Two-factor authentication, or 2FA, has been sold to web users as one of the most important and trustworthy tools for securing your digital life. You probably know how it works: By supplying an account with not just your password but also a secondary piece of information (typically an automated code texted to your phone or device of choice), companies can verify that whoever signs into your account is definitely you and not just some goon who’s managed to get their hands on your personal information.
However, according to new research, said goons have unfortunately found a number of effective ways to get around your 2FA protections—and they’re using these methods more and more.
The study, put out by academic researchers with Stony Brook University and cybersecurity firm Palo Alto Networks, shows the recent discovery of phishing toolkits that are being used to sneak past authentication protections. Toolkits are malicious software programs that are designed to aid in cyberattacks. They are engineered by criminals and typically sold and distributed on dark web forums, where any digital malcontent can buy and use them. The Stony Brook study, which was originally reported on by The Record, shows that these malicious programs are being used to phish and steal 2FA login data from users of major online websites. They’re also exploding in use—with researchers finding a total of at least 1,200 different toolkits floating around in the digital netherworld.
Granted, cyberattacks that can defeat 2FA are not new, but the distribution of these malicious programs shows that they are becoming both more sophisticated and more widely used.
The toolkits defeat 2FA by stealing something arguably more valuable than your password: your 2FA authentication cookies, which are files that are saved on your web browser when the authentication process takes place.
According to the study, said cookies can be stolen one of two ways: A hacker can infect a victim’s computer with data-stealing malware, or, they can steal the cookies in-transit—along with your password—before they ever reach the site that is trying to authenticate you. This is done by phishing the victim and capturing their web traffic through a Man-in-the-Middle style attack that redirects the traffic to a phishing site and associated reverse proxy server. In this way, the attacker is able to get in-between you and the website you’re trying to log into—thus capturing all of the information passing between the two of you.
After a hacker silently hijacks your traffic and grabs those cookies, they can enjoy access to your account as long as the cookie lasts. In some cases—such as social media accounts—this could be quite a long time, The Record notes.
It’s all a bit of a bummer, because in recent years, 2FA has been widely viewed as an effective method of identity verification and account security. Then again, recent studies have also shown that a lot of people don’t even bother with enacting 2FA in the first place, which, if true, means we probably have bigger fish to fry in the web security department.