It is now well known that usernames and passwords are not enough to securely access online services. A recent study found that over 80% of all hacking-related breaches occur due to compromised and weak credentials, with three billion username / password combinations stolen in 2016 alone.
As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username / password system.
It also works. The numbers suggest that users who enabled 2FA ended up blocking around 99.9% of automated attacks.
But as with any good cybersecurity solution, attackers can quickly find ways around it. They can bypass 2FA via one-time codes sent as an SMS to a user’s smartphone.
Yet many essential online services in Australia still use SMS-based one-time codes, including myGov and the Big Four Banks: ANZ, Commonwealth Bank, NAB and Westpac.
So what’s the deal with SMS?
Major vendors such as Microsoft have urged users to ditch 2FA solutions that leverage SMS and voice calls. Indeed, SMS is notorious for its low security, which leaves it open to a multitude of different attacks.
For example, SIM swapping has been shown to be a way around 2FA. SIM swapping involves an attacker convincing a victim’s mobile service provider that they themselves are the victim, and then requesting that the victim’s phone number be switched to a device of their choice.
SMS-based one-time codes can also be compromised with readily available tools such as Modlishka, which rely on a technique called reverse proxying. A reverse proxy relays the communication between the victim and the service being impersonated.
So, in the case of Modlishka, it will intercept the communication between an authentic service and a victim and will track and record the victim's interactions with the service, including the login details they use.
In addition to these existing vulnerabilities, our team found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web on your Android device.
If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), then they can automatically install any app they want on your smartphone.
The attack on Android
Our experiments revealed that a malicious actor can remotely access a user’s SMS-based 2FA with little effort, through the use of a popular application (name and type withheld for security reasons) designed to sync user notifications across different devices.
Specifically, attackers can use a compromised email / password combination tied to a Google account (such as [email protected]) to maliciously install a readily available message mirroring application on a victim’s smartphone via Google Play.
This is a realistic scenario because it is common for users to use the same credentials on a variety of services. Using a password manager is an effective way to secure your first line of authentication (your username / password).
Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to activate the permissions required for the app to function properly.
For example, they can pretend to be calling from a legitimate service provider to persuade the user to activate permissions. After that, they can remotely receive all communications sent to the victim’s phone, including the one-time codes used for 2FA.
While several conditions must be met for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.
More importantly, this attack doesn’t need high-end technical capabilities. It just requires an understanding of how these specific apps work and how to use them intelligently (along with social engineering) to target a victim.
The threat is even more real when the attacker is a trusted person (for example, a family member) with access to the victim’s smartphone.
What is the alternative?
To stay protected online, you need to check whether your first line of defense is secure. First check your password to see if it is compromised. There are a number of security programs that will allow you to do this. And make sure you use a well-designed password.
We also recommend that you limit the use of SMS as a 2FA method if you can. You can use app-based one-time codes instead, for example via Google Authenticator. In this case, the code is generated in the Google Authenticator app on your device itself, rather than being sent to you.
However, this approach can also be compromised by hackers using sophisticated malware. A better alternative would be to use dedicated hardware devices such as YubiKey.
These are small USB (or near-field communication) devices that provide a simplified way to enable 2FA on different services.
Such physical devices need to be plugged into, or placed near, the device being used to log in as part of 2FA, thereby mitigating the risks associated with visible single-use codes, such as codes sent by SMS.
It should be emphasized that an underlying condition for any 2FA alternative is that users themselves must have some level of active participation and responsibility.
At the same time, more work needs to be done by service providers, developers and researchers to develop more accessible and secure authentication methods.
Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple authentication methods are simultaneously deployed and combined as needed.