6 Ways Hackers Bypass Two-Step Verification and Tips for Safe Use

6 Ways Hackers Bypass Two-Step Verification and Tips for Safe Use
Protecting your account with just a username and password is dangerous. This information can easily be stolen, guessed, or even hacked. That’s why two-factor authentication (2FA) is recommended at all important access points. Online banking has been mandating 2FA for years.

ⓒ Getty Images Bank

2FA uses two factors to access an account, network, or application. These two factors can be chosen from three categories:

  • Information (password, PIN)
  • Personal belongings (smartphone, Fido2 stick, etc.)
  • Biometrics (fingerprints, facial recognition, etc.)

For 2FA to provide sufficient security, the two factors must be chosen from different categories. When more than two factors are used, it is called multi-factor authentication (MFA).

Although 2FA is very secure, it is not perfect. Hackers still have many ways and loopholes they can exploit to take over your account.

1. Man-in-the-middle attack

The connection between a user and an online account is protected by Transport Layer Security (TLS), making it very difficult to hack. However, attackers can use a variety of methods to get between a user and an account. This is called a “man in the middle” attack.

There are several types of man-in-the-middle attacks. The most common method is phishing pages. Phishing attacks are one of the biggest threats to 2FA. Cybercriminals create fake websites to steal users’ login information. They usually direct users to these phishing sites via email, SMS, or WhatsApp messages. These messages often disguise themselves as trustworthy companies.

While typical phishing sites simply steal a user’s login information, man-in-the-middle attacks can also intercept 2FA authentication codes. The attacker uses the information the user entered on the fake site to immediately log in to the service. Such attacks are a race against time, as 2FA’s one-time password expires in a matter of seconds.

Therefore, man-in-the-middle attacks are time-consuming. The attacker must wait for the potential victim to log in immediately after entering their information on the fake site. However, criminals continue to try man-in-the-middle attacks because they are often used to steal money directly.

2. Browser intermediary

One variation of man-in-the-middle attacks involves using malware that infiltrates the victim’s browser directly. The malware waits for the user to log into their bank and complete two-step authentication, then manipulates the victim’s transfers in the background. Examples of such malware include Carberp, Emotet, Spyeye, and Zeus.

The victim’s browser displays the transfer amount and recipient information normally. The user confirms this and approves the transfer using a one-time password. However, in reality, the malware secretly transfers a larger amount to another recipient through the bank.

The method of protection is simple. Most banks will send the user a one-time password request to confirm the amount of the transfer. In most cases, the recipient’s IBAN is also sent, either in full or in part. It is important to check this information carefully.

3. Phone scams

In many cases, the attacker already knows the victim’s online account username and password. This may be obtained from a list of leaked passwords on the dark web, or by planting information-stealing malware on the victim’s PC.

However, what the attacker needs to log into the victim’s online account is a 2FA authentication factor. To obtain this, the attacker calls the victim. They pretend to be a bank employee and request authorization through the 2FA authentication process, claiming that they are implementing a new security procedure. If the victim approves this action through 2FA at this point, the victim is not consenting to the new security procedure, but is instead transferring their money to the attacker’s account.

Never give your 2FA code or authentication procedure to anyone else or respond to requests over the phone. Real service agents will never ask for this confidential information.

4. SIM Swapping

For a while, one-time passwords that users receive via text message for their online accounts were considered a secure method for 2FA. However, criminals have developed SIM swapping techniques to hack millions of online accounts, including Bitcoin exchange accounts that are protected by 2FA. The prerequisite for this attack is that the attacker already knows the victim’s username and password.

SIM swapping, or SIM hijacking, is a method where an attacker gains control of a victim’s mobile phone number. The attacker contacts the carrier and has them issue a new SIM card or eSIM for him. He then activates it on his phone and receives a text message with a one-time password for two-step authentication login.

Attackers often call the carrier and claim to have lost their phone and request a new SIM card. They may also ask the carrier to send the SIM card to a new address. If the carrier refuses, the attacker can wait for the mail to arrive at the victim’s address and empty the mailbox before the actual recipient receives it, stealing the SIM card. This process is time-consuming and labor-intensive for the attacker, but if the victim has a large amount of money in their account, it may be worth it for the criminal.

If possible, we recommend not using SMS for two-step verification. It is more secure to use a one-time code generated by an authenticator app.

5. Stealing authentication cookies

Many services that use 2FA offer users the option to remember their login information in their PC’s Internet browser. In this case, once you’ve logged in, you can then log in again on that browser without two-step authentication by simply entering your username and password, or without requiring any login information at all.

This method greatly increases convenience, but also increases the possibility of being exposed to attacks. With this method, the service stores an authentication cookie on the user’s PC, and this cookie contains encrypted login information. If an attacker succeeds in installing information-stealing malware on the user’s PC, the login information stored in the cookie can be stolen. The attacker can use this cookie on his or her PC to access online services without a login procedure or two-step authentication.

An example of such information-stealing malware is Lumma, which has been attacking PCs since 2022 and is sold as “malware as a service” on Russian-language underground forums.

The way to protect yourself is, of course, to install an antivirus program. This can help block information-stealing malware. It is also recommended that accounts that use two-step authentication be set to require two-step authentication every time you log in. 2FA is usually enabled by default.

6. Insecure 2FA authentication factors

A common mistake with 2FA is choosing an insecure factor. Many users still use SMS as a 2FA factor, even though better 2FA methods are available. However, SMS is vulnerable to attacks such as SIM swapping. Using email as a 2FA factor is also recommended only in limited cases, especially if you do not protect your email account with a secure 2-step authentication yourself.

Even if you only use it as a backup, weak authentication factors can be dangerous. Many online services offer the option to store multiple login factors for one account, which is useful because you can switch to another factor if one authentication factor doesn’t work.

However, an attacker can always use other login options. The saying “the weakest link in the chain determines the strength of the entire chain” applies here as well. If you protect your account with a one-time password from an authenticator app, but also enable one-time passwords via email as a login option, an attacker can exploit this.

Therefore, it is recommended to store multiple authentication factors when logging into a service. For example, you can use one-time passwords and passkeys from an authentication app. However, you should avoid insecure authentication factors such as SMS and email.

2FA, which method is safe?

When logging in using two-step authentication, there are secure and less secure ways.

1. One-time password (OTP)

  • SMS based OTP : A one-time password (OTP) is sent to the user’s mobile phone via SMS. Is it safe? SMS-based OTP is relatively unsecure as it is vulnerable to SIM swapping attacks and man-in-the-middle attacks.
  • App based OTP : An authentication app like Google Authenticator generates a one-time password. Is it safe? App-based OTPs are more secure than SMS-based OTPs because they are not transmitted over external networks. However, they can be vulnerable to phishing attacks.
  • Email based OTP : A one-time password will be sent to your email address. Is it safe? Email-based OTPs are less secure than other methods. Emails can be intercepted, are often sent over less secure networks, and email accounts themselves can be targets of phishing attacks.
  • Push Notifications : A push notification is sent to the authenticator application installed on the user’s mobile phone. The user must approve the notification. Is it safe? Push notifications are relatively secure because they require direct user interaction, but they can be vulnerable to social engineering attacks that trick users into approving notifications.

2. Hardware Tokens

  • U2F/FIDO2 Token : USB or NFC-based hardware tokens (e.g. YubiKey) based on the U2F/FIDO2 standard. Is it safe? These tokens are authenticated using cryptographic keys, making them highly secure and resistant to phishing and man-in-the-middle attacks.
Hardware tokens offer a high level of security as a 2FA factor and also work on smartphones. ⓒ Foundry

3. Passkey

  • Passkey : Used as an additional option in addition to the password in most services. Is it safe? If a passkey is set up as a true 2FA factor, logins are very secure. However, if a passkey is used as an alternative to a password, it does not provide any additional security over a password, as it can be switched to login with a password.

4. Biometrics

  • Fingerprints, facial recognition, etc. : Unlock or log in using the fingerprint sensor or biometric camera. Is it safe? Fingerprints can be forged more easily than you might think when in direct contact with the victim.

conclusion

  • Highest security : Hardware tokens offer the highest level of security due to their physical characteristics.
  • Medium Security : Passkeys, app-based OTPs, push notifications, and biometrics are more secure than SMS and email-based OTPs, but may be vulnerable to some attacks, such as social engineering attacks.
  • lowest security : SMS and email-based OTPs are most vulnerable to attacks and should be avoided.

4 Tips for Using 2FA Securely

Here, the website (left) sends a push notification to the relevant app on the smartphone. The user is then asked to enter the number displayed to log into their account. ⓒ Foundry
  1. Generate and print out emergency codes and keep them in a safe place. It’s a good idea to always carry two or three of these codes with you when you travel.
  2. Activate more than one 2FA method, such as using an authenticator app and a hardware token. This provides a backup in case you don’t have your authenticator app or emergency codes.
  3. We do not recommend using 2FA codes via SMS for sensitive accounts, as criminals can steal your SIM card or obtain your SMS codes through phishing.
  4. Use an authenticator app with a backup feature so you can transfer the app and all your codes to a new phone. Otherwise, you will have to set up all your 2FA services again when you reinstall the app.

editor@itworld.co.kr

Source: www.itworld.co.kr