FBI urges businesses to use biometric factors to mitigate multi-factor authentication risk
The FBI recently released a Private Industry Notice telling businesses to adopt biometric factors in order to protect against risks associated with multi-factor authentication. Multi-factor authentication has become one of the most popular and trusted trends in cybersecurity.
In July, Microsoft's group program manager for identity security and protection Alex Weinert said accounts using multi-factor authentication were "more than 99.9% less likely to be compromised." Google made similar claims about multi-factor authentication in a blog post in May.
But the FBI's Cyber Task Force said in their four-page report that there have been instances since 2016 where hackers got around multi-factor authentication systems.
"The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks. Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks," the FBI press release said. "FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts. The primary methods are social engineering attacks which attack the users and technical attacks which target web code."
SEE: How to set up two-factor authentication for your favorite platforms and services (free PDF) (TechRepublic Premium)
The FBI listed a situation this year, which involved a bank that was hacked by someone able to bypass the secondary security measure. After logging in with stolen credentials and presented with a second page asking for a PIN, the cybercriminal was able to enter "a manipulated string" into the web url and gain access. From there, the cybercriminal initiated wire transfers directly from the person's account.
They also highlighted a trend called "SIM-swapping," which started to gain prominence in 2016 and has grown in the past few years. With SIM-swapping, cybercriminals steal phone numbers and drain bank accounts while changing passwords and PIN numbers.
"The attacker called the phone companies' customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers' phone numbers, he called the bank to request a wire transfer from the victims' accounts to another account he owned," the FBI report explained. "The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling."
The report added that hackers have also used man-in-the-middle attacks , and session hijacking to get around multi-factor authentication systems.
Two conferences in the last year have included presentations that showed a number of different tools sophisticated cybercriminals could use to circumvent security systems.
"Biometrics should not be an afterthought in a comprehensive Identity Access Management (IAM) strategy," said Mike DePasquale, CEO of biometric authentication security company BIO-key. "It should be a core design factor in an IAM platform, for end-user authentication, provisioning, and governance. BIO-key offers our customers a comprehensive set of biometric authentication options, both on-device and on-server, to meet the real needs of business users."
The FBI Cyber Task Force suggested businesses should put more work into educating their employees in the typical tricks cybercriminals use to infiltrate systems. Employees should be able to spot dubious websites or clearly dangerous links in fake emails.
According to the FBI, enterprises should also look into more sophisticated kinds of multi-factor authentication systems involving biometrics or behavioral authentication methods
"The FBI's report and recommendation is so powerful because it comes from their unique vantage point from the front lines, fighting cybercrime and investigating real breaches, not from an ivory tower or hardware token industry standards group," said Jim Sullivan, BIO-key's SVP of Strategy and Compliance.
"The FBI has one goal, which is the prevention of cybercrime, and that makes them a very credible source."