It’s no secret that usernames and passwords alone do not provide secure access to online services. According to a recent study, more than 80% of all hacking-related breaches were corrupted and caused by weak credentials, with 3 billion username / password combinations stolen in 2016 alone.
As you can see, the implementation of two-step verification (2FA) has become mandatory. In general, 2FA aims to provide an additional layer of security for relatively vulnerable username / password systems works for it. The numbers suggest that users who have 2FA enabled blocked about 99.9% of automated attacks. But like any other good cyber security solution, an attacker can come up with a way to fix it quickly. 2FA can be bypassed via a one-time code sent to the user’s smartphone by SMS.
Then what’s the problem with SMS?
Major suppliers such as and Microsoft have urged users to abandon 2FA solutions that utilize SMS and voice calls. SMS is notorious for its weak security and is exposed to a variety of attacks.
For example, SIM swap has been demonstrated in a way that bypasses 2FA. SIM swap is a method in which an attacker requires the victim’s carrier to convert the phone number of the next victim who was convinced that he or she is the victim to the desired device.
SMS-based one-time codes also mean that ready-to-use tools like Modlishka are being compromised using a technique called a reverse proxy. This facilitates communication between the victim and the disguised service.
Therefore, in the case of Modlishka, it blocks communication between the genuine service and the victim, and tracks and records the victim’s interaction with the service, including login credentials that the victim can use.
In addition to this existing vulnerability, our team discovered additional vulnerabilities in SMS-based 2FA. One specific attack exploits a feature available on the Google Play Store to automatically install applications on Android devices from the web.
If an attacker gains access to your credentials and logs into your Google Play account from a laptop (although you will be prompted), the attacker could automatically install the necessary applications on your smartphone.
Attack on Android :
In our experiment, a malicious attacker used a popular application designed to synchronize notifications from other users (the name and format were rejected for security reasons), with little effort, It turns out to be accessed remotely Device.
Specifically, an attacker can use the compromised email and password combination linked to the Google account (firstname.lastname@example.org) to install an unauthorized message mirroring application on the victim’s smartphone through Google Play.
This is a realistic scenario. This is because it is common for users to use the same credentials for different services. Using a password manager is an effective way to make the first line of authentication (username/password login) more secure. Once the app is installed, an attacker can apply simple social engineering techniques to persuade the user to enable the permissions required for the app to work properly.
For example, you can pretend to call from a legitimate service provider to convince a user to activate their privileges. They can then remotely receive all communications sent to the victim’s cell phone, including the one-time code used for 2FA.
If some conditions are not met for the above-mentioned attack to work, it still shows the vulnerabilities of the SMS-based 2FA method.
Best of all, this attack does not require a high degree of technical skill. You need insight into how these particular apps work and how to use them intelligently to target victims.
The threat is much more realistic if the attacker is a reliable individual (eg. a family member) who can access the victim’s smartphone.
What is the alternative?
To stay protected online, you need to make sure that your first line of defines is safe. First, make sure your password is corrupted. There are several security programs that can perform this task. And make sure you are using a well-made password.
We also recommend that you limit the use of SMS using the 2FA method if possible. Instead, you can use app-based one-time code via Google Authenticator. In this case, the code is not sent to the user and is generated within the Google Authenticator app on the device itself.
However, this method has the potential to be compromised by hackers using advanced malware. A better alternative is to use a dedicated hardware device such as a YubiKey.
These are tiny USB (or near field communication counterparts) devices that provide a streamlined way to use 2FA between various services.
These physical devices may need to be connected to or placed near the login device as part of 2FA, thus reducing the risks associated with visible, one-time codes, such as codes sent via SMS. It should be emphasized that a fundamental condition of the
2FA alternative is the need for the user himself to have some degree of active participation and responsibility.
At the same time, more work is needed by service providers, developers and researchers to develop more accessible and secure authentication methods.
Essentially, these methods go beyond 2FA, requiring simultaneous deployment and migration of multiple authentication methods as needed to a combined multi-factor authentication environment.