One of the main objectives of hackers is to gain financial information.  Bank account and credit card details are a particular target. Once they have it, it can be sold on, usually anonymously via the dark web, or used by the hackers themselves.

Online Security is, therefore, a major issue in the minds of consumers and security specialists alike. A development in Online Security has been to introduce two-factor authentication.  In this scenario, the consumer nominates a second authentication method, usually SMS or email.  The host sends an authentication code that the consumer is required to enter before access is granted.

There are, however, some concerns that two-step authentication (“2FA”) is not secure and Online Security specialists have been working hard to identify and plug the holes.

Two-factor authentication can be  bypassed as follows:

1. Compromised Communication

   

   2FA depends on secure communications between the consumer and the financial organisation, typically a bank or online retailer. This means that information passes over third party networks, reducing their security.  The consumer has no control over this.

   If you do use public WiFi, for instance in a mall, shop or restaurant, then you must use an encrypted VPN connection to your Internet service provider.  If you don’t, your comms could be intercepted in clear and your credentials and  2FA codes stolen.

2. Compromised Carriers and Service Providers

   

   Some 60% of all online transaction now come from a smart device, such as a tablet or smartphone. The 2FA process ties your mobile smart device to the service supplier via the cell service provider by using your SIM card.  However, your cell isn’t as secure as you think. Cell Swaps are becoming very common and allow a hacker to transfer your phone number to a different smart device. They then receive your SMS with the authentication code and use it to confirm the login to your bank app or confirm your purchase.

   ID Theft also allows a hacker to do this, by pretending to be you and call your service provider to change authentication details, for example, the SMS number or email address used in 2FA.  They can even switch off 2FA.

   A hacker doesn’t even need to have your full phone number. Many people don’t change the default password on voicemail, and voice mail can be accessed using standard USSD codes. If the hacker calls the cell service provider at 3am, when the operator is probably tired and bored, it is easy to persuade them to provide the necessary information if you provide enough to convince them you are who you are pretending to be.

   How to stop it – be vigilant, and if you suddenly stop receiving your 2FA messages, immediately contact your provider. Another way is to use an authentication app.

3. Phishing or Man-in-the-Middle

   

   The most common way to start the hacking process is via a phishing email.  You log on to a spoof website, and the fake website records your login credentials. The fake website uses these credentials to log into the real website later on and make fraudulent transactions.

   2FA is supposed to prevent this, but it can be bypassed.  The fake website presents the screen to receive the 2FA code you have received.  When you enter it, it passes it to the real website and logs in.  There are automated apps to do this.

   How to avoid it, simply put, don’t respond to phishing emails.  They are becoming more and more sophisticated and you need to be very vigilant.

4. Compromised Security Questions

   

   Many services allow you to remove or bypass two-factor authentication. You have perhaps lost the password and need to log in.  In many cases, these are entirely online.

   A common technique is the use of security questions, the answers to which are supposedly known only to the consumer. The big problem is that as the questions are usually fixed, and the answers are obvious, or can be easily found using Google.

   How to get around it?  Don’t use obvious answers to the questions.

2FA is a valuable tool in the Online Security arsenal, but it cannot be relied on to provide 100% security.  It is part of a comprehensive anti-malware and security environment.