For years, cybersecurity experts have tried to hammer the need for two-factor authentication (2FA) into the minds of users. There’s a reason why. It is one of the most fundamental things one can do to protect digital assets. Yet 2FA is not a panacea, and new phishing techniques show why.
Recently Google has identified an unsettling trend: a rise in phishing scams that are designed to trick users into coughing up their 2FA code. These “phishing kits” steal both a user’s password as well as the 2FA code, allowing an attacker to pilfer an account even if that account utilizes the added security 2FA provides.
Generally, 2FA involves a code being sent to a second device (usually a smartphone) that a user must enter to access an account. These codes are typically time-based and expire after a brief period (such as 30 seconds). Attackers have discovered ways to steal these codes, bypass the security feature, and break into accounts.
The traditional way that 2FA could be bypassed involved hardware. In a SIM swapping scam, an attacker would trick a mobile phone provider into porting an existing telephone number to a new SIM, one owned by the attacker. Then they would have access to the second factor.
In this new 2FA scam, an attacker doesn’t need to go through the hassle of duping cell phone providers, just a single user. In this new type of attack, a user receives a convincing-looking security alert via email, purportedly from Google or Yahoo, that leads to a fake login page prompting the user to change his password. A legitimate second factor is sent to the user’s mobile device, and when the user types the code into the fake login page, the attacker then has all the information they need to break into the account. All of this has to be done very quickly, because of the code’s time-sensitivity. Because the attack is automated, the stolen code can be used before it expires.
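To make the timing point concrete, here is an added example (not code from the original article) implementing the time-based one-time password scheme (TOTP, RFC 6238) that most authenticator apps use, with the 30-second step the article mentions. The secret key is the RFC’s own test key, not a real credential, and `relay_window` is a hypothetical helper that answers the defender’s question: how long does a code that has just been displayed to the user remain acceptable to the real server? The answer depends on the time step and on any clock-skew tolerance the server allows, which is why a relay that works within seconds stays inside the window.

```python
import hmac
import hashlib
import struct

STEP = 30  # seconds per TOTP time step (the "30 seconds" in the article)

# RFC 6238 test key, used here as a constructed example secret
EXAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1 variant) for a Unix time."""
    counter = at_time // step                      # which 30-second step we are in
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, code: str, at_time: int,
           step: int = STEP, skew: int = 0) -> bool:
    """Server-side check. `skew` is how many neighbouring steps the server also accepts
    to tolerate clock drift; many deployments allow 1, which widens the window."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at_time + k * step, step), code):
            return True
    return False


def relay_window(secret: bytes, issued_at: int, delay: int,
                 step: int = STEP, skew: int = 0) -> bool:
    """Hypothetical helper: is a code shown to the user at `issued_at` still accepted
    by the real service when it arrives `delay` seconds later?"""
    code = totp(secret, issued_at, step)
    return verify(secret, code, issued_at + delay, step, skew)


if __name__ == "__main__":
    # A code relayed 10 s after issue is still valid; one relayed 30 s later
    # has crossed a step boundary and fails, unless the server tolerates skew.
    start_of_step = 1111111110  # a Unix time that begins a 30-second step
    print(relay_window(EXAMPLE_SECRET, start_of_step, 10))          # True
    print(relay_window(EXAMPLE_SECRET, start_of_step, 30))          # False
    print(relay_window(EXAMPLE_SECRET, start_of_step, 30, skew=1))  # True
```

The practical lesson for defenders is that shrinking the step or tightening skew only narrows the relay window; it never closes it, because a code typed into the wrong page is indistinguishable from one typed into the right page. The fix has to come from binding the factor to the site, which is what hardware keys do.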
This is a very significant development in the all-enduring phishing scam. Yet there are things you can do to protect yourself and your organization.
You Still Need 2FA: Don’t let this news deter you or your organization from using 2FA. You still want to implement 2FA wherever you can, especially on your most sensitive accounts like email. When you think about 2FA you can think of it like a moat around a castle. A strong password is like your drawbridge; a moat is going to further deter an army from attacking, so you are going to want to have one.
Most hackers are lazy, and they are allowed to be because most users of the internet are lazy. If you make it even slightly demanding for an attacker, they likely will move on to another user, because there are plenty more of them who won’t make it difficult.
If a password is a drawbridge and 2FA is a moat, a YubiKey hardware key is a fire-breathing dragon. You may want to consider a fire-breathing dragon.
Consider a YubiKey: A YubiKey is a hardware-based authentication token. It provides 2FA through a fob that must be inserted into a device to access an account. An attacker, in theory, would have to physically steal the hardware key to bypass 2FA, and this is much less likely than someone intercepting an authentication code sent to a device. YubiKey is the most popular type of hardware key. It works with many online services and many different password managers.
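The reason a hardware key resists the relay attack described above is not only that it is hard to steal: when used through the FIDO/WebAuthn protocol that YubiKeys support, the browser passes the page’s real origin to the key, and the key includes that origin in what it signs, so an assertion produced on a phishing page cannot be replayed to the genuine site. The following is an added, simplified model of that origin binding (not the article’s code and not the FIDO specification): an HMAC stands in for the authenticator’s asymmetric signature, and the origins are constructed placeholders.

```python
import hmac
import hashlib
import json
import os

# Constructed stand-in for the per-site credential a hardware key holds.
# Real authenticators use an asymmetric key pair; a MAC keeps this self-contained.
EXAMPLE_CREDENTIAL = b"example-credential-secret-not-real"


def _signed_payload(origin: str, challenge: bytes) -> bytes:
    """What the authenticator commits to: the challenge AND the origin the browser saw."""
    return json.dumps({"origin": origin, "challenge": challenge.hex()},
                      sort_keys=True).encode()


def authenticator_assert(credential: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """The key signs over the origin supplied by the browser. The user never types it,
    so a look-alike page cannot make the key sign for the legitimate site."""
    return hmac.new(credential, _signed_payload(browser_origin, challenge),
                    hashlib.sha256).digest()


def service_verify(credential: bytes, own_origin: str, challenge: bytes,
                   assertion: bytes) -> bool:
    """The real service recomputes over ITS OWN origin and the challenge it issued."""
    expected = hmac.new(credential, _signed_payload(own_origin, challenge),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def relayed_login_succeeds(real_origin: str, page_origin: str,
                           credential: bytes = EXAMPLE_CREDENTIAL) -> bool:
    """Hypothetical helper: the real service issues a challenge, a page at `page_origin`
    forwards it to the user's key, and the resulting assertion is sent back to the
    real service. Returns whether the real service accepts it."""
    challenge = os.urandom(32)                      # issued by the real service
    assertion = authenticator_assert(credential, page_origin, challenge)
    return service_verify(credential, real_origin, challenge, assertion)


if __name__ == "__main__":
    real = "https://accounts.example.com"
    print(relayed_login_succeeds(real, real))                          # True
    print(relayed_login_succeeds(real, "https://accounts-example.com"))  # False
```

Compare this with a TOTP code: the code carries no information about where it was typed, so the real service cannot tell a relayed code from a genuine one. The origin-bound assertion fails verification the moment the page origin differs, with no reliance on the user noticing a misspelled domain.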
Never Enter a Password in an Email: It’s important to remember that you should never change your password in or from an email. If you get an email from one of your providers telling you that you need to change your password or share personal information, don’t. Never click on a link to change the password or enter credentials into the email. Instead, go to your web browser, type the website into the address bar (or search for it using a search engine), and then change it there. In this way, you can be sure you are changing the password at the legitimate website and not through an elaborate scam based on phishing or spear phishing techniques. If you get a phone call from your bank asking you for your account credentials, you should hang up and call the bank yourself, so that you are sure you are talking to that organization and not a scammer. In the same way, when you get an email asking for information, hang up on the email and dial back through the provider’s website.
Training, We Must Have Training: It is critical for all organizations to provide training to their employees, and this is an example of why. We won’t let people drive forklifts without training, and yet we allow people onto our network without training? It doesn’t make any sense. People can only recognize phishing and spear phishing attacks like the one this article describes if they understand that these types of attacks exist. Training your team on how attackers are going to try to exploit them, the tools and tricks they are going to use, and how best to avoid falling victim to these attacks is one of the most essential steps you can take to keep your organization safe in an increasingly dangerous digital world.
Two-factor authentication remains an important component of keeping your digital assets safe from attackers who would wish to poach them. You must understand, however, that 2FA is not an unbreakable shield. Diligence must remain. Continue to improve your behavior and your methods of authentication online while also strengthening your cybersecurity IQ. It will make the difference.