2FA Immune Phishing Attacks Are on the Rise -- Security Today

2FA Immune Phishing Attacks Are on the Rise

2FA is more secure than single-factor methods only requiring a password, but it's not an impenetrable method.

By Kayla Matthews
Mar 25, 2019

People are used to two-factor authentication (2FA) security measures that bolster account protection. They require the account owner to provide something they know, as well as something they own.

For example, a person might get a text message containing a code that pops up on their smartphone. The password represents the knowledge aspect, and the code is the possession part.

Then, if a person's password somehow becomes compromised, the thief ideally wouldn't also have the smartphone text message.

That system sounds like a valid one, but experts warn hackers have even found a way to bypass the safeguards 2FA should provide.

A New Kind of Phishing

Nicolas Lidzborski, a security engineering lead at Google, mentioned the company had seen a substantial increase in 2FA phishing attacks. When speaking about the matter at a cybersecurity conference, he clarified that 2FA is more secure than single-factor methods only requiring a password, but it's not an impenetrable method.

How do hackers carry out these attacks? They use so-called "phishing kits" to create fake login pages people go to when they type in the 2FA code. After that, the cybercriminals may have to act quickly.

2FA codes typically only give access within small windows of time. Some are as long as 60 minutes. But, at Google, the codes become inactive in just 30 seconds. Automated platforms can use the 2FA code before it expires, though. If a hacker uses one of those, they could let those tools automatically wreak havoc on a victim by grabbing the information and using it to break into an account.

Like the lottery scammers that get phishing victims to divulge details by presenting them with links that go to phony login screens or forms, the people who orchestrate 2FA attacks may painstakingly create the pages that capture a victim's details, going to substantial lengths to ensure aspects like the font or graphics seem authentic.

Considering that the people received legitimate 2FA codes shortly before typing them in, most individuals wouldn't stop to think about how the forms might be fake. Indeed, this is a relatively new issue that hasn't reached mainstream consciousness yet.

A Security Researcher Makes a Tool to Bypass 2FA

Eventually, people may look back on 2019 as the year when people realized 2FA is not a foolproof method. In early January, news broke about a security researcher who created a penetration testing tool showing the potential ineffectiveness of 2FA. It's a modified reverse proxy that records all a phishing victim's interactions and traffic as they enter details into a login screen.

This example describes the phishing kits explained earlier. But, its creator says it's easier to implement and automate than other available options. If tools like this one become widely available to cybercriminals, it'd potentially become much easier for people to fool phishing victims, despite having limited tech knowledge.

Even worse, the fake forms people enter information into could seem so realistic that it becomes virtually impossible for everyday internet users to detect any oddities about them.

Advancements in 2FA

These developments illustrate why it's time for 2FA to develop beyond the method of text message codes. Fortunately, the evolution is ongoing. Some more advanced forms of 2FA send push notifications to mobile devices.

Additionally, cases exist where the second element if 2FA is not something people have, but something they are. For example, someone might fulfill the latter component of 2FA by pressing on a biometric fingerprint reader embedded in their smartphone.

Once a user interacts with those notifications, access gets granted. This method reportedly doesn't produce anything a hacker could steal. It's convenient for the user, too, because they don't need to type anything in to access the site or service. That's good news, especially since the databases maintained by the third-party companies that verify users' phone numbers and send 2FA text message codes have flaws, too.

One of those companies, called Voxox, had a database vulnerability that exposed at least 26 million text messages to a security researcher who was able to see the outgoing text messages almost in real time. Voxox took the database offline, but the event emphasizes another reason why people shouldn't blindly believe 2FA will protect them from hacks in all cases.

Hackers Continually Seek New Attack Methods

This coverage serves as a reminder that hackers keep pace with security developments and find ways to make them less effective.

Security researchers sometimes find the issues before hackers do, but people need to exercise caution nevertheless and remember how creative hackers are when they trick victims.

Featured

UL Solutions Launches Artificial Intelligence Safety Certification Services

UL Solutions Inc., a global leader in safety science, today announced the launch of artificial intelligence (AI) safety certification services, enabling comprehensive assessments for evaluating the safety of AI-powered products. Read Now
- Artificial Intelligence
Ransomware Attacks Rise for the First Time in Six Months

Ransomware attacks have risen for the first time in six months, increasing by 28% month-on-month to 421 attacks. While overall attack volume remained below 500, the uptick may signal a renewed escalation heading into the year’s most active period for cyber criminals. Read Now
- Cybersecurity
Report: 47 Percent of Security Service Providers Are Not Yet Using AI or Automation Tools

Trackforce, a provider of security workforce management platforms, today announced the launch of its 2025 Physical Security Operations Benchmark Report, an industry-first study that benchmarks both private security service providers and corporate security teams side by side. Based on a survey of over 300 security professionals across the globe, the report provides a comprehensive look at the state of physical security operations. Read Now
- Guard Services
Identity Governance at the Crossroads of Complexity and Scale

Modern enterprises are grappling with an increasing number of identities, both human and machine, across an ever-growing number of systems. They must also deal with increased operational demands, including faster onboarding, more scalable models, and tighter security enforcement. Navigating these ever-growing challenges with speed and accuracy requires a new approach to identity governance that is built for the future enterprise. Read Now
- Cybersecurity
Eagle Eye Networks Launches AI Camera Gun Detection

Eagle Eye Networks, a provider of cloud video surveillance, recently introduced Eagle Eye Gun Detection, a new layer of protection for schools and businesses that works with existing security cameras and infrastructure. Eagle Eye Networks is the first to build gun detection into its platform. Read Now
- Active Shooter

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

Camden CV-7600 High Security Card Readers

Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.
Mobile Safe Shield

SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.
A8V MIND

Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.