{"id":325536,"date":"2021-08-16T16:11:05","date_gmt":"2021-08-16T13:11:05","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/heres-how-hackers-are-cracking-two-factor-authentication-security\/"},"modified":"2021-08-16T16:11:05","modified_gmt":"2021-08-16T13:11:05","slug":"heres-how-hackers-are-cracking-two-factor-authentication-security","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/heres-how-hackers-are-cracking-two-factor-authentication-security\/","title":{"rendered":"#Here\u2019s how hackers are cracking two-factor authentication security"},"content":{"rendered":"<p>&#8220;<strong>#Here\u2019s how hackers are cracking two-factor authentication security<\/strong>&#8221;<br \/>\n<img decoding=\"async\" src=\"https:\/\/img-cdn.tnwcdn.com\/image?fit=796%2C417&amp;url=https%3A%2F%2Fcdn0.tnwcdn.com%2Fwp-content%2Fblogs.dir%2F1%2Ffiles%2F2021%2F08%2F2-step.jpg&amp;signature=9ac4fa056fa73c597ea59dad6305b276\" \/><\/p>\n<div>It\u2019s now well known that usernames and passwords aren\u2019t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/link.springer.com\/article\/10.1007\/s00779-020-01477-1\">due to compromised and weak credentials<\/a>, with three billion username\/password combinations stolen in 2016 alone.<\/p>\n<p>As such, the implementation of two-factor authentication (2FA) has become a necessity. 
Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username\/password system.<\/p>\n<p>It works too. Figures suggest users who enabled 2FA ended up blocking about <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.zdnet.com\/article\/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks\/\">99.9% of automated attacks<\/a>.<\/p>\n<p>But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user\u2019s smartphone.<\/p>\n<p>Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB, and Westpac.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"So_whats_the_problem_with_SMS\"><\/span>So what\u2019s the problem with SMS?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Major vendors such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.helpnetsecurity.com\/2020\/11\/12\/sms-voice-mfa\/\">Microsoft<\/a> have urged users to abandon 2FA solutions that leverage SMS and voice calls. 
This is because SMS has notoriously poor security, leaving it open to a host of different attacks.<\/p>\n<p>For example, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/sim-swap-attack\/.\">SIM swapping<\/a> has been demonstrated as a way to circumvent 2FA. SIM swapping involves an attacker convincing a victim\u2019s mobile service provider that they are the victim and then requesting the victim\u2019s phone number be switched to a device of their choice.<\/p>\n<p>SMS-based one-time codes have also been shown to be compromised through readily available tools such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.zdnet.com\/article\/new-tool-automates-phishing-attacks-that-bypass-2fa\/\">Modlishka<\/a> by leveraging a technique called <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.zdnet.com\/article\/new-tool-automates-phishing-attacks-that-bypass-2fa\/\">reverse proxy<\/a>. The reverse proxy sits between the victim and the service being impersonated and relays their communication.<\/p>\n<p>So in the case of Modlishka, it intercepts communication between a genuine service and a victim, tracking and recording the victim\u2019s interactions with the service, including any login credentials they use.<\/p>\n<p>In addition to these known vulnerabilities, our team has found further weaknesses in SMS-based 2FA. 
One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your Android device.<\/p>\n<p>If an attacker has access to your credentials and manages to log into your Google Play account on a laptop (although you will receive a prompt), they can then install any app they\u2019d like automatically onto your smartphone.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_attack_on_Android\"><\/span>The attack on Android<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Our experiments revealed a malicious actor can remotely access a user\u2019s SMS-based 2FA codes with little effort, through the use of a popular app (name and type withheld for security reasons) designed to synchronize a user\u2019s notifications across different devices.<\/p>\n<p>Specifically, attackers can leverage a compromised email\/password combination connected to a Google account (such as [email\u00a0protected]) to nefariously install a readily available message mirroring app on a victim\u2019s smartphone via Google Play.<\/p>\n<p>This is a realistic scenario since it\u2019s common for users to reuse the same credentials across a variety of services. Using a <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.businessinsider.com.au\/are-password-managers-safe-2020-6\">password manager<\/a> is an effective way to make your first line of authentication \u2014 your username\/password login \u2014 more secure.<\/p>\n<p>Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.<\/p>\n<p>For example, they may pretend to be calling from a legitimate service provider to persuade the user to enable the permissions. 
After this, they can remotely receive all communications sent to the victim\u2019s phone, including one-time codes used for 2FA.<\/p>\n<p>Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods.<\/p>\n<p>More importantly, this attack doesn\u2019t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.<\/p>\n<p>The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim\u2019s smartphone.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Whats_the_alternative\"><\/span>What\u2019s the alternative?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To remain protected online, you should check whether your initial line of defense is secure. First, check your password to see if it\u2019s compromised. There are a number of <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/au.norton.com\/breach-detection\">security programs<\/a> that will let you do this. And make sure you\u2019re using a well-crafted password.<\/p>\n<p>We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case, the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.<\/p>\n<p>However, this approach can also be compromised by hackers using some <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/au.pcmag.com\/security\/65791\/android-malware-can-steal-2fa-codes-from-google-authenticator-app#:%7E:text=To%20steal%20the%20Google%20Authenticator,be%20advertised%20by%20Cerberus's%20creators\">sophisticated malware<\/a>. 
A better alternative would be to use dedicated hardware devices such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.yubico.com\/\">YubiKey<\/a>.<\/p>\n<p>These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable 2FA across different services.<\/p>\n<p>Such physical devices need to be plugged into or brought into close proximity of a login device as a part of 2FA, therefore mitigating the risks associated with visible one-time codes, such as codes sent by SMS.<\/p>\n<p>It must be stressed an underlying condition to any 2FA alternative is the user themselves must have some level of active participation and responsibility.<\/p>\n<p>At the same time, further work must be carried out by service providers, developers, and researchers to develop more accessible and secure authentication methods.<\/p>\n<p>Essentially, these methods need to go beyond 2FA and towards a multi-factor authentication environment, where multiple methods of authentication are simultaneously deployed and combined as needed.<\/p>\n<p><em>Article by <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/profiles\/syed-wajid-ali-shah-1257004\">Syed Wajid Ali Shah<\/a>, Research Fellow, Centre for Cyber Security Research and Innovation, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/institutions\/deakin-university-757\">Deakin University<\/a>; <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/profiles\/jongkil-jay-jeong-943442\">Jongkil Jay Jeong<\/a>, CyberCRC Research Fellow, Centre for Cyber Security Research and Innovation (CSRI), <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/institutions\/deakin-university-757\">Deakin University<\/a>, and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/profiles\/robin-doss-1259609\">Robin Doss<\/a>, Research 
Director, Centre for Cyber Security Research and Innovation, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/institutions\/deakin-university-757\">Deakin University<\/a><\/em><\/p>\n<p><em>This article is republished from <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\">The Conversation<\/a> under a Creative Commons license. Read the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/theconversation.com\/how-hackers-can-use-message-mirroring-apps-to-see-all-your-sms-texts-and-bypass-2fa-security-165817\">original article<\/a>.<\/em><\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/thenextweb.com\/news\/hackers-cracking-two-factor-authentication-security-syndication\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Here\u2019s how hackers are cracking two-factor authentication security&#8221; It\u2019s now well known that usernames and passwords aren\u2019t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username\/password combinations stolen in 2016 alone. As such, the implementation of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":325537,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img-cdn.tnwcdn.com\/image\/tnw?filter_last=1&fit=1280,640&url=https:\/\/cdn0.tnwcdn.com\/wp-content\/blogs.dir\/1\/files\/2021\/08\/2-step.jpg&signature=f4cf8d0bd1a62911eacf3783a9acc790","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-325536","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/325536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=325536"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/325536\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/325537"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=325536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href
":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=325536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=325536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}