
Hackers know how to bypass two-factor authentication as well

Passwords, especially if they are too simple and poorly protected, are not safe enough on their own. For this reason more and more services offer two-factor or multi-factor authentication, which lets you access your accounts with a code sent via SMS or generated by a smartphone app. Unfortunately, hackers have found ways to bypass two-factor authentication as well and steal our data (including banking data) even when it is well protected. Here is what the risks are and how to limit them.

Two-factor authentication, hackers know how to bypass it

One of the simplest ways hackers have to attack your devices and accounts is to steal your passwords with phishing attacks, or to guess the weakest ones. Two-factor (2FA) or multi-factor (MFA) authentication adds an extra layer of security: a verification code sent via SMS, an authenticator app (Google Authenticator is one of many), or even a physical key (some people still have a dedicated device that generates their bank's verification code).

In this way, even if a hacker knows the password but does not have the device on which you receive the code (the smartphone or a dedicated key), he cannot access your accounts. This solution blocks most hacker attacks, so much so that from Google to Apple, and across all the major tech companies, more and more services are integrating multi-factor solutions to increase your security.

But sadly, hackers are aware of this and are developing ways to bypass two-factor authentication. According to a Microsoft analysis, over ten thousand companies have been attacked in this way in the past year.

The opponent in the middle

One of the most widely used ways to bypass multi-factor authentication is the Adversary-in-the-Middle (AitM) attack. These attacks combine phishing, which steals the account password, with a proxy server placed between your device and the site you are trying to access when you log in.

When you log in through that proxy, the hackers steal the authentication cookie. You have effectively unlocked your account for the cybercriminals, who can now use it because the site believes that it is you browsing.

Microsoft points out that this “is not a vulnerability of the multifactor authentication system. Since AitM phishing steals the session cookie, the attacker authenticates himself for the user, regardless of the method used to access”.

In other words, the added security of two-factor authentication itself is not broken. The hackers simply get around it by stealing the cookie that lets you browse the service once you are logged in: the same cookie that allows you to visit different pages on the site and to come back later without having to go through 2FA again.

Security company ZScaler explains: “Although security features such as multifactor authentication add a layer of security, they should not be regarded as a silver bullet against phishing attacks. With AitM attacks and intelligent evasion techniques, hackers can bypass both traditional and advanced security solutions”.
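As an added illustration (not code from the article or from Microsoft or ZScaler), here is a defender-side check for the footprint that cookie theft leaves behind: the same session cookie turning up from a different IP address and browser shortly after the login. The log format and all sample lines are constructed for this example.

```python
import re
from datetime import datetime

# Simplified access-log format assumed for this example (constructed, not a real server's).
LINE_RE = re.compile(r'^(\S+) sid=(\S+) ip=(\S+) ua="([^"]*)" path=(\S+)$')

# Constructed sample: session a1b2c3 logs in from one browser, then the same
# cookie reappears minutes later from another IP and User-Agent (replay pattern).
# Session d4e5f6 is benign; g7h8i9 changes IP hours later (outside the window).
SAMPLE_LOG = """\
2024-05-01T10:00:05Z sid=a1b2c3 ip=203.0.113.10 ua="Firefox/125" path=/login
2024-05-01T10:00:06Z sid=a1b2c3 ip=203.0.113.10 ua="Firefox/125" path=/account
2024-05-01T10:03:41Z sid=a1b2c3 ip=198.51.100.77 ua="Chrome/124" path=/account/settings
2024-05-01T10:03:42Z sid=a1b2c3 ip=198.51.100.77 ua="Chrome/124" path=/account/change-password
2024-05-01T10:10:00Z sid=d4e5f6 ip=192.0.2.55 ua="Safari/17" path=/login
2024-05-01T10:12:30Z sid=d4e5f6 ip=192.0.2.55 ua="Safari/17" path=/account
this line is malformed and is skipped by the parser
2024-05-01T11:00:00Z sid=g7h8i9 ip=192.0.2.80 ua="Safari/17" path=/login
2024-05-01T13:30:00Z sid=g7h8i9 ip=192.0.2.81 ua="Safari/17" path=/account
"""


def parse_log(text):
    """Yield (timestamp, sid, ip, ua, path) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sid, ip, ua, path = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, ip, ua, path


def find_replayed_sessions(text, window_minutes=30):
    """Flag session ids whose cookie is presented from a client fingerprint
    (IP + User-Agent) that differs from the one seen on the session's first
    request, within window_minutes of that first request. Each session is
    reported once, with the first suspicious path and what changed."""
    first_seen = {}  # sid -> (timestamp, ip, ua) of the first request carrying that cookie
    alerts, flagged = [], set()
    for ts, sid, ip, ua, path in parse_log(text):
        if sid not in first_seen:
            first_seen[sid] = (ts, ip, ua)
            continue
        t0, ip0, ua0 = first_seen[sid]
        changed = [name for name, old, new in (("ip", ip0, ip), ("ua", ua0, ua)) if old != new]
        if changed and (ts - t0).total_seconds() <= window_minutes * 60 and sid not in flagged:
            flagged.add(sid)
            alerts.append({"sid": sid, "changed": changed, "first_path": path,
                           "from": (ip0, ua0), "to": (ip, ua)})
    return alerts
```

An IP-only change is a weak signal (mobile networks roam), so a production rule would weight a User-Agent change or a sensitive path such as a password change more heavily before forcing re-authentication.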


Pay attention to the authentication code

In addition to adversary-in-the-middle attacks, there are other ways to get past the barrier of two-factor authentication. In many cases, when a code is required, you have to type it in yourself, and a skilled hacker can trick you into handing it over.

A more elaborate but viable method involves hackers pretending to be the service you want to access (for example, your bank for the online account) and asking you for the code. This is why these operators usually explain, in the very message that delivers the code, that they will never call you to request it.

Other methods require the installation of malware on your device, which can, for example, record the keys you press when entering the code. Other malware remotely performs operations on your smartphone, using your authentication apps after you have unlocked them to access a service.

Two-factor authentication isn’t foolproof, but it remains the best defense against hackers

A good two-factor authentication service usually protects users even when hackers try to compromise it. For example, if it recognizes that this is the first time you are logging into an account on a device, it could send you an email asking if it was you who logged in (anyone who has recently changed their smartphone will probably have noticed). But no system is infallible: hackers can find a way to bypass even this last defense, perhaps by changing the access passwords immediately.

In short, multi-factor authentication increases security, but you should not consider it foolproof. Cybercriminals are becoming more sophisticated and the risk remains. By using 2FA or MFA you will no longer be among the most vulnerable: many attacks will fail against you and you will avoid the most basic campaigns. However, you must keep paying attention to security.

Therefore, avoid logging in on untrustworthy sites, do not reply to unsolicited emails claiming to come from service operators, and do not download email attachments whose origin you do not know. These are basic cybersecurity measures, and you should keep them up even after activating multi-factor protection. And if you notice any strange activity, do not hesitate to contact the service operator directly through its official website.

No security tool is definitive. It should always be combined with some common sense practices and a great attention to cybersecurity.

Walker Ronnie is a tech writer who keeps you informed on the latest developments in the world of technology. With a keen interest in all things tech-related, Walker shares insights and updates on new gadgets, innovative advancements, and digital trends. Stay connected with Walker to stay ahead in the ever-evolving world of technology.