Hackers Are Circumventing MFA and Here's What You Can Do About It

Those who have followed the NJCCIC over the last two years have likely noticed how often we emphasize the importance of enabling multi-factor authentication (MFA). MFA provides an added layer of security by requiring an additional piece of authentication data beyond that of a username and password. Because of its effectiveness in deterring account compromise, popularity of the security measure grew as email providers, banks, social media platforms, and various online shopping websites began offering it as a feature to their users. However, as is the case with many security measures, given enough time, motivation, and resources, somebody is bound to eventually find a workaround and reduce its effectiveness.

According to a recent article in The New York Times, hackers have begun targeting mobile phone carriers in an attempt to circumvent MFA and compromise victims’ accounts that have this feature enabled. The attack these hackers perform is not technical or complex in nature but, instead, relies on social engineering. Once a potential victim is identified, the hacker conducts reconnaissance to acquire the victim’s full name, address, email address, mobile phone number and provider, and other personal details. This information can easily be found through simple online searches using public records databases, online forums, and social media accounts, among other websites. Once compiled, the hacker calls the victim’s mobile phone carrier and attempts to impersonate the victim by providing known personal details for the carrier’s authentication process. If the hacker is successful in convincing the carrier’s representative of his identity as the victim, he will request the victim’s phone number to be ported to a mobile phone within his possession. Even if some of the authentication questions are answered incorrectly, the hacker may attempt to coerce or guilt the carrier’s representative into porting the number, claiming a faulty memory or an emergency situation. If the hacker’s request is denied, he will keep calling the carrier back until he reaches someone willing to comply.

If the hacker succeeds in getting the number ported to his phone, he then attempts to locate any personal and financial accounts used by the victim. Once found, he plugs the victim’s known usernames or email addresses into the login field and either attempts to use the website’s “Forgot Password” feature to reset the account or enters the victim’s known password in the corresponding field. If the website’s recovery feature includes sending a text message to the victim’s mobile phone number, the hacker will receive that text to his phone, unbeknownst to the victim.

Now, initial media reports seem to indicate that many of the targeted victims thus far have been major players in the cryptocurrency trading space. Cryptocurrencies such as Bitcoin have become a popular target for theft by profit-motivated hackers because of recent spikes in value and the semi-anonymous nature of transactions. However, this type of attack can easily be deployed against high-profile figures such as celebrities or politicians as well as your average end user who is not security-conscious or who may share a little too much information online. This type of attack could also be used by hackers who are personally or professionally close to their victims in an effort to seek revenge or sabotage their personal lives or careers.

Unfortunately, right now, there is little the average user can do to fully prevent hackers from using this method to circumvent SMS-based MFA as much of the responsibility rests on the shoulders of the mobile phone carriers to tighten their security controls and educate their customer representatives on these social engineering techniques. In the meantime, the NJCCIC recommends contacting your mobile phone carrier to ask them what steps they are taking to protect their customers and requesting the change of any authentication questions and answers to something only you would know. Also, be sure to conduct online searches of your name regularly to see what information is publicly available and submit opt-out requests to public records websites. Tighten privacy settings on social media accounts and avoid using your real or full name on these accounts, if possible. Lastly, see if any of your personal accounts allow the use of an app-based MFA solution that uses a one-time password algorithm or a hardware-based MFA solution and consider implementing those for layered security. If you suddenly and unexpectedly lose service on your mobile phone and can no longer receive calls or text messages, contact your carrier immediately, along with any banks or credit card companies and ask them to monitor and place a temporary freeze on your accounts.

If you have been a victim of this type of impersonation attack, please contact your local police department, the FBI, and report it to the NJCCIC using our Cyber Incident Report Form.