All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it’s as simple as sending a traditional phishing email. It’s important to know that the latest phishing attacks can bypass Two Factor Authentication (2FA) protection without being noticed.
Have New Phishing Attacks Made 2FA Useless?
Google researchers are seeing more phishing attacks that are 2FA-aware. Attackers know that organizations are embracing two-factor authentication as a means of thwarting phishing attacks seeking to compromise credentials.
NIST Advises That You Not Use SMS For 2FA
NIST (the National Institutes of Standards and Technology) sets technical standards for U.S. government agencies; and although 2FA is a reliable form of identity authentication, they advise that SMS not be used for two-factor authentication.
SMS (Short Message Service) is the most widely used form of text messaging. NIST reports that SMS won’t be permitted in future versions of its Digital Authentication Guideline.
Who Uses 2FA?
Decades of successful attacks against single-factor authentication methods, like login names and passwords, are driving a growing widescale movement to more secure, multi-factor authentication (MFA) solutions.
Although MFA solutions have been available for decades, due to a variety of reasons, there is now an ongoing, wide-scale, rapid adoption of MFA/2FA in both corporate environments and by internet websites.
This trend is exemplified by the fact that over the last few years, the most popular websites and services, including those owned by Google, Microsoft, Facebook, and Twitter, have offered 2FA solutions to their customers. Many internet sites and services now offer both traditional login name/password solutions and more secure 2FA options.
How Does 2FA Work?
Two Factor Authentication helps you protect your identity and accounts. More organizations are using it for its security and ease-of-use.
You’ve probably already used 2FA. For example, when you go to the ATM to deposit or withdraw money, you swipe your bank card and enter your personal ID number (PIN).
It’s much the same when you go online to your bank account. You sign in with your ID and enter a passcode, but there’s one more step. A one-time code is sent to you via text message on your mobile phone or in an email. Once you enter this code on the bank’s website, you can get into your account.
How Are Hackers Bypassing 2FA?
By using a second authentication factor (which usually is an SMS text message-based verification code), attackers who only capture usernames and passwords have little use for the details collected.
Attackers exploiting authentication often look for weaknesses in implementations along the entire process. They will look to see if there are gaps in the linkages between the identity, authentication, and authorization… and there often is.
According to a recent talk with Gmail security engineering lead, Nicolas Lidzborski, cybercriminals are evolving the art of the credential phish, and are adding in mechanisms to capture and instantly use the combination of username, password, and verification code.
In essence, the bad guys have come to realize that SMS-based verification will be a part of the process and have painstakingly built detailed lookalike login pages that not only accept user credentials but also facilitate making the Google request to provide the second authentication factor.
As the victim provides the details, the malicious webpage simultaneously logs on to gain access to their entire G Suite.
Today, it’s Google; tomorrow, you can expect attackers to attempt this on every 2FA platform that uses some kind of single sign-on.
How Can You Defend Your Business From This 2FA Phishing Scam?
This is a tough attack method to crack. The pages look identical. The process looks identical. So, the only thing that would stand out is the potentially abnormal email request to view something in the user’s Google account.
2FA is good but don’t over-rely your security assurance on it. It’s an excellent tool to increase security, but there’s a huge difference between 2FA improving security assurance and it being unhackable. Understanding the difference is crucial to all entities and security administrators relying on MFA solutions.
Education Is Essential To Defend Your Business Against 2FA Scams
Your users should be educated to be mindful of emails that take them to any kind of login page on the Web. Just because they are prompted to authenticate, doesn’t mean they just blindly should.
Ongoing Security Awareness Training can help your employees stay current with attack trends, methods, and techniques used, empowering them to know when they see something that just isn’t right, and how to avoid falling for even the most realistic scams that capture 2FA.
• 2FA isn’t unhackable.
• 2FA doesn’t prevent phishing or social engineering from being successful.
• 2FA is good. Everyone should use it when they can, but it isn’t unbreakable.
• If you use or consider going to 2FA, security awareness training has still got to be a big part of your overall security defense.
Don’t take chances with the security of your data. Stay up to date on these and other IT topics.