Breaking 2FA authentication: demystifying your security


So, you thought using 2-factor authentication (2FA) and multifactor authentication (MFA) was your one-stop solution to keep hackers out of your accounts. Let’s adopt a rule of thumb – if there’s a will, there’s a way.

I’m here to tell you that there is a way because I’ve done it myself. This is due to a design flaw in how the server responds to incorrect POST requests during a 2FA process.

For those of you who are not familiar with these terms, 2FA is an additional security layer that’s used to safeguard accounts from bad actors trying to gain access. It provides an element for establishing identity. It requires users to provide two different authentication factors: one for the account and one provided by the 2FA process, usually in the form of an SMS text message or email with a one-time password (OTP) or temporary code.

Even platforms that actually do set limits against erroneous login requests might not be enough to deter bad actors from gaining access to online accounts. In this same vein, platforms that don’t implement this at all can be manipulated and cracked when targeted by a skilled bad actor.

Please just use an authenticator App.

What you can learn from your 2FA

Try this exercise: to put this into perspective, when you log in to an account using your username and password and are presented with a 2FA prompt, this presents a unique opportunity to learn how the server processes 2FA POST requests.

I tested the 2FA process on several accounts of mine from different devices to learn how they handle incorrect OTPs, searching for accounts that would be vulnerable to brute force attacks using Burp Suite.

For example, Telegram executes an account lockout policy after 5-10 incorrect 2FA login requests, resulting in 2FA authentication being restricted for 23 hours. This is smart since it helps protect a user’s account from brute-force attacks, which helps reduce the risk of unauthorized access.

The following highlights the difference between messaging platforms like Telegram and WhatsApp. The process is entirely different from WhatsApp, which requires time-sensitive, real-time physical interaction with the user’s phone when either signing in to the account on a phone or the browser web application WhatsApp web.

If you’re signing in through the web browser, it will produce an 8-digit alphanumeric OTP that must be entered into the physical device where the app is installed. Sending OTP SMS via a secure network guarantees its security, ensuring that only the user with access to the mobile phone can receive it.

The art of insecurity: exploiting intercepts

Technology is like a house of cards, and we can’t deal in the realm of absolutes. I used Burp Suite in the attack I simulated against my own 2FA OPT. This allowed me to capture the login sequences during the authentication process and brute force the 2FA OTP sent to my phone. Although I am still a novice at understanding the total scope of this attack vector, I do know that Burp Suite was designed to be able to handle complicated multi-step logins.

The interesting thing about incorrect login restrictions and OTP limits is that sometimes, it’s not the end of the road for a persistent hacker. These measures can be exploited. Using the Proxy and HTTP History options in Burp Suite, an attacker could intercept the POST page requests, modify the limit rule values in the POST request, and then forward it back to the server with the manipulated values.

A curious side note: the annual price tag to use Unlimited, Burp Suite’s Enterprise Edition, costs nearly $50k, which is more than the average person earns in a year and more than the sum of my court-ordered restitution from my previous hacking conviction.

Recycled phone numbers

I used to use Metro by T-Mobile as a mobile service provider in the United States. Oftentimes, when you sign up for their services, you get a new number. The bad news is that you get the phone number of the last person who had it. This means that if they didn’t sort out the accounts they subscribed to with that number before discontinuing it, it’s now yours.

Call it a major flaw. Anyone given your old number could stumble upon your accounts and have full access to them. This is what happens when customers aren’t given new numbers but recycled numbers.

I’ve had several recycled phone numbers assigned to my SIM card by Metro in the past. Each time I went to create an account on Facebook, WhatsApp, and Telegram, I was able to log right into someone’s account, someone else’s life story, and their secrets.

As an avid OSINT enthusiast, I encourage anyone to whom this happens to make an effort to locate the previous owner of the number and let them know about it.

SIM-swapping attack

Threat actors can also defraud the SMS-based OTP authentication factor through SIM-swapping, which is a social engineering attack. This attack requires a bad actor to know what your security questions are and then be able to answer them.

To accomplish this, a bad actor will need to know what mobile service provider you use and then call them while impersonating you. The attacker may call, identifying themselves by your name and number, to begin the process of learning what the security questions they will ask, hang up, perform OSINT, and call back.

After the first security question has been solved, they will usually be presented with another security question and follow the same process until all the security questions have been satisfied. From that point, they can inform the customer service representative to transfer your number onto a different device, thus having full power to steal your accounts, satisfy every 2FA and MFA OTP, and help themselves to your money.

Once the service has been swapped to the attacker’s SIM card, mobile service will discontinue on your phone. Obviously, you will notice a sudden disruption in service, if the attack was carried out during waking hours. Call your mobile service provider immediately if this occurs.

SIM cloning

There’s not much to say about this, but it requires the attacker to have physical access to your phone and enough time to clone your SIM card so it can be inserted into a second phone.

This won’t go unnoticed by the victim’s mobile carrier since they will notice two different phones bearing the same SIM and phone number being used in two different locations. I don’t know what the response time would be until it’s discovered, but it’s still incredibly damaging. Don’t leave your phone lying around unattended at hacker conferences.

Malware

If this next section was a Reddit post, it would cause a massive argument, and I’d just end up closing the thread. But in my opinion, the security of Android mobile devices is much like the security of Windows XP. So, if you’re an Android user, somewhere out there, a hacker is laughing.

That’s not to say iOS devices aren’t vulnerable. They’re way less vulnerable to attacks due to how it was manufactured with security at its heart rather than an afterthought.

Android depends heavily on after-market security apps and does not have security at its core, upon which everything else is built. It’s ultimately up to the user to choose security apps, which most don’t even realize they need.

Due to the fact Android apps request access to privacy elements that often have nothing to do with the way an app works and what resources it needs, every day, people install apps and grant permissions to pretty much anything apps request access to.

This is where malware comes into play, which will grant an attacker full access to everything. “Everything” as in all the things. Malware is often introduced onto smart devices using droppers, which serve as envelopes for additional payloads, which, in turn, can increase the access needed by an attacker as they request more permissions to obtain more information from your device.

If an attacker has physical access to your device, downloading malicious code, installing it, and granting permissions only takes about a minute. Once they have access to your messages, your 2FA security layer is toast.

SYN-ACK

Short of having your phone backdoored or your SIM card swapped or cloned, the best way to make sure your accounts stay safe is to use an authenticator app. These can generate random OTP temporary codes every 30 seconds, which expire.

And remember, make good choices!


More from Cybernews:

Will Australia ban X?

CISA’s ransomware warnings helped patch 852 vulnerabilities

Airchat – the latest social networking platform for audio communication – review

BerryDunn suffers third-party breach, 1M affected 

Two Apple apps will be available on Philips's latest OLED TV models 

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked