Skip to main content

The FBI Warns That Multifactor Authentication Is Not as Secure as You Think

By October 10, 2019No Comments

(This post originally appeared on Inc.)

No one needs to remind us of how exposed we are to cyberthreats and how serious an issue this is for companies big and small. Over the past few years, most experts have advised us that one of the most reliable ways to prevent these attacks is to implement security software that uses multifactor authentication, or MFA.

You’re probably familiar with MFA already. It’s the process where you try to log into a website with your password but are then required to use an additional form of authentication, usually in the form of a special personal identification number (PIN) sent to your smartphone. Even if a hacker steals your password, it’s unlikely he’ll also have possession of your smartphone, so MFA is really secure, right?

Well, maybe not as much as we think. Last month, the FBI issued a warning to private companies about MFA. According to this ZDNet article by Catalin Cimpanu, the agency said that there is a rising threat of attacks against organizations and their employees that can bypass MFA solutions.

What kinds of threats? There are at least three that are the most popular.

The first is a SIM swap. That’s when the hacker steals enough information online about you that he can call up the phone company with this information, pretend to be you, and persuade them to reroute phone calls to a smartphone that he owns. His phone contains a fresh SIM (subscriber identity module) card that contains your details, which he obtained via additional hacks or purchased on the “dark” web. Once done, he then receives the text messages with the special MFA code and can access those accounts.

The second is through a website manipulation. If a website isn’t designed properly, a smart hacker can figure out how to circumvent the login pages where a PIN is required and arrive directly at an account holder’s details, and then perform transactions.

The third is simply “social engineering,” which is a nice way to describe when hackers fool users like you and me and our employees to give up information that we shouldn’t be. This may be accomplished by surreptitiously navigating us to “phishing” or fake websites where we offer vital information about ourselves or where cookies are downloaded with malicious code that are then used to automate a scam in the future by hijacking our online sessions where passwords and recovery emails are changed.

All of this is awful and annoying, but there’s some good news: Most security experts and even the FBI still recommend using MFA. Why? Because it’s not perfect, but for now it’s pretty darn close.

“Multifactor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks,” the FBI said in the ZDNet report.

Even the big tech giants agree. Microsoft recently said that MFA attacks are “so out of the ordinary, that they don’t even have statistics on them,” and Google’s research shows that “simply adding a recovery phone number to your Google Account can block up to 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks that occurred during our investigation.”

The reason why these threats haven’t caught on so far is because they take too much work to accomplish by the hacker and can’t be automated on a mass scale. Sure, it may be worth it for a big fish, but for most of us there’s more money to be made elsewhere with other less expensive forms of malware like ransomware.

But that’s just for now.

So go ahead and stick with MFA as your go-to security solution for all of your company’s applications, and try to use the strongest tools available (Cimpanu directs readers to this great summary of MFA solutions recommended by Microsoft). But don’t let your guard down. I’m betting, as hackers get smarter and figure out how to automate these attacks, MFA will become more and more susceptible.

Skip to content