More than 80 percent of all hacking-related breaches happen due to compromised and weak credentials, with three billion username and password combinations stolen in 2016 alone.
As such, implementing two-factor authentication has become a necessity. Two-factor authentication adds a second layer of security on top of the relatively weak username and password system, so that a stolen password alone is not enough to log in.
It works too. Figures suggest users who enabled two-factor authentication ended up blocking about 99.9 percent of automated attacks.
But as with any good security control, attackers quickly find ways around it. One route is to intercept or redirect the one-time codes sent by SMS to a user's smartphone, which defeats the second factor without ever breaking it.
Yet many critical online services in Australia still use SMS-based one-time codes, including myGov and the Big 4 banks: ANZ, Commonwealth Bank, NAB, and Westpac.
Is two-factor authentication secure?
Major vendors such as Microsoft have urged users to abandon two-factor authentication that relies on SMS or voice calls. SMS was never designed as a secure channel: messages travel without end-to-end encryption, are routed by a carrier that can be socially engineered, and can be read by any app on the phone with message or notification access. That leaves it open to a host of different attacks.
For example, SIM swapping has been demonstrated as a way to circumvent two-factor authentication. In a SIM swap, the attacker convinces the victim's mobile service provider that they are the victim and asks for the victim's phone number to be moved to a SIM in a device the attacker controls. Every SMS code for that number then arrives at the attacker's handset.
SMS-based one-time codes are also defeated by readily available phishing tools such as Modlishka, which use a reverse-proxy technique. The tool sits between the victim and the genuine service: the victim visits a look-alike domain, and Modlishka relays every request to the real site and every response back, rewriting links so the session stays on the proxy.
Because all traffic flows through it, Modlishka records everything the victim submits, including the username, password and the SMS one-time code, and forwards them to the real service in real time. The code is used before it expires, so the attacker ends up with an authenticated session and the victim sees nothing unusual.
In addition to these known weaknesses, our team has found further vulnerabilities in SMS-based two-factor authentication. One particular attack exploits a feature of the Google Play Store that lets a signed-in user install apps on their Android device remotely from the Play website.
If an attacker has your Google credentials and logs into your Google account on a laptop, they can push any app they like onto your smartphone from the Play website. The phone shows a notification, but the install itself does not require your approval.
Is Android particularly vulnerable?
Our experiments showed a malicious actor could remotely read a user's SMS-based two-factor codes with little effort, by abusing a popular app (name and type withheld for security reasons) designed to synchronise a user's notifications across their devices.
Specifically, an attacker holding a compromised email/password combination for a Google account (such as firstname.lastname@example.org) can use it to remotely install a readily available message-mirroring app on the victim's smartphone via Google Play.
This is a realistic scenario because reusing the same credentials across services is common, so a password leaked from one site often opens the victim's Google account as well. A password manager removes that link by generating a unique password for every service, which makes your first line of authentication, the username and password login, much harder to reuse against you.
Once the app is installed, the attacker still needs the victim to grant the notification-access permission the app depends on. Simple social engineering is enough to get it.
For example, they may call the victim while pretending to be from a legitimate service provider and talk them through enabling the permission. From then on, every message the phone receives is mirrored to the attacker, including the one-time codes used for two-factor authentication.
Although multiple conditions must be fulfilled for the aforementioned attack to work, it still demonstrates the fragile nature of SMS-based two-factor authentication methods.
More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.
The threat is even more real when the attacker is a trusted individual (e.g., a family member) with access to the victim’s smartphone.
How to stay secure online
To remain protected online, start by checking that your first line of defence is sound. Check whether your password has already appeared in a known breach; several password managers, browsers and breach-notification services will do this for you. And make sure every account uses a long, unique password rather than one shared across services.
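One way to run the breach check described above without handing the password to anyone, as an added example that is not from the article: the k-anonymity range query exposed by Have I Been Pwned's Pwned Passwords API, which many password managers and browsers use. Only the first five hex characters of the password's SHA-1 hash are sent; the matching against the returned suffixes happens locally. The sample range response and its counts below are constructed for the example, and the live lookup function is optional and needs network access.

```python
"""Added example (not from the article): a breach check for a password that
never sends the password, or even its full hash, to the service. This is the
k-anonymity range query exposed by Have I Been Pwned's Pwned Passwords API;
the local sample response below is constructed for the example."""
import hashlib
import urllib.request


def hash_prefix_suffix(password: str):
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_lookup) -> int:
    """Return how many times the password appears in the breach corpus.
    `range_lookup(prefix)` returns the service's response for that prefix:
    one 'SUFFIX:COUNT' line per known hash in the range. Only the prefix
    leaves the client; the suffix comparison is done here."""
    prefix, suffix = hash_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real endpoint (network required; not used
    by the offline demo below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service: one range with two suffixes and
# made-up counts. "password" hashes to 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
_FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
             + "0" * 35 + ":1\r\n",
}


def fake_range_lookup(prefix: str) -> str:
    """Offline replacement for hibp_range_lookup using the constructed data."""
    return _FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, fake_range_lookup)} times")
```

Swap `fake_range_lookup` for `hibp_range_lookup` to query the real service; the privacy property is the same either way, since the service only ever learns a 5-character prefix shared by hundreds of other hashes.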
We also recommend you avoid SMS as a two-factor method wherever a service offers an alternative. App-based one-time codes, such as those from Google Authenticator, are a better choice: the code is derived on your device from a shared secret and the current time, so nothing is sent to you over the phone network and there is no message to redirect or mirror. Such codes can still be phished in real time by a reverse proxy, because the user still types them into whatever page is in front of them.
The strongest widely available option is a physical security key. These are small USB (or near-field communication-enabled) devices that provide a streamlined way to enable two-factor authentication across different services.
The key must be plugged into, or tapped against, the device you are logging in from, and it answers a challenge from the genuine site rather than displaying a code. There is no visible one-time code to read, redirect or mirror, which removes the risks associated with codes sent by SMS.
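The difference between a code that can be relayed and a key that cannot, as an added example that is not from the article or the researchers. The first part implements RFC 4226 HOTP and RFC 6238 TOTP, the scheme authenticator apps use, and checks it against the RFC test vectors; the server-side verifier allows one step of clock drift, compares in constant time and refuses replayed codes. The second part plays out the Modlishka-style reverse proxy described earlier: the proxy forwards whatever the victim submits, so the TOTP code is accepted, while the security key's answer is bound to the origin the browser actually visited and fails at the real site. The origins, the secrets and the HMAC stand-in for the key's signature are assumptions for illustration; real keys sign with an asymmetric key over client data that includes the origin.

```python
"""Added example (not the article's or the researchers' code).
Part 1: RFC 4226 HOTP / RFC 6238 TOTP, as used by authenticator apps.
Part 2: why a reverse proxy (Modlishka-style) can relay a TOTP or SMS code
but not an origin-bound security-key assertion. Origins, secrets and the
HMAC stand-in for the key's signature are illustrative assumptions."""
import hashlib
import hmac
import os
import struct
import time

# RFC 4226 / RFC 6238 reference test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of `step`-second intervals since
    the epoch. Nothing is transmitted; app and server derive the same code
    from the shared secret and the clock."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, used: set,
                step: int = 30, window: int = 1) -> bool:
    """Server-side verifier. Accepts the current step or its +-window
    neighbours (clock drift), compares in constant time, and records accepted
    counters in `used` so the same code cannot be replayed inside its window."""
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            used.add(counter)
            return True
    return False


REAL_ORIGIN = "https://bank.example"       # assumed genuine site
PHISH_ORIGIN = "https://bank-example.net"  # assumed look-alike served by the proxy


def key_assert(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for a security key's assertion. The signed data includes the
    origin the browser actually connected to, which the browser fills in and
    the user cannot alter. Real keys use ECDSA over clientDataHash;
    HMAC-SHA256 keeps this example to the standard library."""
    return hmac.new(key_secret, challenge + b"|" + origin.encode(),
                    hashlib.sha256).digest()


def site_verify_assertion(key_secret: bytes, challenge: bytes,
                          assertion: bytes) -> bool:
    """The real site only accepts an assertion computed over its own origin."""
    expected = key_assert(key_secret, challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def relay_attack(totp_secret: bytes, key_secret: bytes, at: int) -> dict:
    """Model of a reverse-proxy phish: the proxy forwards every message
    verbatim between the victim (who sees PHISH_ORIGIN) and the real site."""
    # The real site challenges the client it sees, which is the proxy; the
    # proxy passes the challenge straight through to the victim's browser.
    challenge = os.urandom(32)

    # Second factor 1: a one-time code. The victim reads it from their
    # authenticator app (or an SMS) and types it into the proxied page; the
    # proxy forwards it unchanged and the real site accepts it.
    victim_code = totp(totp_secret, at)
    otp_accepted = verify_totp(totp_secret, victim_code, at, set())

    # Second factor 2: a security key. The browser binds the assertion to the
    # origin it is on, i.e. the phishing origin, so the relayed assertion
    # does not verify at the real site.
    victim_assertion = key_assert(key_secret, challenge, PHISH_ORIGIN)
    key_accepted = site_verify_assertion(key_secret, challenge, victim_assertion)

    return {"otp_accepted": otp_accepted, "key_accepted": key_accepted}


if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
    print("Current code for the test secret:", totp(RFC_SECRET, int(time.time())))
    print(relay_attack(RFC_SECRET, os.urandom(32), int(time.time())))
```

The replay set in `verify_totp` matters in the SMS and mirroring scenarios too: a code that has been used once must be dead, otherwise an attacker who reads it a few seconds late can still log in with it.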
It must be stressed that an underlying condition of any two-factor alternative is that the user must take some active part and responsibility: enrolling the second factor, keeping it with them, and not approving prompts or granting permissions they did not ask for.
At the same time, further work must be carried out by service providers, developers, and researchers to develop more accessible and secure authentication methods.
Essentially, these methods need to go beyond two-factor authentication and towards a multi-factor authentication environment, where multiple authentication methods are simultaneously deployed and combined as needed.