Two-factor authentication and possible ways to bypass it
<blockquote data-quote="Carders" data-source="post: 650" data-attributes="member: 17"><p><strong>1. Bypass 2FA using social engineering</strong></p><p>Social engineering is a non-technical attack in which an attacker tricks the victim into unknowingly providing important information about a secret code. Already having a username and password to enter, the attacker calls or sends the victim a message with a convincing narrative, urging them to transfer the 2FA code.</p><p></p><p>In other cases, the attacker already has enough basic information about the victim to call the target service's support service on their behalf. A criminal can impersonate a user and say that their account is blocked, or there are some problems with the authenticator application. If successful, the hacker will get at least one-time access to the victim's account, and if they are lucky, they will reset and change the user password altogether.</p><p></p><p><strong>2. Bypass 2FA with open authorization (OAuth)</strong></p><p>OAuth is an open authorization protocol that provides applications and services with limited access to user data without disclosing the password. For example, to log in to the app, you need to grant partial access to your VK or Facebook account. In this way, the selected application gets part of the account's permissions, but does not store data related to the user's passwords in its databases.</p><p></p><p>In so-called "consent phishing," the attacker pretends to be a legitimate application with OAuth authorization and sends a message to the victim asking for access. If the victim grants this access, the attacker can do whatever they want within the requested access. Consent phishing allows an attacker to ignore credentials and bypass any configured two-factor authentication.</p><p></p><p><strong>3. Bypass 2FA with Brute-Force</strong></p><p>Sometimes attackers choose the brute-force method, especially if outdated or poorly protected equipment is used. 
For example, some old TOTP keychains have a code length of only four digits. Hence, they are much easier to crack.</p><p></p><p>An obstacle for hackers is that the one-time codes generated by such keyfobs are only valid for a short time (30/60 seconds). Thus, attackers have a limited number of codes that can be sorted out before they change. And if two-factor authentication is configured correctly, then it will be impossible to implement this type of attack in principle — the user will be blocked after several incorrectly entered OTP codes.</p><p></p><p><strong>4. Bypassing 2FA with previously generated tokens</strong></p><p>Some platforms allow users to generate 2FA codes in advance. For example, in the security settings of your Google account, you can download a document with a certain number of backup codes that can be used in the future to bypass 2FA. This is usually necessary in case of loss of the device used for authentication. But if such a document or at least one of the backup codes falls into the hands of an attacker, they will easily gain access to the account, regardless of the configured two-factor authentication.</p><p></p><p><strong>5. Bypass 2FA using Session Cookies</strong></p><p>Cookie theft, also known as session hijacking, allows attackers to gain access to an account without knowing any passwords or 2FA codes at all.</p><p></p><p>When users log in to the site, they don't need to enter a password every time, because the browser stores a special session cookie. It contains information about the user, supports their authentication in the system, and tracks session activity. Session cookies remain in the browser until the user logs out manually. Thus, an attacker can use cookies to their advantage to access the user's account.</p><p></p><p>Cybercriminals know many methods of account hijacking, such as session hijacking and locking, cross-site scripting, and the use of malware. 
In addition, attackers often use the Evilginx framework for man-in-the-middle attacks. Using Evilginx, the hacker sends the user a phishing link that redirects them to the login page of a real legitimate site, but through a special malicious proxy. When a user logs in to their account using 2FA, Evilginx captures their login credentials, as well as the authentication code.</p><p></p><p>Since one-time codes have a limited validity period, and you can't use one code twice, it's much easier for hackers to use the cookie capture method to log in and bypass two-factor authentication.</p><p></p><p><strong>6. Bypass 2FA with SIM-jacking</strong></p><p>A SIM-jacking attack involves an attacker gaining full control over the victim's phone number. Criminals, for example, can get a number of basic data about a user in advance, and then "pretend" to be this very user in the cabin of a mobile operator in order to issue a new SIM card. SIM-jacking is also possible through malicious apps installed on the victim's smartphone.</p><p></p><p>Control over the user's phone number means that a hacker can intercept one-time codes sent via 2FA via SMS. And since this is the most popular two-factor authentication method, an attacker can break into all the key victim accounts one by one and get full access to the necessary data.</p><p></p><p><strong>How can 2FA be made even safer?</strong></p><p>Despite the vulnerabilities discovered by hackers, two-factor authentication is still the recommended way to protect online accounts. 
Here are some tips for using 2FA effectively:</p><ul> <li data-xf-list-type="ul">if possible, use authenticator apps instead of simple SMS authentication, as apps are much more secure, and a one-time code can't be spied on without full access to your smartphone;</li> <li data-xf-list-type="ul">never share one-time or backup security codes with anyone;</li> <li data-xf-list-type="ul">use long security codes that contain more than six characters (if the service allows such settings);</li> <li data-xf-list-type="ul">do not use simple passwords to protect your account. It is better to generate a password in the generator and use it in conjunction with the password manager;</li> <li data-xf-list-type="ul">don't use the same password on critical accounts;</li> <li data-xf-list-type="ul">use physical security keys as an alternative form of authentication;</li> <li data-xf-list-type="ul">check out popular social engineering tactics to avoid becoming a victim of fraud;</li> <li data-xf-list-type="ul">if we are talking about a company with a certain staff, it is not superfluous to use the services of a private security consultant.</li> </ul><p></p><p><strong>Conclusion</strong></p><p>Despite the disadvantages and workarounds listed in this article, two-factor authentication is still one of the best ways to protect your accounts. It is enough to follow the recommendations above in order not to leave attackers the slightest chance of compromising your account. We hope that your accounts will never fall into the clutches of scammers, and any confidential data will remain completely safe.</p><p></p><p>(c) <a href="https://www.securitylab.ru/analytics/537030.php" target="_blank">https://www.securitylab.ru/analytics/537030.php</a></p></blockquote><p></p>
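The lockout described in section 3 and the single-use property of one-time codes noted in section 5, as an added example that is not part of the quoted post: a server-side TOTP check (RFC 6238) that locks the account after repeated wrong codes and rejects a code that was already accepted. The `OtpVerifier` class and the `MAX_FAILURES` and `LOCK_SECONDS` values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30           # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6          # code length
MAX_FAILURES = 5    # assumed policy: lock after this many wrong codes
LOCK_SECONDS = 900  # assumed policy: lockout duration in seconds


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP computed over the RFC 6238 time counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical per-account verifier: lockout plus one use per time step."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0.0
        self.last_used_counter = -1

    def verify(self, code: str, now=None) -> str:
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        current = int(now // STEP)
        # Accept the current step and the previous one to tolerate clock drift.
        for counter in (current, current - 1):
            if hmac.compare_digest(totp(self.secret, counter).encode(), code.encode()):
                if counter <= self.last_used_counter:
                    return "replayed"  # a code is accepted only once
                self.last_used_counter = counter
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
        return "rejected"
```

With five attempts per lockout period and two accepted codes per window, a guesser's chance per period is about 10 in 10^6 for six-digit codes and 10 in 10^4 for the four-digit codes the post mentions.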