Top 5 techniques for defeating two-factor authentication
Two-factor authentication (2FA) has long been recognized for the security it brings to organizations. Requiring two of something you know, something you have and something you are is the heart and soul of 2FA and explains its strength relative to a password alone.
Despite this, attackers have several known ways to defeat 2FA, and as an ethical hacker it is your job to understand them. This article details the top five techniques for attacking 2FA and gives you an all-round picture of the kinds of 2FA attacks you can expect to encounter when working as an ethical hacker.
What is two-factor authentication?
Two-step verification, or two-factor authentication, confirms a user's claimed identity by combining something they know (a password) with a second factor that is something they have (a phone or hardware token) or something they are (a biometric). A typical second step is the user repeating back a value delivered through an out-of-band channel (such as a code sent over SMS), or entering a number produced by an authenticator app from a secret shared between the user's device and the authentication system.
There are two directions in which authentication can run:
- One-way: the most common form. Only one side proves its identity to the other. Server-only authentication, where the client verifies the server but not the reverse (as in an ordinary TLS connection), is the most widely used; client-only authentication is the other variant.
- Two-way (mutual authentication): both client and server must prove their identity to each other. It is less common than one-way authentication but more secure.
Advantages
- No additional token is needed, because the second factor lives on a mobile device that the user (usually) carries at all times.
- Dynamically generated passcodes change constantly, so they are safer than fixed (static) login credentials.
- Depending on the solution, a used passcode is automatically replaced so that a valid code is always available; transmission or reception problems therefore do not prevent logins.
Advances in mobile two-factor authentication
Research into two-factor authentication for mobile devices considers different ways in which a second factor can be implemented without hindering the user. With the continued use and improving accuracy of mobile hardware such as GPS, the microphone and the gyroscope/accelerometer, using them as a second factor of authentication is becoming more trustworthy. For example, recording the ambient noise at the user's location with a mobile device and comparing it with a recording of the ambient noise taken by the computer in the same room, on which the user is trying to authenticate, gives an effective second factor. This also reduces the time and effort needed to complete the process.
In India, the Reserve Bank of India mandated two-factor authentication for all online transactions made using a debit or credit card, using either a password or a one-time password sent over SMS. This was temporarily withdrawn in 2016 for transactions up to ₹2,000 in the wake of the November 2016 banknote demonetisation. Vendors such as Uber have been pulled up by the central bank for allowing transactions to take place without two-factor authentication.
Top 5 techniques for defeating two-factor authentication
Duplicate code generator
Depending on how your organization has implemented 2FA, a code or number generator such as Google Authenticator may supply the “something you have” factor.
These generators are not random. Each code is computed by a public algorithm (HMAC-based one-time passwords, RFC 4226 and RFC 6238) from a secret seed shared between the user's device and the server, combined with a counter or the current time step. Because the algorithm is public, the seed is the only thing protecting the factor. If attackers obtain the seed, for example by photographing the enrolment QR code, reading it from an unencrypted backup, or compromising the server's seed database, they can build a duplicate code generator that produces exactly the same codes as the compromised user's generator.
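To make the point concrete, here is an added example (not code from the original article) of a minimal RFC 6238 TOTP generator in Python, with the server-side verifier beside it. The enrolment URI, seed and timestamps are constructed for the demo (the seed is the RFC 4226/6238 test vector, not a real credential). It shows that a second copy of the seed, decoded from the kind of otpauth:// URI an enrolment QR code carries, yields exactly the codes the server accepts.

```python
# Added example, not from the original article: a minimal RFC 4226/6238 HOTP/TOTP
# generator and verifier, used to show that whoever holds the seed holds the factor.
# The seed and enrolment URI below are constructed for the demo (the seed is the
# RFC test vector "12345678901234567890"); they are not real credentials.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed, unix_time // step, digits)


def seed_from_otpauth_uri(uri: str) -> bytes:
    """Recover the raw seed from the otpauth:// URI encoded in an enrolment QR code.
    The secret is base32 without padding, so restore padding before decoding."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def verify(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates clock drift by accepting +/- `window` steps."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), submitted)
               for d in range(-window, window + 1))


# Constructed enrolment URI of the kind shown as a QR code at setup time.
# Anyone who photographs that QR code, or reads it from a screenshot or
# backup, obtains the seed and can run an identical generator.
ENROLMENT_URI = ("otpauth://totp/Example:alice%40example.com?"
                 "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def clone_matches(unix_time: int) -> bool:
    """True if the attacker's cloned generator produces a code the server accepts."""
    victim_seed = seed_from_otpauth_uri(ENROLMENT_URI)    # what the victim's app stores
    attacker_seed = seed_from_otpauth_uri(ENROLMENT_URI)  # what the attacker decoded
    return verify(victim_seed, totp(attacker_seed, unix_time), unix_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 gives 94287082 with 8 digits, i.e. 287082 with 6.
    print(totp(RFC_TEST_SEED, 59))          # 287082
    print(clone_matches(1111111109))        # True
```

Two things worth noticing: the verifier's drift window means three codes are valid at any moment, not one, and nothing in the exchange ever reveals the seed, so the only practical route to a duplicate generator is stealing the seed at enrolment, from a backup, or from the server.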
SS7
Using SS7 exploits, an attacker with access to the signalling network can intercept SMS messages sent to a target's phone number and so bypass SMS-based 2FA.
That covers Gmail accounts, WhatsApp, Telegram, bitcoin accounts, credit cards protected by Verified by Visa or MasterCard SecureCode, and any other site that relies on an SMS code to authenticate.
Usually, banks send those one-time passwords in SMS text messages. Unfortunately, SMS is one of the weakest ways to implement 2FA, because text messages can be intercepted.
SS7 is a telephony signalling protocol designed in 1975 and in use ever since. It is widely used in fixed and mobile networks around the world, and every day billions of calls and SMS messages are handled by it.
Despite an update around 2000 that added transport over IP networks (SIGTRAN), the protocol has changed little since, and its security model still assumes that every party with access to the signalling network can be trusted. That outdated trust model is why it is so easy to abuse.
Brute force
What would authentication attacks be without the quintessential brute-force attack? Even though 2FA offers better security than single-factor authentication, brute force can help attackers get around it.
Brute-force attacks are possible when the 2FA verification step does not lock the account (or at least throttle attempts) after a predetermined number of bad codes. A typical scenario: the attacker already controls the victim's email account, triggers a password reset for the target service, follows the reset link in that email to set a new password, and is then left with only the second factor to beat. A six-digit code has just one million possible values, so if the server accepts unlimited guesses the attacker can simply try every one of them.
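As an added illustration (not from the original article), the following Python models the second-step verifier in both forms: one that accepts unlimited guesses and one that locks after a fixed number of wrong codes. The code value, attempt limit and class names are constructed for the demo, and the helper at the end generalizes the arithmetic to a verifier that accepts more than one code at a time.

```python
# Added example, not from the original article: a constructed model of the
# second-step verifier with and without an attempt limit, to show why a
# missing lockout turns a 6-digit code into a brute-force target.
import secrets
from typing import Optional

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS   # one million possible 6-digit codes


class NoLockoutVerifier:
    """Vulnerable: counts attempts but never refuses one."""

    def __init__(self, code: str):
        self._code = code
        self.attempts = 0

    def check(self, guess: str) -> bool:
        self.attempts += 1
        # compare_digest keeps the comparison constant-time for the code length
        return secrets.compare_digest(guess, self._code)


class LockoutVerifier:
    """Hardened: after max_attempts wrong codes every further guess is refused,
    even a correct one, until the session is re-established."""

    def __init__(self, code: str, max_attempts: int = 5):
        self._code = code
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def check(self, guess: str) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if secrets.compare_digest(guess, self._code):
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True
        return False


def brute_force(verifier) -> Optional[str]:
    """Try every 6-digit code in order; return the accepted code, or None if the
    verifier locked us out before we found it."""
    for n in range(CODE_SPACE):
        if getattr(verifier, "locked", False):
            return None
        guess = f"{n:0{CODE_DIGITS}d}"
        if verifier.check(guess):
            return guess
    return None


def success_probability(attempts: int, valid_codes: int = 1) -> float:
    """Chance that `attempts` distinct guesses hit one of `valid_codes` accepted values.
    A TOTP verifier that tolerates clock drift by accepting +/- one step has 3 valid codes."""
    return min(1.0, attempts * valid_codes / CODE_SPACE)


if __name__ == "__main__":
    VICTIM_CODE = "482913"   # constructed; a real TOTP code changes every 30 seconds
    weak = NoLockoutVerifier(VICTIM_CODE)
    print("no lockout:", brute_force(weak), "after", weak.attempts, "attempts")
    strong = LockoutVerifier(VICTIM_CODE)
    print("lockout   :", brute_force(strong), "locked after", strong.attempts, "attempts")
    print("5 guesses against 3 valid codes:", success_probability(5, 3))
```

Against the no-lockout verifier the loop always terminates with the code; the only thing that saves a TOTP deployment is that one million guesses have to fit inside the code's 30-second validity window, which is roughly 33,000 requests per second and well within reach of a scripted attacker. The lockout variant stops the same loop after five attempts, at which point the attacker's odds are about fifteen in a million even with a three-code drift window.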
Buggy two-factor authentication
Bugs are still a fact of life in today's world, and this extends into the world of 2FA. Within the last year or so there have been several examples affecting widely used websites and services, including Uber.
The dangerous thing about buggy 2FA is the sheer number of devices it can affect. For example, the Return of Coppersmith's Attack vulnerability (ROCA, CVE-2017-15361), disclosed in 2017, affected smart cards, TPM chips and security tokens whose RSA keys had been generated by Infineon Technologies' key-generation library: such keys of 2048 bits or less (which most are) can be factored in practice. Hundreds of millions of devices were affected, and many of them remain in use to this day.
Social engineering
Without a doubt, the top technique for attacking 2FA is social engineering. When a website or service that uses 2FA appears not to be working, users naturally reach out to tech support, and support staff can usually reset a password or a second factor. Attackers have been observed socially engineering tech support, posing as the user, to get a password or 2FA reset or to extract sensitive information about the user's 2FA setup.
This is a natural point of weakness for 2FA: in any support interaction the odds of a sensitive detail being disclosed are high, whether the attacker asks a few leading questions or the user simply volunteers the information.