October 12, 2019 at
Hackers breaking into accounts for the purpose of stealing money or data, or of gaining further access to entire platforms, is nothing new, and security researchers have been at war with them for ages. One of the more successful measures in keeping the hackers out has been to set up a Dual Authentication security measure, commonly known as Two-Factor
However, according to the new warning issued by the Federal Bureau of Investigation (FBI), not all types of 2FA security will work these days. The warning was passed down to US companies only recently, through a briefing note that has been circulating for the past month.
The briefing note claims that the FBI managed to identify several methods that cybercriminals have been using to bypass 2FA and obtain the one-time passcodes that are sent to users when they try to access
How are hackers bypassing
As mentioned, the warning includes several methods that the hackers have been known to use to overcome additional security measures, with the most popular and simplest one being SIM swap fraud. This method relies on the attacker convincing or bribing an employee of a mobile network to port the target's mobile number, which results in the hacker receiving the security codes sent by websites and services.
These cases have become quite common in recent years, usually to steal money from other people's bank accounts, cryptocurrency wallets, exchange accounts, PayPal, and other similar services. The victims usually do not even realize that they were robbed for quite a long time, and there is pretty much nothing they can do to prevent it.
Another method that has been used on a regular basis is phishing, which tricks victims into revealing their login credentials, as well as their OTP code, by setting up a fake website. As soon as the victim tries to log into their account on the fake website, the hacker gathers their login credentials and uses them on the real site. The most recent example of this was noticed only a month ago, and it involved an attack on YouTube users, many of whom had 2FA enabled.
There is also another method, although this one is a bit more advanced, and it relies on session hijacking. This means that, despite the fact that the website the user is trying to log into is real, hackers still manage to steal login credentials as they travel between the user's device and the website. Of course, this method provides only a small window of opportunity, but skilled hackers have been known to use it.
Then, there are regular security vulnerabilities on the websites themselves, which often allow hackers to slip in without even bothering with 2FA. One such case was reported earlier in 2019 when a security flaw on a site of a certain bank allowed hackers to gain access to users’ accounts without having to deal with security questions, PINs, or other security methods. Hackers simply used phishing to obtain user credentials, after which they accessed their accounts directly.
2FA is still a valid security
Although 2FA is generally considered to be a strong and useful security measure, companies likely did not need the FBI to tell them that no method works 100% of the time. Still, despite all of the methods that the hackers use, and despite all of the mentioned and recorded cases of hackers bypassing 2FA, this method still works most of the time.
In other words, while 2FA is clearly not 100% hacker-proof, it is still much better to have it in place than to simply rely on login credentials for the protection of the account.
While the fact that the warning was issued is ultimately considered a good and necessary step, one big question is how it might influence the users themselves. Hacking attacks still work quite often because a lot of people do not use 2FA at all. Those who do can get hacked, as mentioned, but such cases are a rarity when compared to the hacks against those who do not use Dual Authentication.
With reports such as this, these people might be further discouraged from enabling extra security, which makes them that much more vulnerable to potential attacks. In the meantime, developers are coming up with more advanced security measures that users could protect themselves with, including FIDO2 hardware tokens and WebAuthn, which allows devices to authenticate one another automatically.
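To show why the phishing relay described earlier defeats OTP codes but not FIDO2/WebAuthn, here is an added Python illustration (not from the article or the FBI note). It is a simplified model: the origins are constructed, and an HMAC over the client data stands in for the authenticator's public-key signature; the point is that the browser, not the user, reports the origin that gets signed, so the relying party can refuse an assertion made on a look-alike domain.

```python
"""Why relaying a one-time code works against OTP 2FA but an origin-bound
(WebAuthn-style) assertion is rejected. Added illustration; the HMAC is a toy
stand-in for the authenticator's signature and the flow is simplified."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"                     # constructed example
PHISH_ORIGIN = "https://bank-example.login-verify.example"  # constructed example

# --- OTP flow: the code carries no information about where it was typed ---
def otp_login(server_expected_code: str, submitted_code: str) -> bool:
    """The real site only checks that the submitted code matches."""
    return hmac.compare_digest(server_expected_code, submitted_code)

def otp_relay() -> bool:
    code = secrets.token_hex(3)        # code the real site sent to the user
    captured = code                    # user typed it into the phishing page
    return otp_login(code, captured)   # relayed to the real site: accepted

# --- WebAuthn-style flow: the signed client data includes the origin ---
def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """Toy authenticator: signs client data containing the origin that the
    browser actually connected to (filled in by the browser, not the user)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin})
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def rp_verify(key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying party: signature valid, challenge fresh, and origin is ours."""
    data = json.loads(assertion["client_data"])
    expected = hmac.new(key, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, assertion["sig"])
            and data["challenge"] == challenge.hex()
            and data["origin"] == REAL_ORIGIN)

def webauthn_relay() -> bool:
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(16)
    # The phishing proxy forwards the real challenge unchanged, but the victim's
    # browser is on the phishing domain, so that origin is what gets signed.
    assertion = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp_verify(key, challenge, assertion)   # rejected: origin mismatch

def webauthn_legit_login() -> bool:
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(16)
    return rp_verify(key, challenge, authenticator_sign(key, challenge, REAL_ORIGIN))
```

The origin check is the part that OTP schemes lack: a code that is correct is correct anywhere, whereas an assertion signed for the wrong origin fails even though the challenge and signature are otherwise valid.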