
A recent study highlighted that more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen. The implementation of two-factor authentication (2FA) has therefore become a necessity. Generally, 2FA aims to provide an additional layer of security on top of the relatively vulnerable username/password system. But modern attackers have found ways to bypass 2FA.
Major vendors such as Microsoft have urged users to abandon 2FA solutions that rely on SMS and voice calls. This is because SMS is notorious for its poor security, leaving it open to a host of different attacks.
SIM swapping involves an attacker convincing the victim's mobile service provider that they are the victim, and then requesting that the victim's phone number be switched to a device of the attacker's choice.
SMS-based one-time codes have also been shown to be compromised through readily available tools such as Modlishka, which leverage a technique called reverse proxying. The proxy sits between a genuine service and the victim, intercepting their communication and tracking and recording the victim's interactions with the service, including any login credentials and one-time codes they submit.
A particular attack exploits a feature of the Google Play Store that allows apps to be installed from the web onto your Android device. Because of account syncing, if an attacker manages to compromise your Google login credentials on their own device, they can then install a message mirroring app directly onto your smartphone.
Once the app is installed, the attacker can apply simple social engineering techniques to convince the user to enable the permissions required for the app to function properly.
Although multiple conditions must be fulfilled for this attack to work, it still demonstrates the fragile nature of SMS-based 2FA methods. The attack does not require high-end technical capabilities; it simply requires insight into how these specific apps work and how to use them intelligently against a victim. The threat is even more real when the attacker is a trusted individual with access to the victim's smartphone.
To counter these types of attacks, restrict the use of SMS-based authentication and use a mobile authenticator app such as Google Authenticator instead. Even these apps, however, can be exploited by attackers. To further mitigate the fraud, use a hardware key such as a YubiKey, which relies on 2FA plus an additional, more secure mode of authentication.
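The reverse-proxy interception described above and the hardware-key recommendation come together in the following added example, which is not from the original article: a Python model of the checks a relying party performs on a FIDO/WebAuthn login, showing why an assertion relayed through a proxy on a look-alike origin is rejected while a relayed SMS code is not. The origin, RP ID, credential key, proxy hostname and challenge values are constructed, and an HMAC stands in for the authenticator's real ECDSA signature.

```python
import hashlib
import hmac
import json

RP_ID = "example.com"               # assumed relying-party id of the genuine service
RP_ORIGIN = "https://example.com"   # assumed origin the genuine service serves from
KEY = b"demo-credential-secret"     # constructed; stands in for the credential's private key


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_login(browser_origin: str, challenge: str, key: bytes = KEY) -> dict:
    """Model of what the browser and authenticator do during a FIDO login.

    The browser records the origin it is really talking to in clientDataJSON and
    binds the authenticator to that origin's host as the RP ID; the authenticator
    then signs rpIdHash || sha256(clientDataJSON). HMAC replaces the ECDSA
    signature a real key would produce (simplification for an offline demo)."""
    rp_id = browser_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    auth_data = _sha256(rp_id.encode())   # rpIdHash: first 32 bytes of authenticatorData
    signature = hmac.new(key, auth_data + _sha256(client_data), "sha256").digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: str, key: bytes = KEY) -> tuple[bool, str]:
    """Relying-party checks: fresh challenge, our own origin, our own rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False, "stale or unknown challenge"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != _sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, assertion["authenticatorData"] + _sha256(assertion["clientDataJSON"]),
                        "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def verify_sms_code(submitted: str, expected: str) -> bool:
    """An SMS or TOTP code says nothing about where it was typed, so a proxied code verifies."""
    return hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    challenge = "constructed-challenge-123"
    print(verify_assertion(browser_login(RP_ORIGIN, challenge), challenge))
    # Victim's browser sits on the proxy's look-alike origin; the proxy relays the assertion unchanged.
    print(verify_assertion(browser_login("https://example.com.login-proxy.test", challenge), challenge))
    print(verify_sms_code("482913", "482913"))
```

Rewriting the relayed clientDataJSON to carry the genuine origin does not help either: the rpIdHash check, and after that the signature check, still fail because the authenticator signed over the proxy's host.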