'Two-factor authentication' using the verification number that reaches the phone number is no longer secure

Many people have encountered the message 'Please enter your phone number for security' while trying to create an account for an internet service.

Two-factor authentication (2FA), in which you log in with both a password and an authorization code that arrives at a phone number, is regarded as a strong security measure, but a security company warns that it is almost meaningless against hackers.

Bypassing 2FA - Secret Double Octopus

According to Double Octopus, a company that provides passwordless authentication technology for enterprises, using passwords is not fundamentally secure in the first place. Therefore, a login method that adds 2FA is only a stopgap countermeasure, and at best it is merely better than a login method that requires only a password.


Double Octopus introduced the following four typical techniques that hackers use to break through 2FA.

◆ Necro browser
Necro browser is a tool designed to perform phishing automatically in combination with Muraena, a tool that provides reverse proxying.

According to Double Octopus, the basic mechanism is the same as that of a normal phishing tool, but unlike typical phishing, which uses a site that imitates the legitimate one, Necro browser has been improved so that it 'functions as a proxy that mediates communication between the victim and the legitimate site.' As a result, hackers can steal both the password and the 2FA verification code automatically and in real time, without the victim noticing.

Regarding Necro browser, Double Octopus said, 'The most troublesome thing about this tool is that Necro browser is fully automated, even though carrying out this kind of attack normally requires relatively complicated setup. Thanks to that, anyone can break 2FA regardless of their technical ability.'

◆ Man-in-the-browser attack

A man-in-the-browser attack is an attack that uses a proxy Trojan to steal or tamper with browser communications.

A hacker attempting a man-in-the-browser attack first plants a Trojan horse in the target's browser using techniques such as phishing and social engineering. The hacker then has free access to the browser's history and activity, making it easy to steal anything the user types, including passwords.

Many Trojan horses created for man-in-the-browser attacks can add a fake verification code entry field to the login screen, so the 2FA verification code can be stolen at the same time as the password. 'Many people rely too much on their browsers,' Double Octopus pointed out.

◆ Social engineering and phishing
Social engineering and phishing, sometimes used as a preparatory step for man-in-the-browser attacks, pose a threat in their own right. According to Double Octopus, breaking through 2FA by this method can be roughly divided into the following two scenarios.

Scenario 1: The hacker already has the target's ID and password
- The hacker first sends the user a message such as 'Your user account has been accessed from a suspicious IP address. For confirmation, please reply with the verification code sent to your phone number.'
- The hacker then enters the ID and password on the user's behalf to log in to the service they want to break into.
- The service mistakenly believes the user is logging in and sends the user a 2FA authentication code.
- The user sends the verification code back to the hacker.

Scenario 2: The hacker does not yet have the ID or password
- The hacker first sends the target a carefully crafted email that looks like an email from a legitimate service.
- The user opens the fake login page at the URL in the email and enters the ID and password.
- The hacker uses that ID and password to log in to the legitimate service. The rest is the same as scenario 1.

◆ Privilege escalation
If a hacker who has broken into a company's system succeeds in escalating their privileges, they can change the phone number associated with an account to a different number. As a result, the hacker themselves receives the one-time password issued by 2FA, making it very easy to break through 2FA.

In summary, hackers can bypass 2FA in the following ways.
・ Guess the 2FA authentication code by brute force
・ Intercept the communication and steal the authentication code
・ Have the verification code sent to the hacker's own device
・ Obtain the authentication code directly from the victim by impersonation or other means
・ Steal the 2FA session token so that the service treats 2FA as already completed
・ Exploit system bugs such as 2FA tokens that never expire
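As an added defensive example (not from the article or from Double Octopus), the following Python shows server-side checks that address the brute-force, 'code sent to the hacker's device' and 'token never expires' items above, plus the phone-number change abused under privilege escalation: a short code lifetime, a per-challenge attempt cap, single use, constant-time comparison, and a rule that re-binding the 2FA phone number requires a fresh code delivered to the number already on file. The function names, limits and the sample phone numbers are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 120   # short lifetime: an intercepted or leaked code goes stale fast
MAX_ATTEMPTS = 5        # caps online guessing of a 6-digit code at 5 tries per challenge


@dataclass
class OtpChallenge:
    code: str               # the 6-digit code delivered by SMS
    sent_to: str            # phone number the code was actually sent to
    created_at: float       # issue time, epoch seconds
    attempts: int = 0       # failed guesses so far
    consumed: bool = False  # a code is accepted at most once


def issue_challenge(phone: str, now: float) -> OtpChallenge:
    """Create a random 6-digit code for the number already on file (assumed helper)."""
    return OtpChallenge(code=f"{secrets.randbelow(10**6):06d}", sent_to=phone, created_at=now)


def verify_challenge(ch: OtpChallenge, submitted: str, now: float) -> str:
    """Return 'ok' when the second factor is satisfied, else the rejection reason."""
    if ch.consumed:
        return "already_used"
    if now - ch.created_at > OTP_TTL_SECONDS:
        return "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"  # the caller must issue a new challenge
    ch.attempts += 1
    # constant-time compare: no timing leak on partially correct guesses
    if not hmac.compare_digest(ch.code.encode(), submitted.strip().encode()):
        return "wrong_code"
    ch.consumed = True
    return "ok"


@dataclass
class Account:
    phone: str  # the number 2FA codes are delivered to


def change_phone(acct: Account, new_phone: str, ch: OtpChallenge, submitted: str, now: float) -> bool:
    """Re-binding the 2FA number is a step-up action: it succeeds only with a fresh
    code that was delivered to the number currently on file, never to the new one."""
    if ch.sent_to != acct.phone:
        return False
    if verify_challenge(ch, submitted, now) != "ok":
        return False
    acct.phone = new_phone
    return True
```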

Finally, Double Octopus emphasized the effectiveness of its own passwordless authentication, saying, 'The only way to solve this problem is to let go of the password.'

in Security, Posted by log1l_ks