The Perils of Two-Factor Authentication

The realities of 2FA and how it has led to too many digital attacks

BidiPass
Jan 7, 2019

Photo by freestocks.org on Unsplash

Frequent hackings in the last few years have exposed numerous security holes even in platforms managed by tech industry giants. Whether it be traditional social media platforms like LinkedIn or Twitter, or newly popular cryptocurrency exchanges like CoinCheck or Mt. Gox, it seems that no one is safe from being hacked. With the increasing prevalence of digital attacks, two-factor authentication has often been prescribed as the magic pill that can secure digital accounts. As a result, two-factor authentication seems to have become ubiquitous amongst all online platforms like Google, Facebook and Twitter to name a few. However, its wall of defense against hackers is wearing thin as they continue to find ways to infiltrate large-scale systems and databases.

Just how risky is it to depend on 2FA alone?

In one case, David, the victim of an invasive hack that took over his phone, Google, Twitter and Coinbase accounts, not only had two-factor authentication set up on his Gmail account, but also used an authenticator app called Authy. Despite these precautions, he still ended up losing access to his entire digital identity. The reality of the current digital environment is that this story is not unique. With the rise of cryptocurrency trading, and crypto wallets in turn becoming attractive targets, many users have reported losing access to their accounts even with 2FA in effect. Even an established German bank couldn’t escape a double-layered attack that exploited its use of 2FA through the mobile network.

Why is 2FA Failing as a Security Tool?

To understand why 2FA is failing, it’s important to examine the components that form the mechanism through which identities are authenticated. The two factors used in this identification process generally refer to the user’s password and the user’s possession of his/her mobile device. If any hacker gains access to both of these factors, he/she is able to take over the user’s account(s) quite easily.

Even though these two factors can meaningfully increase account security when used together, evidence shows that neither is very secure on its own.

Below, we examine the present vulnerabilities within both password protection and the mobile networks individually.

Your passwords might be floating around the dark net

Photo by Markus Spiske on Unsplash

Passwords have historically proven to be insecure on their own. But the biggest problem with passwords is that they are digital information that can be stolen without the user’s knowledge. According to Verizon’s Data Breach Investigations Report (2017), 81% of hacking-related breaches leveraged stolen and/or weak passwords. This shows just how popular it has become for hackers to use passwords as an entry point into targeted accounts.

Passwords can be stolen in a number of ways, but spear phishing has become an increasingly popular way for scammers to obtain password information. Spear phishing is a technique that draws victims to click or interact with malicious material (like emails) by personalizing the attack. For example, hackers will impersonate people from the victim’s network through email communication to minimize suspicion. According to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful spear phishing. The dominance of this technique speaks to its ability to trick even internet-savvy users into giving up sensitive information. As these types of attacks become more and more sophisticated, users can easily give up their passwords without knowing that they have been attacked.

Stolen personal information is often then sold on the dark web to buyers who want access to valuable accounts. In addition to phishing, data breaches affecting large-scale organizations like Eurostar and Reddit have become commonplace. It is difficult to know exactly how many people’s accounts are currently affected, and anyone’s private information could be for sale on the dark web right now. In a hack that stole more than 160 million passwords and account details from LinkedIn, the hacker reportedly sold 117 million email and password combinations on a dark web marketplace.

This shows how weak password protection has become in today’s digital age, no matter how strong your passwords are. Even if you use strong, unique passwords or a password manager, it is difficult to defend against accidentally giving up your information through a phishing attack, or against having your personal information leaked when a large company is hacked.

The mobile network is often the weakest link

The mobile network was not designed to be a security tool, but it has unfortunately become a big part of two-factor authentication in recent years. Because control of a mobile account is ultimately handled by customer service representatives, it only takes one person who does not follow protocol exactly for a potential victim to lose control of all of their accounts to a committed hacker. In one case of a digital takeover, the AT&T customer service line explained to the victim what had transpired:

“The man on the phone reads through the notes and explains that yes, someone has been dialing the AT&T call center all day trying to get into my phone but was repeatedly rejected because they didn’t know my passcode, until someone broke protocol and didn’t require the passcode.”

Photo by Hassan OUAJBIR on Unsplash

However, even when standard protocol is followed, mobile users can still be defenseless against scammers. In a hack where the victim lost $8k worth of bitcoins, the user first received a text that read: “You’re on the phone with Verizon and just authenticated with an alternative method.” Shortly after, he started noticing that his Gmail and Coinbase accounts were both overtaken. After looking into how he lost access to his Verizon account, he realized that the only information the hacker needed to take over the account was his phone number and billing information.

In another story detailed on Wired, the victim found out that “a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.” He subsequently lost access to his Amazon, Apple, Google and Twitter accounts, in turn losing valuable memories that were stored on his computer.

With mobile network vulnerabilities coming to light in the last few years, even the National Institute of Standards and Technology has declared that it does not support using SMS for authentication. Evidently, it is now time to look beyond what currently exists toward technology designed specifically for verification.

In order for two-factor authentication to deliver on its promises of increased security, it is essential for both factors used in the authentication process to be dependable and secure. The harsh reality is that both of these factors have increasingly become vulnerable to hacking and phishing attacks. We need to think of new ways to not only bring in new types of factors (biometric data) into the cybersecurity equation but also to protect the data that we already own by using blockchain technology to decentralize the storage of data.

You can follow BidiPass on Twitter, Telegram, LinkedIn, or Facebook.

Written by Renee Yang & Cesar Patiño
