FBI Warns Companies of MFA Security Weaknesses


The Federal Bureau of Investigation (FBI) last month alerted private industry that cyber crooks were skirting multi-factor authentication (MFA) through social engineering and technical attacks.

“This data is provided to help cyber security professionals and system integrators guard against the persistent malicious actions of cyber criminals,” the agency said in a Private Industry Notification (PIN) sent out on September 17. In particular, the agency named three threats: SIM swapping, vulnerabilities in online pages handling MFA operations, and transparent proxies such as Muraen and NecroBrowser, ZDNet reported.

The alert is meant as a precaution, the FBI said, and isn’t meant to convey the weaknesses of MFA. The agency recommends businesses use MFA as a firewall against hackers. "Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks," the FBI said, as ZDNet reported.

Two past incidents in which two of the hacking techniques had been used in financial heists were included in the advisory (via ZDNet from the alert):

SIM swapping:

  • In 2016 customers of a U.S. banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned-an attack called SIM swapping. The attacker called the phone companies' customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers' phone numbers, he called the bank to request a wire transfer from the victims' accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed.

Online pages handling MFA:

  • In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank's website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims' accounts.

Despite the warnings, the FBI and cyber experts continue to recommend MFA and 2FA, which are generally more effective than basic username/password security systems.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.