The Internet has created unprecedented opportunities for humanity’s progress and growth. Unfortunately, it has also created new opportunities for crimes against this same humanity. Many of these crimes are perpetrated by an ever-evolving breed of cybercriminals, unscrupulous entities whose overarching goal is usually to illegally access or ‘hack’ into Internet-enabled systems and devices for malicious and/or exploitative purposes. Security experts expend time, energy, and of course, tons of money into protecting these systems from attacks and unauthorized breaches. One such security approach that has become standard practice all over the world is two-factor authentication (2FA).
What is 2FA? In simplest terms, 2FA is a security approach that requires users to provide information from two different ‘factors’ to log in to a system. The goal is to augment the standard password-only strategy to strengthen security, and thus ensure that only authorized users can access a particular system or online account. This second factor could be something you know (e.g., PIN), something you have (e.g., USB token) or even something you are (e.g., fingerprints).
Now, although two-factor authentication is more secure than a simple username and password combination, it doesn’t offer a watertight defense. Savvy and sophisticated criminals have found ways to cut through its added layer of security in order to illegally access accounts (devices, websites, etc.), launch phishing scams, steal data, money or identities, and even to blackmail individuals, companies or governments. Even the most used and trusted enterprise services using 2FA, including Apple, Microsoft, PayPal, and LinkedIn, are not invulnerable to attack. For these reasons, in September 2019, the Cyber Division of the FBI issued a private industry notification (with real-world examples) to warn US companies that even if they enable 2FA on their systems and networks, they may not be able to keep the bad guys out permanently.
So what are some of the ways cybercriminals can bypass two-factor authentication? Here are five of the most common.
5 Ways Hackers Get Past Two-Factor Authentication
1. Phishing scams with fake login pages
Over the years, phishing attacks have not only increased in number (they accounted for a whopping 93% of all data breaches in 2018) but have also moved beyond their traditional playground of email to messaging and social media apps (particularly on mobile devices).
An attack begins when an unsuspecting user has presented a fake site that is a reasonably accurate copy of a page they usually access. Because the page looks ‘familiar,’ it is able to capture their user credentials without them knowing that they have been fooled. Traditional phishing detection and 2FA methods cannot recognize such pages and therefore are unable to protect the user. The user’s data that is captured by bad actors is then used to steal their money or identity or to perpetrate other crimes.
2.Technical support scams
A criminal convinces a user (or users) to install TeamViewer or some other kind of remote login software. He then installs a functioning backdoor, which provides the full backdoor capability to the user’s device. Access details to these compromised machines are subsequently sold on the Dark Web for enormous sums of money. 2FA cannot prevent such a phishing scheme from compromising the device and accomplishing its nefarious goals.
As the name indicates, scareware is a way to frighten an unsuspecting user into taking a particular action that benefits a criminal. A hacker initiates a security ‘alert’ in the form of a popup that looks like a genuine warning from a real provider. This alert prompts a user to reset their password due to a ‘security threat or breach.’ The password is captured by the hacker to take control of the system.
The malware may even claim that the user’s files have been infected and that they need to purchase software to fix the so-called problem. But they actually end up downloading malware masquerading as an antivirus software that then steals their data, money, or identity.
4. Man-in-the-Browser (MitB) attacks
Some types of browser extensions, such as ad blockers, offer bad actors a workaround for devices that rely heavily on two-factor authentication. These extensions – many of them free – often act as ‘Man-in-the-Middle’ spyware to monitor a user’s browser session and capture data that is accessed during that session. Once 2FA is complete, the extension starts collecting and then transmitting session data to a command-and-control (C2) server that is controlled by hackers.
5. Social engineering
In the report mentioned earlier, the FBI stated that social engineering was one of the methods used by criminals to circumvent 2FA.
Social engineering is the practice of exploiting human behaviors to bypass 2FA and hack into user accounts. By using emotional triggers and other psychological tactics like manipulation, deception, or influence, hackers persuade users to comply with their criminal requests. This may involve clicking on a link on a fake website, scaring them into giving up their personal information, etc. In the recent past, criminals have even social engineered cell phone carriers that then allowed them to clone their victims’ phone SIM cards and steal their data.
Other weaknesses in two-factor authentication systems
Cybercriminals also exploit the cybersecurity holes in 2FA in other ways.
1. Intercept text messages
A user inadvertently downloads malware on their phone that is then used by a hacker to intercept their SMS messages.
2. Redirect call forwarding
Once again, malware plays a starring role in this hacking drama. When installed on a user’s mobile phone, it opens backdoor access to the device for the hacker, who then hijacks the device and redirects voice calls transmitting 2FA codes to his own phone.
3. Hack hard tokens
Tokens are a popular method for 2FA, but sophisticated hackers have found ways to get around their supposed security features. Most of these weaknesses can be traced back to poor human practices, such as sharing tokens.
4. Fake push-to-accept requests
Push-to-accept requests are a weak method to implement 2FA because most users tend to accept them without realizing what they agree to. An inattentive user can quickly approve an attacker’s push-to-accept request without knowing that he is doing so.
5 Ways To Mitigate the Weaknesses of Two-Factor Authentication Systems
As we have already seen, two-factor authentication is no silver bullet. However, there are a few things that users – both individuals and organizations – can do to mitigate its weaknesses and stay safe in shark-infested waters.
1. Dynamic linking with end-to-end encryption
Dynamic linking – also known as ‘What You See Is What You Sign’ – consists of 2FA done at the time of transaction. The user is presented with the transaction details before completing the signing process. Once signed, the signature is valid only for that specific transaction, making it harder for an attacker to take control of the transaction or device.
2. Continuous monitoring
Continuous monitoring of sessions on digital platforms is an excellent way to recognize, prevent, and defend against a variety of attacks. It enables organizations to keep an eye out for typical indicators of known attacks, and to correlate this information across its user base to further their understanding of risk and establish a continuous risk profile. If and when anomalies are detected, appropriate real-time actions can be taken.
Organizations must also conduct regular audits on their current security infrastructure, security awareness training programs, plans to deal with future breaches, etc. This will enable them to understand the gaps in their security protocols better and take the necessary actions to close them.
3. Education and awareness
Often, criminals can exploit the weaknesses inherent in 2FA due to human error caused by carelessness or lack of awareness. That’s why organizations need to train their employees to recognize and identify phishing attempts and to understand that these attacks can (and do) take place across different channels.
4. Make use of technology
None of these three methods is entirely foolproof to foil 2FA bypass attempts. Therefore, organizations should employ technology to block connections to known – and, if possible, unknown – phishing domains. Trusted tools can prevent dodgy pages from ever loading, thus stopping attacks before they even begin. They can also allow the firm to execute appropriate responses to cybercriminals, immediately and continuously.
5. Use multi factor authentication
Multi-factor authentication (MFA) takes 2FA a step further by combining three or more factors to provide even more robust authentication and system security. Despite worries that MFA makes logging into accounts more complicated, it actually simplifies the login process by allowing the use of advanced options like single sign-on. Another advantage of MFA is that it makes compliance with several standards (such as those required or recommended by HIPAA) easier.
The goal of this article was to demonstrate the weaknesses of two-factor authentication and to show that organizations that enable 2FA alone are not completely protected from hackers and cybercriminals. Organizations relying on 2FA would be better served by considering 2FA as part of a ‘layered’ approach to security that also includes other ‘gateways’ such as technology, human awareness, and multi-factor authentication.