Two-Factor Authentication Flaws

by AKM

Posted on August 20, 2017 at 11:39 PM

How it's applied, How it's flawed

Two-Factor Authentication. Every major social media site uses it. The method of authenticating resides within the mobile empire for at least a decade now. It's quite simple. You have your email/username and password, alongside a text containing a code which is sent to your phone so you can then enter on the site. Major sites like Google, Twitter, Facebook all use this as a form of authentication. It's designed to keep unauthorized users out, in case they figure out the password you're using. Now it does work to some degree, the flaw is usually within the ISP that handles the phone number attached to the person trying to access his/her account.

Here's the problem with this system. It all revolves around phones! Now some sites have different methods but a majority use phones and the classic send SMS and enter code scheme. This can be exploited, in fact it takes almost zero skills to pull off. This is how your most popular celebrities on social media sites like Twitter are hacked, no their password wasn't abc123 it was the phone they were using. Haven't you noticed that every time they get hacked they report their phones stopped working? Now allow me to explain.

SMS Fraud / "Sim Swapping"

This is a social engineering method that many are quite familiar with. You call an ISP, impersonate either an employee (you might need an ID number or something) or impersonate the person (you'll need info on the person). Most ISP support teams are (no offense) not the brightest people. They never verify if you're really the person you say you are, in fact, many support agents never do! They'll ask you simple things like your date of birth or maybe *sometimes* the last four digits to your social security. There are many ways to obtain this type of data, in fact celebrities are even easier to find than a regular person.

Most call this "ISP doxing" but you can take it up a notch. Once the support agent has verified that you're the person you say you are, you can ask them to add a line to your account, or just perform a call forwarding on "your" account. Call forwarding is a feature that redirects all calls to a given phone number (some sites like Twitter use 2factor auth via calling). Some more experienced "hackers" would get new lines delivered to them in sim cards or they'd manually make them using SIM UID information onto blank sim cards. This is done using the same exact method described.

So, what happens now? Well, if successful, you now can intercept all SMS and Calls directly to your own mobile device. All you have to do is go on the email provider or social media site and reset the password. Yea it's that easy. It's also how most celebrities are being hacked these days. Not sophisticated at all, very easy to pull off if you have the time and patience. This is very easy to fix if you've fallen victim to this. Simply disassociate yourself from whichever ISP that can't hire adequate support team agents! I mean seriously, do you know how many Verizon and T-Mobile customers fall victim to this? Why use their service when their security is shit?

You're probably thinking at this point "well, I'm not a celebrity, this will never happen to me", false. You don't fall victim for just being famous, you fall victim if you attract attention one way or another. Let's say you own a Coinbase account or PayPal with a lot of funds, and everyone knows that you own a lot of money inside it, you are considered valuable. If someone were to piece together your phone number and email attached to those accounts (very effortless) what will stop them from gaining access? Almost nothing. Especially when your ISP is prone to attacks like this. Use services like Google Voice to handle all your accounts and never make your number public.

Lastly, the methods I described above are not all the ways Mobile based Two-Factor Authentication are bypassed. There are much more elevated methods onto achieving this like the SS7 flaw that is found in nearly all mobile carriers.

Blog Search