relies on users freely giving up the information required by hackers to access a site. Essentially, users are “tricked” into entering the information used as part of any multi-factor authentication scheme. Thus, for example, they might give up the answers to any of the security questions typically required to restore an account. In many ways, social engineering attacks are becoming easier and easier to pull off because users are leaving so much personal data available on the web for anyone to harvest and steal.
Example of multi-factor authentication attacks in action
To prove its point that multi-factor authentication attacks are on the rise, and to help cyber security experts understand how exactly these attacks are being carried out, the FBI provides several different examples of MFA bypass attacks. Some of these attacks – such as a multi-factor authentication bypass attack on a U.S. bank in 2016 – occurred in “the wild” and resulted in significant financial losses (i.e. bank accounts were drained as a result). Others – such as demonstrations at various white hat and black hat hacker events – are more theoretical in nature, and help to illustrate what could happen if hackers decide to get more involved with man-in-the-middle and session hijacking attacks.
The growing scope of MFA bypass attacks
Of course, the FBI is careful to point out that, even with these security vulnerabilities, multi-factor authentication remains a “strong and effective” security measure. The FBI still recommends MFA as the primary approach used by cyber security experts to deter attacks. The point, instead, is to provide a warning to security experts that hackers are continuously innovating, and coming up with new approaches to bypass multi-factor authentication. Private sector partners should take precautions to ensure website security and alert users to take precautions when entering login credentials.
Still, these MFA attacks are quite rare. It is technically possible to pull off, but the task is much harder at scale. To bypass multi-factor authentication on 100 people, for example, a hacker might need 100 different phones with 100 different SIM cards. And, as Microsoft points out, multi-factor authentication techniques are successful in 99.9% of cases. Google, too, says that multi-factor authentication blocks 100% of automated bots, 99% of bulk phishing attempts, and 66% of targeted attacks (i.e. an attack where a hacker knows the specific individual – such as a top CEO – who will become the victim of an MFA bypass attack).
The cat-and-mouse game with hackers
If nothing else, the new FBI security advisory illustrates just how hard it is to keep up with global hackers. As soon as the security community finds a new approach – such as multi-factor authentication – that it considers close to ironclad in its effectiveness, hackers will come up with ways to circumvent or bypass that security layer. It is, indeed, a perpetual cat-and-mouse game between the white hat hackers (aided by law enforcement) and the black hat hackers lurking in the darkest corners of the Dark Web.