Two-factor authentication is supposed to be one of the best ways to keep your online accounts secure. But what happens when hackers figure out how to beat it? Sadly, that time has already come, which makes creating ultra strong passwords more important than ever.
Phishing for Codes
Google has been pushing users to enable two-factor authentication for years, but hackers have found a way to bypass this security feature. It comes down to an old-school scam: phishing.
Hackers start by scaring you into trying to lock down your account. They send you a text claiming that suspicious activity has been noticed and that you should reply to the message with a 6-digit verification code, which the message says you’ll receive shortly.
The scam works when the two-factor process is triggered by a login attempt on the account and the user receives a genuine code. The user then texts that code back to the hacker, and suddenly the hacker has full access to the account.
Related Read: How to Recognize a Facebook Phishing Scam
Mobile Networks Are Vulnerable
A serious flaw exists in mobile networks that allows hackers to intercept data sent to and from your smartphone. While the flaw has existed for years, nothing has ever been done about it. The SS7 flaw is now a hacker’s best friend, and a German phone company was the most recent victim.
The company stated that cybercriminals had infected many users’ computers with malware and then launched an SS7-based attack. They already had the users’ passwords from the malware and then waited for the users to request their two-factor authentication codes. The codes were intercepted and used by the hackers instead.
This isn’t the only vulnerability with mobile providers either. Grant Blakeman, an indie developer, had his Instagram account hacked via his Gmail account, even though two-factor authentication was enabled.
Hackers can enable call forwarding or even contact the provider to arrange a bypass. It’s easy enough for hackers to gather the information needed to answer security questions if you have public social media profiles. In Blakeman’s case, the hackers gained access to his Google account via the mobile provider and could then receive the Instagram account-recovery email to take over that account.
Two-Factor Authentication Methods Vary
Two-factor authentication isn’t just one thing. It simply describes a login process that takes two steps. The three main options include a physical USB key, a verification app, and the more popular SMS method. Naturally, there are individual options and platforms for each of these three. Sadly, they’re not all created equal.
While it’s nearly impossible for hackers to bypass an account that requires a physical USB key, someone could steal the key or you might lose it, which is why many users opt for one of the other two methods.
With verification apps such as Google Auth and Duo, hackers would need either to hijack those systems or to have malware on the user’s device. Another issue is how secure the many similar, lesser-known apps might be.
SMS is the flimsiest of the three: it’s much easier to compromise a phone system or signal to catch verification codes in transit.
Overall, there are hundreds of different two-factor services, and it’s hard to know which are good and which are less than secure. The Verge even refers to two-factor authentication as “a mess” due to all the security flaws.
Related Read: 4 Must-Know Cybersecurity Tips
Ethical hacker Shahmeer Amir showcases four major ways to bypass two-factor authentication. He says one of the most common methods is a feature you’ve probably used yourself – password or account recovery.
During the process, you’re normally sent a link or code to reset your password, or you’re asked a series of questions to recover your account. Most of the time, the two-factor check doesn’t exist at all during account recovery.
According to Amir, two-factor authentication by itself isn’t the problem; it’s the implementation. If creators don’t take the time to secure the process and prevent workarounds, then it’s no safer than anything else.
As with most security features, hackers will continue to look for ways to bypass two-factor systems. Amir says it’s still one of the best ways to secure an account.
Even though hackers keep finding ways to break into accounts, you shouldn’t skip two-factor authentication yourself. It’s still an extra layer of security. Right now, the biggest two-factor hacks are happening in the cryptocurrency industry, such as the Coinbase hack.
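Amir’s point that the problem is the implementation is easiest to see in code. The following is an added example, not code from the article or from any real service, of a toy account service with two password-reset paths: one that trusts the emailed reset link alone, and one that still demands a second factor (a one-time backup code) before rewriting the password. The account, token and code handling are all constructed for this example; the SHA-256 helper stands in for a real password KDF.

```python
import hashlib
import hmac
import secrets

RESET_TTL_SECONDS = 15 * 60  # constructed policy value for this example


def sha256_hex(value: str) -> str:
    """Placeholder hash; a production system would use argon2/bcrypt for passwords."""
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, password: str):
        self.password_hash = sha256_hex(password)
        self.two_factor_enabled = True
        self.recovery_code_hashes = set()  # one-time backup codes, stored hashed
        self.reset_token_hash = None
        self.reset_expires_at = 0


class AccountService:
    def __init__(self):
        self.accounts = {}

    def register(self, user: str, password: str):
        acct = Account(password)
        codes = [secrets.token_hex(4) for _ in range(5)]
        acct.recovery_code_hashes = {sha256_hex(c) for c in codes}
        self.accounts[user] = acct
        return codes  # shown to the user once at enrolment, like real backup codes

    def request_reset(self, user: str, now: int) -> str:
        acct = self.accounts[user]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = sha256_hex(token)
        acct.reset_expires_at = now + RESET_TTL_SECONDS
        return token  # a real service emails this; it is returned here only for the demo

    def _consume_reset_token(self, acct: Account, token: str, now: int) -> bool:
        if acct.reset_token_hash is None or now > acct.reset_expires_at:
            return False
        if not hmac.compare_digest(acct.reset_token_hash, sha256_hex(token)):
            return False
        acct.reset_token_hash = None  # single use once it has matched
        return True

    def reset_weak(self, user: str, token: str, new_password: str, now: int) -> bool:
        """Recovery path that never consults the second factor: mailbox access is enough."""
        acct = self.accounts[user]
        if not self._consume_reset_token(acct, token, now):
            return False
        acct.password_hash = sha256_hex(new_password)
        return True

    def reset_hardened(self, user: str, token: str, recovery_code: str,
                       new_password: str, now: int) -> bool:
        """Recovery path that still requires an unused backup code when 2FA is on."""
        acct = self.accounts[user]
        if not self._consume_reset_token(acct, token, now):
            return False
        if acct.two_factor_enabled:
            candidate = sha256_hex(recovery_code)
            match = next((h for h in acct.recovery_code_hashes
                          if hmac.compare_digest(h, candidate)), None)
            if match is None:
                return False  # token already spent: a wrong code forces a fresh reset request
            acct.recovery_code_hashes.discard(match)  # each backup code works once
        acct.password_hash = sha256_hex(new_password)
        return True


if __name__ == "__main__":
    svc = AccountService()
    codes = svc.register("alice", "old-password")
    token = svc.request_reset("alice", now=1000)
    print("weak reset succeeded:", svc.reset_weak("alice", token, "attacker-chosen", now=1001))
```

Both paths use an expiring, single-use, hashed token, so the reset link itself is handled properly; the difference is only whether the second factor is checked at all. Spending the token before checking the backup code means a wrong code costs the caller a new reset request rather than giving them unlimited guesses against one link.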
A few ways to stay more secure yourself include:
- Be careful with any suspicious texts or emails that ask for your verification code
- Avoid SMS- and email-based verification code methods (both are still more secure than a password alone, but they are the most vulnerable to hackers)
- Consider having a separate number that’s only for online services (Google Voice is a good option)
- Only download apps from trusted sources (malware gives hackers their first key – your password)
It may still take years before companies switch to more secure versions of two-factor authentication, but until they do, take extra precautions.
For more information, PixelPrivacy has created an in-depth guide to two-factor authentication, including visual references for common accounts.
Contribution by Crystal Crowder
About the Author
Crystal lives and breathes tech. She’s spent over a decade writing tutorials, reviews, and more on tech, business, and lifestyle sites. Her idea of fun is settling down with the latest tech and gadget news.