In an effort to make your online accounts safe, many websites and services offer two-factor authentication solutions. These add an extra layer of security to your online accounts by linking the account to another device and sending a unique, one-time code that you must enter together with your login credentials. It sounds a lot safer than the usual password-only login. However, it isn’t foolproof. Ask a hacker if it is possible to hack common two-factor authentication. The answer is a resounding YES.
How? Through the classic method of phishing.
The Art of Phishing
Phishing is not a new concept in fraud schemes. In fact, it can be dated back to the early 1990s. However, even though the act of phishing is now more than a decade old, many people still fail to identify it and easily fall victim to phishing scams.
How do hackers bypass two-factor authentication by phishing? The concept is actually pretty simple.
A credential phishing attack begins when a hacker sends a seemingly authentic email from a look-alike domain name or by spoofing a coworker’s email address. For example, they can use linkedun.com instead of linkedin.com, or firstname.lastname@example.org instead of email@example.com. Coupled with a very convincing message body, not everyone would be able to spot the difference, especially on a busy workday.
Note how ‘u’ was used to replace ‘i’ and ‘rn’ was used to replace ‘m’.
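As an added defensive example (not code from the original post or from TraitWare), the following Python checks a sender’s domain against a small list of protected domains: it first folds confusable sequences such as ‘rn’ for ‘m’, then compares the registrable label by edit distance and separately flags a bare TLD swap, so both linkedun.com and a .org copy of example.com are caught. The protected list, the confusable table and the sample domains are all constructed for illustration.

```python
"""Look-alike sender domain check (constructed example, not TraitWare code)."""
from typing import Optional

# Domains this organisation wants to defend against impersonation (assumed list).
PROTECTED = ["linkedin.com", "microsoft.com", "example.com"]

# Character sequences that render almost identically in common fonts.
# Applied to both sides of every comparison, so legitimate names stay comparable.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse confusables ('rnicrosoft' -> 'microsoft')."""
    d = domain.lower()
    for seq, rep in CONFUSABLES.items():
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple:
    """Split 'linkedun.com' into ('linkedun', 'com'); no TLD gives an empty string."""
    label, _, tld = domain.rpartition(".")
    return (label, tld) if label else (tld, "")


def classify(sender_domain: str, max_distance: int = 2) -> Optional[str]:
    """Return the protected domain the sender imitates, or None if nothing matches."""
    if sender_domain.lower() in PROTECTED:
        return None  # exact match; authenticity is then a job for SPF/DKIM, not shown here
    label, tld = split_domain(normalize(sender_domain))
    for legit in PROTECTED:
        legit_label, legit_tld = split_domain(normalize(legit))
        if label == legit_label and tld != legit_tld:
            return legit  # same name, swapped TLD (example.org for example.com)
        if edit_distance(label, legit_label) <= max_distance:
            return legit  # near miss such as linkedun for linkedin
    return None
```

The distance threshold is a tuning knob: a low value misses multi-character rewrites, a high value flags unrelated short names, so in practice the check is layered with SPF/DKIM results rather than used alone.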
Malicious emails usually contain a link that prompts the user to log in to the target website and enter the two-factor authentication code from their phone. A spoofed work email may also contain seemingly important attachments that have to be fetched from target applications that also require a login. In reality, the login is relayed through the hacker’s server on its way to the real site. The hacker gets their hands on the session cookie and can then access your account as if they were you. That’s it. You are hacked.
Worse still, the entire hacking process and the tool used to pull off these attacks have been made public. Kevin Mitnick, formerly one of the FBI’s most wanted hackers and now the chief hacking officer of the cybersecurity company KnowBe4, told CNBC that ‘any 13-year-old could download the tool and actually carry out these attacks.’
Better Security Solutions
This doesn’t mean that two-factor authentication solutions are useless. They do their job in making online accounts safer. Furthermore, it’s not so much the websites that are vulnerable to phishing as the users. One way to protect yourself from these attacks is to be careful and pay close attention to your emails even if you are using two-factor authentication. The look-alike domains and email addresses attackers use are legitimately registered, so a spam filter will not necessarily catch them.
Still, the consequences of getting your login credentials stolen can be very severe. For businesses especially, having this hole exploited by malicious parties can harm the company’s interests and put your clientele at risk.
Are you serious about protecting your company from potential security breaches? You should know that there are better security solutions that can make your business more secure on the web. To protect against attacks like this one, cybersecurity companies developed a new solution: physical security keys. One example is Google’s Titan Security Key, which Google describes as a ‘phishing-resistant 2FA device.’
These devices are like keychains with hardware chips that connect to your devices via Bluetooth or USB. Instead of a code sent to your phone, the key itself becomes the additional factor needed for logins. However, these small devices also have disadvantages. They can be easily misplaced or lost. Worse yet, they can be forgotten and left plugged into the computer, where anyone with access to that machine can use them to reach your accounts.
A modern approach to multi-factor authentication solutions
TraitWare offers passwordless multi-factor SSO that can support up to four-factor authentication. Its concept is similar to using physical security keys. However, instead of USB devices, TraitWare turns your mobile gadgets such as smartphones or tablets into your security asset by creating a unique mathematical code that is used to authenticate your login. The authentication server then produces a one-time QR code to be read by the secure token. It’s simple, reliable and secure.
Ease your worries and move on from the soon-to-be-outdated two-factor authentication solutions that are vulnerable to hacking. TraitWare offers a seamless user experience from account enrollment to login. No need for vulnerable passwords. OTP countdown panic gone. No need to worry about your credential keys getting stolen. Maintain the highest security standards for your business online.