Hackers Can Crack Two-Factor Authentication, and Here Is How They Are Doing It

Two-Factor Authentication (2FA) is a popular security process in which users must present two of the five authentication factors (knowledge, possession, biometric, location and time) to be verified. This system for the most part works, with both Microsoft and Google reporting in 2019 that 2FA successfully blocks as much as 99.9% of automated attacks.

But those reports were from 2019 and neither looked into cybercriminals actively looking to crack the 2FA puzzle. Fast forward to now, in 2021, and it appears that hackers are succeeding and with alarming frequency. So, the question is: How are they doing it?

The simple answer is that cybercriminals are rapidly advancing in their sophistication. In the case of cracking 2FA, for instance, hackers routinely employ—pun intended—a variety of hacks to obtain both factors, with some of these being SIM swapping and reverse proxy, along with a dose of simple social engineering. Others are even cracking 2FA with relative ease using legitimate apps that synchronise users’ notifications across multiple devices.

SIM Swapping

Unsurprisingly, the most hacked 2FA is one that utilises a combination of knowledge and possession factors, which in this case are the password (knowledge factor) and the one-time password (OTP) sent to the user’s smartphone (possession factor), respectively. This option is quite popular, with even major banks using SMS-based one-time codes as the other component of their authentication process. It is also increasingly under threat nowadays because SMS has notoriously poor security to begin with.

In fact, authentication factors sent via public switched telephone networks, like SMS codes, are among the least secure according to Alex Weinert, Microsoft’s Director of Identity Security. SMSs and phone calls, specifically, are not encrypted and are susceptible to being intercepted using software-defined radios, mobile malware, femtocells, phishing mechanisms and, lately, SIM swapping.

Here is how SIM swapping happens: A hacker, for example, gets your personal data, either by hacking or through the information you may have shared online, contacts your wireless provider and convinces the contact centre representative that they are you. They will then ask the representative to move your phone number to a SIM card that they control. Once successful, your calls and messages will be received by the hacker, including the OTPs being sent to you, whether by your email provider, your bank or even your social media account. With the SIM swap completed, the hacker is already in possession of one half of the 2FA, meaning they are halfway to cracking it.

To complete the hack, cybercriminals can choose from a range of nefarious mechanisms, like credential stuffing, where hackers test databases of stolen credentials against different accounts for possible matches, and phishing, in which hackers send you what appears to be a legitimate email asking for your credentials. Worse, hackers who have your number likely know from where you are receiving OTPs and this knowledge allows them to localise their hacking search to your accounts.

Modlishka: An Emerging Threat

SIM swapping, though, is not the only hack cybercriminals have in their arsenal. Others are using a tool named Modlishka, an example of a reverse proxy, designed by Polish researcher Piotr Duszyński specifically for login pages and phishing. Unlike traditional phishing, Modlishka does not lead users into bogus but legitimate-looking sites (or “clones”, as phishers call them); instead, it lets users receive authentic content from the actual legitimate site, like Google or Yahoo! Mail, while recording all traffic and the users’ interactions with that site on a server.

Every password entered is then logged automatically on Modlishka’s backend panel, and because the legitimate site prompts for 2FA at the same moment, the user’s OTP is relayed and captured in the same way. With credentials and OTPs on hand, hackers can easily access users’ accounts and do so repeatedly. The ease with which cybercriminals can bypass 2FA using this tool is alarming for two reasons. First, Modlishka can potentially lower the entry barrier for “script kiddies”, hackers with minimal technical know-how but with nefarious intentions nonetheless. Second, syndicated cybercrime groups are likely to use it to prey on hundreds, if not thousands, of unsuspecting victims.

Curiously, Duszyński is unapologetic for creating Modlishka, telling ZDNet via email, “We have to face the fact that without a working proof of concept, that really proves the point, the risk is treated as theoretical, and no real measures are taken to address it properly.” He added, “This status quo, and lack of awareness about the risk, is a perfect situation for malicious actors that will happily exploit it.”

Staying Ahead, Even if Barely

While hackers are starting to figure out how to crack the 2FA puzzle, security experts are in agreement that it is not yet time to abandon multifactor authentication (of which 2FA is one form). It is for the most part better than relying solely on a single password, which skilled hackers find easier to break. That said, it is important to be more vigilant to stay ahead of cybercriminals, even if just barely.

For starters, cybersecurity experts from Deakin University recommend making sure that you have a super-strong password (alphanumeric, at least eight characters long and including different symbols) to make it harder to crack in the first place. Next, check that your password, your initial line of defence, is not compromised by running it through a security program, like Google’s password manager (passwords.google.com) or Have I Been Pwned (https://haveibeenpwned.com/).

Where possible, Weinert encourages users to do away with SMS-based 2FA and instead utilise app-based authentication, in which an app generates the code for you. Examples of these generators include Microsoft Authenticator, Google Authenticator and Duo Mobile by Cisco. Using these apps affords you more control, along with an added layer of security, since communication here is encrypted. For enterprise security, meanwhile, Weinert recommends using physical devices, like smart cards and security keys, as the other authentication factor.
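To make the app-based option concrete, here is an added example (not from the article or from any of the apps it names) of the RFC 6238 TOTP algorithm those authenticator apps implement: the code is derived locally from a shared secret and the current time, so no code travels over SMS where it could be intercepted. The secret, 6 digits, 30-second steps and HMAC-SHA1 are assumptions matching the common defaults; the secret bytes are the RFC 6238 test vector so the outputs can be checked against the standard.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 Appendix B test secret, shown in the
# base32 form that authenticator apps import from a QR code (assumption).
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
DIGITS = 6   # assumption: 6-digit codes, the default in the apps named above
STEP = 30    # assumption: 30-second time step


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret_b32, t // step)


def verify_totp(secret_b32, submitted, unix_time, window=1):
    """Server-side check: accept the current window plus/minus `window` steps
    to tolerate clock drift, using a constant-time comparison so response
    timing does not leak which digits matched."""
    counter = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + k), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the SHA1 code truncated to 6 digits is 287082
    print("code for T=59:", totp(DEMO_SECRET_B32, 59))
    print("code right now:", totp(DEMO_SECRET_B32))
```

A code is only valid for its 30-second window (plus the drift allowance), which is why a captured OTP must be replayed immediately by a relay like Modlishka, while a SIM-swapped number gives an attacker nothing against an app-generated code.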

At the end of the day, users themselves need to be extra vigilant when it comes to their credentials and in safeguarding their devices and online activity. It may seem like added work, but it is certainly better than being victimised by cybercriminals.
