Have you heard of two-factor authentication? Also known as 2FA or 2-step verification, it is a technology that has been around for quite some time.
Patented in 1984, 2FA identifies users based on the combination of two different components. During the last few years, 2FA has been regarded as a secure way of user identification. However, recent research may just prove this belief wrong.
The various types of social engineering can easily trick the user into confirming their authentication codes. How could this be done? According to Nasir Memon, Computer Science professor at Tandon School of Engineering, the crook would simply need to ask the user for the official verification code.
How? By sending a second, falsified text message or email asking the user to forward the original one. Prof. Memon has seen this happen multiple times. This type of 2FA is mostly used across the Internet to verify the identity of a user who has lost their password. Such codes are usually embedded in an email hyperlink.
To prove that 2FA is actually unreliable, Prof. Memon, together with his colleagues Hossein Siadati and Toan Nguyen, published a paper based on their experiments that illustrates 2FA-related problems. As it turns out, 2FA is mostly a problem in SMS communications.
What Is SMS-based 2-factor Authentication?
SMS-based verification is a subset of two-factor authentication (2FA) mechanisms in which a one-time password is used as the second factor. SMS-based verification cannot provide security against a phishing attack: in a successful phishing attack, the attacker lures the victim into entering the one-time password as well. This attack is already deployed by attackers in the wild.
The Experiment
To prove their point, the researchers gathered a group of 20 mobile phone users, only to discover that a quarter of them would instantly forward the verification code when prompted.
What the researchers did was imitate a Verification Code Forwarding Attack (VCFA), a term they coined for social engineering schemes in which cyber crooks lure users into handing over their 2FA codes.
So, here’s what happened during the VCFA on the 20 mobile users:
[…] we imitated a VCFA attack using messages similar to Google verification code messages. We bought two 10-digit U.S.A. phone numbers, one for imitating the role of a service provider (e.g., Google in our experiment) and the other one for imitating the role of the attacker (e.g., sending phishing messages to subjects). The area code for the phone numbers was Mountain View, CA (the area code for Google’s headquarters) to make the first message appear more legitimate and the second one more deceptive. We randomly selected 20 subjects from the contact list of the experimenters. The subjects included 10 males and 10 females, mostly aged between 25 and 35. 70% of the subjects were students. […] We sent two messages to each subject from two different numbers. […] 5 out of 20 subjects forwarded the verification codes. This translates to a 25% success rate for the VCFA attack.
When VCFA attacks happen in an email ecosystem, it’s easier for the user to determine whether a message is genuine or fake. In SMS, however, it’s much more difficult to tell the difference. In other words, SMS is not like an email message, where the user can have a good look at the sender’s address and make sure it is real.
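As an added illustration (not code from the article or from the paper), the following handset-side heuristic applies exactly the sender-and-content check that SMS users rarely make: a message carrying code digits is treated as a delivery, and a later message that talks about a code, carries none, and asks the recipient to forward, reply or share is flagged as a possible VCFA lure. The inbox, phone numbers and message wording below are constructed for the example and modelled on the two-number setup described in the experiment.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Sms:
    sender: str  # number as displayed by the handset
    body: str


# Constructed sample inbox: a Google-style code message from one number,
# then a second number asking the recipient to forward that code.
INBOX = [
    Sms("+16505550100", "G-482913 is your Google verification code. Don't share it with anyone."),
    Sms("+16505550199", "Google Security: a verification code was sent to you by mistake. "
                        "Please forward it to this number to protect your account."),
    Sms("+16505550100", "G-771024 is your Google verification code."),
    Sms("+14155550123", "Hey, dinner at 7? Send me the address."),
]

OTP_DIGITS = re.compile(r"\b(?:G-)?\d{6}\b")                        # an actual code is present
CODE_WORDS = re.compile(r"\bcodes?\b", re.I)                          # the message talks about a code
HANDOVER = re.compile(r"\b(forward|send (?:it|us|me|the)|reply|share)\b", re.I)


def find_vcfa(inbox: List[Sms]) -> List[Tuple[int, str]]:
    """Return (index, label) for messages that ask the user to hand over a code.

    A genuine OTP message carries the digits (even when it says "don't share");
    a VCFA lure talks about a code, carries no digits, and asks to forward/reply.
    The label records whether the lure came from a number already seen delivering
    codes (spoofed or reused sender ID) or from a second number, as in the paper.
    """
    code_senders = set()
    hits = []
    for i, msg in enumerate(inbox):
        if OTP_DIGITS.search(msg.body):
            code_senders.add(msg.sender)  # delivery of a code, not a request for one
            continue
        if CODE_WORDS.search(msg.body) and HANDOVER.search(msg.body):
            label = "same-sender" if msg.sender in code_senders else "second-number"
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for i, label in find_vcfa(INBOX):
        print(f"message {i} from {INBOX[i].sender}: possible VCFA ({label})")
```

A real provider never asks for a code back, so a request of this kind is suspicious regardless of which number it arrives from; the label only tells the user whether the sender ID matches one that previously delivered codes.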
Have a look at the whole research.