My 11 ways to hack 2FA column a few weeks ago continues to be a popular discussion topic with readers. Most people are shocked about how easy it is to hack around two-factor (2FA) and multi-factor authentication (MFA). It isn’t hard. Sometimes it’s as easy as a regular phishing email.
The number one resulting question is how 2FA users can better protect themselves. It, of course, depends on the strengths and weaknesses of the 2FA method used in the particular deployment scenario. In many of the hacking scenarios, all it takes to defeat the attack is to use and require two-way, mutual authentication in a linked, one-to-one relationship, where both the client and the server authenticate each other before transacting business.
Unfortunately, the digital world, and the real world, are full of one-way authentication, where either the server authenticates itself to the user or users authenticate themselves to the server. The video demo by Kevin Mitnick that I referenced in the hacking 2FA column is a great example of how easy it is to hack one-way authentication.
In Kevin’s demo, the user is authenticating to the service using a 2FA logon, but the server isn’t authenticating itself to the user. Because the user doesn’t notice that their logon link isn’t HTTPS-encrypted to the legitimate site, they are fooled into allowing a man-in-the-middle proxy to capture their typed-in logon responses and valid session cookie. A two-way, mutual authentication solution, like the FIDO Alliance’s Universal Second Factor (U2F), would prevent that type of attack.
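As an added illustration of that point (not code from the column), here is a toy Python model of why a relayable one-time code falls to a man-in-the-middle proxy while a U2F-style response bound to the browser's origin does not. The origins and keys are constructed, and HMAC stands in for U2F's per-site ECDSA signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the real site and the phishing proxy sitting in front of it.
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"
DEVICE_KEY = secrets.token_bytes(32)  # stands in for the U2F per-site key pair
OTP_SECRET = secrets.token_bytes(20)  # shared secret of a one-time-code app


def otp_code(secret, counter):
    """One-way 2FA code: depends only on secret and counter, valid on any site."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

def u2f_sign(device_key, challenge, browser_origin):
    """U2F-style response: the token signs the challenge together with the
    origin the browser actually connected to (HMAC stands in for ECDSA)."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin})
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig

def u2f_verify(device_key, server_origin, challenge, client_data, sig):
    """Legitimate server: signature must check out AND the signed origin must
    be this server's own. The origin check is the mutual half."""
    data = json.loads(client_data)
    if data["origin"] != server_origin or data["challenge"] != challenge:
        return False
    expected = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def proxied_otp_login(counter=1):
    """Proxy attack on a one-time code: the user types it into the phishing
    page, the proxy relays it unchanged, and the real server accepts it."""
    relayed_code = otp_code(OTP_SECRET, counter)
    return hmac.compare_digest(relayed_code, otp_code(OTP_SECRET, counter))

def proxied_u2f_login():
    """Same proxy against U2F: the token signs PHISH_ORIGIN, so the real
    server rejects the response even though the challenge was relayed intact."""
    challenge = secrets.token_hex(16)  # issued by the real server, relayed by the proxy
    client_data, sig = u2f_sign(DEVICE_KEY, challenge, PHISH_ORIGIN)
    return u2f_verify(DEVICE_KEY, LEGIT_ORIGIN, challenge, client_data, sig)

def direct_u2f_login():
    """No proxy: the browser is on the real origin, so the same token works."""
    challenge = secrets.token_hex(16)
    client_data, sig = u2f_sign(DEVICE_KEY, challenge, LEGIT_ORIGIN)
    return u2f_verify(DEVICE_KEY, LEGIT_ORIGIN, challenge, client_data, sig)
```

The user never chooses what origin gets signed; the browser supplies it, which is why a lookalike site cannot borrow a response meant for the real one.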
The lack of required, consistent, linked, one-to-one, mutual authentication is the cause of many authentication attack scenarios. The problem isn’t just digital. It’s increasingly becoming a real-world problem, too, and one that all vendors need to address. Here are some examples of the one-way authentication problem.
Fake offers of technical support over social media are a growing problem. I don’t mean when someone calls your phone and claims you have a virus that they will help you remove. That’s old school. I’m talking about a new-school tactic where you have almost no idea that you’re being scammed.
It usually starts when someone posts a negative review about a product or service to Facebook or some other social media service, often on the vendor’s legitimate social media page. Then someone claiming to represent the company reaches out, usually starting on social media, and says they will help you. All you need to do is provide your relevant account information and they will be glad to give you a refund or a replacement.
Of course, what really happens is that they rob you blind. People’s normal skeptical defenses are down, because the scammer didn’t contact them out of the blue with a claim they knew nothing about; the victim started the conversation. Pass this warning around, because this type of scam is just taking off in popularity.
Here’s another similar example. Some banking trojans, after they install themselves on your computer, watch everything you type. When you type the word “bank” in a browser URL, they wake up and start interfering with your online banking experience. They usually make the browser seem to go super slow or stop.
Then the trojan pops up a window pretending to be a bank customer service representative. They are sorry for their web site and the issues it is having. They want to help you complete your online transaction, and all you have to do is provide your account number and other relevant information. How nice.
Fake calls have been growing in popularity for a decade. I just got multiple, repeated robo calls from “the police,” claiming that I had four serious charges pending against me and I need to call ASAP to take care of the matter. Last week, I had a call from the “IRS” asking me to go to the local Walmart to get some “green dot” money cards to pay down my “very large and substantial” penalty for fraudulently filing my taxes.
I’m so skeptical of any unilaterally authenticated transaction that I refuse to do business with any online or real-world vendor without first getting strong evidence that I am dealing with a real vendor with real transaction details.
Recently, my phone rang and the person on the other end said they were with my local cable company. They had a new deal where I could get faster internet speed, more premium channels, and pay less per month. It was a “special deal for our most valuable customers.” Who wouldn’t want better things for less? I said, sure, I’ll take it. Then they asked me for my account password or PIN so they could complete the transaction.
I immediately became skeptical, because I had zero way of knowing if this telemarketer worked for my local cable company or not. I got zero real authentication from them. I asked them to tell me what my account number was, what my PIN was, or anything about my account beyond my home address, which anyone could look up, before I would give them my PIN.
They replied that they could not access any of my personal information until I gave them my PIN; requesting my PIN, they said, was how they protected my personal information. I refused to give it directly, and at a stalemate, I told them that I would hang up, call the main cable company number, transfer to sales, and try to get the deal that way instead.
I’m not giving up my personally identifiable information to anyone without absolutely verifying their legitimacy first, and neither should you. If you decide that you’re being overly skeptical and you need to trust more, know that sometimes you can lose a lot of money.
I recently closed on a new house. At the end of every house purchase in the U.S., the buyers must wire money to the sellers or their representatives (or escrow companies). Wire transfer fraud has been rampant in the home-selling and mortgage industry for a decade. My bank representative told me story after story about customers he had worked with who had been scammed out of tens to hundreds of thousands of dollars of their hard-earned cash, and most never recovered it.
Source: CSO