Two-step, or two-factor, authentication is one of the most popular measures at present for keeping online access credentials from being left at the mercy of cybercriminals.
Although these mechanisms manage to block around 99.99 percent of automated attacks on accounts that have activated them, cybercriminals have already found ways to circumvent them, as Panda warned in a statement.
Although it is not an easy task, some ‘hackers’ are managing it by intercepting the single-use codes that are sent by SMS to the user’s ‘smartphone’.
For example, it has been shown that SIM swapping scams (SIM exchange) make it possible to bypass two-step verification.
In this method, an attacker convinces the mobile service provider that he is the victim and then requests that the owner’s phone number be moved to a device of his choice.
It is not the only method for defeating two-factor authentication, since cybercriminals have also devised approaches such as reverse proxy tools and attacks through the Google Play Store.
SMS-based single-use codes can be compromised through reverse proxy tools, such as Modlishka.
A reverse proxy is a type of server that retrieves resources on behalf of a client from one or more different servers.
These resources are then returned to the client as if they originated from the proxy server itself.
But some ‘hackers’ are adapting reverse proxies to redirect traffic to login pages and ‘phishing’ operations.
In those cases, the ‘hacker’ intercepts the communication between the authentic service and a victim, and tracks (and records) the victim’s interactions with the service, including login credentials.
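As an added illustration (not code from Panda or from any tool named in the article), this Python sketch models why a relayed SMS code still verifies: the server checks only the code, never the site the user typed it into, whereas a response bound to the page's origin fails when it is produced on a look-alike page. The origins, class and function names are constructed for the example, and the shared-key HMAC is a simplification standing in for the public-key signatures that origin-bound authenticators such as FIDO2/WebAuthn use.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"       # constructed: the genuine service
LOOKALIKE_ORIGIN = "https://login.example.net"  # constructed: page served via a proxy

def origin_mac(key: bytes, challenge: bytes, origin: str) -> bytes:
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

class Service:
    """Hypothetical server offering an SMS code and an origin-bound factor."""
    def __init__(self, device_key: bytes):
        self.device_key = device_key      # registered by the user's authenticator
        self.code = None
        self.challenge = None

    def send_sms_code(self) -> str:
        self.code = f"{secrets.randbelow(10**6):06d}"   # goes to the phone by SMS
        return self.code

    def verify_sms_code(self, submitted: str) -> bool:
        # Only the digits are checked; nothing ties them to a particular site.
        ok = self.code is not None and hmac.compare_digest(submitted, self.code)
        self.code = None                  # single use
        return ok

    def new_challenge(self) -> bytes:
        self.challenge = secrets.token_bytes(16)
        return self.challenge

    def verify_bound(self, response: bytes) -> bool:
        if self.challenge is None:
            return False
        expected = origin_mac(self.device_key, self.challenge, REAL_ORIGIN)
        self.challenge = None
        return hmac.compare_digest(response, expected)

def sms_login(service: Service, origin_user_sees: str) -> bool:
    code = service.send_sms_code()
    # The user types the code into whatever page is open; the page forwards it.
    return service.verify_sms_code(code)

def bound_login(service: Service, device_key: bytes, origin_user_sees: str) -> bool:
    challenge = service.new_challenge()
    # The authenticator mixes in the origin the browser is actually showing.
    response = origin_mac(device_key, challenge, origin_user_sees)
    return service.verify_bound(response)
```

`sms_login` succeeds for both origins because the origin never enters the check, while `bound_login` succeeds only for `REAL_ORIGIN`.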
Likewise, cybercriminals have devised other ways to overcome two-factor protection through new SMS-based attacks, such as one that uses a Google Play function to automatically install web apps on Android phones.
In this way, the attacker obtains the credentials to log in to the Google Play account on a laptop (although in theory the user has to receive a warning on his smartphone), and can then operate any application he wants on the phone.
A similar variant involves the use of a specialized application to synchronize user notifications on different devices.
This allows attackers to install a message duplication application and, once it is installed, try to convince the user to enable the permissions the app needs to work correctly.
Although several conditions must be met for the aforementioned attacks to work, they demonstrate vulnerabilities in SMS-based two-step identification methods, and they do not require high-level technical capabilities, as Panda has warned.