Many security experts have worked over the years with two-factor authentication (2FA) solutions, they were primarily being based on the VPN connections and access to the highly regarded secured systems. The new security solution works via a something you have added with something you know mechanism wherein a user enters a pin/ password along with the numbers displayed on a certain secured device.  The main goal for the businesses is to make it completely impossible for attackers to access secured systems and accounts, however, after further analysis; it has been concluded to be perfect. Security experts will be weighing in various aspects about the two-factor authentication, Stephen Cox, Vice President and Chief Security Architect at SecureAuth and Bojan Simic, Co-founder and CTO, HYPR.

Is 2FA secured?

Bojan Simic: 2FA exists across several of the organizations and industries, but there are extremely low adoption rate because of the cumbersome user experience. Businesses are starting to provide both the businesses and employees much easier authentication capabilities that can reduce the friction, and such methods of authentication need to deploy that aren’t susceptible to various automated attacks. However, the 2FA is currently going through the range of breaches. Stephen Cox: Consumers and businesses have continued using the 2FA to protect against various corporate data breaches and different identity theft. All those using the 2FA should not put the businesses into the false sense of security wherein the businesses need to address various required authentication. 2FA is definitely the first step towards protecting the data from the rising threat landscape, but the need for building stronger security and data solutions should go beyond the basic 2FA solutions.

What are some of the recent attacks that have bypassed the 2FA?

In November 2018, a database breach that involved a communication firm Vovox, it was able to expose more than 25 million text messages that had various private customer information that included shipping notifications, 2FA codes and password reset links. In August 2018, several of the Reddit employee accounts were breached that allowed the attackers to access backup data. It made several of the Reddit officials to write that we have learned that SMS-based authentication is not nearly as secured as we would have hoped. Bojan Simic: Modliska is the tool that has been used by many attackers that allows the automation of attack by shared secrets based 2FA. There has been a rise in push notification based attack in 2FA, there are several PUSH types of attacks, as such notification type has been used to approve the authentication requests. Stephen Cox: Several of the businesses have been affected by a breach, and 2FA breach hasn’t been common, but it has certainly given a view that most of these solutions aren’t completely secured.

How 2FA attacks work?

Stephen Cox: Some of such attacks have become too simple to execute for the attackers, the attacker just has to breach a firewall and 2FA. Below are some of the most frequently used attack methods used by attackers.

1. Real-time phishing this is the most famous way to attack any user, the attacker would be sending emails, make calls, and even develop a replica website that will be impersonating and portraying to be authentic for the user. This will make many users share confidential information without complete authentication.

2. Malware, the term for malicious code installed on various devices whether its a tablet, PC, or smartphone using its open door through which the attackers can copy and forward one-time 2FA pass-codes.

3. Text and call interception, a loophole that has been exploited by many of the attackers will be using Signal System 7 (SS7) protocol used by phone carrier networks through that attackers can intercept messages that are sent to mobile devices.

4. Notification fatigue, this has been particularly effective for the users that receive multiple notifications. An attacker will disguise a steal notification in several of the harmless notifications, and a user will be frustrated and annoyed wherein he accepts the request to simply remove the notifications.

5. Phone porting fraud, in this a cyber-criminal convenience a phone carrier to transfer the control of the victims SIM card compromising all future phone-based authentication.

Bojan Simic: Various tools like Modlishka work that impersonate certain domain and act as a proxy for the real domain, the users are tricked in believing that the domain is legitimate site and is tricked in providing the required 2FA.  PUSH notification fatigue has been one of the significant because of its growing assumption that the password was already compromised.

Targets and Attackers?

Bojan Simic: Such attacks affect both businesses and employees wherein they can be executed by anyone with certain limited computer skills. What makes such types of attacks more potent that anyone with a harmless intention can even perform such types of attacks with minimal effort, the automation of 2FA attacks is becoming popular as the security solution will now require additional factors. Stephen Cox: Malicious SIM card swaps are becoming common with increased automation, certain attackers even impersonate the user and convince the mobile carriers to swap the number on the SIM card and put it one the attacker’s phone. Even in Vovox incident, the company had kept the complete database unprotected and easily searchable with names, phone numbers, and text messages from Google, Amazon, and Microsoft among the others. The database was closed after a certain time but for a brief period of time, a hacker could monitor the data stream, intercepting the two-factor authentication codes transmitted after trying to log in someone’s account.

Conclusion

Two-factor authentication can certainly be a challenge for attackers, but if not implemented by closing several of the security gaps can be a bigger challenge. A need for appropriate checks should be included with password leakage and credential misuse that has been on the rise, and with attackers devising new techniques to make 2FA simpler and secured.  Risk-based approaches, along with Modern, and adaptive solution, leverage real-time metadata and threat detection techniques that have become a standard. The need for agility and implementation can be built into the complete authentication process leveraging the dynamic controls in real-time.

To know more, download our latest whitepapers on IT Security.