11 ways to hack 2FA

Always use two-factor authentication (2FA) when it is offered, but don't assume that it is completely secure.


I love two-factor authentication (2FA), and I love being in IT now that its merits are finally appreciated and it is being deployed across a wide range of sites and services. Once found only in high-security government and corporate scenarios, 2FA is now used by ordinary people for website and account authentication. 2FA can only help reduce the risk of hacking.

With that said, too many people are overly confident about the security 2FA provides. They think 2FA is unhackable and undefeatable, when that clearly isn’t true. They think 2FA will stop advanced persistent threats (APTs), defeat phishing and social engineering, and stop all sorts of threats that it was never designed to stop. 2FA suffers from a perception problem that gives it more credit than it deserves. It can be and often is hacked in myriad ways, including the ones I thought of quickly below.

1. Man-in-the-middle attacks

If a man-in-the-middle (MitM) attacker can trick you into visiting their rogue website and prompt you for your 2FA credentials, it’s essentially game over. The MitM attacker can fake a website that you trust where you use 2FA, and then trick you into responding to a prompt and steal your 2FA-generated credential. Even more common is that after you successfully authenticate using 2FA, they steal the resulting (non-2FA) token. Here’s a great example video of this type of attack.

Most people don’t understand that once you authenticate using 2FA (no matter how you do it, be it biometric, hardware token, or smartcard), the operating system that then handles your authorization to the objects you are allowed to access uses a secondarily generated soft token. That token can be stolen and reused. For example, maybe your Windows laptop requires a fingerprint to authenticate and log on. Once you have successfully done that, behind the scenes it often uses NT LAN Manager (NTLM) or Kerberos tokens. How you authenticate usually has little bearing on how you are then authorized to access objects. If you’re going to be a good computer security person, you need to understand that concept and its repercussions. They are huge.

2. Man-in-the-endpoint attacks

Similar to MitM attacks, if a hacker can get their malicious software onto your computer, they can modify the software that is used in your 2FA process enough to either steal the secrets protected by the 2FA token or use your already approved authentication to access something behind the scenes.

Banking (or bancos) Trojans have been doing this since the early 2000s. I first wrote about them and how they worked in May 2006. Essentially, these Trojans wait for you to successfully authenticate and then start hidden, rogue sessions in the background. You think you’re simply checking your bank balance, and behind the scenes, the Trojan is transferring all your money to an offshore bank account.

Banks thought they had defeated these types of Trojans by generating a secondary 2FA code that was keyed off the transaction amount and unique to that transaction. Bancos Trojan creators responded by intercepting the original requested transaction, generating and submitting their own, much larger transaction, and sending that to the bank. The bank, unaware that the new transaction was bogus, would create the secondary 2FA code using the rogue amount and then send it to the legitimate user. The legitimate user would type in the secondary 2FA code, never knowing that the code they were sent was only valid for the hidden rogue transaction that was stealing all their money.

Banks responded to these new types of attacks by sending the transaction amount (and other related details) for the user to confirm before typing in the 2FA code. The banks were surprised to learn that many banking customers didn’t pay attention to the transaction details and were content to type in the code. The bancos Trojans were still able to steal money in many cases.

No matter how you authenticate to your computer or device, 2FA or not, once you authenticate, a hidden rogue user or malware program can do whatever it wants. It just waits for your computer to time out, for a time when you’re likely asleep, or for you to lock your screen. Even when you lock your screen, your authentication and authorization tokens are active and can be reused.

3. Compromised 2FA software

A specialized man-in-the-endpoint attack is a compromise of the software related to the 2FA device. For example, to use a smartcard on a device, it must have smartcard-related software that operates and understands the smartcard. The smartcard vendor can give you the software to install or a generic driver can be preinstalled on the operating system or device you use.

If you allow a hacker to install rogue software, it can manipulate or replace the legitimate 2FA-related software. In the case of the smartcard example, the rogue software could ask the smartcard to share its stored secrets the next time the smartcard is used, or it could keep the token that indicates authentication success active in memory for much longer than the legitimate software would ordinarily permit, allowing the hacker to steal or replay it. In some scenarios, rogue software could be used to completely steal the smartcard’s identity and replace the smartcard on another rogue device.

4. Steal and replay the passcode generator

A lot of hardware and software 2FA tokens generate a one-time code that is unique for that user and device. Both the authenticating software and the user’s device can generate the one-time code at the same time, and the authenticating system then compares the user-submitted code against its own generated copy to see if they are identical.

In most cases the one-time codes are generated, in perpetuity, from a shared, random “seed” value unique to each 2FA device and user, and then all subsequent codes are generated from the seed at pre-set time intervals using a shared algorithm. This is the type of 2FA token where the user is prompted for the one-time code and only has 30 seconds to a few minutes to respond before a new value is generated. RSA’s SecurID tokens popularized these types of 2FA devices, although there are dozens if not hundreds of similar hardware tokens today, and hundreds, if not thousands, of software-only versions.

(In general, the software-only versions are not nearly as secure as the hardware-based versions because the software versions are far easier to compromise. The hardware tokens usually require physical access to compromise.)

Hackers learned a long time ago that if they can capture the original seed value and know the time-synced generating algorithm, then they can generate and match the same one-time code just as accurately as the real system and 2FA device. Some 2FA devices have used such weak one-time code generators that attackers could capture any one of the one-time values and then generate all future values. If this can occur without knowing the original random seed value, the algorithm used isn’t very cryptographically sound. You should not be able to capture one randomly generated value and use it to more easily find the next “randomly generated” value.

Common, widely used, everyday hacking tools have included related functionality, so that if the hacker can get the seed value, they can create a fake 2FA device. APT attackers have also used these types of attacks to their advantage. The most famous example is when Chinese hackers compromised RSA to get the seed values of Lockheed Martin, which they then used to break into Lockheed Martin.

5. 2FA not required

Many services, including popular websites, that allow you to use 2FA don’t require it, and this defeats its purpose. Most users think that once they have enabled 2FA, it must always be used. This is often not true. Most websites allow users to put in their password, answer their password reset questions, or call tech support to get around the 2FA blocker.

On sites that allow users to log on using multiple methods, including 2FA, but won’t allow the legitimate user to require 2FA, hackers have become adept at social engineering those sites’ tech support into resetting the user’s password, or the hackers simply figure out and answer the password reset questions.

I hate password reset questions. They are always orders of magnitude easier to guess than the password they protect. I consider password reset questions to be the scourge of the authentication industry. They should be stamped out like a cockroach.

Hackers can also social engineer the user out of their password credentials for the same site, and then use the password credentials instead of the 2FA logon. When a 2FA-enabled site doesn’t require 2FA to log on in all instances, it defeats the purpose of having 2FA in the first place.

If your corporate world uses 2FA but doesn’t enable it on all company sites and services, this means you still have a corporate logon name and password, and that largely defeats the purpose of having 2FA, at least on the sites that will take your non-2FA credentials instead.

6. Faking the subject

Here’s a dirty little secret that smartcard vendors don’t want you to know about. Each 2FA device/software is hooked to a user/device’s identity. That identity must be unique within the authentication system. In many 2FA systems, especially smartcards, if you can change a person’s identity, even temporarily, you can use any 2FA device, even connected to another person, and use it to authenticate as the targeted user. Let me explain by giving an example.

Suppose your smartcard is attached to an identity called user1@example.com. A hacker who obtains any other smartcard and PIN (say from user2) can go into the authentication system and change user1’s identity to user2, and vice-versa. Then they can log on as user2 using user2’s smartcard and PIN, and the system will log them on and track them in auditing as if they were user1. After they are through doing their rogue activities, they can simply switch the identities back, without ever having known user1’s PIN or having possession of user1’s smartcard, and user1 would be none the wiser. Smartcards are ripe for internal insider 2FA attacks.

This is true of many 2FA devices. Whatever is used to uniquely identify the user/device “ties” the 2FA device to that user/device. If someone has permission to change someone’s identity, they can literally switch that user’s/device’s identity to any other 2FA device (that they control). You should control and audit changes to any identity attribute the authentication system relies on as closely as you do password changes.
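The auditing advice above is easy to state and rarely implemented, so here is an added example (not code from the article) of what that audit looks like in practice: a small detector run over constructed directory audit records. It reports every change to the attribute that ties a card or token to an account, and additionally flags the two patterns the user1/user2 scenario above produces, a swap (two accounts exchange mapping values) and a revert (an account's mapping is changed and later put back). The attribute names, the pipe-delimited log format and the sample records are all constructed for this example; real directories and IdPs each name and log the mapping attribute differently.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

# Attributes the 2FA system relies on to tie a card or token to an account. These names are
# constructed for the example; use the attribute(s) your directory or IdP actually keys on.
WATCHED_ATTRIBUTES = {"cardMapping", "userPrincipalName"}

# Constructed audit records: when | actor | target account | attribute | old value | new value
SAMPLE_LOG = [
    "2024-03-01T09:00:00 | admin.bob | user1@example.com | cardMapping | CARD-1111 | CARD-2222",
    "2024-03-01T09:00:05 | admin.bob | user2@example.com | cardMapping | CARD-2222 | CARD-1111",
    "2024-03-01T09:40:00 | admin.bob | user1@example.com | cardMapping | CARD-2222 | CARD-1111",
    "2024-03-01T09:40:03 | admin.bob | user2@example.com | cardMapping | CARD-1111 | CARD-2222",
    "2024-03-01T10:00:00 | admin.ann | user3@example.com | department  | Sales     | Finance",
    "2024-03-02T08:00:00 | admin.ann | user4@example.com | cardMapping | CARD-4444 | CARD-4445",
]


@dataclass
class AttributeChange:
    when: datetime
    actor: str
    target: str
    attribute: str
    old: str
    new: str


def parse_audit_log(lines: Iterable[str]) -> List[AttributeChange]:
    """Parse the constructed pipe-delimited format into AttributeChange records."""
    changes = []
    for line in lines:
        when, actor, target, attribute, old, new = (f.strip() for f in line.split("|"))
        changes.append(AttributeChange(datetime.fromisoformat(when), actor, target, attribute, old, new))
    return changes


def _paired(items: List[AttributeChange], same_target: bool,
            within: timedelta) -> Iterator[Tuple[AttributeChange, AttributeChange]]:
    """Yield (a, b) where b carries a's values in reverse: a went old->new, b goes new->old."""
    for i, a in enumerate(items):
        for b in items[i + 1:]:
            if b.when - a.when > within:
                break  # items are time-sorted, so nothing later can be inside the window
            if (a.target == b.target) == same_target and a.new == b.old and b.new == a.old:
                yield a, b


def audit_identity_changes(changes: List[AttributeChange],
                           within: timedelta = timedelta(hours=2)) -> Dict[str, List[str]]:
    """Report every watched-attribute change plus swap and revert patterns among them."""
    findings: Dict[str, List[str]] = {"changes": [], "swaps": [], "reverts": []}
    watched = sorted((c for c in changes if c.attribute in WATCHED_ATTRIBUTES), key=lambda c: c.when)
    for c in watched:
        findings["changes"].append(
            f"{c.when.isoformat()} {c.actor} set {c.attribute} on {c.target}: {c.old} -> {c.new}")
    by_attr: Dict[str, List[AttributeChange]] = defaultdict(list)
    for c in watched:
        by_attr[c.attribute].append(c)
    for attribute, items in by_attr.items():
        # swap: two different accounts exchange values (user1 gets user2's mapping and vice versa)
        for a, b in _paired(items, same_target=False, within=within):
            findings["swaps"].append(
                f"{a.actor} swapped {attribute} between {a.target} and {b.target} at {a.when.isoformat()}")
        # revert: the same account is changed and then put back, the trail an abuser leaves behind
        for a, b in _paired(items, same_target=True, within=within):
            findings["reverts"].append(
                f"{a.actor} changed {attribute} on {a.target} at {a.when.isoformat()} "
                f"and reverted it at {b.when.isoformat()}")
    return findings


if __name__ == "__main__":
    for kind, lines in audit_identity_changes(parse_audit_log(SAMPLE_LOG)).items():
        print(kind, len(lines))
        for line in lines:
            print("  ", line)
```

Every watched change is reported, not just the suspicious pairs, because the point of the section is that these attribute edits deserve the same scrutiny as password resets; the swap and revert findings are simply the ones worth paging someone about.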

7. Stolen biometric

Your biometric identity attributes (e.g., fingerprints or retina scan) can be stolen and reused, and you will have a hard time denying the attacker’s use of them. There are many other issues with biometric identities (such as a huge rate of false negatives and false positives), but the biggest is that if they get stolen, they are forever compromised. With a stolen password, you can just change it. You can’t easily change your fingerprints or retina scan.

8. Shared, integrated authentication

I’m a huge fan of shared, integrated authentication schemes, like OAuth, which allow a user to log on once and then reuse that credential (often behind the scenes) to log onto more services and websites. When integrated, shared authentication is used, oftentimes the 2FA component that was required in the original authentication is not required again for the second and subsequent logons, even if those subsequent logons would normally require a 2FA logon on their own. Integrated, shared logons often use the already authenticated token for additional logons.
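A downstream service does not have to accept that silent reuse blindly. The following added example (not code from the article, and not any vendor's library) shows a relying party that inspects the token it receives from an upstream identity provider before allowing a sensitive action: it verifies the signature, checks the RFC 8176 `amr` claim for a value that means a second factor was really used, and rejects an authentication that is too old, which is the point at which a step-up prompt belongs. The HS256 signing key, the token minting helper, the claim values and the `authorize_sensitive_action` function are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed HS256 key shared between a hypothetical identity provider and this service.
IDP_KEY = b"constructed-example-key-do-not-reuse"

# RFC 8176 "amr" values indicating that a second factor was actually used upstream.
SECOND_FACTOR_AMR = {"mfa", "otp", "hwk", "sc"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: Dict[str, Any], key: bytes = IDP_KEY) -> str:
    """Mint a compact HS256 JWT; stands in for the token the upstream IdP would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(token: str, key: bytes = IDP_KEY) -> Dict[str, Any]:
    """Check the signature and pin the algorithm before trusting any claim."""
    header, payload, signature = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature)):
        raise ValueError("signature check failed")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_b64url_decode(payload))


def authorize_sensitive_action(token: str, now: int, max_auth_age: int = 300,
                               key: bytes = IDP_KEY) -> Tuple[bool, str]:
    """Allow only if the upstream logon used a second factor recently; otherwise demand step-up."""
    claims = verify_id_token(token, key)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    amr = set(claims.get("amr", []))
    if not amr & SECOND_FACTOR_AMR:
        return False, f"no second factor in amr={sorted(amr)}; step-up required"
    # a missing auth_time counts as infinitely old, so it also forces step-up
    if now - claims.get("auth_time", 0) > max_auth_age:
        return False, "authentication too old; step-up required"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current" Unix time
    password_only = make_id_token({"sub": "user1", "amr": ["pwd"], "auth_time": now - 10, "exp": now + 600})
    with_otp = make_id_token({"sub": "user1", "amr": ["pwd", "otp"], "auth_time": now - 10, "exp": now + 600})
    print(authorize_sensitive_action(password_only, now))  # rejected: no second factor
    print(authorize_sensitive_action(with_otp, now))       # (True, 'ok')
```

The `amr` claim is only trustworthy because the signature is checked first and the algorithm is pinned; a relying party that skips either step is back to taking the upstream system's word for it.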

9. Social engineering

As more and more websites allow or require 2FA, hackers have learned how to socially engineer users out of their 2FA credentials. These attacks can be like the MitM or man-in-the-endpoint attacks I discussed above, but can be more elaborate and involve the unintended participation of the vendor that requires the 2FA. Here’s an example of such an attack. In short, just because you are using 2FA doesn’t mean you can’t be tricked out of it.

10. 2FA brute force attacks

It is not unheard of for 2FA tokens to be lost and recovered by hackers. If the site or service using the 2FA logon does not have bad-logon-attempt controls, it might be possible for attackers to guess the PIN code the 2FA requires the user to type, over and over, until they get it right. Most 2FA sites do have lockout controls, but not all. Here’s a recent example of someone complaining about the lack of bad-logon controls on a very popular service, which was subsequently fixed.
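Two things decide whether guessing is practical: how many valid values a guess can hit, and how many guesses the service allows. The added example below (not code from the article) puts numbers on the first with a small probability function, and implements the second as a per-account limiter whose lockout doubles on each repeat; the gate function shows where the limiter sits relative to the actual code comparison. The `FakeClock`, the account names and the placeholder expected code are constructed so the behaviour can be exercised without waiting on a real clock.

```python
import hmac
import time
from typing import Callable, Dict, Tuple


def guess_success_probability(digits: int, accepted_codes: int, attempts: int) -> float:
    """Chance that `attempts` random guesses hit one of `accepted_codes` currently valid values.

    A 6-digit code with a +/-1 step window gives an attacker 3 winning values in 1,000,000 per try,
    so the number of tries the service allows is what actually bounds the risk.
    """
    per_try = accepted_codes / 10 ** digits
    return 1.0 - (1.0 - per_try) ** attempts


class AttemptLimiter:
    """Per-account lockout whose duration doubles on every repeated lockout."""

    def __init__(self, max_failures: int = 5, base_lock_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.base_lock_seconds = base_lock_seconds
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.lockouts: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self.locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> None:
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            prior = self.lockouts.get(account, 0)
            self.lockouts[account] = prior + 1
            self.locked_until[account] = self.clock() + self.base_lock_seconds * (2 ** prior)
            self.failures[account] = 0

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)
        self.lockouts.pop(account, None)


def check_second_factor(limiter: AttemptLimiter, account: str,
                        submitted: str, expected: str) -> Tuple[bool, str]:
    """Gate the code check behind the limiter; `expected` stands in for whatever the scheme computes."""
    if limiter.is_locked(account):
        return False, "account temporarily locked"
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        limiter.record_success(account)
        return True, "ok"
    limiter.record_failure(account)
    return False, "wrong code"


class FakeClock:
    """Constructed clock so lockout behaviour can be exercised without real waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    print(f"{guess_success_probability(6, 3, 1):.1e}")          # one try against a 3-code window
    print(f"{guess_success_probability(6, 1, 10 ** 6):.3f}")    # a million unthrottled tries
    clock = FakeClock()
    limiter = AttemptLimiter(max_failures=5, base_lock_seconds=60, clock=clock)
    for _ in range(6):
        print(check_second_factor(limiter, "user1", "000000", "123456"))
```

The limiter keys on the account rather than the source address because guessing is cheap to spread across many addresses; if both are needed, run one instance per key. A 2FA check that returns the unthrottled "wrong code" path a million times is exactly the missing control the section describes.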

11. Buggy implementations

It is a safe bet that there are more 2FA logon sites and software with bugs that allow 2FA to be bypassed than sites that have it completely secure. Here’s an example, but there are hundreds more examples of buggy 2FA implementations.

How to defend against 2FA attacks

Just because 2FA logons can be successfully attacked doesn’t mean that you can’t make it harder to do. Here are some recommendations to stop 2FA attacks, many of which you should already be using:

Page 1 of 2