When it comes to protecting user data online, 2FA (Two-Factor Authentication) is one of the strongest methods in common use. It is apparently not as strong as assumed, however: two researchers from an Amsterdam university have found weak spots in the authentication method that can leave users vulnerable to attacks.
Victor van der Veen and Radhesh Krishnan Konoth are the two researchers, and they say they first discovered the flaw back in 2014. They alerted many online services, including Google, and even presented their findings to several banks, but nobody acted on their warnings. The researchers say it is a mistake to dismiss the flaw as not dangerous enough to warrant attention.
The researchers describe the loophole in 2FA as a design issue: the attack does not exploit any software bug. Attackers can defeat 2FA if they first gain access to the victim's PC, and from there they abuse the "anywhere computing" feature, the syncing of content and apps across a user's various devices.
Once the attacker is inside the PC, the design flaw in the 2FA mechanism lets them use Google Play Store, iTunes, or similar services to remotely install a malicious app on the victim's phone without triggering the 2FA check or even displaying an icon on the home screen. The malware still has to pass Apple's and Google's review to be listed in their stores, but recent incidents have shown that this is not difficult.
The catch is that the attacker needs full control of the victim's PC, either through malware that controls the machine or through physical access. Under that condition, though, the risk is real, and 2FA has been defeated.
The two researchers also explain how online services can counter this attack: they can "move the app installation process (where the user is prompted to accept the app's permissions) to the mobile device instead of handling it in the browser."
You can learn more by reading the paper, How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, or by watching the video below.