How Phishing Can Bypass Two-Factor Authentication

A report from Amnesty International found hackers now possess tactics to bypass two-factor authentication protection on email accounts.  

Through automated phishing attacks, hackers send victims an apparently legitimate email asking for their email account password. They also send them to a phishing page—which looks similar to the legitimate website—on which to reset their password.

This, in turn, triggers a two-factor authentication code which is sent to the target’s phone, allowing hackers to phish the code as well. With both the code and the password in hand, hackers can log in to their victims’ email accounts.

Amnesty International reported that hackers developed multiple versions of this attack tactic. The key takeaway, however, is that hackers can automate these phishing attacks, bypassing two-factor authentication with no manual input.

This should concern your enterprise and your IT security team. It indicates hackers have figured out consistent ways to bypass more traditional and legacy identity and access management solutions with minimal effort.

While the current targets of these attacks are journalists and activists in the Middle East and North Africa, cybersecurity experts assert the criminal underground has become more collaborative. These tactics will eventually be used against your enterprise and your employees. You need to prepare.          

Two-factor authentication can rely on physical hard tokens, which are difficult to fake or steal. However, many two-factor authentication systems use a text messaging system that sends a one-time authentication code to a mobile device. This system appears secure but actually favors convenience in its authentication process, which can open security gaps. Your enterprise will need to deploy a better authentication system.

Instead, enterprises should invest in multifactor authentication; these authentication protocols prove much harder to hack, as they also take into account geographic location, time of login, and biometric authentication factors. While two-factor authentication may appear more convenient, multifactor authentication can be as convenient while ensuring greater security.
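The reason a texted code can be relayed while a hardware token cannot comes down to what the second factor is bound to. The following is an added illustration, not code from the article or from Amnesty International's report. It models the relay flow described above against two kinds of second factor: a plain one-time code, which is just a string the victim can be tricked into typing anywhere, and an origin-bound challenge-response in the style of FIDO2/WebAuthn, where the authenticator signs the server's challenge together with the origin the browser is actually talking to. The origins, user name, keys and the HMAC stand-in for a public-key signature are all constructed placeholders for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder origins for the demonstration (not real hosts).
LEGIT_ORIGIN = "https://mail.example.com"
PHISH_ORIGIN = "https://mail-example.com.invalid"


class OtpServer:
    """Service that texts a one-time code and checks whatever code comes back."""

    def __init__(self):
        self.pending = {}  # user -> code currently outstanding

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # in reality delivered to the user's phone by SMS

    def verify(self, user, code):
        return hmac.compare_digest(self.pending.get(user, ""), code)


class OriginBoundServer:
    """Service that issues a random challenge and expects an assertion that
    covers both the challenge and the relying-party origin it is registered for.
    An HMAC over a shared key stands in for the public-key signature a real
    WebAuthn authenticator would produce (simplification for the example)."""

    def __init__(self, origin):
        self.origin = origin
        self.pending = {}  # user -> outstanding challenge
        self.keys = {}     # user -> registered authenticator key

    def register(self, user, key):
        self.keys[user] = key

    def challenge(self, user):
        chal = secrets.token_hex(16)
        self.pending[user] = chal
        return chal

    def verify(self, user, assertion):
        # The server recomputes the assertion over ITS OWN origin, so an
        # assertion the authenticator produced for any other origin fails.
        chal = self.pending.get(user, "")
        expected = hmac.new(self.keys[user],
                            f"{chal}|{self.origin}".encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion)


class Authenticator:
    """User-side authenticator: it only ever sees the origin the browser is on
    and binds every assertion to that origin, without the user choosing."""

    def __init__(self, key):
        self.key = key

    def make_assertion(self, challenge, browser_origin):
        return hmac.new(self.key, f"{challenge}|{browser_origin}".encode(),
                        hashlib.sha256).hexdigest()


def relay_otp_login(server, user):
    """The flow from the article: the real service texts a code, the victim
    types it into the lookalike page, and the phishing kit forwards it."""
    code_on_phone = server.send_code(user)
    code_typed_into_phish_page = code_on_phone   # victim is tricked into entering it
    return server.verify(user, code_typed_into_phish_page)  # relay succeeds


def relay_origin_bound_login(server, auth, user):
    """Same relay against an origin-bound factor: the kit forwards the real
    challenge, but the authenticator signs it for the phishing origin."""
    challenge = server.challenge(user)
    forwarded = auth.make_assertion(challenge, PHISH_ORIGIN)
    return server.verify(user, forwarded)  # origin mismatch -> rejected


def genuine_origin_bound_login(server, auth, user):
    """Control case: the same authenticator on the genuine site."""
    challenge = server.challenge(user)
    return server.verify(user, auth.make_assertion(challenge, server.origin))


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    rp = OriginBoundServer(LEGIT_ORIGIN)
    rp.register("alice", key)
    auth = Authenticator(key)
    print("OTP relayed through phishing page accepted:", relay_otp_login(OtpServer(), "alice"))
    print("Origin-bound assertion relayed from phishing page accepted:",
          relay_origin_bound_login(rp, auth, "alice"))
    print("Origin-bound assertion from genuine site accepted:",
          genuine_origin_bound_login(rp, auth, "alice"))
```

The one-time code is accepted because the server has no way to tell where the victim typed it. The origin-bound assertion is rejected because the mismatch is computed by the server from its own registered origin, not from anything the victim sees or decides, which is the property that makes hardware tokens and platform authenticators resistant to the automated relay described above.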

Moreover, access management should not emphasize convenience. If you wouldn’t allow individuals to walk into your analog vaults, you shouldn’t allow them to walk into your databases.

You can read more about Amnesty International’s research into two-factor authentication and phishing attacks here.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.