
5/19/2018


2-Factor Authentication Weakness: It’s also Hackable

Two-factor authentication, also known as 2FA, is a cyberdefense that puts one more step between you and cyberattackers. It shouldn’t be viewed, however, as a cure-all, because it is also vulnerable to other hacking techniques.

What is 2-Factor Authentication (2FA)?

Two-factor authentication is an added layer of security designed to block intruders even if they know your password. Verification codes can be sent via SMS text message or email, or generated by authenticator apps such as Google Authenticator. A dedicated USB security key can also serve as the second factor.

Early Security Vulnerability of 2FA

Before 2FA became widely available to the public, this defensive measure was used only by high-security government and corporate entities. One of the early adopters of 2FA was Lockheed Martin, the Pentagon’s No. 1 supplier.

In 2011, hackers breached Lockheed Martin’s network using compromised 2FA codes. The supplier of Lockheed Martin’s 2FA codes, the RSA Security Division of the EMC Corporation, acknowledged that it had suffered a data breach compromising one of its computer security products, its 2-factor authentication system.

While RSA did not disclose exactly what was taken, Whitfield Diffie, one of the pioneers of public-key cryptography, told the New York Times that a "master key" – a massive secret number used as part of RSA’s encryption algorithm – might have been stolen.

The worst-case scenario, Diffie said, would be that the attacker could reproduce cards that duplicate the ones RSA supplies to generate two-factor authentication codes, enabling the attacker to gain access to corporate networks and computer systems.

Here are 3 ways by which cybercriminals can hack 2-factor authentication:

1. Man-in-the-Middle Attacks

A man-in-the-middle (MITM) attack is one in which the attacker positions themselves between a computer user and a software application or website. The attacker may eavesdrop on the exchange or impersonate the application or website, making it appear as if a normal exchange of information is taking place.

For instance, a MITM attacker may trick you into logging into a fake banking app that asks for your 2FA code. Once you enter your 2FA code, you’re doomed.

An example of a MITM attack that fools users into exposing their 2-factor authentication code is the malicious software (malware) called “Acecard”. One of the ways Acecard gets onto victims’ devices is by being listed as a seemingly legitimate game app in the Google Play store. Once the Acecard app is installed on the victim’s mobile device, it lies in wait until the victim launches a legitimate banking app.

Once the malware detects which banking app is in use, it overlays a fake banking interface on top of it, fooling the user into believing they are inside the legitimate app.

The login details entered into the fake interface are sent by the malware to the attacker, who uses them to log in to the victim’s real banking app and withdraw money.

Acecard can convincingly impersonate a banking app because it also hijacks the SMS message containing the one-time password that the bank’s system sends as part of 2-factor authentication.

The SMS message containing the one-time password, sent by the bank’s system to the victim’s phone as part of two-factor authentication, is intercepted by the malware and forwarded to the attacker. The malware also intercepts the transaction confirmation and forwards it to the attacker.

Victims therefore never see the SMS message or the transaction confirmation. They only learn of the withdrawal when they check their account balance and transaction history.

Mobile banking malware like Acecard can hijack SMS messages simply by requesting permission to access SMS.

According to Kaspersky, Acecard is capable of bypassing security measures of nearly 50 different online financial apps and services, including WhatsApp, Viber, Instagram, Skype, VKontakte, Odnoklassniki, Facebook, Twitter, Gmail and PayPal.

KnowBe4 Chief Hacking Officer Kevin Mitnick recently demonstrated how LinkedIn’s 2-factor authentication can be spoofed. Mitnick used a spoofing tool called “Evilginx”, developed by white hat hacker Kuba Gretzky. To bypass LinkedIn’s 2-factor authentication, Mitnick sent the user to a fake LinkedIn login page served by Evilginx.

“I'm releasing my latest Evilginx project, which is a man-in-the-middle attack framework for remotely capturing credentials and session cookies of any web service,” Gretzky described his Evilginx project. “It uses Nginx HTTP server to proxy legitimate login page, to visitors, and captures credentials and session cookies on-the-fly. It works remotely, uses custom domain and a valid SSL certificate.”

Gretzky added that Evilginx can be adapted to work with any website.

2. Exploiting Account-Recovery Systems

Another way cyberattackers bypass 2-factor authentication is by exploiting the account-recovery systems.

Attackers who have previously obtained their victims’ personally identifiable information can use the account-recovery features of many websites to get around 2-factor authentication, for example by entering the current password, answering password-reset questions or calling tech support.

3. Brute Force Attacks

While many websites and online services offer 2-factor authentication, many don’t have bad login attempt control – a feature that locks out a user after a number of failed 2-factor authentication attempts.

Without bad login attempt control, attackers can conduct brute force attacks, simply guessing the 2-factor authentication code over and over until they hit the correct one. High-powered computers nowadays can attempt thousands of passwords or codes per second.
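The lockout described above, as an added example that is not from the original post: a minimal RFC 6238 TOTP verifier (the scheme authenticator apps use) that refuses further codes after a fixed number of wrong guesses, plus the arithmetic that shows why this matters. The secret, the thresholds and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, default 6 digits)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def guess_success_probability(attempts: int, digits: int = 6) -> float:
    """Chance that `attempts` random guesses hit a `digits`-digit code."""
    return min(1.0, attempts / 10 ** digits)


class OtpVerifier:
    """Server-side second-factor check with bad login attempt control."""
    MAX_FAILURES = 5        # wrong codes tolerated before lockout (constructed value)
    LOCKOUT_SECONDS = 900   # how long the account stays locked (constructed value)
    STEP = 30

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> str:
        """Return 'ok', 'wrong' or 'locked' for a submitted code."""
        if now < self.locked_until:
            return "locked"            # refuse even a correct code while locked
        # Accept the current step and one on either side to absorb clock drift.
        for drift in (-1, 0, 1):
            expected = totp(self.secret, now + drift * self.STEP, self.STEP)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "wrong"


if __name__ == "__main__":
    secret, now = b"constructed-demo-secret", 1_700_000_000
    print(OtpVerifier(secret).verify(totp(secret, now), now))      # ok
    print(guess_success_probability(OtpVerifier.MAX_FAILURES))    # 5e-06
```

With no lockout, an attacker who can submit thousands of guesses per second exhausts the million possible six-digit codes in minutes; with five attempts per lockout window the odds per window fall to five in a million.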

Prevention

Measures that help prevent attackers from defeating your 2-factor authentication include exercising caution whenever you grant an app access to your SMS messages, scanning apps for malware, being vigilant about the links you click, since they may lead to fake websites, and not making your password-reset questions easy for hackers to guess.

Two-factor authentication isn’t meant to replace other good cybersecurity practices. It’s meant only as an additional layer of security.

When you need help, our security professionals are a phone call away.

Author
    Steve E. Driz, I.S.P., ITCP