Cloud Security Tip: 2FA Vulnerabilities

For quite a while, IT security experts have been touting the value of two-factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have. But security is a never-ending horserace, and it probably comes as no surprise to most that even 2FA is not invincible, and that hackers can indeed bypass it and have made this ability public knowledge. A presentation to the Hack in the Box Security Conference held in Amsterdam in May 2019, featured a video showing how two pieces of software work to bring the two authentication keys together, thus destroying its integrity. In one instance, a tool called Muraena does the phishing work, intercepting an unsuspecting person’s browser-clicks and setting up the form for the 2FA code to be entered. Then, a second tool, called Necrobrowser tracks the accounts of thousands of people, and finds the right phone numbers to send the authorization code to. Though there are other, more sophisticated ways to defeat Two Factor Authentication, security experts say this Muraena/Necrobrowser combination makes it easier for low-level hackers to get in on the action. This spreads the crimewave to the more numerous, lazier criminal population. Two Factor Authentication is still a much better way of protecting access to websites than passwords alone, but certain companies already in the know, like Google, insist that employees carry a physical USB key as their second factor. This tip originally appeared here: https://cisoseries.com/passwords-so-good-you-cant-help-but-reuse-them/