Even with the Two-Factor Authentication, You’re Still Not Safe

Google reported new findings on phishing scams at the ongoing RSA 2019 cybersecurity conference in San Francisco. Hackers have been adjusting email phishing scams to successfully breach even two-factor authentication systems.

A lead security engineer in Gmail, Nicolas Lidzborski, revealed that Google has recorded a growing number of „2F phishing attacks“. Lidzborski confirmed that two-factor authentication was still better than using only username and password. He warned that Google had noticed an increasing number of hackers’ attacks on this 2F system. In his talk at the RSA 2019 conference, he explained how is this possible.

In a two-factor authentication system, the system asks the user for his password and afterward sends a short-term passcode. This passcode exists only on the user’s device and disappears after 30 seconds. Hackers make phishing emails aiming not only to steal the regular password but also the one-time passcode.

They send phishing emails that pretend to be from the legitimate website but have a link that leads to a fake login page. Hackers make “phishing kits“ – malware that steals the user’s password and one-time passcode while the user is submitting it to the fake login page. Then, hackers invade the user’s account in 30 seconds while the passcode still works.

This is not the first time security companies have noticed 2F attacks. In December 2018, Amnesty International reported a successful attack on the 2F authentication system. Hackers used automated phishing attack that stole and used the passcode in 30 seconds. In January 2019, a cybersecurity expert shared a toolkit for making 2F phishing pages available to everyone.

Sim swapping scams are also a potential danger for 2F authentication. Since the passcode is created on the user’s smartphone, it can be sent by SMS. The hacker can pretend to be the user and obtain their phone number from the wireless carrier. Lidzborski described this as a loophole where people could transfer the number from the provider and get 2F authentication.

Google protects Gmail accounts by disabling login attempts from geographic locations unknown for certain user. They also warn Gmail users about phishing emails and fake links that hackers share via email.

For business users, Lidzborski recommended USB Security Keys as a security measure against 2F authentication phishing attacks. These security keys are USB hardware that serves as a one-time passcode. To access user account, you need to connect your USB key. According to Lidzborski, USB security keys make accounts completely safe from phishing techniques. In July 2018, Google company made USB security keys for all its employees. However, two of Google’s USB security keys cost 50 dollars.

Lidzborski said the only way a company could be absolutely safe from phishing is to switch to USB security keys, so the gain is much more worth than the pain. He reminded that earlier, only the most skilled hackers , for example, state-sponsored ones, could breach 2-factor authentications. But now when open-source phishing toolkit is available, it leads to a boom of 2F authentication phishing attacks anyone could perform. That means the danger is greater than before. Google records an average of 100 million phishing emails per day.

Google’s Jigsaw even developed a quiz in order to educate users about phishing attacks. Lidzborski reminded that phishing emails usually pretend to be from legitimate websites such as Google and that they contain a link for a fake login page. Everything seems to be very convincing so users should double check when clicking links in their emails.