It has been well known for some time that it is not enough to use just a username and a password for secure access to online services. This is why another level of security has been added; indeed, multifactor authentication has become essential for many applications. It adds another independent verification method on top of logging in with a password. However, as it turns out, even this may not be enough. The problem is not so much the technology itself as the people using it.
Studies show that more than 80 per cent of all security breaches are related to hacking. This is mainly due to compromised and weak login details. Figures released by Microsoft suggest that users who enabled two-factor authentication ultimately blocked about 99.9 per cent of automated attacks.
“This is a great figure. But as with any good cyber security solution, attackers may still find ways to get around it. And as the recent case of the Coinbase cryptocurrency exchange shows, this has actually happened,” says Martin Lohnert, the head of the Void Security Operations Centre and an IT specialist at Soitron.
The way that two-factor authentication can be breached is connected to its operating principle – i.e. by tracking down or stealing one-time codes sent by SMS to the user’s mobile phone. With this method, hackers use a leaked lists of email addresses to send users an email message that pretends to be from a trustworthy sender – such as a bank. If a user clicks on an included link, a website will open that looks legitimate – just as if it were a bank. Cautious IT-savvy users will discover that something is wrong. The address of the fake website is not that of the bank and it may well contain a typo.
So far, there is nothing new about this technique. What is novel is what follows. The URL address used may look something like www.mybank.com.passwordreset.com. At first glance, this appears to be your bank’s domain, so everything looks fine. An experienced user, however, will notice that the second-order domain is not actually www.mybank.com but rather passwordreset.com. And that is a big difference, because this domain belongs to the attackers. Even more alarming is that if a user visits the website from a mobile phone and the bank address is longer, it may not be displayed in full. Users actually only see the familiar part of the address. This is not a bug, but rather an exploited UX vulnerability, with hackers knowing that mobile phone browsers only display a limited number of a URL’s characters. A fraudulent website using this “trick” may even use SSL security (the URL starts with https: //) to evoke a sense of security in the user by displaying the lock symbol in the browser. Few people open and verify the details of SSL encryption certificates.
If a user is tricked by the fraudulent address, hackers use a phishing attack. All they have to do is make their website look exactly like the one belonging to the bank. On the login page, the user enters their username and password. This allows the hacker to get hold of the first key for access. Immediately upon receipt and in real time, the hacker enters the login data manually into the bank’s true web interface. The bank sends an authentication SMS code to the owner’s mobile number. If the user enters it into the fraudulent website, the hacker then has what they need.
Within a moment, they can log in to the user’s internet banking and immediately enter a payment order. The order needs to be confirmed again. That is why the user receives another SMS code on their mobile phone. As the user is still waiting to enter their bank account, the fraudulent website may send them a message such as “Please wait, your login is being processed”. Subsequently, they inform the user that the first login failed and ask them to enter the second SMS code that was just sent to them. “And that’s the code used to confirm the actual payment. If the user fails to notice this warning in the SMS and enters it on the phishing website, the hacker will copy the code to the internet banking page and in this way they will successfully take money from the victim’s bank account,” says Lohnert.
As can be seen, two-factor authentication security can be broken with minimum effort. „That’s why it’s much safer to use newer types of two-factor authentication through specialized applications. These applications eliminate the risk of code copying, and everything happens automatically within the bank’s interface,“ says Lohnert. Older methods involving manual code copying are still used today by various services, including Google Authenticator and Microsoft Authenticator, as well as by some banks.
Although several conditions and consecutive steps must be met for the above attacks to work, this demonstrates the vulnerability of two-factor SMS-based identification methods and the fact that such attacks do not require high technological expertise.
We are in the process of finalizing. If you want to be redirected to our old version of web site, please click here.