Hackers bypassing some types of 2FA security, FBI warns

Some types of two-factor authentication (2FA) security can no longer be guaranteed to keep the bad guys out, the FBI is reported to have warned US companies in a briefing note circulated last month.

FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts.

The simplest and therefore most popular bypass is SIM swap fraud, in which the attacker convinces a mobile network (or bribes an employee) to port a target’s mobile number, allowing them to receive 2FA security codes sent via SMS text.

Naked Security now regularly covers this kind of hack, almost always because it was used to empty people’s bank accounts, steal cryptocurrency from wallets or exchange accounts, or to attack services such as PayPal.

From the victim’s point of view, it’s the ultimate gotcha: a security weakness caused by the failings of a service provider, and one they can do little to prevent.

A second technique is the man-in-the-middle phishing attack that tricks people into entering their credentials and OTP code into a fake site, which then instantly passes them on to the real one. A good example of this is last month’s attack on YouTube users, some of whom had 2FA turned on.
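To make concrete why a relayed one-time code is accepted while an origin-bound response is not, here is an added Python model (it is not from the article or the FBI note). The TOTP part is standard RFC 6238; the "bound" scheme is a deliberately simplified HMAC stand-in for the per-origin signature that phishing-resistant authenticators use, and the secret, origins and challenge are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 6238 reference key); never reuse in a real system.
SECRET = b"12345678901234567890"
REAL_ORIGIN = "https://bank.example"          # constructed
PHISH_ORIGIN = "https://bank-login.example"   # constructed lookalike


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def site_accepts_otp(submitted: str, unix_time: int) -> bool:
    """The real site can only check the digits; it cannot tell which page they were typed into."""
    return hmac.compare_digest(submitted, totp(SECRET, unix_time))


def relayed_otp_accepted(unix_time: int) -> bool:
    """Model of the attack above: the code is forwarded unchanged, so the real site accepts it."""
    code_typed_into_fake_site = totp(SECRET, unix_time)   # what the victim's app displays
    return site_accepts_otp(code_typed_into_fake_site, unix_time)


def client_response(challenge: bytes, origin_in_browser: str) -> bytes:
    """Origin-bound response: the client mixes in the origin it actually connected to."""
    return hmac.new(SECRET, challenge + origin_in_browser.encode(), hashlib.sha256).digest()


def site_accepts_bound(challenge: bytes, response: bytes) -> bool:
    """The real site recomputes with its own origin; a response made for another origin fails."""
    expected = hmac.new(SECRET, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def relayed_bound_accepted(challenge: bytes) -> bool:
    """The same relay against the bound scheme: the fake site's origin is baked in, so it fails."""
    return site_accepts_bound(challenge, client_response(challenge, PHISH_ORIGIN))
```

The difference is the whole point: a six-digit code carries no information about where it was entered, whereas an origin-bound response does.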

More advanced still is session hijacking where the site is genuine, but the credentials and codes are stolen from traffic travelling to and from the user.

According to the FBI, in one case from 2019, a security vulnerability on the website of a bank allowed a hacker to bypass PIN and security questions after phishing basic credentials.
