The FBI recently released a security advisory warning organizations about the rising threat of attacks that bypass multi-factor authentication. "The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks," the FBI wrote in a Private Industry Notification (PIN).
Who Can Be Affected?
Anyone who receives MFA (multi-factor authentication) codes by text message on a cell phone can be affected.
How Does This Attack Work?
The release cited multiple incidents, dating back to 2016, in which MFA was bypassed. These attacks used a technique called SIM swapping: the attacker socially engineers a major cell phone provider into moving your phone number onto the attacker's SIM card instead of yours. From then on, all of your texts and phone calls are delivered to that new SIM card.
Once attackers have performed the SIM swap, they control your telephone number and can complete any text-based two-factor authentication request sent to it.
What Can You Do?
The FBI still recommends the use of MFA as a security precaution but wanted to acknowledge that cybercriminals have found ways around it. "Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks," the FBI said.
Currently, there are only a few mitigations for this type of attack. Make sure your cell phone provider always verifies your identity, with a password of some sort, before changing anything on your account. Test them if you don't trust them! The other sure-fire way to prevent this is to use an MFA application installed on your phone; those codes are not tied to the phone number or SIM card.
Written by:
Buzz Hillestad, SVP - Information Security Consultant - SBS CyberSecurity, LLC
Blake Coe, VP Network Security - SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet monthly to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.