Hubsecurity Blog

Major Risks of Two-Factor Authentication (2FA)

Written by Andrey Iaremenko | Aug 6, 2020 10:00:00 PM

Two-Factor Authentication (2FA) is a legitimate method of secondary security, but it’s not as foolproof as many believe. Cybercriminals are always one step ahead of the experts - and they’ve learned to adapt to a world with 2FA.

On July 15th, the popular social media site Twitter was hacked, causing a disruption in service for users as internal security teams scrambled to mitigate the damage. Using social engineering and SIM swapping, hackers were able to access Twitter’s admin panel, which is available only to internal support teams. The result was over 130 hacked user accounts and $120,000 worth of funds stolen from victims of a vicious phishing attack. By hacking a company Slack channel hosting system admin credentials, hackers were able to gain access to employee accounts and even bypass two-factor authentication (2FA) - a security policy often cited by security experts as a ‘necessary’ tool to safeguard company data.

In a breakdown of the incident, the custodian of the @6 account, Lucky225, said the attackers got around 2FA by first resetting the associated email address, then revoking 2FA, and finally resetting passwords. This worked to their advantage, as “when a Twitter employee updates the email address on file, it doesn’t send a notification to the owner of the account,” Lucky said. “So after the email address is updated, an email about 2FA being revoked goes to the new email address.”

While what happened is clear, how it happened highlights major internal security flaws many companies still have when relying on two-factor authentication as a fallback method for safeguarding employee access and security. Phishing attacks are only successful because of the psychological manipulation of social engineering. By using well-known security methods like 2FA, cybercriminals not only manipulate victims into handing over sensitive personal data but also reinforce a false sense of security for employees and company admins.
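The order of operations Lucky225 describes (email address changed, then 2FA revoked, then password reset) leaves a recognizable trail in account audit logs. The following Python detection is an added example, not code from the original post or from Twitter; the event names, field names and sample log entries are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Order of account changes described above. Event names are assumptions.
CHAIN = ("email_changed", "2fa_disabled", "password_reset")

# Constructed audit events for illustration (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-01-08T10:00:00", "account": "acct_c", "actor": "owner", "event": "email_changed"},
    {"ts": "2024-01-10T09:00:00", "account": "acct_b", "actor": "owner", "event": "password_reset"},
    {"ts": "2024-01-10T18:02:10", "account": "acct_a", "actor": "support_tool", "event": "email_changed"},
    {"ts": "2024-01-10T18:03:41", "account": "acct_a", "actor": "support_tool", "event": "2fa_disabled"},
    {"ts": "2024-01-10T18:05:02", "account": "acct_a", "actor": "support_tool", "event": "password_reset"},
    {"ts": "2024-01-11T11:00:00", "account": "acct_c", "actor": "owner", "event": "2fa_disabled"},
    {"ts": "2024-01-11T11:05:00", "account": "acct_c", "actor": "owner", "event": "password_reset"},
]


def find_takeover_chains(events, window_minutes=30):
    """Return an alert for each per-account run of events that completes CHAIN in order within the window."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    progress = {}  # account -> (next CHAIN index, time of the email change, actors seen)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        step, start, actors = progress.get(ev["account"], (0, None, frozenset()))
        if step and ts - start > window:
            step, start, actors = 0, None, frozenset()  # chain went stale
        if ev["event"] == CHAIN[0]:
            # Restart the chain at the most recent email change.
            step, start, actors = 1, ts, frozenset({ev["actor"]})
        elif step and ev["event"] == CHAIN[step]:
            step, actors = step + 1, actors | {ev["actor"]}
        if step == len(CHAIN):
            alerts.append({
                "account": ev["account"],
                "started": start.isoformat(),
                "completed": ev["ts"],
                # Changes made by anyone but the owner (e.g. a support tool) rank higher.
                "non_owner_actor": actors != {"owner"},
            })
            step, start, actors = 0, None, frozenset()
        progress[ev["account"]] = (step, start, actors)
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

With the default 30-minute window only `acct_a` is flagged; widening the window also catches the slower, owner-driven chain on `acct_c`, which is why the actor field is carried into the alert.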

What is 2FA?

While it’s true that 2FA is a legitimate method of secondary security that in many cases has the potential to prevent phishing and ransomware attacks, it’s not as foolproof as many believe. As we’ve seen, cybercriminals are always one step ahead of the experts - and they’ve learned to adapt to a world with 2FA.

2FA allows users to authenticate their identity using two separate authentication methods, such as a username and password coupled with a randomized or memorized PIN or code. ATMs are good examples of systems that rely on two-factor authentication: for customers to access their account, they must present a debit card as well as a private PIN. Financial institutions that provide digital services often require 2FA as a default security method, where a randomized PIN can be delivered via email, text message, or phone call.

2FA Risks & Flaws

The primary flaw in 2FA is that it’s only as strong as the trust its users place in it. Once a user receives a phishing message requesting them to log in to their account, the manipulation of social engineering begins. Next, the user may enter their username, password, and 2FA information into a site, completely unaware that it is a phishing site designed to convince them they are logging in to their real account. Because the user trusted the phishing site, they gave away their credentials and rendered 2FA useless.

In addition, 2FA data can be recorded in session cookies. Once a victim enters their 2FA code on a website, a hacker has the ability to sniff the session cookies from a developer tool in a web browser. With the session cookie, hackers have no need for the victim’s username and password: they simply need to paste the session cookie into a browser to log in to the victim’s account.

Conclusion

What happened to Twitter is first and foremost a huge shame. The social media giant tweeted that it is still investigating the breach and is “rolling out additional company-wide training” to mitigate the effectiveness of social engineering and phishing attacks on its employees. “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry.”