FBI Warns That Social Engineering Techniques Could Help Bypass Multi-Factor Authentication

A while ago, we talked about how useful Two-Factor Authentication and Multi-Factor Authentication systems can be and how they can help users protect their accounts from hackers. However, over time, cybersecurity specialists have shown that no system is invincible and that any security measure can be bypassed if attackers have the means, funds, and determination to do so. The latest proof came in an FBI announcement, which describes attacks on Multi-Factor Authentication systems that the FBI has observed and warns against depending on extra security layers too blindly. Does this mean that using Multi-Factor Authentication or setting up strong passwords is a waste of your time? You can find the answers to these questions further in this blog post. In the rest of this article, we also talk about how hackers bypass Multi-Factor Authentication and how often such attacks happen.

How can hackers bypass Multi-Factor Authentication?

According to the FBI warning, hackers bypass Multi-Factor Authentication with the help of common social engineering techniques and technical attacks. The announcement specifically warned about SIM swapping, weaknesses of websites that handle Multi-Factor Authentication, and hacking tools, such as Muraena and NecroBrowser.

SIM swapping, also known as a port-out scam, is an attack in which fraudsters target a vulnerability in a verification system that requires a security code received via a mobile phone. To carry out such an attack, cybercriminals have to port a targeted victim’s telephone number to a device belonging to them. Most telephone companies provide such a service to users who lose their SIM cards and want to keep their old telephone numbers. Thus, to successfully carry out a SIM swapping attack, hackers have to learn enough about the targeted victim to impersonate them and convince the victim’s telephone provider to transfer the phone number onto a new SIM card. Keep in mind that if cybercriminals succeed, the user’s original SIM card should be blocked. Thus, if you ever notice that your SIM card no longer works, you should contact your phone company as fast as possible and check whether someone might have illegally swapped your SIM card.

Next, we have hacking tools called Muraena and NecroBrowser. They were introduced at the Hack-in-the-Box conference that took place in Amsterdam, June 2019. The tools were created for automated phishing attacks that could bypass Two-Factor Authentication. In such attacks, the tools create a copy of a website through which the targeted account can be accessed. The difference between traditional phishing websites and fake sites created with the help of Muraena and NecroBrowser is that the latter can request verification codes from the original sites. Thus, a user trying to log in through the fake website would receive a verification code from the legitimate site. Once such a code is entered, hackers can not only use it to log into the targeted account, but also obtain session cookies or session tokens that they can use for future logins.
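A defender's view of the session-token reuse described above, as an added example that is not part of the original article: it scans constructed authentication log lines and flags any session used by a client (IP address and user agent) other than the one that completed the verification step. The log format, field names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample events (not real logs): time, session id, event, source IP, user agent.
SAMPLE_LOG = """\
2019-12-09T10:00:01Z sess=a1f3 event=mfa_success ip=198.51.100.7 ua=Firefox/70
2019-12-09T10:00:09Z sess=a1f3 event=request ip=198.51.100.7 ua=Firefox/70
2019-12-09T10:02:30Z sess=b7c2 event=mfa_success ip=203.0.113.20 ua=Chrome/78
2019-12-09T10:02:41Z sess=b7c2 event=request ip=203.0.113.20 ua=Chrome/78
2019-12-09T11:15:00Z sess=b7c2 event=request ip=192.0.2.99 ua=HeadlessChrome/78
2019-12-09T11:20:00Z sess=c9d4 event=request ip=192.0.2.50 ua=Chrome/78
"""

@dataclass(frozen=True)
class Event:
    time: str
    session: str
    kind: str
    ip: str
    ua: str

def parse_line(line):
    """Parse 'time key=value ...' into an Event; raise ValueError if malformed."""
    time, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    try:
        return Event(time, fields["sess"], fields["event"], fields["ip"], fields["ua"])
    except KeyError as missing:
        raise ValueError(f"missing field {missing} in: {line!r}")

def find_replayed_sessions(log_text):
    """Return (session, reason, event) for every use that does not match the MFA client."""
    bound = {}      # session id -> (ip, ua) recorded when MFA succeeded
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        client = (ev.ip, ev.ua)
        if ev.kind == "mfa_success":
            bound[ev.session] = client
        elif ev.session not in bound:
            alerts.append((ev.session, "no_mfa_on_record", ev))
        elif bound[ev.session] != client:
            alerts.append((ev.session, "client_changed", ev))
    return alerts

if __name__ == "__main__":
    for session, reason, ev in find_replayed_sessions(SAMPLE_LOG):
        print(f"{ev.time} session {session}: {reason} from {ev.ip} ({ev.ua})")
```

Binding on IP address and user agent raises false positives for users who roam between networks and misses a replay sent from the same host that relayed the login, so a hit is best treated as a trigger for re-authentication rather than proof of compromise.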

How often do hackers bypass Multi-Factor Authentication?

If you are following cybersecurity news, you may have noticed that researchers report new attacks on Multi-Factor Authentication systems from time to time. You may have also read that there is no statistical information on such attacks as they rarely happen. There are a couple of reasons for this. Firstly, despite cybersecurity experts’ recommendations to use Multi-Factor Authentication, there are still a lot of users who do not bother enabling it. This means that cybercriminals do not have to attack accounts that are protected with such security measures, as there are plenty of less protected targets. Secondly, hacking into an account with Multi-Factor Authentication is not as easy as hacking an account protected only by a password. Such attacks require more time, money, and more advanced hacking tools. In other words, while attacking a company’s account that is heavily protected might be more rewarding, many hackers find it easier and more profitable to prey on weaker targets.

Is it still advisable to use Multi-Factor Authentication?

In short, the answer is absolutely yes. Even though Multi-Factor Authentication might fail to protect accounts sometimes, it is still your best shot at protecting yourself online. As mentioned earlier, such attacks rarely happen as many cybercriminals choose more accessible targets. Naturally, if more users start using Multi-Factor Authentication, hackers may have no other choice but to attack accounts protected with it in the future. However, for now, the extra security layers of Multi-Factor Authentication can protect against traditional phishing attacks and other attacks that were designed for accounts protected only by a password.

Is using a strong password necessary if you enable Multi-Factor Authentication?

Lastly, you may wonder if there is any point in using a strong password if you enable Multi-Factor Authentication. Again, the answer would be yes. When it comes to protecting personal information, your banking account, or anything else sensitive that hackers could find on your accounts, you should take advantage of every security measure that you can employ. Besides, there are still websites, platforms, and applications that do not provide Multi-Factor Authentication. In such cases, the security of your accounts might depend on the password you set up.

No doubt, the easiest way to create strong passwords and ensure that you will never forget them is to employ a password manager. To make sure that your login credentials are protected too, we recommend using a dedicated password manager and not integrated features that come with browsers. If you want a tool that can ensure security and provide many useful features free of charge, we suggest trying Cyclonis Password Manager. It works on all major operating systems. Also, it can generate strong passcodes and remember them for you as well as log you into your accounts automatically. To learn about all of the features it can offer, you should continue reading here.

All in all, even if Multi-Factor Authentication can be bypassed, it still appears to be the best way to protect one’s accounts. Of course, there are lots of Multi-Factor Authentication options, and some are safer than others. Thus, if you are able to choose, you should research all available options and pick the one considered to be the strongest. Also, instead of blindly depending on extra security layers, you should never let your guard down: watch out for phishing websites and make sure that hackers cannot easily swap your SIM card. Plus, it never hurts to stay on top of cybersecurity news and learn how to avoid becoming a victim of the latest scams.

December 9, 2019
