October 6, 2021 — Acronis

How Can Hackers Bypass Two-Factor Authentication (2FA)?


What is Two-Factor Authentication (2FA)?

Two-factor authentication (2FA) is a feature that requires a user to present two different types of identity evidence before being allowed to access an account: typically something the user knows and something the user has. Two-factor authentication provides a second layer of protection for a user’s online accounts, above and beyond the user’s password. With 2FA, a user logs into the online account but, instead of getting immediate access, must provide additional information, such as a personal identification number (PIN), a one-time verification code, answers to questions that only the user knows, and so on. In some cases, 2FA sends the code in a text message to the user’s mobile phone.

Why is 2FA important?

2FA is the most highly recommended defense to block an attacker from hijacking a user’s account. If a user’s password is stolen, the thief will not be able to access the user’s account because another verification method is required. If your phone is lost or stolen, no one can access the verification code without knowing your mobile phone’s password to open the verification text or authenticator application.

How does 2FA work?

There are different types of 2FA. Some applications let the user choose which type of verification they prefer while other applications offer just one type of verification.  

2FA via hardware – This is one of the oldest types of 2FA. It uses a hardware token such as a key fob that displays a new numeric code every 30 seconds, or a device that plugs into the computer. When a user tries to access their account, they enter the 2FA verification code displayed on the device into the application/account. This method of 2FA is easy to implement and does not require an internet connection. Since it uses a hardware token, it tends to be one of the most secure 2FA methods, although it can be expensive for a business to set up and maintain for every user. It is also easy for a user to lose or misplace the hardware device.


SMS 2FA – This method of verification asks the user to provide their phone number. When the user logs on later, they are asked to enter a verification code (usually six digits) that is texted to the user’s phone. This method of verification is popular, as most individuals have SMS-capable phones, and the user does not need to install an app on their phone. However, the user needs cell reception to receive the verification message, and if they lose their SIM card or phone, they can no longer receive the message and cannot authenticate. Most recently, a flaw in this method of authentication was discovered where SMS services could let hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

2FA via phone call – This method is like SMS 2FA, except the user receives a phone call to receive the verification code. This method of verification has the same pros and cons as the SMS 2FA verification method.

2FA via email – 2FA via email is like SMS 2FA or 2FA via phone call, except that the user receives an email with a secret code or one-time password (OTP). In some cases, a user can click a unique link in the email to grant access to the account in lieu of a passcode. This method has the same pros as SMS 2FA and 2FA via phone call, except that an internet connection is required to receive the verification email. In addition, it is easy for the verification email to land in the user’s spam folder and, of course, if an attacker has access to the user’s email account, they will have access to the online account as well.

Authenticator app / TOTP 2FA – This method of verification requires the user to download an app such as Google Authenticator, Microsoft Authenticator, Salesforce Authenticator, or Authy. When the user logs into the online application from an unknown device, they are required to open the authenticator app on their mobile phone (or, with Authy, on a computer as well). The authenticator app generates an OTP – typically six to eight digits – that refreshes every 30 seconds. Once the user enters this code into the online account, they have access.

On the plus side, authenticator apps are easy to implement and use. The user immediately receives the auto-generated verification passcode and does not have to wait for an SMS or email to arrive. On the downside, anyone who has access to the user’s phone or computer can compromise the user’s account.

2FA via biometrics – This type of 2FA is an up-and-coming technology that utilizes a user’s biometrics as the token – the user’s fingerprint, retina, and facial or voice recognition. This method of verification is user friendly, considered the most secure type of 2FA, and does not require an internet connection. However, storing a user’s biometric data can lead to privacy issues, and this method requires special cameras and scanners.

Backup codes – Backup codes are an alternative method of verification if a user loses their mobile phone or cannot get codes via text, voice call, or an authenticator app. If the user doesn’t have their security key, they can use these one-time codes to sign in. A user can generate a set of 10 codes whenever they want. After creating a new set, the old set automatically becomes inactive.

How do hackers get around 2FA?

There are several ways a cybercriminal can get around 2FA.

Phishing – A cybercriminal can phish an authentication code just like they phish normal passwords. First, an attacker sends the user a phishing text message – styled like a Google SMS alert – indicating that someone tried to sign into the user’s account. A few minutes later, the user receives an email masquerading as a Gmail login attempt notification. The email is populated with the user’s personal details such as the user’s name, email address, and profile picture. The message instructs the user to change their password. Once the password is changed, a second phishing page appears asking for the authentication code.

Once the user changes their password, the attacker – who is actively monitoring the phishing page – logs into the user’s account using the new password. This action triggers a real Google text message to the user, which contains the authentication code. The user enters the code into a second page of the phishing site. The code only has a 30-60 second life, but that is enough time for an attacker to finish logging into the user’s account using their credentials and authentication code, change the login credentials, and gain control of the account. 


Social engineering – Social engineering attacks trick users into logging into a fake account with their real credentials. First, the attacker sends a phishing email to the user to get them to click on a link to a website that is a clone of a real MFA-protected site. Once the user clicks on the link, they land on the phishing site and are prompted to enter their username and password. The login attempt appears to fail, so the user answers the MFA security question or provides the authentication code, supplying the attacker with all the information they need to change the login credentials and gain control of the account.

Brute force – In a brute-force attack, an attacker keeps guessing the authentication code until the correct sequence is found. This is easier to do if the codes are four digits (0000-9999) but more difficult to accomplish if the code is six digits or longer. The longer the authentication code, the better it thwarts this type of attack.
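As an added example, not code from the original post, here is how the authenticator-app codes described above are generated (RFC 4226 HOTP and RFC 6238 TOTP) together with a server-side verifier that shows why the brute-force section favours longer codes and, more importantly, why the server must cap the number of attempts. The secret is the RFC reference key, chosen so the codes can be checked against the published test vectors; the OtpVerifier class, its lockout count and the guessing_stopped helper are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 reference key, chosen so the generated
# codes can be checked against the published test vectors.
DEMO_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, now // step, digits)

class OtpVerifier:
    """Server-side check (assumed design): accepts the current window plus one either side
    for clock skew, compares in constant time, and locks after max_attempts failures."""
    def __init__(self, secret: bytes, digits: int = 6, max_attempts: int = 5):
        self.secret, self.digits, self.max_attempts = secret, digits, max_attempts
        self.failures, self.locked = 0, False

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        for window in (-1, 0, 1):
            expected = totp(self.secret, max(0, now + 30 * window), digits=self.digits)
            if hmac.compare_digest(expected, code):
                self.failures = 0
                return True
        self.failures += 1
        self.locked = self.failures >= self.max_attempts
        return False

def guessing_stopped(secret: bytes, now: int, digits: int, max_attempts: int = 5):
    """Enumerate codes in order against a fresh verifier: whatever the code length, the
    lockout ends the guessing long before the space is covered. Returns (accepted, tries)."""
    v = OtpVerifier(secret, digits, max_attempts)
    for n in range(10 ** digits):
        if v.verify(str(n).zfill(digits), now):
            return True, n + 1
        if v.locked:
            return False, n + 1
    return False, 10 ** digits
```

A production verifier would also remember the last accepted time step so a code cannot be reused within its window, and would usually prefer per-account rate limiting with backoff over a hard lock, which an attacker could otherwise trigger deliberately to lock users out.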

Cookie stealing and session hijacking – In this scenario, the user’s PC is infected with malware and the attacker waits until the user is logged into a session, steals the user's session ID or session cookie, and takes over the session without being detected.

Once a user has logged into a site, they do not need to enter their password on every request. Instead, a cookie is used that contains information about the user, keeps the user authenticated, and tracks their activity during the session. The session cookie stays in the browser and is only invalidated when the user logs out or is automatically logged out. Unfortunately, many users do not log out of sessions but merely close the window. This allows the attacker to use the cookie for an extended period, causing maximum damage.
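Added example, not from the original article: a server-side session store that addresses the two weaknesses just described, a cookie that outlives the closed browser window and a session the user never explicitly ends. Because the cookie carries only a random handle, the server can expire a stolen handle on inactivity, cap its absolute lifetime and revoke it outright; the class and function names, the timeouts and the cookie name are assumptions, and the cookie attributes cannot stop malware already running on the user’s machine, which is why the server-side expiry matters.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Session:
    user: str
    created: float    # when the user authenticated
    last_seen: float  # last request that presented the cookie

class SessionStore:
    """Server-side session table keyed by a random handle (assumed design). The browser
    keeps the cookie after the window is closed, but the server decides whether the
    handle still maps to a live session."""
    def __init__(self, idle_timeout: int = 15 * 60, absolute_timeout: int = 8 * 3600):
        self.sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, so the id cannot be guessed
        self.sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str, now: float) -> Optional[str]:
        """Return the user behind a valid session id, or None if unknown or expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout or now - s.created > self.absolute_timeout:
            self.revoke(sid)  # an idle or too-old handle dies server-side, even if it was stolen
            return None
        s.last_seen = now
        return s.user

    def revoke(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def revoke_all_for_user(self, user: str) -> int:
        """Invalidate every session of a user, e.g. after a password or 2FA change."""
        stale = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in stale:
            self.revoke(sid)
        return len(stale)

def session_cookie(sid: str, max_age: int) -> str:
    """Set-Cookie attributes: Secure (HTTPS only), HttpOnly (hidden from page scripts),
    SameSite=Lax (not sent on most cross-site requests), Max-Age (bounded browser lifetime)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age={max_age}"
```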

OAuth – Many services, such as Amazon, Google, M365, Facebook, and others, use open authorization (OAuth), an open standard for access delegation. It is a way to grant a website or application access to information on other websites/applications without the need to provide passwords. OAuth 2.0 is commonly used and, in many cases, is incorrectly configured, allowing criminals to steal a user’s authorization codes or access tokens and, with them, the user’s data.
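The article does not name the misconfiguration; the most common one in practice is lax redirect_uri matching, so this added example (not Acronis’s or any provider’s code) shows a prefix-based check beside the exact-match check the OAuth 2.0 specification calls for, run against a constructed client registration. The client id, hostname and function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed client registration: each client_id maps to the exact callback URIs it
# registered at onboarding. The id and hostname are placeholders for this example.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://app.example.com/oauth/callback"},
}

def redirect_allowed_prefix(client_id: str, candidate: str) -> bool:
    """The lax check: anything that merely starts with a registered URI passes, so a
    path that walks to another endpoint on the same host (say, an open redirect) also
    passes, and the authorization code is delivered wherever that endpoint sends it."""
    return any(candidate.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))

def _canonical(uri: str):
    """Parse and reduce a URI to the parts that must match exactly. Rejects non-https,
    fragments, userinfo and missing hosts by raising ValueError."""
    u = urlsplit(uri)
    if u.scheme != "https" or u.fragment or "@" in u.netloc or not u.hostname:
        raise ValueError("disallowed redirect_uri shape")
    return (u.scheme, u.hostname, u.port or 443, u.path, u.query)  # .port may raise too

def redirect_allowed_exact(client_id: str, candidate: str) -> bool:
    """The strict check: the candidate must equal a registered URI component by
    component; dot-segments are not resolved, so '/callback/../x' is simply a mismatch."""
    try:
        cand = _canonical(candidate)
    except ValueError:
        return False
    return any(cand == _canonical(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))
```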

How to prevent 2FA bypasses with Acronis Cyber Protect Cloud Advanced Email Security

Acronis Cyber Protect Cloud is the only solution that natively integrates cyber security, data protection, and protection management to protect all data, applications, and systems. The unique integration eliminates complexity so service providers can protect customers better while keeping costs down. With Acronis Cyber Protect Cloud, you can enhance your backup service with essential cyber protection at no cost and increase your profitability with essential cyber protection functionalities that cover all endpoints. Acronis will not charge you if you don't consume backup or file sync and share storage.

Powered by the industry-leading solution from Perception Point, Acronis Advanced Email Security pack enables service providers to enhance and extend their cyber security capabilities by detecting and stopping all email-borne cyberthreats before they can reach their clients’ end users. In an evaluation by SE Labs Independent Testing, Perception Point was ranked #1 for its highest detection rate (96%), coupled with a 0% false-positive rate.

With Acronis Advanced Email Security pack, you can protect your clients from phishing, social engineering, OAuth attacks, cookie stealing (if the machine was compromised via email), and any other malicious email attack, regardless of the objective. It includes unmatched detection technologies, including:

  • A spam filter to block malicious communications
  • Anti-evasion techniques to detect malicious hidden content by recursively unpacking the content into smaller units, which are checked by multiple engines in under 30 seconds
  • Threat intelligence to stay ahead of emerging threats
  • Static signature-based analysis to identify known threats with best-of-breed signature-based antivirus engines enhanced with Perception Point’s unique tool, which identifies highly complex signatures
  • Anti-phishing engines to detect malicious URLs based on four leading URL reputation engines in combination with Perception Point’s advanced image recognition technology, to validate the legitimacy of URLs
  • Anti-spoofing to prevent payload-less attacks
  • Next-generation dynamic detection to stop advanced attacks such as advanced persistent threats (APTs) and zero-day attacks
  • X-ray insights, which provides forensics data for each email, proactive insights on threats seen in the wild, and analysis of any file or URL
  • Incident response service allowing direct access to cyber analysts who can act as an extension of your service delivery team
  • Reporting with easily accessible data sets and weekly, monthly, and ad-hoc reports from the Incident Response Team
  • Ad-hoc email analysis so end users can directly consult with Perception Point’s email security experts before taking action
  • End-user contextual help that flags emails with customizable banners on policies and rules to provide end users with additional contextual information.

In summary, Acronis Cyber Protect Cloud and Acronis Advanced Email Security pack can intercept any email-borne attack within seconds, including spam, phishing, business email compromise (BEC), malware, advanced persistent threats (APTs), and zero-days before they reach end-users’ Microsoft 365, Google Workspace, or Open-Xchange mailboxes.

