Two-factor authentication (2FA) was supposed to put an end, at least for a while, from hacking into online accounts. However… for a few years there are various techniques to circumvent it. It must be said from the start that in 2021/2222, in terms of double authentication, there is food and drink. Several modes exist, without providing exactly the same level of security.
Mostly, the preferred method of two-factor authentication for websites and organizations is the one based on single-use tokens (OTP). They are generated dynamically by an app on your smartphone or an external device. Or – which unfortunately is often the case – they can be received by SMS when necessary.
An alarming number of tools makes it easy to hack 2FA-protected accounts
Besides this type of authentication, there are also 2FA modes based on Physical security keys like Yubikey And Google Titan. Each time the idea is the same: in addition to your username and password, any connection to your accounts implies sending something else, in order to be sure of your identity for the last time.
On paper, the method seems unstoppable. But we quickly discover significant flaws. For example, it is relatively trivial to bypass two-factor authentication when the latter relies on OTP codes received by SMS. A hacker can use SIM Swap technology for this. If he has any personal data about you.
Concretely, it will then go to your carrier, and it will ask for a duplicate of your SIM card which will allow it to receive all your SMS messages. They can also infect the victim’s smartphone, thus spying on their email. Risks that can be reduced by using a physical or smartphone code generator. As are physical security keys.
However, a study conducted jointly by Stony Brook University and the Palo Alto Networks company highlights the growing popularity of new and cooler methods against two-factor authentication facilitated by distributed toolkits. On the dark web. We are talking about all-in-one solutions that create phishing campaigns and simplify 2FA connection data theft, so that an inexperienced hacker can achieve their goals.
Thanks to connection cookies, whether or not two-factor authentication is enabled is of little importance
In all, researchers report that they have discovered more than 1,200 such tools that threaten to make two-factor authentication security almost trivial. They no longer care about stealing one-time login codes – instead, it’s all about extracting login cookies, those little files that contain all the data needed to confirm your authentication well.
According to the researchers, these cookies are generally stolen in two ways. Hackers can infect their victim with specialized malware, or they can suck it up directly by pretending to be the host of a public WiFi network. A technique known as “the man in the middle” (MitM). Once the hackers get these cookies, they have unlimited access to your accounts from any device.
At least until the respective cookies expire. On some accounts such as Facebook, Instagram or TikTok, these cookies can have a very long expiration date, which presents an increased risk for victims. It remains to be seen how to connect this significant weakness in the Internet security chain: cookies are already emerging at this point as a device that must be fully audited to better secure the security of online accounts.
Read also – Iranian hackers develop Android malware to bypass two-factor authentication via SMS
Shame when the platforms were online Trying to popularize the use of two-factor authentication, which is still struggling to win. What this study shows anyway is that there is still a lot of work to do to secure our data on the internet, even before we talk about double authentication. It remains to be seen how long the situation will last before a truly effective solution is available.
By: Bitdefender
“Professional food nerd. Internet scholar. Typical bacon buff. Passionate creator.”
