In a webinar last week, I discussed some of the most common ways attackers bypass 2FA, and discussed ways to stop these from happening. Those who rely on 2FA are not as protected as they think, as 2FA provides a false sense of security.
As an industry it is crucial that we implement more security controls around access points than just 2FA. Using behind-the-scenes risk checks – including device, location, IP address, account type, and behavior – you can elevate identity trust and stop attackers from bypassing 2FA, even if they have stolen credentials.
Below are the 6 most common ways attackers bypass 2FA:
Real-time phishing – Humans will always be a security weak point. A tried and tested approach, it’s not difficult for an experienced cyber attacker to send emails, make calls, and develop replica websites to coerce authentication details away from users.
- Approach has been around awhile – Used in 30% of attacks against websites with 2FA back in 2010.1
- December 2018 – Attackers defeat 2FA at Amnesty International using auto-mated phishing attacks.2
- 2018 – FireEye developed “ReelPhish” tool used to successfully defeat 2FA in Red Team engagements.3
Text & call interception – A technology loophole exposes 2FA vulnerability. A weakness in the Signal System 7 (SS7) protocol used by phone carrier networks to communicate, means attackers can intercept codes and secrets sent to mobile phones.
- Details on how it works with multiple examples of successful use.4
- Attackers eavesdrop on phone calls, record them and monitoring movements of a US congressman.5
- Basis for NIST’s original proposal to phase out SMS/Text-based one-time passcodes.6
Malware – Humans unknowingly create security gaps. Unintentionally installing malicious code on PCs, tablets, and smartphones, users open door for attackers to copy and forward 2FA one-time passcodes.
- Attacker scrape passcodes to bypass 2FA and access multiple bank accounts in the Emmental attacks.7
- Bankosy Android Trojan forwards voice-based one-time passcodes to attackers.8
- Android Trojan steals money from PayPal accounts even with 2FA on.9
Phone porting fraud (aka SIM-Swap) – Attackers once again target humans, this time at network carriers. This technique involves personal details and social engineering to convince a mobile phone carrier representative to move a victim’s SIM card under their control. All phone-based authentication is compromised from that point forward.
- February, 2018 T-Mobile warned customers about SIM card scammers.10
- Watch hacker successfully use this technique in less than 2 minutes.11
- November, 2018 Forexfraud.com called this technique “the hottest new scam sweeping the planet.”12
Notification fatigue – Attackers overwhelm users with multiple authentication requests. This is particularly effective when using ‘push-to-accept’ or other 2FA methods that simple require a user to click “yes” or “accept” when authenticating. Annoyed users will click “accept”, even when not authenticating, just to remove the notification from their screen.
- ‘White hat’ hacker David Kennedy describes how this technique worked 6 out of 6 attempts.13
- “Think Before You Accept – Attackers Exploit Popular ‘Push-to-Accept’ 2FA Method.”14
Knowledge-based authentication – People share too much personal information on social media and the internet. A simple “Google” search can find answers to first grade teacher’s name, street you grew up on, and favorite pet’s name. Using this information as a secret only a user knows, exposes organizations to attacker exploitation.
- IceMiller legal counsel details the weaknesses and advises against using knowledge-based authentication.15
- 2018 Forbes article, “Everybody Knows: How Knowledge-Based Authentication Died.”16
Humans are always going to be a weak spot in any identity security program. The goal then is to protect users from themselves as much as from attackers looking to take advantage of them. Watch this quick video on how adaptive authentication protects you against attackers with ways around 2FA.