Cyber Crime
How Cyber Criminals Break Two-Factor Authentication Security By Intercepting SMS and Voice Calls
According to the most recent estimates, compromised and weak credentials account for more than 80% of all hacking-related breaches, with three billion username/password combinations taken in 2016 alone.
Two-factor authentication (2FA), often known as two-step verification or dual-factor authentication, is a security procedure in which users submit two distinct authentication factors to validate their identity.
It adds an extra layer of security to the otherwise susceptible username/password system. According to statistics, users who enable 2FA block 99.9% of automated attacks.
Vulnerabilities in SMS-Based 2FA
SMS is well known for having lax security, leaving it vulnerable to a variety of attacks. Microsoft has encouraged users to stop using 2FA solutions that rely on SMS and voice calls.
SIM swapping allows an attacker to convince a victim’s mobile service provider that they are the victim before requesting that the victim’s phone number be moved to a device of their choice.
SMS-based one-time codes are also compromised using a reverse-proxy phishing technique, implemented by widely available tools such as Modlishka.
Experts also discovered an attack that takes advantage of a feature provided by the Google Play Store to install apps from the web onto your Android smartphone automatically.
The Attack on Android
Attackers can use a hacked email/password combination associated with a Google account to install a widely available message mirroring app on a victim’s smartphone via Google Play.
Attackers can then employ social engineering techniques to persuade the user to grant the app the permissions it needs to function. They may, for example, pretend to be phoning from a legitimate service provider in order to persuade the user to enable the permissions. Once granted, attackers can remotely intercept all messages delivered to the victim's phone, including the one-time codes required for two-factor authentication (2FA).
How to Stay Protected?
Users should ensure that their passwords are strong. It is advised that SMS be used as a second authentication factor only when absolutely necessary. It is preferable to use app-based one-time codes, such as those provided by Google Authenticator, where the code is generated locally within the app on your smartphone rather than delivered over the mobile network.
Users can use dedicated hardware devices such as YubiKey, an authentication device designed to handle one-time password and two-factor authentication protocols without relying on SMS-based two-factor authentication.
Because these physical devices never expose a code that can be read or forwarded, they reduce the hazards associated with visible one-time codes such as SMS codes.