Amnesty International reveals how 2FA is being bypassed automatically

Cybersecurity comes down to being slightly less of an easy target than the guy next to you. If they have a stupid easy-to-guess password while you use a password manager, then they’re an easier mark. Likewise, using two-factor authentication (2FA) is often enough to put off hackers, as it’s just more trouble than it’s worth.
But a new report from Amnesty International has highlighted how hackers in the Middle East and

Africa have automated the process to a degree where your 2FA can be cracked in seconds. Essentially, both your password and your 2FA code is phished automatically giving hackers access to your seemingly impenetrable accounts.

Amnesty International reveals how 2FA is being bypassed automatically
Before we get into the nitty-gritty, here’s a quick reminder on how 2FA works. You give the service – Google, Twitter, Coinbase, whatever – your phone number. When you log in normally with your password, the service sends you a text message with a one-time-use code that you type in to confirm that the person who entered your password was really you.
There’s a get around here though. Say somebody has made a convincing looking Google Drive and asks you to enter your password. If you do, they can take your credentials and enter them into the real Google Drive. You’ll still get a real 2FA code sent to you, and if you enter it into the fake site’s confirmation page, then the hackers now have the code to use themselves.
Enter it quickly enough, and they have full access to the site you thought you were accessing all along. Now this process is being done at scale in an entirely automated fashion, it’s only a matter of time before the most common form of 2FA is as flimsy as a regular password.

So what’s the best alternative? 

Amnesty recommends hardware security keys: USB sticks you actually have to physically connect to your computer or phone to prove that you’re there with it. “This process might appear painful at first, but it significantly raises the difficulty for any attacker to be successful, and it isn’t quite as burdensome as one might think,” the report reads.
Hardware security keys have their problems, mind: they’re not that widely adopted, for one thing, but more importantly, they run a real risk of loss. Lose your security key, and you’re locked out of your services forever.
Still, that may be a price worth paying in the long run. In the short term, be extra vigilant when scrutinising websites you’re directed to. You don’t want to be the one accidentally leaking thousands of diplomatic cables.

Leave a Reply

Your email address will not be published. Required fields are marked *