FBI Warns of MFA Vulnerabilities

In September the FBI’s Cyber Division released a Private Industry Notice (PIN 20190917-001) warning that it was observing attacks that circumvent some widely used multi-factor authentication (MFA) technologies. Specifically, it called out attacks on PINs, security questions, and mobile one-time passcodes (OTPs) that use various techniques, including SIM swapping, man-in-the-middle (MITM), URL manipulation, and specialized browsers built to support advanced phishing techniques.

Although these attacks are troublesome, the FBI made it clear that MFA remains a strong and effective security measure, but warned recipients to take precautions. Its mitigation suggestions were by the book, including end-user training and deploying more complex MFA and behavioral tools. These are a start, but they really don’t solve the problem.

When you dig down to the root cause, the attacks are really targeting the authentication and identity processes. User journeys such as logins, contact information updates, device registrations, and app installations are the conduits used to gain entry. The advice to add more advanced MFA and behavioral authentication continues a cat-and-mouse game, since any authenticator is going to be vulnerable at some level over time. MFA definitely adds friction that dissuades the casual attacker, but a determined one can bypass nearly any technology using techniques that target processes and the users themselves.

Biometrics and behavioral authentication are vulnerable to hardware/software failures, insecure fallback procedures, social engineering, shoulder surfing, and device theft. In addition, if an attacker uses a new device, biometric and behavioral tools are unusable, as they are generally tied to specific user devices.

Understanding context, such as the authentication technology used, user activities, behavioral anomalies, resource sensitivity, and risk, is more important than adding more and more layers of authenticators that add cost and complexity and degrade the user experience. Agility in process modifications, threat detection thresholds, and correlating diverse threat signals is the key to a successful mitigation strategy.

Transmit’s cross-channel, continuous adaptive risk engine monitors activities as they occur and compares them to historical user and device profiles. Anomalies are flagged quickly, and actions can be deployed to mitigate risks in real time, no matter which combination of authentication technologies is used.
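As an added illustration of the signal correlation described above (example code written for this page, not Transmit’s engine or any product code), the following scorer combines the authenticator that satisfied MFA, the sensitivity of the user journey, device history, and a recent contact-information update, and maps the result to allow, step-up, or deny. The weights, thresholds, device names, and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed weights (assumptions): authenticator weakness follows the notice's list of
# bypassed factors; action risk follows the sensitivity of the user journey being attempted.
FACTOR_RISK = {"hardware_key": 0, "app_otp": 1, "pin": 2, "security_question": 3, "sms_otp": 3}
ACTION_RISK = {"login": 0, "view_balance": 1, "update_contact": 2, "register_device": 2, "wire_transfer": 3}
STEP_UP_AT, DENY_AT = 4, 8  # assumed thresholds; tune per deployment

@dataclass
class Profile:
    """Historical user/device context that new activity is compared against."""
    known_devices: frozenset
    phone_changed_at: Optional[datetime] = None        # last contact-info update
    device_registered_at: Optional[datetime] = None    # last device registration
@dataclass
class Event:
    device_id: str
    factor: str   # authenticator that satisfied MFA
    action: str   # user journey being attempted
    at: datetime

def score(event: Event, profile: Profile) -> tuple:
    """Correlate the event's signals against the profile; return (risk, reasons)."""
    risk = FACTOR_RISK[event.factor] + ACTION_RISK[event.action]
    reasons = []
    if event.device_id not in profile.known_devices:
        risk, reasons = risk + 3, reasons + ["unknown device"]
    # SIM-swap pattern: SMS OTP accepted shortly after the phone number on file changed.
    if (event.factor == "sms_otp" and profile.phone_changed_at
            and event.at - profile.phone_changed_at < timedelta(hours=48)):
        risk, reasons = risk + 4, reasons + ["SMS OTP within 48h of phone number change"]
    # A device registered moments ago is now driving a sensitive action.
    if (profile.device_registered_at and ACTION_RISK[event.action] >= 2
            and event.at - profile.device_registered_at < timedelta(hours=24)):
        risk, reasons = risk + 2, reasons + ["sensitive action from device registered <24h ago"]
    return risk, reasons

def decide(event: Event, profile: Profile) -> str:
    """Map correlated risk to an outcome: allow, step_up (stronger or out-of-band factor), or deny."""
    risk, _ = score(event, profile)
    return "deny" if risk >= DENY_AT else "step_up" if risk >= STEP_UP_AT else "allow"

def demo() -> dict:
    """Constructed sample: one user, benign activity versus SIM-swap-like activity."""
    t0 = datetime(2019, 10, 1, 9, 0)
    trusted = Profile(known_devices=frozenset({"laptop-1"}))
    swapped = Profile(known_devices=frozenset({"laptop-1"}), phone_changed_at=t0 - timedelta(hours=2))
    return {"benign": decide(Event("laptop-1", "app_otp", "view_balance", t0), trusted),
            "new_device_wire": decide(Event("phone-9", "app_otp", "wire_transfer", t0), trusted),
            "sim_swap_wire": decide(Event("phone-9", "sms_otp", "wire_transfer", t0), swapped)}
```

The same SMS OTP that passes MFA on a known device is downgraded to a step-up or denial once it is correlated with an unknown device and a phone number changed two hours earlier, which is the kind of process-level signal a single authenticator cannot see.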