11 ways to hack 2FA

Always use two-factor authentication (2FA) when it is offered, but don't assume that it is completely secure.


I love two-factor authentication (2FA), and I love being in IT at a time when its merits are finally appreciated and it is being deployed across a wide range of sites and services. Once found only in high-security government and corporate scenarios, 2FA is now used by ordinary people for website and account authentication. 2FA can only help reduce the risk of hacking.

With that said, too many people are overly confident about the security 2FA provides. They think 2FA is unhackable and undefeatable, when that clearly isn't true. They think 2FA will stop advanced persistent threats (APTs), defeat phishing and social engineering, and stop all sorts of threats it was never designed to address. 2FA suffers from a perception problem that gives it more credit than it deserves. It can be and often is hacked in myriad ways, including the ones I thought of quickly below.

1. Man-in-the-middle attacks

If a man-in-the-middle (MitM) attacker can trick you into visiting their rogue website and prompt you for your 2FA credentials, it's essentially game over. The MitM attacker can fake a website that you trust and use 2FA with, then trick you into responding to a prompt and steal your 2FA-generated credential. Even more common is that after you successfully authenticate using 2FA, they steal the resulting (non-2FA) session token. Here's a great example video of this type of attack.

Most people don't understand that once you authenticate using 2FA (no matter how you do it, be it biometric, hardware token, or smartcard), the operating system that then handles your authorization to allowed objects uses a secondary, software-generated token. That token can be stolen and reused. For example, maybe your Windows laptop requires a fingerprint to authenticate and log on. Once you have successfully done that, behind the scenes it often uses NT LAN Manager (NTLM) or Kerberos tokens. How you authenticate usually has little bearing on how you are then authorized to access objects. If you're going to be a good computer security person, you need to understand that concept and its repercussions. They are huge.

2. Man-in-the-endpoint attacks

Similar to MitM attacks, if a hacker can get their malicious software onto your computer, they can modify the software that is used in your 2FA process enough to either steal the secrets protected by the 2FA token or use your already approved authentication to access something behind the scenes.

Banking (or bancos) Trojans have been doing this since the early 2000s. I first wrote about them and how they worked in May 2006. Essentially, these Trojans wait for you to successfully authenticate and then start hidden, rogue sessions in the background. You think you're simply checking your bank balance, and behind the scenes, the Trojan is transferring all your money to an offshore bank account.

Banks thought they defeated these types of Trojans by generating a secondary 2FA code that was keyed off the transaction figure and unique to that transaction. Bancos Trojan creators responded by intercepting the original requested transaction, generating and submitting their own, much larger transaction, and sending that to the bank. The bank, unaware that the new transaction was bogus, would create the secondary 2FA transaction using the rogue figure and then send it to the legitimate user. The legitimate user would type in the secondary 2FA code never knowing that the code they were sent was only valid for the hidden rogue transaction that was stealing all their money.

Banks responded to these new types of attacks by sending the transaction amount (and other related details) for the user to confirm before typing in the 2FA code. The banks were surprised to learn that many banking customers didn't pay attention to the transaction details and were content to simply type in the code. The bancos Trojans were still able to steal money in many cases.
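The transaction-bound code flow from the two paragraphs above, as an added simulation that is not part of the original article or any bank's software: the bank derives a 6-digit code from the exact amount and payee it was asked to execute, and the outcome depends entirely on whether the user compares the out-of-band details with what they intended. All names (Bank, derive_tan, user_confirms) and values are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed simulation of the transaction-bound code flow described in the text.
# Bank, derive_tan and user_confirms are hypothetical names, not any real bank's API.

def derive_tan(secret: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """6-digit code bound to the exact amount and payee (HMAC-SHA256, HOTP-style truncation)."""
    msg = f"{amount_cents}|{payee}|".encode() + nonce
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class Bank:
    """Issues one code per requested transfer and executes only a transfer whose code matches."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}

    def request_transfer(self, amount_cents: int, payee: str) -> dict:
        txid, nonce = secrets.token_hex(4), secrets.token_bytes(8)
        self.pending[txid] = (amount_cents, payee, nonce)
        code = derive_tan(self.secret, amount_cents, payee, nonce)
        # Delivered out of band; the details are there for the user to check before typing the code.
        return {"txid": txid, "amount_cents": amount_cents, "payee": payee, "code": code}

    def execute(self, txid: str, typed_code: str) -> Optional[Tuple[int, str]]:
        amount_cents, payee, nonce = self.pending.pop(txid)
        expected = derive_tan(self.secret, amount_cents, payee, nonce)
        if not hmac.compare_digest(expected, typed_code):
            return None  # code does not match this exact transaction
        return (amount_cents, payee)

def user_confirms(intended: Tuple[int, str], challenge: dict, checks_details: bool) -> Optional[str]:
    """A careful user compares the challenge with what they meant to send before typing the code."""
    if checks_details and (challenge["amount_cents"], challenge["payee"]) != intended:
        return None  # the code belongs to a transaction the user never requested
    return challenge["code"]

def simulate(trojan_substitutes: bool, user_checks: bool) -> Optional[Tuple[int, str]]:
    """Run one transfer from the user's intent to bank execution; returns what the bank executed."""
    bank = Bank(secret=b"constructed-per-user-secret")
    intended = (5_000, "DE00 GROCER")
    amount_cents, payee = intended
    if trojan_substitutes:  # endpoint malware swaps the request before the bank sees it
        amount_cents, payee = 250_000, "XX99 MULE"
    challenge = bank.request_transfer(amount_cents, payee)
    code = user_confirms(intended, challenge, user_checks)
    return None if code is None else bank.execute(challenge["txid"], code)
```

The binding stops a code from being reused for a different amount, but it cannot stop the bank from honouring a substituted request whose code an inattentive user types in unchanged.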

No matter how you authenticate to your computer or device, 2FA or not, once you authenticate, a hidden rogue user or malware program can do whatever it wants. It just waits for your computer to time-out, for a time when you’re likely asleep, or for you to lock your screen. Even when you lock your screen, your authentication and authorization tokens are active and can be reused.

3. Compromised 2FA software

A specialized man-in-the-endpoint attack is a compromise of the software related to the 2FA device. For example, to use a smartcard on a device, the device must have smartcard-related software that operates and understands the smartcard. The smartcard vendor can give you the software to install, or a generic driver can be preinstalled on the operating system or device you use.

If you allow a hacker to install rogue software, it can manipulate or replace the legitimate 2FA-related software. In the case of the smartcard example, the software could ask the smartcard to share its stored secrets the next time the smartcard is used, or keep the token that indicates authentication success active in memory for much longer than the legitimate software would ordinarily permit, allowing the hacker to steal or replay it. In some scenarios, rogue software could be used to completely steal and replace the smartcard on another rogue device.
