Two-factor authentication, or 2FA, is now widely regarded as the minimum required to protect users against phishing. For years, hackers, cyber-criminals, and identity thieves have used phishing to lure unsuspecting victims into downloading booby-trapped attachments, visiting bogus websites, and divulging sensitive information.
Account profiles and credentials such as usernames and passwords have long been favored targets – and the introduction of a second stage in verifying the identities of users before allowing them access to their various accounts (i.e., two factor authentication) has been making life more difficult for the perpetrators.
In this article, we’ll be discussing how 2FA assists in thwarting phishing attacks. We’ll also observe how the war against the phishing community is far from won – and look at measures for increasing your resistance.
Phishing for Profit
In the early days of phishing, cyber-criminals mostly targeted private individuals, hoping to obtain usernames and passwords through a combination of clever lures, fake websites, key-loggers, and spyware. Companies and individuals alike were also targeted as a means of distributing various strains of malware.
With the growth of eCommerce, digital marketing, and online financial services, getting unsuspecting users to do exactly what an attacker wants has become a lucrative exercise. Captured personal or corporate credentials give attackers access to bank and credit card accounts, where they can authorize transactions that yield funds directly, and business or financial information obtained through phishing can be resold on underground markets.
The Role of Two Factor Authentication (2FA)
An established phishing practice is to build a bogus website, where whatever the victim types into the login form is captured, as the final destination for the lure. The TLS protocol (the successor to SSL) used by HTTPS sites gives some protection here, but only for data in transit: it guarantees that the browser is talking to the holder of a valid certificate for the hostname in the address bar, not that this hostname is the one the user intended to visit.
TLS was designed to prevent “Man in the Middle” (MitM) attacks, in which an attacker inserts themselves into the communication path between a user (client) and a website (server) to read the information passing between them or to inject their own data into the stream. It does this by having the server prove its identity with a certificate and by encrypting and integrity-protecting the traffic.
Two Factor Authentication looks to reduce this risk further, by requiring users to identify or authenticate themselves to a website by another method, in addition to their standard “username plus password” login procedure.
Authentication factors fall into three categories:
- Something you have: a physical object in your possession, such as your phone, a hardware token, or a smart card.
- Something you know: a secret such as a password or PIN.
- Something you are: a physical trait or biometric, such as a fingerprint, face, or iris pattern.
A username is not a factor at all: it is a public identifier that says who is claiming to log in, and the password is the single factor (something you know) that backs the claim. Username plus password is therefore single-factor authentication, however many fields the form has.
2FA requires a second factor from a different category. In practice that is usually a one-time password (OTP) generated by an authenticator app on a phone or by a hardware token (something you have), or a biometric (something you are). A PIN on its own does not qualify: it is another thing you know, and the same phishing page that captures the password can capture it too.
How 2FA Thwarts Phishing Attacks
On the technical side, phishing succeeds because TLS only authenticates the server: the certificate proves that the browser reached the holder of a certificate for the hostname in the URL, and the user’s own identity is then proven at the application layer, by typing into a form. A phishing site is simply another server with its own form, and it collects whatever is typed into it. 2FA adds a step that a stolen password alone cannot complete, and that step is hard for the attacker to interfere with if the second factor is something that cannot be copied or read from the attacker’s side.
Of course, if the second factor is a static secret that the user types in like a password, it can be captured in the same way, whether by a phishing page, a keylogger, or interception of unencrypted traffic on an open network such as public Wi-Fi, and the scheme collapses immediately. Well-constructed 2FA systems avoid this by never sending the long-term secret over the network at all: only something derived from it, valid once and for a short time, is ever transmitted.
The most common way of achieving this is to make the second factor something the user always carries, or something that is physically part of the user. A biometric such as a fingerprint, face, or iris pattern is normally matched on the user’s own device, and the stored template never leaves it, so there is nothing in the login exchange for a phishing site to collect. A one-time password generated on a personal device or hardware token is derived from a seed key that never leaves the device; only the short-lived code is sent, so a captured code is single-use and expires within seconds or minutes.
So even if a phishing lure sent by email or SMS nets the attacker the user’s username and password, the next stage in the 2FA process becomes a stumbling block.
For these reasons, 2FA has been widely adopted by many top businesses and by the internet’s biggest names. Google offers it as 2-Step Verification, Facebook supports it on user accounts, and Amazon Web Services (AWS) accepts time-based one-time codes from virtual MFA apps such as Google Authenticator, as do numerous other organizations.
Where Two Factor Authentication Can Fail
It’s not all good news, however. As far back as 2015, a sophisticated spear phishing attack was discovered which targeted a victim’s email address and mobile phone number to exploit their email provider’s password recovery feature, as a step in bypassing two factor authentication.
Under a typical password recovery process, an email provider sends a verification code to the requesting user’s mobile phone via SMS. The user enters this code into the recovery dialog and can then go on to reclaim their account and / or reset their password. Attackers were able to trigger this flow themselves by going to the email service, clicking the “I forgot my password” link and giving the victim’s address, prompting the service to send the targeted subscriber a genuine recovery text message.
The attacker would then send a phishing message to the targeted user’s mobile phone along the lines of “XYZmail has detected unusual activity on your account. Please reply with the code sent to your mobile device to rectify this”. The victim would reply with the real SMS recovery code just sent by their email service, which the attacker could then enter on the recovery page to reset the password and take over the account.
Gmail, Yahoo Mail and Hotmail users were successfully targeted with this ploy.
And this year (2018) has seen attackers turn their attention to mobile messaging platforms such as Skype, WhatsApp, and Tinder as tools for bypassing 2FA, as well as setting their sights on higher profile targets like LinkedIn, Microsoft, and PayPal.
Bogus sites built to look just like the real thing are the attacker’s way in here, coupled with phishing messages urging some immediate action to avoid losses to the account, exposure of sensitive documents, or worse. The fake login page captures the username and password, and if it also asks for the one-time code, the attacker can enter that code on the genuine site before it expires: a code that is valid for only a short time is still valid for long enough to be relayed in real time.
URL spoofing techniques, cheap or free domain-validated certificates (which give the fake site a valid HTTPS padlock just like the real one), sophisticated web design, and the small screens of mobile devices, which hide the fine details of a URL, have all been assisting the phishing fraudsters in their efforts.
These developments emphasize the need for increased user awareness of the phishing threats they face, and highlight the importance of cyber-security awareness training in the working environment, coupled with personal vigilance and common sense outside it.
Technology can help too, in the form of tools like domain blockers and spam filters that stop the lure, or the lookalike site, from reaching the user in the first place.
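The kind of check such a domain blocker performs, as an added example written for this article rather than any vendor’s product: given a URL from a message, it looks for the spoofing tricks described above, namely a brand name hidden in a subdomain, a username before “@” masquerading as the host, punycode (xn--) hostnames, characters that render like ASCII letters, and one-character typosquats. The protected-domain list, the confusable-character table and the test URLs are all constructed for the example, and the “last two labels” rule for the registered domain is a deliberate simplification of the Public Suffix List.

```python
# Added example: heuristic checks for URLs that impersonate a protected domain.
# Illustrative code written for this article; all lists below are constructed.
from urllib.parse import urlsplit
import unicodedata

# Constructed list of brands to protect; a real deployment would load its own.
PROTECTED_DOMAINS = {"paypal.com", "linkedin.com", "microsoft.com"}

# Partial, constructed table: characters that render like an ASCII letter
# (Cyrillic lookalikes first, then digits and punctuation used in typosquats).
CONFUSABLE_CHARS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l", "\u0455": "s",
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
}
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(host: str) -> str:
    """Fold a hostname to the ASCII string a human would read it as."""
    s = unicodedata.normalize("NFKD", host)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for pair, repl in CONFUSABLE_PAIRS:
        s = s.replace(pair, repl)
    return s.lower()


def decode_punycode(host: str) -> str:
    """Turn xn-- labels back into the Unicode the browser would display."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # undecodable label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def registered_domain(host: str) -> str:
    """Simplification: the last two labels. Real code should use the Public
    Suffix List so that names such as example.co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str) -> list:
    """Return (kind, detail) findings; an empty list means no impersonation seen."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return [("unparseable", url)]
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the text before '@' is userinfo, not the host
        findings.append(("userinfo", f"'{parts.username}@' precedes the real host {host}"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("punycode", host))
        host = decode_punycode(host)
    if registered_domain(host) in PROTECTED_DOMAINS:
        return findings  # genuinely the protected site (a userinfo trick is still reported)
    folded = skeleton(host)
    reg = registered_domain(folded)
    brands = {p.split(".")[0] for p in PROTECTED_DOMAINS}
    if reg in PROTECTED_DOMAINS:
        findings.append(("lookalike", f"{host} displays like {reg}"))
    elif any(b in folded for b in brands):
        # brand used as a subdomain or inside another label: paypal.com.verify.example
        findings.append(("brand-elsewhere", f"brand name inside {host}; registered domain is {reg}"))
    for p in PROTECTED_DOMAINS:
        if reg != p and edit_distance(reg, p) == 1:
            findings.append(("typosquat", f"{reg} is one edit away from {p}"))
    return findings


if __name__ == "__main__":
    # Constructed sample URLs of the kind found in phishing messages.
    for sample in ("https://www.paypal.com/signin", "https://paypa1.com/login",
                   "https://paypal.com.account-verify.example/login",
                   "https://paypal.com@evil.example/", "https://p\u0430ypal.com/"):
        print(sample, "->", analyze_url(sample))
```

The folding table deliberately maps digits to letters, so a legitimate name containing a “0” or “1” is flagged only when the folded result collides with a protected domain; the brand-name substring check is the noisiest rule and is the one to tune per deployment.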
Phishing is a complex and constantly mutating threat, and countering it requires this combination of measures to support the work of two factor authentication.