Two-factor authentication (2FA) is a great security tool and it should be used when available, but it’s not unhackable. While everyone knows that two-factor authentication is more secure than simply using a login name and password, this authentication process can be hacked in several different ways.
This type of attack fakes a website you trust that uses two-factor authentication and then tricks the user into responding to a prompt in order to steal the 2FA-generated credentials. Even more common is stealing the resulting token after the user has successfully completed 2FA. Once you authenticate using two-factor authentication, the operating system that handles authorization grants access using a secondary, generated soft token. This token can be reused or stolen. An example of this is a Windows laptop requiring a fingerprint to authenticate and log on. Once that is done, behind the scenes it is using Kerberos or NT LAN Manager (NTLM).
These attacks are similar to man-in-the-middle attacks. If malicious software gets onto a computer, it can modify the software involved in the 2FA process to either steal the secrets or use the approved authorization to access something else behind the scenes. This is a common technique that has been used by banking Trojans since the early 2000s. The Trojans wait for the user to be successfully authenticated, then go rogue and run hidden sessions in the background. A user can think they are checking their bank balance while, in the background, the Trojan is transferring money to a different account. Even with changes, Trojans have been updated so they can still steal money. Once a Trojan is on the computer, all it must do is wait for the computer to time out, or for the screen to be locked, and the authentication can be hacked.
Steal and Replay the Passcode Generator
Many 2FA tokens generate a one-time code that is supposed to be unique to the device and user. The device and the authenticating software generate the code at the same time, and the software compares its own code with the one the user submits to make sure they are identical. The one-time code is generated from a shared random seed value unique to each 2FA user and device, and subsequent codes are generated at a pre-set time interval with a shared algorithm. Hackers who capture the original seed value and know the time-sync generating algorithm can generate and match the code just as accurately as the system and device.
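The seed dependence described above, as an added example that is not part of the original article: a Python sketch that assumes the token follows RFC 6238 TOTP (HMAC-SHA1, 30-second step, 8 digits) and uses the published RFC test seed as constructed input. The `Verifier` class and its names are hypothetical; it shows that a code is fully determined by seed and clock, and a server-side check that refuses a second use of the same time step.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a pure function of the seed and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: one accepted code per time step, +/- `window` steps."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 8, window: int = 1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for ts in range(current - self.window, current + self.window + 1):
            if ts <= self.last_step:
                continue  # step already used (or negative): reject replays
            expected = totp(self.seed, ts * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = ts
                return True
        return False


# Constructed sample input: the published RFC 6238 test seed, not a real secret.
SEED = b"12345678901234567890"
NOW = 59  # seconds since the epoch, taken from the RFC test vectors

device_code = totp(SEED, NOW)              # what the user's token displays
second_holder_code = totp(bytes(SEED), NOW)  # any other copy of the same seed

if __name__ == "__main__":
    server = Verifier(SEED)
    print("device:", device_code, "| seed copy matches:", second_holder_code == device_code)
    print("first use:", server.verify(device_code, NOW))
    print("replay of same code:", server.verify(device_code, NOW))
```

Nothing but the seed separates the legitimate device from any other party, which is why seed storage on the server and during enrollment needs the same protection as a password database.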
Faking the Subject
Since 2FA software and devices are tied to the user’s identity, if you can change someone’s identity, even temporarily, then you can use the 2FA device and authenticate as the targeted user.
Any biometric identity, such as retina scans or fingerprints, can be stolen and used. There are already a lot of issues with biometric identities, including high rates of false positives and negatives, but once they are stolen, they are forever compromised. You can change stolen passwords, but not a retina scan or fingerprints.
Taking Advantage of Buggy Implementations
There are likely plenty of 2FA log-in sites and software with bugs that allow two-factor authentication to be bypassed, which makes them easy to hack into by taking advantage of what’s already there.
To learn more about two-factor authentication and ways to hack it, Truth in IT is hosting a webinar on January 24, 2019, at 1 PM EST. Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, a security expert with 30+ years of experience, will join in for the video webcast and walk viewers through 6 ways hackers are currently exploiting common 2FA solutions. Sign up today!