Monday 11 April 2016

Two Researchers Discover Two-Factor Authentication Weak Spots Into Cyber Security

Two Researchers Discover Two-Factor Authentication Weak Spots Into Cyber Security

Two Researchers Discover Two-Factor Authentication Weak Spots Into Cyber Security

The Two-Factor Authentication or you can say 2FA, there is a new attack developed by two researchers at a university in Amsterdam explains that weak spots already exist in authentication scheme that open users to attack.

There are  two researchers who are Radhesh Krishnan Konoth and Victor van der Even said that they have found the defects back in 2014 as well as they alerted Google and another online service. And even they presented their findings to a series of banks, but there was no avail.

As the researchers describe that because until now they haven't gone public and  many of them have said that the vulnerability was never become more dangerous and there is no need enough to demands the attention. The both of them think differently.

App syncing between devices is 2FA's Achilles heel.

According to the researcher’s explanation, the attack does not influence software defects but there is a design issue with 2FA. As a concept called that "anywhere computing," that prefers to the ability of the syncing apps as well as content across devices. Two-Factor Authentication that can be overcome with this problems if an attacker gains the access to a victim's PC.

There are the defects in the design of 2FA mechanism of various services that permits the attackers to use the services such as iTunes or the Google Play Store to push malicious apps to a user's phone without pointing the 2FA authentication system or even show an icon on his home screen.

Obviously, the attacker must also pass their malware to the Google and Apple in the past and have it listed on their stores, but this has recently started to become a common occurrence.

But still, this also needs for crooks to have full access to the user’s PC. Either physically or through malware that is controlling the device, or has stolen your identifications in order to use for the attackers.

App syncing across devices is not a bad idea, just poorly implemented.

However, the risk still also presents and the researchers declares that services are using 2FA should be very suspicious of executing app which is used to syncing with the among various devices.

According to the researchers, asked them how they see the services of 2FA fixing this issue which existing especially with Google, where this authentication scheme is used. The researchers said that the best judgment is to "move the app installation process (where the user is prompted to accept the app's permissions) to the mobile device instead of handling it in the browser."

You can see here are two new active attacks that are harmful to 2FA:

1. Man-in-the-Middle Attack: In this attack, an attacker puts up a fake bank website and attracts user towards that website. And then user types his password, and the attacker, in turn, uses it to access the bank's real website. Even the user will never realize that he isn't at the bank's website. And the attacker disconnects the user as well as makes any deceptive transactions which he wants, or if he wants then he passes along the user's banking transactions while making his own transactions at the same time.

2. Trojan Attack: In this attack, the attacker gets Trojan installed on user's computer. When the user logs into his bank's website, the attacker piggybacks on that session through the Trojan to make any frauds transaction which he wants.

And now see here how 2FA doesn't solve anything? 
  • In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. 
  • As well as in the second case, the attacker is relying on the user to log in.

The real threat is the fraud due to imitations and two-factor authentication will force attackers used to modify their strategies. Here is the research Paper that How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication

Watch Conference Video:


Post a Comment

Note: only a member of this blog may post a comment.

Toggle Footer