Posted on October 12, 2019 at 10:25 AM
Hackers breaking into accounts to steal money or data, or to gain further access to entire platforms, is nothing new, and security researchers have been at war with them for ages. One of the more successful measures for keeping the hackers out has been to set up a Dual Authentication security measure, commonly known as Two-Factor Authentication (2FA).
However, according to a new warning issued by the Federal Bureau of Investigation (FBI), not all types of 2FA hold up these days. The warning was passed down to US companies only recently, through a briefing note that has been circulating for the past month.
The briefing note claims that the FBI managed to identify several methods that cybercriminals have been using to bypass 2FA and obtain one-time passcodes that are being sent to users when they try to access their accounts.
How are hackers bypassing Two-Factor Authentication?
As mentioned, the warning lists several methods that hackers have been known to use to overcome this additional security measure, the most popular and simplest being SIM swap fraud. This method relies on the attacker convincing or bribing an employee of a mobile network to port the target's phone number, so that the hacker receives the security codes that websites and services send to that number.
These cases have become quite common in recent years, usually to steal money from other people's bank accounts, cryptocurrency wallets, exchange accounts, PayPal, and similar services. The victims often do not realize for quite a long time that they have been robbed, and there is pretty much nothing they can do to prevent it.
Another method used on a regular basis is phishing: the attacker sets up a fake website that tricks victims into revealing their login credentials along with their OTP code. As soon as the victim tries to log in on the fake website, the hacker collects the credentials and uses them on the real site. The most recent example was noticed only a month ago, in an attack on YouTube users, many of whom had 2FA enabled.
There is also a more advanced method that relies on session hijacking. Here the website the user is logging into is real, but hackers still manage to steal the login credentials as they travel between the user's device and the website. This method provides only a small window of opportunity, but skilled hackers have been known to use it.
Then there are ordinary security vulnerabilities in the websites themselves, which often allow hackers to slip in without even bothering with 2FA. One such case was reported earlier in 2019, when a flaw on a certain bank's website allowed hackers to access users' accounts without having to deal with security questions, PINs, or other security checks. Hackers simply used phishing to obtain user credentials, after which they accessed the accounts directly.
2FA is still a valid security measure
2FA is generally considered a strong and useful security measure, and companies likely did not need the FBI to tell them that no method works 100% of the time. Despite all of the methods the hackers use, and all of the mentioned and recorded cases of hackers bypassing 2FA, it still works most of the time.
In other words, while 2FA is clearly not 100% hacker-proof, it is still much better to have it in place than to simply rely on login credentials for the protection of the account.
While issuing the warning is ultimately a good and necessary step, one big question is how it might influence users themselves. Hacking attacks still succeed quite often because a lot of people do not use 2FA at all. Those who do can still get hacked, as described above, but such cases are a rarity compared to the hacks against those who do not use Dual Authentication.
Reports such as this might further discourage these people from enabling extra security, which makes them that much more vulnerable to potential attacks. In the meantime, developers are coming up with more advanced security measures that users can protect themselves with, including FIDO2 hardware tokens and WebAuthn, which allows devices to authenticate one another automatically.
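To show why the phishing relay described above defeats OTP codes but not the FIDO2/WebAuthn approach mentioned here, the following added example (not from the article or any vendor) simulates both in plain Python. The origins, secrets and the use of HMAC in place of a real authenticator's public-key signature are assumptions made so it runs on the standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). The code proves possession of the
    shared secret but says nothing about which site the user typed it into."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def otp_server_verify(secret: bytes, submitted: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), submitted)

def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> tuple:
    """Simplified WebAuthn assertion: the browser records the origin it is really on
    and the authenticator signs challenge + origin. HMAC stands in for the real
    public-key signature (an assumption so the demo runs on the standard library)."""
    client_data = f"{origin}|{challenge.hex()}".encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def webauthn_server_verify(key: bytes, expected_origin: str, challenge: bytes,
                           client_data: bytes, sig: bytes) -> bool:
    origin, chal_hex = client_data.decode().split("|", 1)
    if origin != expected_origin or chal_hex != challenge.hex():
        return False  # signed on another origin, or for a stale/foreign challenge
    return hmac.compare_digest(hmac.new(key, client_data, hashlib.sha256).digest(), sig)

def simulate_relay() -> dict:
    """Victim is on a look-alike origin; the attacker forwards whatever the victim
    produces to the real site. Origins and secrets below are constructed for the demo."""
    real, fake = "https://bank.example", "https://bank-login.example"
    now = int(time.time())
    otp_secret = secrets.token_bytes(20)
    relayed_code = totp(otp_secret, now)                 # typed into the fake page
    otp_ok = otp_server_verify(otp_secret, relayed_code, now)
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)                  # issued by the real site, forwarded
    cd, sig = authenticator_sign(key, challenge, fake)   # browser embeds the fake origin
    relay_ok = webauthn_server_verify(key, real, challenge, cd, sig)
    cd2, sig2 = authenticator_sign(key, challenge, real) # genuine visit to the real site
    legit_ok = webauthn_server_verify(key, real, challenge, cd2, sig2)
    return {"otp_relay_accepted": otp_ok,
            "origin_bound_relay_accepted": relay_ok,
            "origin_bound_legit_accepted": legit_ok}
```

The relayed OTP verifies because the server only checks the shared secret, while the relayed assertion fails because the origin baked into it does not match the real site.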