SMS text two-factor authentication "bypassed at scale"

So much easier to bypass 2FA by just calling Verizon, and switching the target’s phone to your number. They will almost always do it without question.
Then login to any of their accounts, say I forgot my password, and get the code sent to you.
Clean out the account, toss the burner phone.

2FA is terrible security when you make your public phone number your password.
If people were aware that anyone on Earth could take everything you have in the blink of an eye they would be terrified.

2 Likes

Roger That!

2 Likes

Easier for one off attacks where the hacker already knows the victim’s log in and password, perhaps, since you don’t have to set up a fake website and trick the victim into using it. But the SIM swap attack doesn’t scale efficiently. The man in the middle phishing attack in the OP is automated, and doesn’t even require knowing victim’s login, password or cell phone number - the victim supplies all of the login information and the 2FA code from their phone. So on a large scale this attack is much easier than your SIM swap attack.

2 Likes

I think the SMS is a real one that the fake site triggered from the real site.

The user gets the code from the real SMS, enters it on the fake site, fake site takes that and sends it to the real site to bypass the security.

Even if SMS were secure, it wouldn’t help if the process involved typing a code from a message to what the person thought was the real site.

4 Likes

Every single person you pass on the street could shoot you in the back the moment you pass them. We all are what we are and have what we have by the grace of others. I think we need to find a way to not be terrified by that (or a way to live in terror, I guess).

8 Likes

Here's an interesting article from Dark Reading

https://www.darkreading.com/identity-and-access-management/the-problem-with-two-factor-authentication/d/d-id/1113697

2 Likes

Yahoo has a security app for the phone which handles login completely without passwords or SMS. Once it is installed and required, it seems like it would be about as secure as a hardware dongle, although there’s always the loophole of getting people to tell Yahoo “I lost my phone”. But that loophole also exists for “I lost my security dongle”.

And if anyone wonders why I still use yahoo email instead of gmail, it’s because google has too much of my data already, and without access to my email it’s harder for them to get that 360 degree view of my online activity.

1 Like

I hate this new idea of 2 factor. My iphone died while away and I wasn’t able to get any email or access to my account via iCloud - because my phone was dead. You literally need two apple products to be able to use it. Currently I am bringing my iPad to work just so I can have it to sign into iCloud when at work. (I’m looking for a smart phone with a headphone jack and haven’t replaced it yet, so I’m still screwed.)

1 Like

The big difference is between two factor authentication systems that put major barriers in the way of known social weaknesses and those that do not:

The most basic implementation is a password manager that simply doesn’t volunteer to populate your password for a given login if the page you are interacting with is some other domain. This doesn’t stop the user from reusing passwords or manually circumventing the password manager in the belief that it is in error in not populating that password field for them; but it raises the bar.

The more intricate approaches, like the token binding arrangements that U2F offers, put cryptographic force behind the same concept and make it essentially infeasible to provide the credentials for one login to a different entity.

(There’s also the unpleasant fact, for SMS, that eavesdropping on codes delivered that way, even without tricking the user, is a much lower bar than one would want it to be; almost any other one time password scheme at least protects the secret well enough to require tricking the human.)

4 Likes

That’s not quite it. If you use any kind of 2FA that authenticates you to the service via a time limited password, it’ll work. SMS, an OTP token or smartphone software. It’s all the same.

The thing that would prevent this would be a 2FA method of some kind that would verify the web page or server that is asking you to authenticate yourself, and refuse to give you a valid 2FA password if the service isn’t a valid one, or give you a non-transferable authenticator that works only for that service.

For example, if the 2FA method hashed the URL of the web page you’re typing into, into the other secret data, so as to produce a 2FA password valid only for that site. If you’ve been tricked into typing your password and 2FA password into evil-phishing-site.com, and then evil-phishing-site.com passed that along to legitimate-bank.com, the phishers wouldn’t have a 2FA token that’s valid at legitimate-bank.com, so it would fail.

4 Likes

Exactly so. Rather, this is “digital Darwin”, so to speak ^^’.

That is a very observant comment. Kudos.

Well, yeah but it’s not like you get a choice a lot of the time.

1 Like

Sincere question: my bank will let me use a security key to login, but says that if I’ve misplaced my key, I can choose to login with 2FA via text. Doesn’t this defeat the whole purpose?

They’re not “bypassing” anything. It’s phishing. If you’re not a fool, you won’t get phished. Pay attention to the URL. No security measures out there can save people from being careless. Getting phished is akin to “accidentally” telling someone else all of your login info. Pay attention, simple as that.

I’m not a security expert but I’m going to say “yes and no” because there are a few purposes to a FIDO key (I’m going to assume a FIDO key since you didn’t specify what kind of hardware key).

Simultaneously enabled alternate 2nd Factor Authentication methods weaken security:

Any time you add alternate ways to access an account you reduce security, such as having a super strong 100 digit password and an alternate, weaker security question (“What is your shoe size?”). A hacker can just go after the weaker authentication method. The same goes for alternate 2nd factor authentication. If a hacker has your account and password info from a mass password breach, but you have both a FIDO key and SMS enabled as alternate 2nd factor authentication, the hackers can ignore the FIDO method and just attack SMS vulnerabilities by using a SIM swap attack, or an attack on the SS7 interconnection network.

You still get phishing protection when you use a FIDO key, even if you have SMS enabled as an alternative:

Although having alternate 2nd factors enabled creates more vulnerabilities, you are still protected from man in the middle, fake login page attacks every time you use your FIDO hardware key. It uses token binding so that your key can’t be tricked into being intercepted on a fake site and then used on the real site. As long as you don’t use the SMS method as your 2nd factor, even if it is enabled as an alternate, you are protected from phishing attacks that try to trick you into using a fake log in page. But the other vulnerabilities of SMS remain.

There is one other complication to consider. Good security takes behavior into account. If a bank is smart, they could up the fraud detection level on your account if you suddenly use SMS instead of your FIDO key, and limit the amounts and places you can do transactions to ones you have historically already used. But I have no idea if any bank is currently doing that.

Also, I suspect your bank may not use a FIDO key, the only key I know of that prevents phishing attacks. A number of banks have used security tokens with LCD screens that show a series of time based one time codes that you type to a login screen. These codes work the same as Authy, and can be phished exactly like Authy and SMS in the OP.

2 Likes
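Added example, not from any post in this thread: a small Python model of the difference the two posts above describe, between an ordinary time-based code (which a real-time phishing relay can forward to the real site) and a code that folds the origin the user is typing into into the secret (which fails when the phisher forwards it to legitimate-bank.com). The seed, the two origins and the timestamp are constructed for the demo; the "bound" scheme is a toy illustration of the post's idea, not how U2F/FIDO actually encodes the origin.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the thread): a shared OTP seed and the two
# origins named in the post. A real seed is random and never hard-coded.
SEED = b"constructed-demo-seed-not-a-real-secret"
BANK = "legitimate-bank.com"
PHISH = "evil-phishing-site.com"
STEP_SECONDS = 30

def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits from the HMAC, keep `digits` decimals."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def plain_totp(seed: bytes, now: float) -> str:
    """Ordinary TOTP (Authy- or SMS-style code): depends only on seed and time
    window, so it verifies wherever it is forwarded to."""
    msg = struct.pack(">Q", int(now // STEP_SECONDS))
    return _truncate(hmac.new(seed, msg, hashlib.sha1).digest(), 6)

def origin_bound_otp(seed: bytes, origin: str, now: float) -> str:
    """The post's proposal: mix the origin the user is actually on into the HMAC.
    8 digits here only so a chance match is negligible in the demo."""
    msg = struct.pack(">Q", int(now // STEP_SECONDS)) + origin.lower().encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest(), 8)

def bank_verifies(code: str, now: float, bound: bool) -> bool:
    """Server side: the bank recomputes with ITS OWN origin and clock; it never
    learns or trusts the origin the user believed they were on."""
    expected = origin_bound_otp(SEED, BANK, now) if bound else plain_totp(SEED, now)
    return hmac.compare_digest(expected, code)

def relay_attack_succeeds(now: float, bound: bool) -> bool:
    """Model the OP's real-time relay: the victim types the code into the phishing
    page, which forwards it to the bank within the same 30-second window."""
    typed = origin_bound_otp(SEED, PHISH, now) if bound else plain_totp(SEED, now)
    return bank_verifies(typed, now, bound)

if __name__ == "__main__":
    t = 1_700_000_000.0  # constructed fixed timestamp
    print("plain TOTP relayed, bank accepts:", relay_attack_succeeds(t, bound=False))
    print("origin-bound code relayed, bank accepts:", relay_attack_succeeds(t, bound=True))
```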

[emphasis added]

It’s really not. My bank. Amazon. And many other companies that should know better regularly send out emails with links to click on, thus training people to trust and click on links in emails. Additionally, they often use various URLs for different web services, and even 3rd party scripting and redirects, rather than just their own primary domain (PayPal, for instance, uses the very phishy sounding paypalobjects dot com), forcing users to accept alternate domains as a legitimate practice. Fake URLs can be very convincing, especially now that non-Latin characters are allowed. And security certs can be spoofed. Websites that should be using EV certs don’t (I’m lookin’ at you Google). Plus there is DNS poisoning, cross scripting attacks, and more.

Being vigilant is good, but claiming it is “simple as that” is simplistic and false.

2 Likes
