Just when you thought your organization was safe from cyber threats using two-factor authentication (2FA), cybercriminals are relentlessly coming up with new ways to steal credentials.
- Malware – According to Check Point, a hacking group has created malware that bypasses the two-factor authentication protections used on Android devices, stealing SMS messages that carry one-time passwords along with other data. The malware is disguised as a legitimate Android app; once installed, it functions as a backdoor that gives the attacker access to the device. [BankInfoSecurity]
- Real-time Phishing – A fake website that looks exactly like its legitimate counterpart is set up. The hacker then sends the target an email prompting them to log in for some reason (account expiration, an action that needs to be taken, etc.). The user goes to the login page, which looks and works exactly like the one they expect to see, and logs in with their password. The fake website then asks for the second factor, just as the legitimate one would; the user complies and enters the OTP (one-time password), and the phishing site captures both the password and the OTP. In the background, the hacker has a few seconds to use the combination to get into the real account before the OTP expires. [Protectimus]
- Man in the Middle – In this type of attack the hacker inserts himself between the two communicating systems. This can be done with a fraudulent cryptographic certificate, by inserting a fake root certificate into the target browser's database of trusted certificates, or by compromising a root certificate authority listed in that database. As a result, two connections are created (client-to-attacker and attacker-to-server) instead of a single client-to-server connection. Once the connection is intercepted, the hacker can read and modify the transactions carried over it. [Protectimus]
- SIM Swapping – The attacker transfers the victim's phone number to a SIM card they control, allowing them to receive any codes sent by SMS-based 2FA solutions. It is a type of account takeover fraud that targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message or call placed to a mobile telephone. The attacker calls the target's mobile-phone provider and impersonates them, telling the operator that they have lost their SIM card or had their phone stolen and asking to have the phone number switched over to a new SIM card in their possession. Once it has been switched, the number is disconnected from the victim's SIM card and all of their calls and messages are diverted to the attacker. This gives the attacker an absurd amount of power to wreak havoc on the victim's life. [LuxSci]
The 2FA hacking trend has become so prevalent that KnowBe4 recently published a new book, "Hacking Multifactor Authentication", covering 50 ways to hack MFA along with a checklist anyone can use to pick the right MFA solution for their organization.
What can you do to protect your organization?
To be clear, two-factor authentication does significantly cut down on many types of hacking. The key to using 2FA correctly is to choose a well-implemented 2FA solution (such as through Magna5) and to educate end-users about the types of attacks and tactics that may be used against them.
Here are some tips for preventing 2FA hacks, presented by Protectimus.
- Use data signing or CWYS (Confirm What You See).
- Train your staff to identify phishing and social engineering.
- Use strong passwords.
- Use 2FA security on each of your accounts.
- Stop using outdated methods like SMS and HOTP tokens.
- Use app-based 2FA rather than text-based.
- Verify requests from technical support or customer service to disable your 2FA. It could be a trick.