My 11 ways to hack 2FA column a few weeks ago continues to be a popular discussion topic with readers. Most people are shocked about how easy it is to hack around two-factor (2FA) and multi-factor authentication (MFA). It isn’t hard. Sometimes it’s as easy as a regular phishing email.
The number one resulting question is how 2FA users can better protect themselves. It, of course, depends on the strengths and weaknesses of the 2FA method used in the particular deployment scenario. All it takes in many of the hacking scenarios is to use and require two-way, mutual authentication in a linked one-to-one relationship where both the client and the server authenticate each other before transacting business.
Unfortunately, the digital world, and the real world, are full of one-way authentication, where either the server authenticates itself to the user or users authenticate themselves to the server. The video demo by Kevin Mitnick that I referenced in the hacking 2FA column is a great example of how easy it is to hack one-way authentication.
In Kevin’s demo, the user is authenticating to the service using a 2FA logon, but the server isn’t authenticating itself to the user. Because the user doesn’t notice that their logon link isn’t HTTPS encrypted to the legitimate site, they are fooled into allowing a man-in-the-middle proxy to capture their typed in logon responses and valid session cookie. A two-way, mutual authentication solution, like the FIDO Alliance’s Universal Second Factor (U2F), would prevent that type of attack.
The lack of required, consistent, linked, one-to-one, mutual authentication is the cause of many authentication attack scenarios. The problem isn’t just digital. It’s increasingly becoming a real-world problem, too, and one that all vendors need to address. Here are some examples of the one-way authentication problem.
Social media technical support scam
Fake offers of technical support over social media is a growing problem. I don’t mean when someone calls your phone and claims you have a virus that they will help you remove. That’s old school. I’m talking about a new school tactic where you have almost no idea that you’re being scammed.
It usually starts when someone posts a negative review about a product or service to Facebook or some other social media service. It’s often to the vendor’s legitimate social media site. Then someone claiming to represent the company reaches out, usually starting on social media, and says they will help you. All you need to do is provide your relevant account information and they would be glad to give you a refund or a replacement.
Of course, what really happens is that they rob you blind. People’s normal skeptical defenses are down, because the scammer didn’t just contact them out of the blue making a claim that the user wasn’t aware of. Pass this warning around because this type of scam is just taking off in popularity.
Banking Trojans
Here’s another similar example. Some banking trojans, after they install themselves on your computer, watch everything you type. When you type the word “bank” in a browser URL, they wake up and start interfering with your online banking experience. They usually make the browser seem to go super slow or stop.
Then the trojan pops up a window pretending to be a bank customer service representative. They are sorry for their web site and the issues it is having. They want to help you complete your online transaction, and all you have to do is provide your account number and other relevant information. How nice.
Fake customer support and other calls
Fake calls have been growing in popularity for a decade. I just got multiple, repeated robo calls from “the police,” claiming that I had four serious charges pending against me and I need to call ASAP to take care of the matter. Last week, I had a call from the “IRS” asking me to go to the local Walmart to get some “green dot” money cards to pay down my “very large and substantial” penalty for fraudulently filing my taxes.
I’m so skeptical of any unilateral-authenticated transaction that I refuse to do business with any online or real-world vendor without first getting strong evidence I am dealing with a real vendor with real transaction details.
Recently, my phone rang and the person on the other end said they were with my local cable company. They had a new deal where I could get faster internet speed, more premium channels, and pay less per month. It was a “special deal for our most valuable customers.” Who wouldn’t want better things for less? I said, sure, I’ll take it. Then they asked me for my account password or PIN so they could complete the transaction.
I immediately became skeptical, because I had zero way of knowing if this telemarketer worked for my local cable company or not. I got zero real authentication from them. I asked them to tell me what my account number was, what my PIN was, or anything about my account beyond my home address, which anyone could look up, before I would give them my PIN.
They replied that they could not access any of my personal information until I gave them my PIN…that requesting my PIN was how they protected my personal information. I refused to give it directly, and at a stalemate, I told them that I would hang up, call the main cable company number, transfer to sales, and try to get the deal that way instead.
I’m not giving up my personally identifiable information to anyone without absolutely verifying their legitimacy first, and neither should you. If you decide that you’re being overly skeptical and you need to trust more, know that sometimes you can lose a lot of money.
Wire transfer scams
I recently closed on a new house. At the end of every house purchase in the U.S., the buyers must wire money to the sellers, or their representatives (or escrow companies). Wire transfer fraud has been rampant in the housing selling and mortgage industry for a decade. My bank representative told me story after story about customers he had worked with that had been scammed out of tens to hundreds of thousands of dollars of their hard-earned cash, and most never recovered it.
The scam usually goes something like this. The scammer breaks into one of the companies involved in selling the house, often the title agency company that is collecting the payment from the buyer to distribute to all the people (e.g., real estate agents) that get their cut of the proceeds. The scammer then finds out all the information they can about all pending deals, and then sends those buyers an email that appears to be from the title company asking for the wire transfer to be sent to a new bank.
The buyer has no way of knowing that the email is fake. It’s coming from a company they have been doing business with and often from the same person they have been working with. They wire the money to a new bank. The title company doesn’t know this has happened, and when everyone shows up at closing, the buyer is asked for the final money amount, only to learn that they have been scammed. This scenario literally happens every day.
When I got my “wiring instructions” in email, I called my title agency using their publicly listed phone number (and not the one listed on the wiring transfer instructions). I then asked for the manager and confirmed the employee listed on the instructions was valid, and then asked to speak to the employee. I asked the employee to verify the details of the wiring transaction, which she did. Then I did something she said she had never been asked before.
I asked her to describe the physical location of her company’s second office in the same town — was it stand-alone or with other stores, and so on. She accurately described the second location. She asked me why, and I replied that it is unlikely that scammers would know what her company’s physical location looked like (unless they had prepared ahead of time), but even less likely to know about some secondary location.
I could have asked any irrelevant fact that the legitimate agent and I knew, such as the agent’s car color or name of the pizzeria next to her primary business location. Anything that a legitimate person could verify and that a scammer wouldn’t likely know was enough to give me the extra confidence to transfer my hard-earned cash over.
This may seem extra paranoid, but if you talk to the people who have been scammed by fraudulent wire transfers, they wished they had used this hint.
What every vendor needs to do
The problem is that we need mutual, two-way, verified authentication from both the customer and the vendor before the customer provides personally identifiable information (PII). Not doing so leads to fraudulent, expensive scams. Customers need to start asking their vendors to prove their identity to them before they ask for PII, and vendors need to implement processes so that customers can be assured that the vendor is who they say they are.
My wiring instructions came with a message that I needed to be aware of wiring fraud and gave me a number to call to verify that my wiring instructions were real. You can’t trust that information. That’s why I called the company’s main published number to start the process. That’s anti-scam 101.
Vendors need to verifiably authenticate themselves to their customers more often in both the digital and real worlds, because as you can see from the examples above, all these transactions involved both real and digital resources. Few real-world-only transactions are left. Most real-world transactions involve digital payment, information collection, or authentication about something.
The consequences of the vendors not providing or requiring mutual authentication, for both the client and the server, for all transactions personally involving the customers are substantial. Scammed customers, and there are more and more of them, will be less likely to do business with companies that don’t provide better mutual authentication. They are just going to delete the emails.
Vendors need to build more customer trust fostering processes into their every day transactions, both online and in the real-world. It works in making two-factor authentication scenarios more secure, and it can work in the real-world, too.