Not a day goes by without phishing scams occurring somewhere in the world. The internet brings with it many conveniences but can also be dangerous at times, especially if the users do not observe due diligence.

While there are scores of measures you can adopt for cybersecurity, there are some that we can consider the primary essentials. Firstly, it is always advisable to keep usernames and passwords a secret. Secondly, internet security demands the use of strong passwords that are challenging to hack. An example of a robust password is one that contains a combination of alphabets in the capital and small cases, numbers, and special characters.

However, cybercriminals and their phishing scams have become smarter today, and they can decipher reasonably strong passwords. The two-factor authentication (2FA) is an excellent step towards securing your valuable data, but hackers have now become smart enough to crack even this additional layer of security.


Two-Factor Authentication (2FA)

Before going into the details of how hackers bypass 2FA, let’s take a brief look for an understanding of how 2FA works. The 2FA is a concept that necessitates every transaction to clear two layers of authentication. The first layer is the password that users enter when logging into a system. The second layer of security is the One-Time-Password (OTP) that the system sends to the user’s mobile number registered with the organization. The transaction is complete and access granted when the user clears both these levels of authentication.

Another method of 2FA is the use of third-party software such as Google Authenticator or Authy to deliver the code. This method requires the user’s mobile phone to have internet access at the time of the transaction. The web application’s login function communicates with the cloud interface to generate, as well as synchronize, the timings of the operation.


2FA – Can It Be Hacked?

Theoretically, 2FA should be hack-proof because the final authentication is in the form of an OTP sent to a device that the users have in their hands at the time of the transaction. The incorporation of 2FA for access to the user’s accounts ensures that hackers have a challenging time to break into it. However, cybercriminals have proven once again to be smart adversaries with the ability to bypass the 2FA system with a new kind of phishing scam. Let’s take a look at a couple of examples showing how cybercriminals have managed to crack 2FA and access accounts of users worldwide.


Examples Of 2FA Hacking

Cyber thieves have proven that it is possible to hack any interconnected system in the world irrespective of having security measures like 2FA in place. Here are some examples of 2FA hacking – physical and automated.  

  • 2FA entails the use of an OTP sent to the registered phone number of the user. There are instances of hackers gaining access to the user’s phone (by force or otherwise), following which it becomes easy for these criminals to clear the additional layer of security.
  • It is also possible to hack into the system without possessing the phone to which the system sends the OTP. Hackers are smart talkers, whereby they coerce unsuspecting victims to part with their private credentials such as passwords and OTP.
  • In spite of having a security feature like 2FA, cybercriminals have managed to hack into accounts. They do this by compromising the user’s account by replacing the latter’s registered phone number with theirs. It results in the OTP being sent to the hacker’s phone number instead of the user’s, thereby making it easy for criminals to access the system.
  • Recently, security experts have unearthed an automated phishing scam that enables hackers to bypass 2FA. They have demonstrated the modus operandi at the ‘Hack in the Box Security Conference’ in Amsterdam. It was also posted on YouTube on June 2, 2019, to educate people on how hackers crack multiple layers of security, including 2FA

The hack involves two tools, Muraena and NecroBrowser, working in tandem to enable hackers to gain access into the system. Muraena acts as a proxy between the user and the target website by intercepting web traffic between the two. It looks out for users who visit and enter their login credentials in a phony site. It authenticates the session’s cookies and passes the information to NecroBrowser, which then keeps track of the private accounts maintained by the potential victims.     


Commonly Used Methods To Bypass 2FA

Cybercriminals use four conventional methods to bypass 2FA.

  • Password Resetting Functions: Usually, web applications allow login by the user after completing the password reset procedure. It does not implement the 2FA system under such circumstances, thereby making it possible for the hacker to access and maintain a session immediately after the reset.
  • Oauth Mechanism: Renowned web applications like Google, Facebook, Amazon, and Twitter allow users to share information about their accounts, but without giving passwords, to third-party apps or websites. It does not involve the use of 2FA. If the hacker gains access to the username and password, it becomes easy for him/her to access the system on behalf of the user.
  • Brute Force: At times, web developers ignore to put rate limitation on the 2FA input fields. It makes it easy for criminals to use brute force and guess the 2FA code using modern computers.
  • Race Conditions: Race conditions involve using a previously used or unused token value recursively. It requires the cyber attacker to know or have access to already generated values. Intercepting a previous code or reversing the code generation app’s algorithm allows the hacker to gain access to the previously created values.


Protection From Bypassing 2FA Authentication

Users can take advantage of additional precautions to safeguard your data from 2FA hacks.

  • Google has introduced a new push-authentication system to generate a prompt on the user’s mobile phone. It proves handy when users access Google using a different system to the one they usually use. Google sends a notification presenting a set of three random numbers, out of which the user has to tap the right one to authenticate the access.
  • Another safeguard is to use a VPN that allows users to browse anonymously online while creating an encrypted internet connection irrespective of the device or the location. This encryption procedure uses the highly secure AES-256 algorithm to make it impossible for anyone to access your private data.
  • Technology has made people smarter in the sense that they use it to perform various activities daily. Cyber attackers are intelligent people who use phishing scams to glean information from users. 2FA has a reputation for being one of the safest procedures to access the internet. However, hackers have managed to break into the 2FA authentication procedure and gain access to valuable private information.

We don’t mean, by this article, to discourage you from using the 2FA method. But you should know that it is not a foolproof protection against phishing scams. To thwart the attempts on your account, make use of the precautionary countermeasures like the ones mentioned above.