Last month, the FBI sent out a security advisory to its industry partners warning about attacks that can sometimes bypass multi-factor authentication (MFA) solutions. The warning specifically focused on SIM swapping, vulnerabilities in online pages handling MFA operations, and the use of transparent proxies such as Muraena and NecroBrowser.
The FBI provided a number of examples in its bulletin, which you can find on ZDNet. While it is alarming to think that there are attackers out there capable of bypassing MFA, MFA is still considered far more effective than not having it. The FBI made it very clear that its alert should be taken only as a precaution, not as an attack on the effectiveness of MFA, which the agency still recommends. As the bulletin puts it: "Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks." According to Microsoft, MFA helped users block 99.9% of all account hacks.
How can users, as the FBI suggests, protect their online accounts? Phishing and social engineering tricks are the most common ways to either intercept SMS messages or get users to give up their usernames and passwords. There are also stronger forms of MFA out there; a list of the different types, showing their effectiveness, can be found here. Remember that MFA is better than a password alone, but you must always remain vigilant, as nothing is "unhackable."
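The following added example (not part of the FBI bulletin or the original post) models why a relayed one-time code passes but an origin-bound second factor does not: a transparent proxy forwards whatever the victim types, and a code is valid no matter which page it was typed into, whereas a challenge response that includes the browser's actual origin fails verification at the real site. The origins, keys and the HMAC stand-in for an authenticator signature are constructed for illustration; real security keys use asymmetric signatures over the same kind of client data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example. A relying party (RP) accepts two second factors:
# 1) a time-based one-time code, which is NOT bound to the site the user
#    typed it into, so a transparent proxy can simply relay it;
# 2) an origin-bound challenge response (the idea behind FIDO2 security
#    keys): the authenticator signs the RP's challenge together with the
#    origin the browser is really on, so a relay from a look-alike fails.
LEGIT_ORIGIN = "https://bank.example"         # hypothetical real site
LOOKALIKE_ORIGIN = "https://bank-example.co"  # hypothetical proxy site

def totp_code(secret: bytes, now: int, step: int = 30) -> str:
    # Simplified TOTP: HMAC over the time counter, last six decimal digits.
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(totp_code(secret, now), code)

def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    # Authenticator side: the browser supplies the origin it is on, and the
    # key signs challenge+origin, never the challenge alone (HMAC stands in
    # for a real signature here).
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    sig = hmac.new(key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def verify_assertion(key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    if data["origin"] != LEGIT_ORIGIN:  # the origin check is the defence
        return False
    if data["challenge"] != expected_challenge.hex():
        return False
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])

def relay_scenario(now: int = 1_700_000_000) -> dict:
    """Victim enters both factors on a look-alike page that relays them
    unchanged to the real RP; report which factor the RP accepts."""
    totp_secret, key = secrets.token_bytes(20), secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    relayed_code = totp_code(totp_secret, now)
    relayed_assertion = authenticator_sign(key, challenge, LOOKALIKE_ORIGIN)
    genuine_assertion = authenticator_sign(key, challenge, LEGIT_ORIGIN)
    return {
        "otp_relayed_accepted": verify_totp(totp_secret, relayed_code, now),
        "bound_relayed_accepted": verify_assertion(key, challenge, relayed_assertion),
        "bound_genuine_accepted": verify_assertion(key, challenge, genuine_assertion),
    }
```

Running `relay_scenario()` shows the relayed code accepted and the relayed origin-bound assertion rejected, which is the practical difference between the MFA types the post calls "stronger."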