Thought leadership. threat analysis, news and alerts.
Real-Life Cases Show Some Types of 2FA Can Be Bypassed
A number of cyber incidents in the past few years have demonstrated that certain types of multi-factor authentication or two-factor authentication (2FA) can easily be bypassed.
What Is Multi-Factor of Authentication? What Is 2FA?
Multi-factor authentication is an added layer of security in which a user is required to present two or more pieces of proof in order to be granted access to a computer system or application.
Two-factor authentication (2FA) is the more popular type of multi-factor authentication. In a typical 2FA, in addition to the traditional authentication method of a combination of username and password, a user is required to present one more authentication proof. Examples of these additional authentication proofs include a one-time code that changes over time, biometrics or behavioural information such as IP address, time of day or geolocation.
3 Ways 2FA Authentication Can Be Bypassed
In the past few years, the following 3 methods have been used to bypass or circumvent certain types of 2FA authentication:
1. Sim Swap
In bypassing 2FA using the SIM swap method, an attacker convinces a customer service representative of a phone company of an intended victim to do the SIM card swap to a SIM that the attacker controls, allowing the attacker to intercept the 2FA security codes intended for the victim to access a computer system or application.
Last month, the U.S. Federal Bureau of Investigation (FBI) issued an alert to its partner organizations warning them about SIM swapping. According to the FBI, between 2018 and 2019, SIM swapping is the most common tactic used by cyber criminals in circumventing the 2-factor authentication. Victims of SIM swapping attacks, the FBI said, had their bank accounts drained and their passwords and PINs changed.
Last year, Reddit disclosed that all Reddit data from 2007 and before including account credentials and email addresses as well as email digests sent by Reddit in June 2018 were illegally accessed. The company said that the weaknesses inherent to SMS-based 2FA appeared to be the root cause of this incident. The company added that “SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept”.
Reddit, however, didn’t specify how SMS-based 2FA one-time code was intercepted. At the time of the Reddit attack, the known methods in intercepting SMS-based 2FA one-time code were through SIM swapping and mobile number port-out scams.
In port-out scams, instead of a SIM swap, an attacker impersonates an intended victim and requests that the victim’s mobile number be transferred to another mobile network provider. In both SIM swap and port-out scams, one-time codes delivered by SMS are delivered to a phone controlled by the attackers.
2. Phishing Scheme
The second method by which 2FA can be bypassed is through phishing scheme. In December 2018, researchers at Certfa Lab detected a phishing campaign in which attackers, knowing that their victims use two-step verification in their Gmail and Yahoo accounts, created phishing pages for both desktop and mobile versions of Google and Yahoo mail services.
These phishing pages ask the victims their username and password combination, as well as 2-step verification code. The attackers then enter these username and password combination and 2-step verification code into Google or Yahoo’s genuine website and hijack the email accounts of their victims.
A victim is tricked into visiting one of these phishing sites by sending a fake email alert purportedly from the email provider, stating that unauthorized individuals have tried to access their accounts. This fake email alert asks the victim to review and restrict suspicious accesses via the link – leading to the attackers’ phishing site – provided in the email.
3. Session Hijacking
The third method by which 2FA can be bypassed is through session hijacking. Among the 3 methods of bypassing 2FA, session hijacking is more technical.
A few months ago a toolkit that bypasses 2FA via session hijacking was publicly released. This toolkit uses Muraena and NecroBrowser. According to the authors of this toolkit, Muraena is a “custom target-agnostic reverse proxy solution”, while NecroBrowser takes care of the “instrumentation and session riding”. According to the FBI, Muraena tool intercepts traffic between a user and a target website which requires the usual username and password combination and 2FA code, while NecroBrowser allows cyber actors to hijack these private accounts and make changes to these accounts while maintaining access as long as possible.
Last month, security researchers at DEVCORE reported a different form of session hijacking that enabled them to access Twitter Intranet. According to the DEVCORE researchers, they were able to access Twitter Intranet by bypassing the 2FA of the SSL VPN used by the company.
“Twitter enabled the Roaming Session feature, which is used to enhances mobility and allows a session from multiple IP locations,” the DEVCORE researchers said. “Due to this ‘convenient’ feature, we can just download the session database and forge our cookies to log into their system!”
Preventive and Mitigating Measures
There’s a reason why multi-factor authentication or 2FA is widely used by organizations today. Instead of relying merely on the traditional username and password combination, multi-factor authentication provides an extra layer of security to systems or applications.
The use of multi-factor authentication can decrease numerous attack surfaces. Using multi-factor authentication, however, shouldn’t give your organization a false sense of security. As shown in the above-mentioned examples, certain types of multi-factor authentication or 2FA can be bypassed.
Reddit Data Breach Highlights Weaknesses of SMS-Based 2-Factor Authentication
Reddit recently announced that it succumbed to a cyberattack, an attack that was born out of the weaknesses inherent to SMS-based 2-factor authentication (2FA).
Reddit, in a statement, said that an attacker managed to access the company’s complete copy of a database backup containing user data starting from the site’s launch in 2005 up to May 2007. The data accessed during this period include passwords of users and public and private messages.
The company added that email address of current users, source code, internal logs, configuration files and other employee workspace files have also been accessed by the attacker.
While acknowledging that the recent cyberattack was a serious attack, according to Reddit, the attacker didn’t do much damage to the site itself as the attacker only gained read-only access, not write access to Reddit systems.
Reddit said that the attacker entered the company’s systems as a result of the weaknesses inherent to SMS-based 2FA. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said.
What Is Two-Factor Authentication (2FA)?
Two-Factor Authentication, also known as 2FA, is an added layer of protection that’s meant to ensure that security of online accounts goes further than a username and a password.
Here are the 3 most common types of 2FA or security keys for securing your online accounts:
1. SMS-Based 2FA
In SMS-based 2FA, whenever you log-in to your online account, after entering your username and password, a verification code will be sent in a form of an SMS message to your mobile phone. Once the correct verification code is entered after entering the correct username and password, you’ll then gain access to your online account.
In the case of the Reddit cyberattack, it wasn’t disclosed how the attacker carried out the "SMS intercept".
The publicly known scenario for SMS intercept is via SIM swapping, also known as SIM hijacking. In SIM swapping, an attacker calls a cell phone carrier’s tech support pretending to be the target victim and claims that the target’s SIM card is lost. The attacker then requests that the phone number of the target be transferred (also known as ported) to a new SIM card that the attacker already owns.
The attacker in this scam convinces the phone carrier’s tech support to make the necessary transfer of phone number to a new SIM card by providing the target’s personally identifiable information, including Social Security Number or home address, details that are available online after many data breaches from other companies in the past.
Once an attacker convinces the phone carrier’s tech support for the SIM-swap, it’s game over for the target. The immediate effect is that the target loses phone service and any 2FA verification code delivered via SMS is sent to the new SIM card that the attacker controls.
2. App-Based 2FA
In app-based 2FA, you need to download an app, such as Google Authenticatoror Authy, to your mobile phone or PC. Once installed and configured, you can get the verification code, after entering your correct username and password, through your device.
Unlike the SMS-based 2FA, you can still get the verification code when your phone service gets shut off. The downside of app-based 2FA is that the verification code needs to be entered into the same login page on a website along with the username and password. This allows cyberattackers to subvert the username, password and verification code by cyberattacks such as phishing and man-in-the-middle.
In a phishing attack, a user is duped into revealing sensitive data, including username and password. In man-in-the-middle attack, the attacker positions himself in a conversation between a user and an application, making it appear as if a normal exchange of information is conducted.
3. Hardware-Based 2FA
Hardware-based 2FA, also known as physical security key, comes in the form of a USB device. Login process can be completed by inserting the USB device to the USB port and by pressing a button in the USB device, eliminating the need for retyping verification codes. This is also meant to verify that you’re not a remote malicious hacker.
Unlike the SMS-based 2FA and app-based 2FA, in hardware-based 2FA, you don’t need your mobile phone to access your online accounts.
Yubico, the most popular maker of hardware-based security keys, sells its basic model for only $20. Last month, Googleannounced that its own hardware-based security keys called “Titan Security Keys” are available to Google Cloud customers and will soon be available for anyone to purchase on the Google Store.
Last month also, Google told cybersecurity journalist Brian Krebsthat since early 2017, more than 85,000 of its employees have been using physical security keys. Since then, the tech giant said that 85,000+ of its employees haven’t fallen prey to phishing attacks on their work-related accounts.
Google said that Titan Security Keys enhanced protection against phishing as the “2-step verification with a security key uses cryptography to provide two-way verification: it makes sure you're logging into the service you originally registered the security key with, and the service verifies that it's the correct security key as well”.
The downside of having physical security keys is that it’s a security risk to carry these devices around as once attackers get hold of them, it’s also game over for the targets. Physical security keys, therefore, have to be kept in a safe and secure place.
When you have questions concerning your options of better protecting mission critical data, our experts are a phone call away.
Steve E. Driz, I.S.P., ITCP