Multi-factor authentication bypasses increasing, but you should still use it


For years, cyberattacks have been increasing in frequency, scope and sophistication. From multibillion-dollar disasters crossing international borders to run-of-the-mill ransomware, enterprises have to be more vigilant than ever to protect their data and their bank accounts from malicious actors. One of the primary lines of defense? Multi-factor authentication (or MFA for short). Going beyond a password alone, multi-factor authentication requires a second confirmation of identity before granting access — things like a code texted to your mobile phone, an RSA hardware token, authenticator apps that generate one-time codes paired to your account, and hard-to-crack hardware keys such as Sesame. Unfortunately, and somewhat predictably, motivated hackers have devised clever tactics to bypass certain MFA protections. To that end, here’s what to look out for, and why you should still be using MFA (although, perhaps, a stronger form of it).

Multi-factor authentication bypasses

“The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17.

What does that mean? Well, first off, it confirms what we’ve known in the cybersecurity space for years — the weakest part of every security system is people. Social engineering is when a threat actor uses tactics or ploys on gatekeepers to elicit the information needed to bypass whatever security has been set up. For example, if you have too much personal information out on social media, hackers may be able to pull your address, birthday, parents’ names, etc. So, when they call the bank to reset your password, they have all the secondary information they need to impersonate you. If the customer service rep at your bank isn’t on their game, then your security could be irrevocably breached.

Considering multi-factor authentication is designed to thwart that, hackers have had to get creative with how to impersonate you twice. So while they may be able to use social engineering to get a password reset, if they don’t have your mobile phone, they can’t get the text message necessary to unlock the account, can they?

Turns out they can. Hackers can use social engineering on the phone company too, to swap which SIM card your number is associated with, so your MFA texts them instead of you. Or if they have physical access to your phone, they can swap SIM cards with you for this exact purpose.

Now, both of those are pretty rare in the grand scope of breaches, but they are worth noting because the number of incidents is rising.

MFA still a necessity

All that said, MFA is still your best bet for keeping important data secure. The question, rather, is which type of MFA gives you the most security. Hardware keys like YubiKey or Sesame are slightly less convenient, but nearly unhackable. The FBI was clear that MFA is still largely secure and that you should be using it — but maybe choose a more secure option than SMS-based authentication (from ZDNet):

The FBI made it very clear that its alert should be taken only as a precaution, and not an attack on the efficiency of MFA, which the agency still recommends. The FBI still recommends that companies use MFA.

Instead, the FBI wants users of MFA solutions to be aware that cyber-criminals now have ways around such account protections.

“Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks,” the FBI said.