Many organizations and consumers rely on SMS-based two factor authentication (2FA) as a way to protect user accounts from account takeover and brute force attacks. While this provides an additional layer of security, it does not fully secure accounts from sophisticated attacks to circumvent 2FA and access an account with a compromised password. Online banking, brokerage and cryptocurrency trading accounts have been the targets of these more sophisticated attacks in recent years, as these accounts may have access to large amounts of capital. Here are some of the ways fraudsters are able to successfully takeover and drain accounts despite the use of 2FA.
SIM Swap Attacks
What it is and how it used to beat 2FA: SIM Swapping is a form of account takeover specifically targeting a mobile phone carrier. Impersonating or purporting to be the account holder or owner of a given phone number, the scammer claims they have a new mobile device, connecting the victims mobile number to a SIM card in their possession. Since many consumers use text message based one-time passcodes (OTPs) for 2FA, this is a very troublesome attack. The fraudster who likely already knows the victims account passwords now also receives the OTPs intended for the true accountholder.
Recent example: A hacker took over the U.S. Securities and Exchange Commission’s (SEC’s) X account and posted that the SEC had approved the first Bitcoin spot ETF before the SEC officially made this announcement. This manipulated the price of Bitcoin and was an embarrassment for the SEC. The person who wrote the post was able to do so by taking over the SEC’s X social media account, which they did by changing the password to the account and pulling off a SIM swap attack against the phone number associated with this account.
Web Session / Cookie Hijacking
What it is and how it used to beat 2FA:Infostealer malware is able obtain session cookies and take control of a user session. This may allow the hacker to circumvent login completely, or it may enable them to appear to be on a known or trusted device and bypass 2FA.
Recent example:In June 2024, a crypto trader lost $1 million after hackers were able to bypass the password and 2FA protecting the victim’s Binance account. This was possible due to cookie hijacking from malware contained within a Google Chrome plugin call Aggr.
Overlay Attacks
What it is and how it used to beat 2FA: Display or Screen Overlay Attacks target mobile devices with malware that covers an application screen with a fake and malicious screen, thus tricking the user into interacting with it to provide information or grant the malware app device permissions. The overlaid screen is very convincing, often mimicking a screen the user expects to interact with nearly verbatim. This can lead to mobile app permission abuse, such as tricking the user into allowing the malware app access to read all text messages. This is of course a major security risk if the malware now has access to read all incoming SMS messages that include OTPs or 2FA codes.
Recent example: Nearly 500 Crypto.com users experienced ATO and unauthorized withdrawals totaling $35 million in 2022. The statement from Crypto.com implied an overlay attack was likely to blame, stating that the “transactions were being approved without the 2FA authentication control being inputte by the user.”
Although it is well understood that passwords alone are not enough to secure user accounts, organizations and consumers often have a false sense of security around the level of protection provided by SMS-based 2FA. While this is more secure than a password alone, it is by no means a silver bullet.
For more information:
Comments