Hackers Have Learned To Bypass Two-Factor Security—What Now?
By Alexa Heah, 18 Aug 2021
While most people in the know have activated two-factor authentication (2FA) on their apps and devices, hackers have stepped up their game, too.
While it was previously believed that 2FA security was able to block 99.9% of attacks, it appears hackers can now bypass 2FA through the one-time codes sent to users’ smartphones.
Microsoft has cautioned against solutions that make use of text messages or voice calls, as these channels are known for having poor protection, and are left open to a wide array of attacks.
For example, according to TNW, hackers can use SIM swapping to circumvent the 2FA codes.
The intruder could convince a victim’s mobile carrier that they themselves are the victim, and request that the victim’s phone number be switched to their device. This allows them to gain access to the one-time SMS and phone call codes companies send.
There are also reverse proxies, such as Modlishka, that intercept the messages between the mobile carrier and a victim. They allow hackers to track and record the victim’s interactions with the service provider, including 2FA codes or login credentials.
TNW reporters have also recently discovered another loophole. By exploiting the Google Play Store’s auto-download feature, a hacker can install any app onto a victim’s smartphone if they manage to log into the victim’s Google account through a laptop. This will enable them to install a particular app that remotely accesses the victim’s messages, giving them the 2FA security codes.
As it’s probable that a victim uses the same login credentials on multiple sites, hackers who access a list of breached usernames and passwords can try to get into the same user’s Google account.
While this all sounds pretty frightening, there are ways to take precautions and lower your chances of being hacked. The first step is to ensure your existing passwords haven’t been compromised, with a variety of sites allowing you to check. Even if they haven’t, it’s best to use a password generator to ensure you’ve set a strong password for your user accounts.
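The two precautions above, sketched as an added example that is not part of the original article: a breach check that sends only the first five characters of the password's SHA-1 hash, and a generator that draws from the operating system's secure random source. The article names no checking site, so the hash-range scheme is an assumption about how such a site can work, and the `BREACHED` corpus and its counts are constructed sample data.

```python
import hashlib
import secrets
import string

# Constructed sample corpus standing in for a breach list (not real data).
BREACHED = {"password123": 4210, "qwerty2021": 87, "letmein!": 1503}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_response(prefix: str) -> str:
    """Stand-in for the checking service: given a 5-character hash prefix,
    return 'SUFFIX:COUNT' lines for every breached hash with that prefix."""
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password: str, lookup=range_response) -> int:
    """Client side: only the 5-character prefix is handed to the lookup;
    the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if secrets.compare_digest(candidate.strip(), suffix):
            return int(count)
    return 0

def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG with at least one of each class."""
    if length < 4:
        raise ValueError("length must be at least 4")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

if __name__ == "__main__":
    for candidate in ("password123", generate_password()):
        hits = breach_count(candidate)
        print("compromised" if hits else "not found", hits)
```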
There are also dedicated hardware devices, such as YubiKey, that plug directly into the device as part of the 2FA security. However, as most people aren’t privy to such methods, the onus is also on service providers and developers to come up with safer authentication methods in the near future.
Who knows; in a few years, we might even go from two-factor authentication to five-factor instead!
[via TNW, cover image via Shutterstock]