Two-factor authentication (2FA) broken by new & simple attack

Two-factor authentication (2FA) broken by new & simple attack2FA, or Two-Factor Authentication, is regarded alongside biometrics as one of the strongest methods of protecting user data online. A new attack devised by two researchers at a university in Amsterdam shows that weak spots exist in this authentication scheme that open users to attack.

The two, Radhesh Krishnan Konoth and Victor van der Even, said they've discovered the flaw back in 2014, alerted Google and other online services, and even presented their findings to a series of banks, but to no avail.

As the researchers explained, because they haven't gone public until now, many have said that the vulnerability was never dangerous enough to warrant the attention. The two think differently.

As they explain, the attack does not leverage a software flaw, but a design issue with 2FA. Because of a concept called "anywhere computing," which refers to the ability to sync apps and content across devices, 2FA can be defeated if an attacker gains access to a victim's PC.

From here, design flaws in the 2FA mechanism of various services allows the crooks to use services such iTunes or the Google Play Store to push malicious apps to a user's phone without triggering the 2FA authentication system or even show an icon on his homescreen.

Of course, the attacker must also pass malware past Google and Apple and have it listed on their stores, but this has recently started to become a common occurrence.

But still, this also requires for attackers to have full access to your PC, either physically, or through malware that is controlling the device, or has stolen your credentials in order for the attackers to use.

Nevertheless, the risk still exists, and the researchers claim that services using 2FA should be very wary of implementing app syncing among different devices.

Asked how they see 2FA services fixing this issue, and especially with Google, where this scheme is used, the researchers said that the best decision is to "move the app installation process (where the user is prompted to accept the app's permissions) to the mobile device instead of handling it in the browser."

For more details, you can check out the video below, the BAndroid website, and take a look at the researchers' paper called How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication.

Source: Softpedia

Tags: security

Comments
Add comment

Your name:
Sign in with:
or
Your comment:


Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party


Last news

 
The NVIDIA GeForce GTX 1180 will be Turing-based with a 12nm FinFET die shrink
 
This only works on posts made by profiles that are public
 
 
The device will be standalone and based on a Qualcomm chipset
 
Apple plans on offering a cheaper smart speaker that will be priced at $199
 
Chrome will adopt a new approach to indicating site security
 
Data shows they are leading smartphone sale worldwide
 
Is this an error or it is really happening?
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
 
 

News Archive

 
 
SuMoTuWeThFrSa
  12345
6789101112
13141516171819
20212223242526
2728293031  




Poll

Do you use microSD card with your phone?
or leave your own version in comments (10)