How did hackers bypass two-factor authentication?

We all know that passwords alone are no longer enough to protect online accounts. A widely cited figure is that roughly 80% of successful hacking-related breaches involve weak or stolen passwords, which is why two-factor authentication has become so important.

Two-factor authentication, usually called 2FA, is meant to stop credential-based attacks and account takeover. It works: the commonly cited figure is that more than 99.9% of automated (bot-driven) account-compromise attempts fail against accounts that have it enabled.

Effective as it is, 2FA has not stopped attackers from finding ways around it. The common thread in the methods below is getting hold of the confirmation code that is delivered to the user's mobile phone as an SMS text message.

Beating two-factor authentication

The weakness here is not a bug in 2FA itself but in the delivery channel most services choose for it. In most cases the company completes the verification step by sending a code in a text message or by placing an automated voice call to the phone number on file.

Traditional SMS is one of the least secure channels available: the code travels unencrypted through the carrier's network and is tied to a phone number, not to the phone in the user's hand. SIM swapping (also known as SIM hijacking) is perhaps the most important way to defeat SMS-based two-factor authentication.

In a SIM swap the attacker impersonates the victim to the mobile carrier and has the victim's number transferred to a SIM card the attacker controls. From that moment every SMS and call for that number, including two-factor verification codes, reaches the attacker instead. The attacker can use those codes freely until the victim notices that their own phone has lost service and realises the number has been taken over.

In addition, attackers who compromise the victim's phone, or who get a notification-mirroring app installed on it, reach the same goal without touching the carrier at all. The attacker receives a copy of every notification the phone displays, including the SMS notification that carries the verification code.

A particularly efficient variant of this has emerged. It relies on a legitimate Google feature: the ability to install applications on an Android phone remotely, from the Google Play website in a computer's web browser.

Once the attacker has the password of the victim's Google account, they can push a notification-mirroring app to the victim's phone from the browser. After a few simple setup steps on the device the app is active, and a copy of every notification, verification codes included, is forwarded to the attacker. The caveat is that those setup steps cannot all be done remotely: on Android, notification access must be granted to the app in the phone's settings, so the attacker still needs the victim to open the app and approve it.

This is why the attack usually comes with social engineering. Attackers can trick users into installing and approving the app themselves, for example by sending the link from a friend's compromised account, or by calling from a number spoofed to look like an official one and talking the victim through downloading and activating the application.

Leading companies such as Microsoft have publicly called for abandoning SMS-based two-factor authentication in favour of authenticator apps like Google Authenticator and Microsoft Authenticator. The code from such an app is computed on the device from a shared secret and the current time, so nothing is sent over the phone network for a SIM swap to redirect.

A still more secure option is a hardware security key, a physical token that plugs into a USB port (or, on many models, talks to the phone over NFC). Because the key answers a challenge bound to the site it is registered with, the response cannot be replayed by an attacker who has intercepted it or who has taken over the victim's phone number.
