The latest findings state that more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.
Two-factor authentication (2FA), also referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
It provides an additional layer of security on top of the relatively vulnerable username/password system. Statistics say that 99.9% of automated attacks will be blocked for users who have enabled 2FA.
Vulnerabilities in SMS-Based 2FA
SMS is well-known for having poor security, leaving it open to a host of different attacks. Microsoft has advised users to abandon 2FA solutions that leverage SMS and voice calls.
SIM swapping lets an attacker convince a victim’s mobile service provider that they are the victim and then request that the victim’s phone number be switched to a device of their choice.
SMS-based one-time codes can also be compromised through readily available tools such as Modlishka, which rely on a technique called a reverse proxy.
Experts have also found an attack that exploits a Google Play Store feature for automatically installing apps from the web onto your Android device.
The Attack on Android
The attackers can leverage a compromised email/password combination connected to a Google account to install a readily available message mirroring app on a victim’s smartphone via Google Play.
The attackers then use social engineering techniques to convince the user to enable the permissions the app requires to function. For instance, they may pretend to be calling from a legitimate service provider to persuade the user to grant those permissions. From that point on, the attackers remotely receive all communications sent to the victim’s phone, including the one-time codes used for 2FA.
How to Stay Protected?
Users should make sure to use a well-crafted password, and it is recommended to limit the use of SMS as a 2FA method. App-based one-time codes, such as those from Google Authenticator, are a better choice because the code is generated within the app on your device itself rather than being transmitted to you.
Users can utilize dedicated hardware devices such as YubiKey, an authentication device designed to support one-time password and 2FA protocols without having to rely on SMS-based 2FA.
Using these physical devices therefore reduces the risks associated with visible one-time codes, such as codes sent by SMS, according to the article published on The Conversation.