2FA: A guarantee of complete safety?

Veshraj Ghimire
PenTester Nepal
Jul 11, 2022

Hi there, hope you are doing well on your side of the screen. I am back with a small security-awareness blog about some misconceptions regarding two-factor authentication. I've heard several folks believe that 2FA is entirely unbreakable, which I believe is a false impression. In this writeup I'll try my best to explain why having 2FA alone doesn't remove the risk of getting hacked.


What is 2FA?

Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. The verification code is generated by an application on your smartphone or delivered to your email. Generally the one-time code reaches you through one of the following means:

  1. OTP through Phone
  2. OTP through Email
  3. Using a third party software (Authy, Google Authenticator)

Why use 2FA?

2FA makes your account more secure by requiring a second layer of authentication. Even if your password is leaked, guessed, or phished, it is less likely to be usable without approval at the second factor, which unquestionably creates obstacles for attackers. But even 2FA can't guarantee that your account is 100% safe. Here I have tried to explain some ways an attacker can use to bypass your 2FA and gain access to your account:

1. Phishing Attacks:

An OTP alone can't protect you in the face of today's sophisticated phishing attacks.
Threat actors can trick victims into logging into a phishing portal with valid credentials and then prompt them to submit an OTP. After this, they can potentially steal the victim's session cookie and use it to access the victim's account, even if it is protected by two-factor authentication. Here you can find a small demo of this attack, presented by Nitesh Bhatta on the topic "INT all the way — Hold my prod, I'm going Phishing!" at Threat Con 2021:

2. Code exposure via screenshots/live videos:

It has come to my attention that a significant number of streamers have had their Facebook accounts hijacked because a one-time verification code was displayed publicly on their broadcasts. The following is an example of what a threat actor can do: while the victim is live-streaming, the threat actor requests a password reset for the victim's account. When the reset code reaches the victim's mobile device, a notification appears on the device revealing the one-time verification code used to reset the password. The threat actor who was watching the broadcast can now use that code to change the victim's password and seize control of the account.

3. Reusing passwords on 2FA medium:

Imagine that someone has obtained your Facebook login credentials, but you have two-factor authentication on Facebook connected to your Gmail account (let's pretend your email service doesn't have 2FA enabled). Now, if you have used the same password on Gmail as on Facebook, the attacker may try the same password on Gmail in order to access it, which is also known as password spraying. By logging into Gmail, the attacker can now read your one-time password because it was sent to your Gmail. As a direct result, the two-factor authentication on your Facebook account can be bypassed.

4. Sim Swapping:

In a SIM swapping attack, the attacker pretends to be the customer when contacting the mobile provider, often using information gained from social media to answer the security questions the provider asks. Once the attacker has the target's mobile phone number transferred to their own SIM card, they can access the target's SMS messages or voice mails, all without the target knowing. There is a significant risk to those who are targeted, because the attacker can use their access to the target's number to perform sensitive tasks, like changing passwords and authorizing financial transactions.

Read more about this attack here:
https://www.cert.govt.nz/individuals/common-threats/sim-swapping-attacks/

5. By Brute Forcing the 2FA:

In some cases, the application doesn't have a proper protection mechanism on its two-factor authentication, which also results in a bypass of the one-time code. When the two-factor code is only four to six characters long (often just digits), it becomes possible for attackers to bypass 2FA by brute-forcing the code against the account. When the application has no rate limit on verifying 2FA codes, attackers are free to try as many combinations as they need in order to find a valid code. Here's a simple demo of such an attack on PortSwigger Academy's lab:

6. Misconfigured 2FA:

A 2FA bypass can even be possible due to misconfiguration of the application you are using. For example: the server verifies that the one-time password is correct, but it does not check whose OTP it is before making this determination. As a direct consequence, an attacker may be able to access your account by submitting their own one-time password instead of yours. Some other common misconfigurations I have seen are: response manipulation, 2FA code leakage in the response, 2FA code reusability, bypassing 2FA with null or 000000, etc.
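As an added example (not code from the original post), the following Python sketch contrasts the identity-binding flaw from point 6 with a verifier that addresses points 5 and 6 together: the account is taken from the challenge that was issued after the password step rather than from the request, codes expire and are single-use, and the challenge is discarded after a fixed number of wrong guesses. The class names, constants and policy values are assumptions chosen for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_TTL_SECONDS = 300   # constructed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5        # constructed policy: the challenge is burned after five misses


@dataclass
class Challenge:
    user_id: str          # the account that already passed the password step
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    def __init__(self) -> None:
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, user_id: str, now: float) -> Tuple[str, str]:
        """Bind a fresh 6-digit code to user_id; returns (challenge_id, code)."""
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(user_id, code, now)
        return challenge_id, code

    def verify_weak(self, claimed_user: str, code: str) -> Optional[str]:
        """Point 6 misconfiguration: identity comes from the request, code from anywhere."""
        for ch in self._challenges.values():
            if ch.code == code:
                return claimed_user        # an attacker's own code logs in as the victim
        return None

    def verify(self, challenge_id: str, code: str, now: float) -> Optional[str]:
        """Hardened check: identity from the challenge; expiry, single use, attempt cap."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used or now - ch.issued_at > OTP_TTL_SECONDS:
            return None
        if not isinstance(code, str) or not code:
            return None                    # a null or empty code is never a match
        if not hmac.compare_digest(ch.code.encode(), code.encode()):
            ch.attempts += 1
            if ch.attempts >= MAX_ATTEMPTS:
                del self._challenges[challenge_id]   # stops the brute force from point 5
            return None
        ch.used = True                     # single use: a replayed code is rejected
        return ch.user_id
```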

7. Exploiting Application Vulnerabilities:

There is a possibility that the website you are browsing contains known vulnerabilities which an attacker could use to obtain access to your account. Suppose the attacker has found an XSS on the site you are browsing: at this point they are able to take control of your account by convincing you to click just one link. Even if you have two-factor authentication (2FA), an attacker might steal your session cookie with one click and take over your account if you are logged in within the current browser. Getting hacked in one click even with 2FA, sounds scary, right? It's not always your fault; in this case the website owner is responsible for maintaining their customers' privacy.

That's all, I hope you learned something from this article. Here is what I suggest you do to protect yourself from such incidents:

  1. Never click suspicious links.
  2. Verify the domain before logging into it.
  3. Try to keep your OTP confidential.
  4. Don't share confidential data on social media, such as your national ID card, passport, licence or any private documents that can be used in SIM swapping attacks as described above.
  5. Don't use the same password everywhere.

Thank you for making it to the end. You can connect with me on Twitter if you wish. Stay Safe, Stay SayCured. Goodbye until next time :)
