Old-School Ways To Bypass Two-Factor Authentication
We regularly remind our readers to enable 2FA (two-factor authentication) on every web service they use that offers it. Most mainstream services provide an optional 2FA feature, disabled by default and switched on by the user: Facebook, Twitter, Gmail/Google accounts, Microsoft accounts and most online banking sites. Google itself issues hardware security keys to its staff, and the company has reported that this made employee accounts effectively immune to phishing-based takeover and greatly reduced the chance of an information leak.
However, like everything else, 2FA has weaknesses, and the tricks below take advantage of them. Here is how not to fall for them:
Blackmailed people tend to do what the other party wants. That makes 2FA essentially irrelevant when a person is targeted and coerced: the information is handed over by the very person the 2FA system was protecting, so the control is never even tested. It is a reminder that the human operator is the weakest part of any IT security policy, and the people most exposed to blackmail are those with skeletons in the closet that the attackers have already found. This is a classic example of how information can be extracted regardless of the security precautions and policies in place inside an organization. It takes only one employee who gives in to blackmail to release what the attackers want.
Fake apps are a dime a dozen for smartphone users who download apps outside the official stores. This is the very reason Apple restricts iOS devices to the App Store, and bypassing that restriction requires jailbreaking the device, which takes a significant level of knowledge. Google allows sideloading on Android, but installation from unknown sources is disabled by default. Fake 2FA apps are usually trojanized versions of the genuine app: they display the code as normal and forward it to the attacker's command-and-control server within the short lifetime of that code (typically a 30-second window for a time-based code). Worse, an authenticator app holds the shared secret from which every code is derived (the codes are not random; they are computed from the secret and the clock), so a trojanized app can exfiltrate the secret once and let the attacker generate valid codes at will, with no timing constraint at all.
Social engineering is a skill that takes real effort to pull off. A socially engineered employee gives up information without being aware of it. The art of persuasion is not learned overnight; it requires careful preparation and a lot of practice to sound reasonable and believable. A campaign that attacks human weakness can bypass most technological barriers, restrictions and policies, 2FA included: a victim who reads a code out over the phone, or types it into a convincing fake login page, has handed the attacker the second factor. The exception is the hardware key mentioned above, which only signs for the genuine site it was registered with and therefore cannot be talked into authenticating to an impostor.
Malware on the phone, often loosely described as a man-in-the-middle attack, is strongly linked with fake apps. A malicious app running in the background can log everything typed on the virtual keyboard, read the clipboard and read any SMS stored on the device (on Android these are separate permissions, which is why a supposed 2FA app asking for SMS or accessibility access is a red flag). That is enough to capture both the user's credentials and the 2FA code when the same phone is used to log in and to receive the code. Using the PC to log in and the phone only for 2FA helps, because the phone malware then sees only the code, which is useless without the password; but it is not a complete defence. An attacker who already holds the password (from a phishing page or a password breach) can have the captured SMS code relayed in seconds and use it within its validity window. We strongly recommend against sideloading apps at all, since it is very difficult to confirm that an app downloaded outside the official store is clean.
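The timing constraint in the fake-app paragraph above and in the relay scenario just described can be made concrete. The following is an added example, not code from the original article: a minimal RFC 6238 TOTP implementation with the usual server-side verifier, used to show that a captured code relayed within seconds is accepted, that the same code replayed two minutes later is rejected, and that a leaked seed removes the timing constraint entirely. The secret, the timestamps, the one-step skew allowance and the function names are all constructed assumptions for this demonstration; the RFC test-vector secret `12345678901234567890` is used only to check the implementation against the published vectors.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step, in seconds
DIGITS = 6   # code length used by most authenticator apps

# Constructed secret for this demonstration; a real app holds one per account,
# provisioned from the QR code shown at enrolment.
SECRET = b"constructed example secret, not a real one"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (unix time // step)."""
    return hotp(secret, int(at // step), digits)


def verify(secret: bytes, code: str, now: float, skew: int = 1, step: int = STEP) -> bool:
    """Server-side check: accept the current step plus `skew` steps either side
    to tolerate clock drift (an assumed, common default). Constant-time comparison."""
    counter = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


def relayed_code_accepted(stolen_at: float, delay_seconds: float) -> bool:
    """Trojanized-app scenario: the victim's code is captured at `stolen_at` and
    submitted by the attacker `delay_seconds` later. True if the server accepts it."""
    captured = totp(SECRET, stolen_at)
    return verify(SECRET, captured, stolen_at + delay_seconds)


def stolen_seed_accepted(leaked_secret: bytes, now: float) -> bool:
    """Seed-exfiltration scenario: the attacker mints a fresh code from the leaked
    secret at any moment of their choosing; no relay window applies."""
    return verify(SECRET, totp(leaked_secret, now), now)


if __name__ == "__main__":
    t = 1_700_000_000.0  # constructed timestamp
    print("relayed in 5 s:   ", relayed_code_accepted(t, 5))                # accepted
    print("relayed in 120 s: ", relayed_code_accepted(t, 120))              # rejected, 4 steps old
    print("minted from seed: ", stolen_seed_accepted(SECRET, t + 86_400))   # accepted a day later
```

The practical lesson is in the last call: a relay has to win a race against the 30-second step (plus whatever skew the server tolerates), whereas a leaked seed never has to race at all. A fake authenticator that can read its own storage gets the seed, and from then on the "second factor" belongs to the attacker.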