  • 6 Mar, 2020

The FBI is warning banks, businesses and other organizations that cybercriminals are using social engineering and other technical techniques to circumvent multifactor authentication security protections.


In a Private Industry Notification issued in September, which Forbes first reported, the FBI notes that cybercriminals and other threat actors are now taking advantage of inherent flaws in multifactor authentication to bypass the security filters in order to take over accounts or steal additional credentials.

In one form of multifactor authentication, a user enters credentials into a system or device and then receives a one-time password to help verify their identity. Now, however, it appears that threat actors and cybercriminals have found new ways to circumvent this type of protection, the FBI warning notes.

"FBI reporting identified several methods cyber actors use to circumvent popular multifactor authentication techniques in order to obtain the one-time passcode and access protected accounts," according to the September warning. "The primary methods are social engineering attacks, which attack the users, and technical attacks, which target web code."

The FBI is urging organizations to use more sophisticated techniques, such as biometrics or behavioral authentication methods, which include geolocation data or an IP address, to help verify a user's identity even though these are much more inconvenient for customers or employees.

An FBI spokesperson could not be reached for comment Wednesday.

Manipulating Secondary Tokens

Multifactor authentication has been widely used by U.S. banks, government agencies and others for authenticating an individual's identity.

The FBI, however, notes that cybercriminals are manipulating the secondary token feature through tactics such as SIM swapping and man-in-the-middle attacks to circumvent the security filters that come with multifactor authentication technologies.

"Over the course of 2018 and 2019, the FBI's Internet Crime Complaint Center and FBI victim complaints observed ... SIM swapping as a common tactic from cybercriminals seeking to circumvent two-factor authentication," the FBI notes.

SIM swapping involves taking a victim's phone number and porting it to another SIM card that is then under the control of the attackers, who can receive one-time passwords. A man-in-the-middle attack occurs when a third party intercepts and alters the communication between the customer and the service provider, or between the employee and the business service they are trying to access.

The FBI warning notes that in a case in 2016, an attacker took advantage of customer service representatives of one bank who were willing to give out customer information. From there, the attacker completed a SIM-swapping attack and started to have money transferred to different accounts.

In another case from this year, the FBI notes, cybercriminals took advantage of flaws in a bank's website to inject code that helped bypass two-factor authentication protections.

"The cyberattacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account," the FBI warns. "This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims' accounts."
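The "recognized computer" bypass described above comes down to a trust decision driven by client-controlled input. As an added illustration (not from the FBI notice and not any bank's code), here is that flawed check next to a hardened one that only honours a server-issued, HMAC-signed device token bound to the account; the account ids, device ids, URL and server key are hypothetical values constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed for the example; in a real deployment this is a managed secret.
SERVER_KEY = secrets.token_bytes(32)


def vulnerable_device_is_trusted(url: str) -> bool:
    """Flawed check: the 'recognized device' flag is read straight from the URL,
    so whoever controls the request controls the outcome."""
    params = parse_qs(urlparse(url).query)
    return params.get("trusted_device", ["0"])[0] == "1"


def issue_device_token(account_id: str, device_id: str) -> str:
    """Server issues this only after the PIN and security-question step succeeded
    on this device. The tag binds the device to the account."""
    msg = f"{account_id}:{device_id}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def hardened_device_is_trusted(account_id: str, cookie_token: Optional[str]) -> bool:
    """Hardened check: ignores URL parameters entirely and verifies the signed
    token the server issued earlier, in constant time."""
    if not cookie_token or "." not in cookie_token:
        return False
    device_id, tag = cookie_token.rsplit(".", 1)
    msg = f"{account_id}:{device_id}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def needs_second_factor(account_id: str, cookie_token: Optional[str]) -> bool:
    """Decision the secondary page should make: fall through to PIN and
    security question unless the server-issued token verifies."""
    return not hardened_device_is_trusted(account_id, cookie_token)
```

A token for one account does not verify for another, and a token with a tampered tag fails, so the only way to skip the second step is to have completed it on that device before.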

Reliance on MFA

The FBI warning comes at a time when the use of multifactor authentication is on the rise.

A recent study conducted by security firm LastPass, and recently shared with Bleeping Computer, found that nearly 57 percent of businesses worldwide use multifactor authentication.

In another study published in July, Microsoft claimed that multifactor authentication can block "99.9" percent of attacks. The issue, the company says, is that only about 10 percent of enterprises' employees use the technique to help verify their accounts.