In recent years, the use of two-factor authentication (2FA) has increased significantly because it is widely believed to make account authentication much more secure. Imagine this: you wake up in the morning and try to log into your account, only to discover it has been compromised. You didn’t think this could happen, because 2FA is required to access the account. It turns out that 2FA has flaws you may not know about, flaws that can help hackers bypass the 2FA procedure. This blog post explores those 2FA vulnerabilities and recent security breaches to show that 2FA is not as secure as many people think.
2FA Email Vulnerability
CloudFlare CEO Matthew Prince’s email was compromised by exploiting a flaw in 2FA authentication. According to Prince, the hackers used a weakness in Google’s email recovery process to take over his email and change the DNS records. They also compromised AT&T’s 2FA security system for Prince’s mobile phone and forwarded his voicemails to a different account.
Below is a description of the exploit, quoted from a post on the CloudFlare blog.
- AT&T was tricked into redirecting my voicemail to a fraudulent voicemail box;
- Google’s account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed my personal Gmail account to be reset;
- A flaw in Google’s Enterprise Apps account recovery process allowed the hacker to bypass two-factor authentication on my CloudFlare.com address; and
- CloudFlare BCCing transactional emails to some administrative accounts allowed the hacker to reset the password of a customer once the hacker had gained access to the administrative email account.
Signaling System Seven (SS7) Network Vulnerability
In their recent research, Positive Technologies experts showed that by exploiting Signaling System Seven (SS7) vulnerabilities, it is possible to steal consumer financial information, determine a mobile phone’s geographic location, compromise messages and calls, and carry out many other malicious activities.
A mobile communication network is complex and built from interrelated subsystems. The SS7 subsystem is used to set up and tear down telephone calls, for both landline and mobile calls. The unfortunate fact is that, as with a chain, the weakest link determines the security of the whole network. The SS7 transport system, SIGTRAN, was designed in the 1970s, before the modern Internet and current networking programs. Obtaining access to an SS7 network from a separate, unauthorized host was once deemed impossible, but that is no longer the case today.
Positive Technologies successfully initiated various SS7 attacks during network security testing. They were able to identify a subscriber’s location, disrupt a subscriber’s service, intercept SMS and voice calls, tap conversations, and disrupt mobile switch availability.
PayPal Hacking Exploit
PayPal uses a 2FA system that has been shown to be vulnerable. According to Duo Security, the vulnerability lies in the PayPal Application Programming Interface (API) used by smartphone apps and third parties to perform payments. The PayPal API incorporates OAuth in its 2FA implementation. OAuth is an open, widely used authentication process that lets Internet users log on to third-party websites.
Duo found that during the authentication process the PayPal API did not properly handle its communication with the PayPal server. This allowed Duo to intercept traffic between the PayPal apps and the remote web services. The intercepted information contained service addresses (URLs), OAuth-related tokens, and 2FA authentication attributes.
According to Duo, the hackers need only the user ID and passcode to send money to a different account. PayPal worked hard, in this case, to make sure the problem was fixed. The complete article about the research, published on CyberKendra, can be found here.
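The Duo finding is summarised above without protocol detail, so the following is an added Python example, not PayPal’s or Duo’s code, that illustrates the general weakness behind "2FA authentication attributes" travelling in interceptable API traffic. The session schema, the `2fa_status` attribute, and the `token_weak` / `token_hardened` endpoints are all assumptions constructed for the illustration: the weak endpoint believes a client-sent attribute claiming that 2FA was completed, while the hardened endpoint ignores anything the client asserts and consults only state the server recorded after its own OTP check.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """Constructed server-side session record (assumed, not PayPal's schema)."""
    user: str
    password_ok: bool = False
    mfa_verified: bool = False  # set only by verify_otp, never from client input


class TokenService:
    """Constructed API front-end that issues an access token after login."""
    EXPECTED_OTP = "246810"  # constructed code standing in for a real OTP lookup

    def __init__(self):
        self.sessions = {}  # session id -> Session

    def login(self, user, password):
        # Toy password check against a constructed credential, not a user store.
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user, password_ok=(password == "constructed-pw"))
        return sid

    def verify_otp(self, sid, otp):
        # The only code path that can mark a session as having passed 2FA.
        s = self.sessions[sid]
        if s.password_ok and secrets.compare_digest(otp, self.EXPECTED_OTP):
            s.mfa_verified = True
        return s.mfa_verified

    def _issue(self, user):
        return f"{user}:{secrets.token_hex(16)}"

    def token_weak(self, sid, client_attrs):
        """Weak pattern: whether 2FA happened is read from attributes the client sends."""
        s = self.sessions[sid]
        if s.password_ok and client_attrs.get("2fa_status") == "verified":
            return self._issue(s.user)
        return None

    def token_hardened(self, sid, client_attrs):
        """Hardened pattern: client attributes are ignored; only server state counts."""
        s = self.sessions[sid]
        if s.password_ok and s.mfa_verified:
            return self._issue(s.user)
        return None


def tampered_request_against_weak():
    """Password-only login plus an edited attribute: the weak endpoint hands out a token."""
    svc = TokenService()
    sid = svc.login("alice", "constructed-pw")  # no OTP step performed
    return svc.token_weak(sid, {"2fa_status": "verified"}) is not None


def tampered_request_against_hardened():
    """Same edited request against the hardened endpoint: no token."""
    svc = TokenService()
    sid = svc.login("alice", "constructed-pw")
    return svc.token_hardened(sid, {"2fa_status": "verified"}) is not None


def full_flow_against_hardened():
    """Password plus a real OTP check: the hardened endpoint issues a token."""
    svc = TokenService()
    sid = svc.login("alice", "constructed-pw")
    svc.verify_otp(sid, "246810")
    return svc.token_hardened(sid, {}) is not None
```

The design point is that every security decision about a session is made from state the server wrote itself; attributes that cross the wire are treated as untrusted input, so intercepting or editing them gains an attacker nothing.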
Phishing to Compromise 2FA
LastPass is a popular password manager that stores users’ passwords in a database protected by two-factor authentication (2FA). Researchers have found a tool that can bypass this protection. The exploit relies on the user visiting a malicious site, which then checks whether the LastPass plugin is installed in the browser. If it is, the site copies the password manager’s notification, prompting the user for a username, password, and 2FA authentication key. The malicious site then has full administrative power over the account and access to all of the user’s data.
Social Engineering to Compromise 2FA
According to Clearbit co-founder Alex MacCaw, a text message can be used to bypass 2FA on Google accounts. It works like this: first, the hacker tries to access the target’s account, which triggers an alert from Google. The hacker then immediately sends a text to the target’s mobile phone, claiming there is irregular activity on their account and instructing them to send back the authentication key that was just sent to their phone. This exploit also requires the hacker to possess the target’s password, obtained from compromised account lists available on the dark web. Once the target sends the authentication key, the hacker has full access to the target’s personal information.
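Both the phishing case (the fake LastPass prompt) and the text-message case above work because a shared-secret code is worth the same no matter who types it or on which site. The following added Python example, which is not code from the post or from any of the products named, shows the contrast: a constructed one-time-code server that accepts a relayed code, beside a simplified origin-bound challenge/response in the style of WebAuthn, where the browser records the site it actually loaded inside the signed data and the server rejects assertions from any other origin. The site name, the HMAC stand-in for a public-key signature, and the class names are all assumptions for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time


# ---- Shared-secret one-time code (SMS/TOTP style) -------------------------
class OtpServer:
    """Constructed server: issues a 6-digit code, accepts it once within 5 minutes.
    It only ever sees the code, not who read it off the phone."""

    def __init__(self):
        self.pending = {}  # code -> (user, expiry)

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = (user, time.time() + 300)
        return code  # in practice this is texted to the user's phone

    def check_code(self, user, code):
        entry = self.pending.pop(code, None)  # single use
        if entry is None:
            return False
        owner, expiry = entry
        return owner == user and time.time() < expiry


def relayed_otp_succeeds():
    srv = OtpServer()
    code = srv.send_code("victim")  # the hacker's login attempt triggers the SMS
    # The victim, tricked by the follow-up text, sends the code to the hacker,
    # who enters it: the server cannot tell this from the victim typing it.
    return srv.check_code("victim", code)


# ---- Origin-bound challenge/response (WebAuthn-style, simplified) ----------
class BrowserWithAuthenticator:
    """Constructed stand-in for browser plus authenticator. Real WebAuthn uses
    public-key signatures and the browser also refuses to use a credential on a
    domain it was not registered for; HMAC is used here so the example needs only
    the standard library, and the browser check is omitted so the server-side
    checks are what the example exercises."""

    def __init__(self):
        self.keys = {}  # rp_id -> secret

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, rp_id, challenge, page_origin):
        # The browser, not the page, fills in the origin it actually loaded.
        client_data = json.dumps(
            {"challenge": challenge, "origin": page_origin}, sort_keys=True).encode()
        sig = hmac.new(self.keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, sig


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.creds = {}  # user -> secret
        self.challenges = set()

    def register(self, user, secret):
        self.creds[user] = secret

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify(self, user, client_data, sig):
        data = json.loads(client_data)
        if data.get("challenge") not in self.challenges:
            return False  # unknown or replayed challenge
        self.challenges.discard(data["challenge"])
        if data.get("origin") != self.origin:
            return False  # signed on some other site
        expected = hmac.new(self.creds[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


RP_ORIGIN = "https://accounts.example"  # constructed site
RP_ID = "accounts.example"
PHISH_ORIGIN = "https://accounts-example.phish"  # constructed look-alike


def _setup():
    rp = RelyingParty(RP_ORIGIN)
    dev = BrowserWithAuthenticator()
    rp.register("victim", dev.register(RP_ID))
    return rp, dev


def legitimate_assertion_succeeds():
    rp, dev = _setup()
    return rp.verify("victim", *dev.get_assertion(RP_ID, rp.new_challenge(), RP_ORIGIN))


def relayed_assertion_fails():
    rp, dev = _setup()
    challenge = rp.new_challenge()  # a real challenge, relayed to a look-alike page
    client_data, sig = dev.get_assertion(RP_ID, challenge, PHISH_ORIGIN)
    return rp.verify("victim", client_data, sig)  # origin mismatch


def tampered_origin_fails():
    rp, dev = _setup()
    client_data, sig = dev.get_assertion(RP_ID, rp.new_challenge(), PHISH_ORIGIN)
    forged = json.loads(client_data)
    forged["origin"] = RP_ORIGIN  # rewriting the origin breaks the signature
    return rp.verify("victim", json.dumps(forged, sort_keys=True).encode(), sig)
```

The relayed one-time code is accepted because nothing in it says where or by whom it was entered; the origin-bound assertion is rejected because the site name is part of what the device signed, so neither a fake prompt nor a convincing text message can move it to another domain.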
VeriClouds was founded by Rui Wang and Stan Bounev in 2014 to resolve the authentication security issues in Cloud Services. Information Security is not just a business opportunity. It is a calling, a passion, even an obsession. Rui and Stan joined forces to create ways to make the world more secure by making it safer to do business online. Rui has a Ph.D. in Cyber Security, and Stan is a successful entrepreneur with over 14 years of corporate and startup experience in the banking and technology industries.