Tech Insight : How (Simple) 2FA is Being Beaten
In this article, we take a look at how two-factor authentication, introduced to help add an extra layer of security to logins, has its own vulnerabilities.
What Is 2FA?
Two-factor authentication (2FA) combines a username and password with another factor (e.g. sending an SMS or email with a code) to enable a person to login to an online account / platform / system, or website. This means that 2FA provides an additional layer of security to the username/password system
A username password system on its own has been found to be vulnerable to attacks and breaches because:
– There has been a huge increase in cybercrime and data breaches in recent years, and increasingly sophisticated attack methods are now more widely available, many of which can be bought off-the-shelf for relatively small amounts.
– Stolen passwords from previous breaches are widely available for cyber criminals to buy/swap, so most hacking-related breaches happen due to compromised (and weak credentials); for example, three billion username/password combinations were stolen in 2016 alone.
– Passwords can now be more easily cracked using technology. For instance, a computer recently set a record by guessing 100 billion passwords per second.
– Many people still set weak passwords and share the same password between many sites/platforms/accounts, thereby increasing the risk.
– Most people can only successfully remember shorter, more uniform, or more memorable strings of characters, and consequently these often end up being partly words, names, dates, or a combination, thereby perpetuating the problem of people choosing simple easier to crack passwords.
– Legislation, compliance, reputation, and tightened security policies have meant that online sites and apps must offer tighter security (i.e. not just passwords).
Despite adding the extra second layer of security, cyber-criminals are already finding ways to beat simple 2FA. For example:
– Using Google Play and a victim’s login credentials to install apps on a victim’s Android phone (e.g. an app that synchronises users’ notifications across different devices, thereby enabling access to a victim’s SMS 2FA messages). Also, attackers can use compromised email/password combinations for a Google account to install a message mirroring app on a victim’s smartphone via Google Play, thereby enabling 2FA code interception.
– SIM swapping. This is where the attacker contacts the target’s mobile service provider posing as the target and convinces them to switch the target’s phone number to a device of their choice, thereby allowing the attacker to intercept any verification codes.
– Exploiting a weakness in the Signal System 7 (SS7) protocol used by phone carrier networks, thereby being to intercept codes to mobile phones.
– Sending multiple ‘push to accept’ authentication to a user’s phone causing the victim to click on “accept” (even when not authenticating) to remove the notification from their screen.
– Using knowledge-based authentication (KBA) to get around KBA as a verification method. For example, finding details of a target victim on the Web (e.g. mother’s maiden name, first pet, first car driven etc), can enable some attackers to get around KBA verification, reset a password, and take over an account.
– Supply chain attacks (like SolarWinds) where code components are infected, and the target companies download these pieces without knowing they have been compromised.
– Compromised MFA authentication workflow bypass exploited by using a denial-of-service vulnerability in the MFA module in Liferay DXP v7.3.
– So-called ‘pass-the-cookie’ attacks where hackers try to extract stored authentication data that’s held in cookies on the victim’s browser.
– Server-side forgery which uses four zero-day flaws in Exchange to nullify all authentication completely with Microsoft Exchange servers.
– Real-time or automated phishing. For example, back in 2018 (as reported by Amnesty International), hackers sent fake but convincing security alerts (like Google or Yahoo) to journalists and activists based in the Middle East and North Africa, advising that the victim’s account had been breached, and providing a link to an official-looking fake login page to initiate a password reset. Here, the 2 FA code and other details could be stolen.
– Using reverse proxy and Modlishka with a phishing attack. The Modlishka (meaning ‘mantis’) tool, created by Polish researcher Piotr Duszyński, sits between a user and a target website (e.g. Gmail). When the victim connects to the Modlishka server, which hosts the phishing domain, a reverse proxy component makes requests to the site it wants to impersonate, the victim receives authentic content from the legitimate site, yet all traffic to and from the victim passes through (and is recorded on) the Modlishka server. This allows an attacker to record any passwords and intercept any 2FA tokens.
With criminals beating simple 2FA, many businesses are turning to:
– Using multi-factor authentication (i.e. using multiple methods of authentication simultaneously) and in combination as needed.
– Biometrics – fingerprint scans, face scans, iris scans, voice-recognition and more. Some biometrics authentication systems have already been shown to be vulnerable (e.g. voice recognition systems have been tricked) plus biometrics can’t be remotely revoked; if a fingerprint is compromised, it can’t be replaced (as a password can).
Some simple ways to protect yourself against attacks on 2FA include:
– Checking whether your password has been compromised via sites/services such as https://haveibeenpwned.com/ .
– Using stronger passwords and a Password Manager and avoiding password sharing.
– Limiting the use of SMS as a 2FA e.g., use Google Authenticator instead.
What Does This Mean For Your Business?
Many businesses now have policies for passwords, have adopted a zero-trust approach to security and realise that there are many vulnerabilities in username/password systems. Even though 2FA provides an extra layer of security, human error, the appliance of social engineering, and the increasingly sophisticated methods used by cybercriminals mean that 2FA can (and is) being beaten. Businesses are now looking towards multi-factor authentication and biometric security solutions in the shorter term for added protection although some biometric solutions have already been beaten or shown themselves to have other disadvantages. Many businesses accept that fight against cybercrime is ongoing and that staying one-step ahead is the most that can be expected until there is a major security breakthrough.