Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

Has two-factor authentication been defeated? A spotlight on 2FA’s latest challenge

Multiple news reports about the defeat of two-factor authentication (2FA) have been making rounds lately.

In November 2018, our friends at ESET discovered a purported Android battery utility tool called “Optimization Android” from a third-party app store. This app was designed to steal money from a user’s PayPal account without relying on stolen credentials. It operates by modifying a device’s Accessibility settings and enabling the use of Android’s overlay accessibility feature. This then allows a malicious accessibility service to mimic the user’s clicks to access the legitimate app and wire money to the criminal’s own PayPal address.

Long story short: This method effectively bypasses 2FA.

Then in mid-December, researchers at the Computer Emergency Response Team in Farsi (CERTFA) Lab released a report about “The Return of Charming Kitten,” a fresh slew of state-backed phishing attacks on individuals involved in sanctions against Iran and others, but focusing more on people based in the United States and Israel. State actors have found a way to fool targets into giving away their Gmail and Yahoo! 2-step verification codes.

Days after CERTFA’s report, Amnesty International broke the news that broad, targeted phishing campaigns were set against thousands of human rights defenders (HRDs), journalists, and political actors in countries throughout the Middle East and Northern Africa (MENA). The threat actors behind at least one campaign had also actively and deliberately taken steps to bypass common forms of 2FA.

A mantis lies in wait

The latest means to circumvent 2FA was made public by Polish security researcher Piotr Duszyński not long after the New Year. He called it Modlishka—the English pronunciation of the Polish word ‘mantis’—and described it as “a flexible and powerful reverse proxy that will take your phishing campaigns to the next level (with minimal effort required from your side).” It was a tool to aid penetration testers in conducting legitimate tests.

With its release, Duszyński emphasized the effectiveness and seriousness of social engineering attacks. In the wrong hands, a tool like Modlishka can be misused to create a compelling and sophisticated phishing campaign that is significantly easier to use but far more difficult to detect and avoid by users.

Overview of collected information from a simulated phishing campaign (Courtesy of Piotr Duszyński)

How Modlishka works

Modlishka sits between the legitimate website it is impersonating and the phishing website the user is seeing.

For this tool to successfully do its job—and, in turn, for the campaign to work—phishing campaign operators must first make their targets believe that they are on the website they expect to be on so that victims will enter their credentials without suspicion. Any interactions the user makes within the phishing page, including entering credentials, are passed through and recorded by Modlishka first before forwarding them to the legitimate website in real time.

This tool also prompts the user for tokens when their accounts have 2FA enabled. However, the phisher should be present to intercept the 2FA token—especially if it’s a time-based, one-time password (TOTP)—from the user and manually input it to the legitimate website themselves before it expires.

Assuming everything went smoothly, the user is then redirected to the legitimate website and successfully logged in to conclude the phishing attack. Below is a video of Modlishka in action.

Courtesy of Piotr Duszyński

How users can protect themselves

To stop Modlishka dead in its tracks, Duszyński advised the use of 2FA hardware tokens, such as Yubikey, RSA SecurID, and the Titan Security Key, that support the Universal 2nd Factor (U2F) standard. According to Matias Brutti, Director of Research and Exploitation at Okta, Push authentication can also render such campaigns less effective.

Since all the incidents we mentioned here are all phishing attempts, it still pays to know what to look out for when determining whether a website, email, text, or other communication is a phish. Never click unknown links without verifying their authenticity first. Always check the URLs in the address bar—and remember, the green padlock is no longer enough to identify whether a site is safe or not.

Furthermore, users might drop the use of SMS 2FA and opt for a stronger second form of authentication, such as an authentication app or biometrics. Make it a point to regularly review account access logs to check if someone other than yourself is attempting to gain entry to your online accounts. Avoid conducting business, especially that involving the exchange of sensitive information or documents, using your personal email. And if you can, put additional encryption in your messages by using Pretty Good Privacy (PGP). Lastly, use password managers—they not only have better memories than their humans, but they also keep you away from phishing sites by checking the URLs on the address bar before auto-populating fields.

For mobile users, avoid downloading apps from third-party stores. Better yet, avoid looking for app utilities you think will optimize your mobile device. For example, if you’re looking to extend battery life, don’t download an app. Adopt some simple steps, such as turning off GPS when you’re not using it, or using the phone in battery-saver mode.

2FA is still good to have

Adopting 2FA is well-known, popular cybersecurity advice we give to those who want to beef up the security—and consequently, the privacy—of their accounts. But it’s also a known fact that 2FA is not bulletproof, hack-proof, or the cybersecurity panacea many assume it to be.

It is true that some forms, such as SMS-based OPTs, are a lot easier to circumvent than others. It is also true that there are more than 10 known ways to defeat 2FA to date. However, this doesn’t mean that 2FA itself is broken. Using 2FA is still far better than having just a user name and password locking your account.

The defeat of certain forms of 2FA isn’t a call for total abandonment nor should it be considered as one. It signals us, the users, to explore and go for better, more advanced forms of 2FA in securing our accounts. It also forces us to re-think our habits, adapt accordingly to this change in the threat landscape, and continue to learn about the latest social engineering tactics and tricks that could target us in the environments and sites we frequent.

Stay safe!

Additional reading:


Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.