Two-factor authentication, also known as 2FA, might not be the best security option for your online accounts. In fact, new reports say that 2FA could leave your account vulnerable instead.
Several online services, such as social media, bank and brokerage accounts, implement 2FA to protect their users. This means that users log in with an email address or username, a password, and a six-digit one-time password (OTP) sent to the user via short message service (SMS).
ZDNet reported that 99.9 percent of automated attacks are blocked by this method.
Unfortunately, cybercriminals have come up with new ways to bypass the 2FA system.
Hackers Find Way to Break Through Two-Factor Authentication Security
The Next Web said that 2FA solutions are renowned for having poor security. Its report listed some of the most common strategies used to defeat two-factor authentication.
3. SIM swapping or SIM hijacking
The most commonly reported attack is SIM swapping. Attackers contact the victim's mobile service provider and request that the victim's phone number be moved to a different device. Attackers often impersonate the victim in the process, using the excuse of having "accidentally lost their phone" to get the number transferred.
This redirects the victim's calls and texts to the device the attacker registered, including the OTP codes used for 2FA verification.
2. Modlishka and Reverse Proxy
Modlishka is a recently reported reverse proxy tool, covered by ZDNet. In short, the tool sits between the user and the target website, pretends to be that website, and steals the login credentials that pass through it.
For example, a user intends to log in to Google. Modlishka imitates Google's interface and presents it to the user. The user enters their username, password and OTP, which the attacker captures and relays to the real site to access the account.
1. Android Apps and Permissions
Another method of bypassing 2FA was discovered on Android smartphones. Details of the app involved were withheld to prevent others from exploiting the same weakness, but an explanation of the attack was provided.
An app published on the Google Play Store was designed to synchronize a user's notifications across different devices. Using social engineering, an attacker could convince the user to enable system "permissions" for the app. Afterward, the attacker would see every communication arriving on the victim's phone, including their 2FA codes.
Stop Using 2FA to Stop Your Account from Getting Hacked
With all these ongoing issues affecting 2FA systems, it would be better to reconsider relying on them in their current form. Users can try alternatives such as app-based one-time code generators like Google Authenticator.
Moreover, users can use online security services to check whether their account has been exposed in a breach. A dedicated hardware device like a YubiKey can also help: it is a physical USB device, and it mitigates the risks associated with OTPs sent by SMS.
Lastly, users must take some responsibility for their own security. They must not enter their credentials online unless they have properly checked that the website is genuine.
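The following added example (not from the article, and not YubiKey or Modlishka code) simulates the reverse-proxy scenario from the Modlishka section to show why a hardware key helps: a relayed password and OTP are accepted by the real site, while an origin-bound key login is rejected because the signature covers the origin the browser was actually on. The user, origins and keys are constructed, and an HMAC with a per-device key stands in for the public-key signature used by real FIDO2/WebAuthn authenticators, which is a deliberate simplification.

```python
# Added example, not code from the article: a simulation of the Modlishka-style
# reverse proxy described above, showing why a relayed OTP is accepted by the
# real site while an origin-bound hardware-key login (FIDO2/WebAuthn, as on a
# YubiKey) is rejected. Names, origins and keys are constructed; HMAC stands in
# for the authenticator's public-key signature, which is a simplification.
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

REAL_ORIGIN = "https://accounts.example.com"    # constructed: the genuine site
PHISH_ORIGIN = "https://accounts-example.com"   # constructed: lookalike hosting the proxy


def device_sign(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """The authenticator signs the challenge together with the origin the
    browser is really on; the relying party expects its own origin in there."""
    return hmac.new(device_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


class RealSite:
    """The genuine relying party, holding each user's password, current OTP
    and registered authenticator key."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}
        self.pending: Dict[str, bytes] = {}

    def register(self, user: str, password: str, otp_code: str, device_key: bytes) -> None:
        self.users[user] = {"password": password, "otp": otp_code, "device_key": device_key}

    def otp_login(self, user: str, password: str, otp_code: str) -> bool:
        """Password + OTP: nothing ties the submitted values to where they were typed."""
        u = self.users.get(user)
        return (u is not None and hmac.compare_digest(u["password"], password)
                and hmac.compare_digest(u["otp"], otp_code))

    def start_key_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def finish_key_login(self, user: str, claimed_origin: str, signature: bytes) -> bool:
        """Verify against REAL_ORIGIN regardless of what the submitter claims."""
        challenge = self.pending.pop(user, None)
        u = self.users.get(user)
        if challenge is None or u is None or claimed_origin != REAL_ORIGIN:
            return False
        expected = device_sign(u["device_key"], REAL_ORIGIN, challenge)
        return hmac.compare_digest(expected, signature)


class Victim:
    """A user whose browser is on whatever page they were lured to."""

    def __init__(self, user: str, password: str, otp_code: str, device_key: bytes) -> None:
        self.user, self.password, self.otp_code, self.device_key = user, password, otp_code, device_key

    def type_credentials(self) -> Tuple[str, str, str]:
        return self.user, self.password, self.otp_code

    def touch_key(self, page_origin: str, challenge: bytes) -> bytes:
        # The browser supplies the origin of the page it is on; the user cannot alter it.
        return device_sign(self.device_key, page_origin, challenge)


def setup() -> Tuple[RealSite, Victim]:
    site, key = RealSite(), secrets.token_bytes(32)
    victim = Victim("alice", "correct horse", "287082", key)  # constructed values
    site.register(victim.user, victim.password, victim.otp_code, key)
    return site, victim


def simulate_relayed_otp(site: RealSite, victim: Victim) -> bool:
    """Proxy at PHISH_ORIGIN forwards what the victim types; the site cannot tell."""
    return site.otp_login(*victim.type_credentials())


def simulate_relayed_key(site: RealSite, victim: Victim) -> bool:
    """Proxy forwards the real challenge, the browser signs it for PHISH_ORIGIN,
    and the proxy claims REAL_ORIGIN when submitting; the signature does not match."""
    challenge = site.start_key_login(victim.user)
    signature = victim.touch_key(PHISH_ORIGIN, challenge)
    return site.finish_key_login(victim.user, REAL_ORIGIN, signature)


def genuine_key_login(site: RealSite, victim: Victim) -> bool:
    """The same flow with the browser on the real site succeeds."""
    challenge = site.start_key_login(victim.user)
    return site.finish_key_login(victim.user, REAL_ORIGIN, victim.touch_key(REAL_ORIGIN, challenge))


if __name__ == "__main__":
    print("relayed password+OTP accepted:", simulate_relayed_otp(*setup()))  # True
    print("relayed hardware-key login accepted:", simulate_relayed_key(*setup()))  # False
    print("genuine hardware-key login accepted:", genuine_key_login(*setup()))  # True
```

The difference is not the strength of the secret but what the secret is bound to: an OTP is a bare number the user can be talked into typing anywhere, whereas the key's response includes the origin the browser reports, which the proxy cannot change without invalidating the signature.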