Home Sms code How hackers use message mirroring app to view all text messages and bypass 2FA security

How hackers use message mirroring app to view all text messages and bypass 2FA security



It is now well known that usernames and passwords are not enough to securely access online services. A recent study found that over 80% of all hacking-related violations have occurred. Because credentials are in dangerIn 2016 alone, 3 billion username and password combinations were stolen.

Therefore, it is necessary to implement two-factor authentication (2FA). In general, 2FA aims to provide an additional layer of security for relatively vulnerable username / password systems.

It also works. Numbers are for users who have 2FA enabled 99.9% of automated attacks..

But like any good cybersecurity solution, an attacker can quickly find a way around it. You can bypass 2FA via a one-time code sent to the user’s smartphone as an SMS.

Still, many major online services in Australia use SMS-based one-time codes, including myGov and the Big 4 banks (ANZ, Commonwealth Bank, NAB, Westpac, etc.).

Read more:
The computer can deduce more than 100,000,000,000 passwords per second. Do you still think it’s safe?

So what’s the deal with SMS?

The main suppliers like Microsoft We urge users to ditch their 2FA solutions that leverage SMS and voice calls. This is because SMS is known for its security and is exposed to a variety of attacks.

for example, SIM card exchange Proven as a way to avoid 2FA. During the SIM card swap, an attacker persuades the victim’s mobile service provider to be the victim himself and demands that the victim’s phone number be switched to the device of their choice.

SMS-based one-time code has also been shown to be compromised by out-of-the-box tools such as: Modlishka Using a technology called Reverse proxy.. This facilitates communication between the victim and the disguised service.

Therefore, Modlishka intercepts communications between the real service and the victim and tracks and records the victim’s interactions with the service, including the login credentials that the victim can use.

In addition to these existing vulnerabilities, our team discovered an additional vulnerability in SMS-based 2FA. One of the specific attacks exploits the functionality provided by the Google Play Store to automatically install apps from the web on Android devices.

The sync service allows hackers to install the Message Mirroring app directly on their smartphones if they compromise Google’s login credentials on their device.

If an attacker can access your credentials and log into your Google Play account on your laptop (although you are prompted to do so), the attacker can automatically install the required applications on your smartphone.

Android attack

In our experiments, a malicious attacker used a popular application (name and type withheld for security reasons) designed to synchronize user notifications across different devices. It turns out that with little effort, users can remotely access their SMS-based 2FA.

Specifically, an attacker can use a compromised email and password combination logged into a Google account (such as [email protected]) to make it immediately available on the victim’s smartphone through Google Play. The message mirroring application can be installed illegally.

This is a realistic scenario because it is common for users to use the same credentials for different services. Password manager It is an effective way to secure the first line of authentication (login ID / password).

Once the application is installed, an attacker can apply simple social engineering techniques to persuade the user to activate the permissions required for the application to function properly.

For example, you can call a legitimate service provider and pretend to convince your users to turn on permissions. You can then remotely receive all communications sent to the victim’s phone, including the one-time code used for 2FA.

While the above attacks must meet several conditions for them to work, they still demonstrate the vulnerable nature of SMS-based 2FA methods.

More importantly, this attack does not require high end technical capabilities. We need to understand how these particular apps work and how to use them intelligently (along with social engineering) to target victims.

The threat becomes even more realistic if the attacker is a trusted person (such as a family member) who has access to the victim’s smartphone.

What are the alternatives ?

To stay protected online, you need to make sure that your first line of defense is secure. First, check your password to see if it has been compromised. Safety program This allows you to do so. Also make sure that you are using a well-designed password.

Additionally, if possible, we recommend that you limit the use of SMS as a 2FA method. Instead, you can use an app-based one-time code, for example through Google Authenticator. In this case, the code is not sent, but generated in the Google Authenticator app on the device itself.

However, this approach can also be compromised by some hackers using it. Sophisticated malware.. A better alternative is to use a dedicated hardware device such as: YubiKey..

First developed in 2008, YubiKey is an authentication device designed to support one-time passwords and 2FA protocols without relying on SMS-based 2FA.

These are small USB (or Near Field Communication) devices that provide a simplified way to enable 2FA between different services.

These physical devices must be connected or located near the connecting device as part of 2FA, thereby taking the risks associated with visible single-use codes such as codes sent by SMS. Reduce.

It should be emphasized that the underlying conditions of the 2FA alternatives require that the users themselves have a certain degree of active participation and responsibility.

At the same time, service providers, developers and researchers need to do more to develop more accessible and secure authentication methods.

Basically, these methods need to go beyond 2FA and evolve into a multi-factor authentication environment where multiple authentication methods are deployed at the same time and combined as needed.

Read more:
Can I hack even if 2FA is enabled?

How hackers use message mirroring app to view all text messages and bypass 2FA security

How hackers use message mirroring app to view all text messages and bypass 2FA security



Please enter your comment!
Please enter your name here