Relying solely on a username and password to protect your accounts is risky. Both can be stolen, guessed, or leaked in a breach. Therefore, two-factor authentication (2FA) is advisable for any critical access point. In fact, it has been a requirement for online banking for several years.
Two-factor authentication enhances security by requiring two different forms of verification to access an account, network, or application. These forms fall into three distinct categories:
- Knowledge (such as passwords or PINs)
- Possession (like smartphones or security tokens)
- Biometrics (including fingerprints or facial recognition)
For effective protection, the two factors must originate from separate categories. If more than two factors are used, it is termed multi-factor authentication.
Although 2FA provides a strong layer of security, it is not foolproof. Cybercriminals can exploit various vulnerabilities to gain unauthorized access to accounts.
1. Phishing: The Threat of Two-Factor Theft
While a secure TLS (Transport Layer Security) connection aims to protect communications between users and online accounts, attackers can deploy various methods to intercept these interactions. Such strategies include what are known as “man-in-the-middle” attacks.
Phishing Sites: An alarming threat to 2FA is phishing. Cybercriminals create deceptive websites designed to trick users into divulging their login credentials. Victims are often attracted to these sites via deceptive emails, text messages, or social media communications purporting to be from legitimate organizations.
Standard phishing pages capture only login details. In a more sophisticated man-in-the-middle attack, cybercriminals also capture two-factor authentication codes, instantly using them to log into the targeted service. This process is time-sensitive, as one-time passwords are typically only valid for a brief period.
This kind of attack requires meticulous timing, as attackers must be poised to log in immediately after a victim enters their details on a phony site. However, since such tactics can lead to significant financial theft, cybercriminals are eager to exploit this method.
2. Browser Malware: A New Kind of Threat
A variant of the “man-in-the-middle” method employs malware that embeds itself into the victim’s browser. This malicious software waits until the user has fully authenticated to their bank account, including any two-factor verification, and then manipulates a transaction in the background. Notable examples of such malware include Carberp, Emotet, SpyEye, and Zeus.
The transaction details displayed to the user appear legitimate, prompting them to confirm the transfer by entering a one-time password. However, unbeknownst to the user, the malware has transmitted entirely different details to the bank.
Protective Measures: Most banks show the transaction details again when they ask for confirmation with a one-time password. Always compare those details with the transfer you actually intended before approving.
Often, attackers already possess the victim’s username and password, either obtained from a dark web password dump or harvested by info-stealer malware on the victim’s machine.
To gain the second factor, attackers may impersonate bank employees over the phone, misleading victims into providing their 2FA codes under the guise of routine security procedures.
Protective Measures: Never share your 2FA codes or authorizations over the phone. Genuine bank representatives will never request such sensitive information.
Tips for Safeguarding Two-Factor Login
Implementing these suggestions can enhance both convenience and security when accessing services using 2FA.
- Create backup codes and store them securely. It’s wise to carry a few when traveling.
- Use multiple 2FA methods, such as an authentication app and a physical token, for added security.
- Avoid using SMS for 2FA with sensitive accounts, as it can be intercepted through SIM card cloning.
- Choose an authentication app that allows for backup capabilities for a smooth transition to new devices.
3. SIM Swapping: The New Hijack
What was once a trusted method for receiving one-time passwords via SMS has been jeopardized by the rise of SIM swapping, leading to massive thefts from 2FA-protected accounts, particularly in the cryptocurrency sector. This attack requires attackers to know the victim’s username and password.
In a SIM swapping scheme, also known as SIM hijacking, an attacker gains control of a victim’s phone number by persuading the mobile carrier to issue a new SIM card or eSIM. The attacker activates this new SIM on their device, thereby receiving the SMS containing the one-time password for two-factor authentication.
Attackers may falsely tell the mobile provider that the phone has been lost or, in some cases, wait until a replacement SIM card is mailed to the victim’s address and intercept the letter.
Protective Measures: Whenever possible, opt for alternatives to SMS for 2FA. Utilizing authentication apps or hardware tokens provides heightened security.
4. Cookie Theft: The Malware Situation
Some services let users mark the browser on a particular device as trusted, so that 2FA is only required at the first login. While convenient, this practice increases the risk of attacks.
To do this, the service stores an authentication cookie in the browser that holds the encrypted login state. If an attacker succeeds in placing an info-stealer on the victim’s computer, they can copy this cookie and log into the service without being asked for the second factor.
One such example of an information-stealing malware is Lumma, which has been preying on PC users since 2022.
Protective Measures: Install a reliable antivirus program on your Windows machine. In addition, configure your accounts to require the second factor at every login; this is often the default setting.
5. Weak Second Factors: A Serious Flaw
A frequent pitfall in employing 2FA is selecting a weak secondary factor. Users often resort to SMS, even when superior options are available. SMS is susceptible to attacks like SIM hijacking.
Email-based second factors are similarly unreliable, particularly if the email account does not have robust protective measures in place.
Insecure factors weaken an account even when they are only registered as backups: if an account accepts either a one-time password or an email verification, an attacker only needs to defeat the weaker of the two.
Protective Measures: Register multiple login factors, preferring secure options such as OTPs from an authentication app or passkeys, and avoiding SMS and email.
Complete Overview of Two-Factor Authentication
There are a variety of methods for deploying two-factor authentication, ranging from secure to less secure.
1. One-Time Passwords (OTPs)
- SMS OTPs: Users receive a one-time password via SMS. Security: SMS OTPs are vulnerable to SIM swapping and other attacks.
- App-based OTPs: Generated by authentication apps, such as Google Authenticator. Security: These are generally more secure but can still fall victim to phishing schemes.
- Email OTPs: One-time passwords sent through email. Security: These are less secure due to interception risks and frequent phishing attacks targeting email accounts.
- Push Notifications: Sent to an authentication app requiring user confirmation. Security: Generally secure but can be compromised through social engineering tactics.
2. Hardware Tokens
- U2F/FIDO2 Tokens: USB or NFC-based hardware tokens, such as a YubiKey. Security: These provide a high level of security with resistance to various forms of attacks.
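Added example (not from the article) contrasting the relayed-OTP phishing described in section 1 with the property that lets U2F/FIDO2 tokens resist it: a TOTP code relayed within its validity window is accepted by the service because nothing binds it to the site the user typed it into, while a FIDO2-style assertion signs the origin the browser saw, so one obtained on a lookalike site fails verification at the real site. The authenticator's signature is simulated with HMAC over the same fields a real assertion signs; the secrets, timestamp, challenge and site names are constructed placeholders.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # seconds each TOTP code stays valid (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp_verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus one step of clock drift either way.
    Nothing here ties the code to the site the user typed it into."""
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-window, window + 1))

def sign_assertion(cred_key: bytes, challenge: str, origin: str) -> tuple[bytes, str]:
    """Simulated authenticator: signs the challenge together with the origin the browser reports.
    (A real token uses a per-site key pair; HMAC stands in for the signature here.)"""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()

def rp_verify(cred_key: bytes, expected_origin: str, challenge: str,
              client_data: bytes, sig: str) -> bool:
    """Relying party: the signature must be valid AND the signed origin must be its own."""
    expected = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    fields = json.loads(client_data)
    return fields["origin"] == expected_origin and fields["challenge"] == challenge

def demo() -> tuple[bool, bool, bool, bool]:
    secret, now = b"constructed-shared-secret", 1_700_000_000  # constructed values
    code = totp(secret, now)
    relayed_ok = totp_verify(secret, code, now + 5)    # relayed within seconds: accepted
    late_ok = totp_verify(secret, code, now + 90)      # relayed two steps later: rejected
    key, challenge = b"constructed-credential-key", "constructed-challenge"
    data, sig = sign_assertion(key, challenge, "https://bank.example")
    genuine_ok = rp_verify(key, "https://bank.example", challenge, data, sig)
    # same token, same challenge, but the browser was on a lookalike site
    data2, sig2 = sign_assertion(key, challenge, "https://bank-login.example")
    phished_ok = rp_verify(key, "https://bank.example", challenge, data2, sig2)
    return relayed_ok, late_ok, genuine_ok, phished_ok
```

`demo()` returns `(True, False, True, False)`: the relayed OTP passes, the stale one and the assertion signed for the wrong origin do not.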
3. Passkeys
- Passkeys: These are utilized by many services as alternatives to traditional passwords. Security: When properly implemented as a second factor, they can enhance security significantly. However, their effectiveness is diluted when used merely as alternatives to passwords.
4. Biometrics
- Biometric Identification: Utilizes fingerprint scanners or facial recognition for access. Security: While generally reliable, biometrics can be spoofed, especially in close-contact scenarios.
Security Assessment and Recommendations
- Highest Security: Hardware tokens provide the best protection because they are physical objects.
- Medium Security: Passkeys and app-based OTPs, while improved, still present vulnerabilities to social engineering attacks.
- Least Secure: SMS and email OTPs are the most prone to attacks and should be used sparingly.