MADRID, XX (Portaltic/EP)

Two-step, or two-factor, authentication is one of the most popular protection measures today for preventing online account access credentials from being left at the mercy of cybercriminals.

Although these mechanisms block about 99.99 percent of automated attacks on accounts that have them activated, cybercriminals have already found ways to circumvent them, as Panda has warned in a statement.

Although it is not an easy task, some ‘hackers’ are succeeding in intercepting the one-time codes that are sent by SMS to the user’s ‘smartphone’. For example, it has been shown that two-step verification can be bypassed through SIM swapping.

In this method, an attacker convinces the mobile service provider that they are the victim and then requests that the owner’s phone number be moved to a device of the attacker’s choice.

This is not the only method to breach two-factor authentication: cybercriminals have also devised other ways, such as reverse proxy tools or attacks via the Google Play Store.

SMS-based one-time codes can be compromised via reverse proxy tools, like Modlishka. A reverse proxy is a type of server that retrieves resources on behalf of a client from one or more different servers. These resources are then returned to the client as if they originated from that web server.

But some hackers are modifying reverse proxies to redirect traffic to login pages and phishing operations. In those cases, the ‘hacker’ intercepts the communication between an authentic service and a victim, and tracks (and records) the victim’s interactions with the service, including login credentials.

Cybercriminals have also devised other ways to circumvent two-factor protection through new SMS-based attacks, such as one that uses a Google Play feature to automatically install web apps on Android mobiles.

In this way, the attacker obtains the credentials needed to log into the Google Play account on a laptop (although in theory the user is supposed to receive a warning on their smartphone), and can then operate any application they want on the victim’s phone.

A similar variant involves the use of a specialized application to synchronize user notifications across different devices. This allows attackers to install a message mirroring application and, once it is installed, they can try to convince the user to enable the permissions the app needs to function properly.

Although several conditions must be met for the aforementioned attacks to work, they demonstrate vulnerabilities in SMS-based two-step identification methods, and show that these attacks do not require high-level technical capabilities, as Panda has warned.

By Editor
