2-Factor Authentication Weakness: It’s also Hackable
Two-factor authentication, also known as 2FA, is a cyberdefense that puts one more obstacle between you and an attacker. It shouldn't be viewed, however, as a cure-all, because it is vulnerable to attacks of its own.
What is 2-Factor Authentication (2FA)?
Two-factor authentication is an added layer of security designed to block intruders even when they know your password. Verification codes can be sent via SMS text message or email, or generated by an authenticator app such as Google Authenticator. A dedicated USB security key can also be used as the second factor.
Early Security Vulnerability of 2FA
Before 2FA became widely available to the public, this security measure was used only by high-security government and corporate entities. One of the early adopters of 2FA was Lockheed Martin, the Pentagon's No. 1 supplier.
In 2011, hackers breached Lockheed Martin's network using compromised 2FA codes. The supplier of Lockheed Martin's 2FA codes, the RSA Security Division of the EMC Corporation, acknowledged that it had suffered a data breach that compromised one of its security products, its two-factor authentication system.
While it wasn't disclosed exactly what was breached at RSA, Whitfield Diffie, one of the pioneers of public-key cryptography, told the New York Times that a "master key" – a massive secret number used as part of RSA's encryption algorithm – might have been stolen.
The worst-case scenario, Diffie said, would be that the cyberattacker could reproduce cards that duplicate the ones supplied by RSA to generate two-factor authentication codes, enabling the cyberattacker to gain access to corporate networks and computer systems.
Here are 3 ways by which cybercriminals can hack 2-factor authentication:
1. Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack is one in which the attacker sits between a computer user and a software application or website. The attacker may eavesdrop on the exchange or impersonate the application or website, so that to the user it looks like a normal exchange of information is taking place.
For instance, a MITM attacker may trick you into logging in to a fake banking app that asks for your 2FA code. Once you enter the code, the attacker has everything needed to log in as you.
An example of a MITM attack that fools users into exposing their 2-factor authentication code is the malicious software (malware) called "Acecard". One of the ways Acecard gets onto victims' devices is by being listed as a legitimate game app in the Google Play store. Once the Acecard app is installed on the victim's mobile device, it lies in wait until the victim launches a legitimate banking app.
Once the malware detects which banking app is in use, it overlays a fake banking app interface on top of it, fooling the user into believing they are inside the legitimate banking interface.
The login details entered in the fake interface are sent by the malware to the attacker, who uses them to log in to the victim's real banking app and withdraw money.
Acecard can convincingly impersonate a banking app because it also hijacks the SMS messages containing the one-time passwords that the bank's system sends as part of 2-factor authentication.
The SMS message containing the one-time password, sent by the bank's system to the victim's phone as part of two-factor authentication, is intercepted by the malware and forwarded to the attacker. The malware also intercepts, and forwards to the attacker, the transaction confirmation.
Victims therefore see neither the one-time password SMS nor the transaction confirmation. They only learn of the withdrawal when they check their bank account balance and transaction history.
A mobile banking malware like Acecard is able to hijack SMS messages because it requests permission to access SMS, and the user grants it.
According to Kaspersky, Acecard is capable of bypassing security measures of nearly 50 different online financial apps and services, including WhatsApp, Viber, Instagram, Skype, VKontakte, Odnoklassniki, Facebook, Twitter, Gmail and PayPal.
KnowBe4 Chief Hacking Officer Kevin Mitnick recently demonstrated how LinkedIn's 2-factor authentication can be bypassed. Mitnick used "Evilginx", a phishing proxy tool developed by white hat hacker Kuba Gretzky. In bypassing LinkedIn's 2-factor authentication, Mitnick sends the user to a fake LinkedIn login page that is served by Evilginx.
“I'm releasing my latest Evilginx project, which is a man-in-the-middle attack framework for remotely capturing credentials and session cookies of any web service,” Gretzky described his Evilginx project. “It uses Nginx HTTP server to proxy legitimate login page, to visitors, and captures credentials and session cookies on-the-fly. It works remotely, uses custom domain and a valid SSL certificate.”
Gretzky added that Evilginx can be adapted to work with any website.
2. Exploiting Account-Recovery Systems
Another way attackers bypass 2-factor authentication is by exploiting account-recovery systems.
Attackers who have previously obtained a victim's personally identifiable information can use the account-recovery feature of many websites to get around 2-factor authentication: by entering the current password, answering the password-reset questions, or calling tech support and impersonating the victim.
3. Brute Force Attacks
While many websites and online services offer 2-factor authentication, many lack bad-login-attempt control – a feature that locks out a user after a set number of failed 2-factor authentication attempts.
Without such a control, attackers can conduct brute force attacks, simply guessing the 2-factor authentication code over and over again until they hit the correct one. A six-digit code has only a million possible values, and high-powered computers nowadays can try thousands of passwords or codes per second.
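The countermeasure described above, as an added example that is not part of the original article: a server-side verifier for authenticator-app codes (RFC 6238 TOTP, the scheme used by apps such as Google Authenticator) that counts failed attempts per account, locks the account after a small number of failures, and refuses to accept the same code twice. The shared secret is the constructed RFC 4226/6238 test-vector key, and the attempt limit and lockout duration are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6
MAX_FAILURES = 5           # assumed policy: failed code entries allowed before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed policy: how long the account stays locked


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side second-factor check with failure counting and lockout."""

    def __init__(self, secrets):
        self.secrets = secrets      # user -> shared secret bytes
        self.failures = {}          # user -> consecutive failed attempts
        self.locked_until = {}      # user -> unix time at which the lockout expires
        self.last_step = {}         # user -> last time step whose code was accepted

    def verify(self, user: str, code: str, now=None) -> str:
        now = int(time.time() if now is None else now)
        if now < self.locked_until.get(user, 0):
            return "locked"         # refuse even a correct code while locked
        secret = self.secrets.get(user)
        matched_step = None
        if secret is not None and len(code) == DIGITS and code.isdigit():
            current = now // STEP_SECONDS
            # Accept the current step and one step either side for clock drift.
            for step in (current - 1, current, current + 1):
                if hmac.compare_digest(hotp(secret, step), code):
                    matched_step = step
        if matched_step is None:
            return self._record_failure(user, now)
        if matched_step <= self.last_step.get(user, -1):
            return "replayed"       # a code is valid once only (RFC 6238 section 5.2)
        self.last_step[user] = matched_step
        self.failures.pop(user, None)
        return "ok"

    def _record_failure(self, user: str, now: int) -> str:
        count = self.failures.get(user, 0) + 1
        if count >= MAX_FAILURES:
            self.failures.pop(user, None)
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        self.failures[user] = count
        return "rejected"


def guesses_until_lockout(verifier: TotpVerifier, user: str, now: int) -> int:
    """Count how many sequential guesses the verifier entertains before locking the account."""
    attempts = 0
    while True:
        attempts += 1
        if verifier.verify(user, f"{attempts - 1:0{DIGITS}d}", now) == "locked":
            return attempts


if __name__ == "__main__":
    v = TotpVerifier({"alice": DEMO_SECRET})
    print("RFC 6238 vector, t=59:", totp(DEMO_SECRET, 59))             # 287082
    print("guesses before lockout:", guesses_until_lockout(v, "alice", 59))
    print("correct code while locked:", v.verify("alice", totp(DEMO_SECRET, 60), 60))
```

With the attempt limit in place, sequential guessing is cut off after five tries instead of running through all one million codes, and a correct code is refused for the rest of the lockout period. The `compare_digest` call avoids leaking, through timing, how many digits of a guess were right, and the replay check means a one-time password that was intercepted and already used cannot be submitted a second time.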
Some of the measures that help prevent attackers from hacking your accounts through 2-factor authentication are: exercising caution whenever you grant an app access to your SMS messages, scanning apps for malware, being vigilant about the links you click, since they may lead to fake websites, and choosing password-reset questions whose answers are not easy for hackers to guess.
Two-factor authentication isn’t meant to replace other good cybersecurity practices. It’s meant only as an additional layer of security.
When you need help, our security professionals are a phone call away.
Steve E. Driz, I.S.P., ITCP