Note: before we start, we can't miss the opportunity to point people at this site if they need help turning two factor on for their accounts: https://twofactorauth.org/
Google's announcement that 10% of its users use two-factor authentication has been doing the rounds recently. If you're new around here, that's the feature where you supply a second piece of information when you log in, such as a one-time passcode from an app or a code sent by SMS.
This is good news for the consumer market: it shows a growing trend in use, and Google's efforts in this space should be commended rather than knocked. The figure is quite low, but they are trying. I expect it would be only a little higher in the corporate world too!
But this post isn't going to focus on that. It's about adding a second form of authentication to your authentication; putting locks on locked doors; securing the already secured, you get the picture. I am a big advocate of two-factor authentication: it makes phishing a lot harder, and it works. But it is by no means infallible.
All too often in our line of work we have to find novel ways to get around secondary authentication. Nothing mid-assessment is more annoying than a staff member with a well-secured account. We get all excited when they fall for a snazzy phishing email and hand over their credentials; we gleefully waltz to a computer to reuse them, sit down to log in with a song in our heads, type in the username and password and bash return. Seeing that 'Insert your code' screen really does bring us down: from that point on we know it will be harder. But that is the scenario, harder, not impossible.
Security has many layers, and all too often an attacker will circumvent several of them using lesser-known techniques. That gap is where most of the impactful attacks occur.
So let's talk through a few scenarios. Hopefully we can explain these attack vectors, and then you can take the steps needed to add those extra layers of security.
Banking Two Factor
Banks led the way in two-factor auth; for years they have provided one-time passcode devices so customers can log on safely. So let's look at how these accounts come under attack.
SMS – Most banks place importance on the customer's mobile phone number. They send text messages to confirm transactions, and an incoming call to customer services from that number adds a layer of realism to an attack. This pushes criminals to target the linked mobile number using SIM swap fraud (see below).
OTP Login Devices – Most major banks have seen these systems attacked for several years now. Through phishing, customers are asked to 'recalibrate' their devices; what that really does is supply the attacker with the one-time passcode they need to complete a login or a transaction. Alongside the clever phishing attempts, the OTP devices themselves have also been compromised in several clever ways.
Once a victim's machine is infected with a remote access tool or malware built to steal banking details, the secondary form of authentication is what stands between the attacker and your money. If you don't use it, or you fall for a scam like the two above, often nothing stops an attacker stealing everything you own.
SIM Swap Fraud – Look at the recent attack on the crazed John McAfee: attackers took control of his mobile phone number in an attempt to gain further access to his online accounts. They did this by compromising his mobile phone account with the operator, not the phone itself. Once they had his number it was trivial to reset his Twitter account and embarrass the security pro.
SMShing – If your email password is compromised and someone attempts a login but gets stopped at the second factor, that's not the end. We see clever SMShing messages along the lines of "Your account has been blocked, please reply with your Google 2-factor code to re-enable it". That is a basic scenario, but combined with caller ID spoofing and some clever timing it can be quite successful. These attacks have been commonplace for at least five years!
Domain Hijacking – So you want to protect your company email accounts and you've enabled two factor. Brilliant. But, following the theme of this blog, you guessed it: you're going to need some more steps to make it safe. Let's focus on companies using Google G Suite and Microsoft 365…
Often a business will follow the setup steps, and a savvy IT manager will make one-time passcodes compulsory for employees at login. But what if some nefarious 15-year-old were to take control of the domain by targeting the domain registrar? In information security, whoever controls a domain, or at least its name servers, is king. We have seen this in multinational clients we've worked with, and we found it with Tesla. It's simply not in a hacker's mentality to stop when something says no, and we are seeing an increase in sophisticated, higher-level attacks aimed at registrars. Once they have access to the registrar or the name servers, it is relatively easy to gain administrator access to most G Suite and 365-type cloud platforms: control of DNS lets an attacker prove domain ownership to the platform and redirect the mail that password resets depend on. We might have only wanted one account! But after a few calls and a clever email we often find ourselves temporarily in charge of a company's online estate…
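To make the registrar and name-server side of this concrete, here is an added example (not from the original post, and not the author's tooling) of the audit a company could run over its own domain: it reads the EPP status codes from WHOIS output to see whether registrar and registry locks are in place, and compares live NS, MX and TXT records against a baseline, flagging exactly the changes a hijacker needs to make to claim the domain in a new G Suite or 365 tenant and to intercept password-reset mail. The WHOIS text, the DNS answers and the domain example.com are constructed sample data; in practice the inputs come from `whois` and your resolver.

```python
import re

# EPP status codes as shown on ICANN "Domain Status:" lines. client* codes are
# set by the registrar and block transfer/update/deletion of the domain;
# server* codes are a registry lock, which survives a compromised registrar account.
REGISTRAR_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                   "clientDeleteProhibited"}
REGISTRY_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                  "serverDeleteProhibited"}

# Prefixes of the TXT records G Suite and Microsoft 365 use to prove domain
# ownership; one you did not add means someone is claiming the domain elsewhere.
TENANT_VERIFICATION_PREFIXES = ("google-site-verification=", "MS=")


def parse_whois_status(whois_text):
    """Return the set of EPP status codes found on 'Domain Status:' lines."""
    return {m.group(1) for m in
            re.finditer(r"(?im)^\s*Domain Status:\s*(\w+)", whois_text)}


def audit_domain(whois_text, observed, baseline):
    """
    Compare registrar locks and DNS against what the company expects.
    observed / baseline: dicts with keys "NS", "MX", "TXT" mapping to sets of
    record values (lower-cased hostnames for NS and MX).
    Returns a list of (severity, message); an empty list means nothing changed.
    """
    findings = []
    status = parse_whois_status(whois_text)

    missing = REGISTRAR_LOCKS - status
    if missing:
        findings.append(("HIGH", f"registrar lock incomplete, missing {sorted(missing)}"))
    if not REGISTRY_LOCKS & status:
        findings.append(("MEDIUM", "no registry lock (serverTransferProhibited etc.)"))

    if observed["NS"] != baseline["NS"]:
        findings.append(("CRITICAL", f"name servers changed to {sorted(observed['NS'])}"))
    if observed["MX"] != baseline["MX"]:
        findings.append(("CRITICAL", f"MX changed to {sorted(observed['MX'])}; "
                                     "password-reset mail can be intercepted"))

    new_txt = observed["TXT"] - baseline["TXT"]
    claims = {t for t in new_txt if t.startswith(TENANT_VERIFICATION_PREFIXES)}
    if claims:
        findings.append(("HIGH", f"unexpected tenant verification record {sorted(claims)}"))
    return findings


# --- constructed sample data, not real WHOIS or DNS output ---
WHOIS_LOCKED = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

WHOIS_AFTER_HIJACK = """\
Domain Name: example.com
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.ATTACKER-DNS.NET
"""

BASELINE = {
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "MX": {"aspmx.l.google.com"},
    "TXT": {"v=spf1 include:_spf.google.com ~all",
            "google-site-verification=baseline-token"},
}

HIJACKED = {
    "NS": {"ns1.attacker-dns.net"},
    "MX": {"mail.attacker-dns.net"},
    "TXT": BASELINE["TXT"] | {"MS=ms00000000"},   # attacker claiming a 365 tenant
}

if __name__ == "__main__":
    for label, whois, dns in (("healthy", WHOIS_LOCKED, BASELINE),
                              ("hijacked", WHOIS_AFTER_HIJACK, HIJACKED)):
        print(f"{label}:")
        for severity, message in audit_domain(whois, dns, BASELINE) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run this on a schedule from a box outside the domain's own DNS, and treat any CRITICAL finding as an incident: a name-server change is the one step a registrar-level attacker cannot avoid, so it is the cheapest thing to watch.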
What can we do better?
This blog isn't meant to pick holes in what we are currently doing, but by making some adaptations we can improve security, especially against the sneakier social engineering attacks. So, for a start:
- Try to move away from SMS-based authentication. It's easy to set up and use, but often quite easy to bypass. If the service you use supports Google Authenticator (or another app generating the same time-based codes), use that! If it only offers SMS, keep it switched on, but have a whinge to them.
- Install Google Authenticator and see how many of your accounts can use this amazing security feature. twofactorauth.org lists which services support which methods.
- Think about the higher levels of your operation: if you're concerned about email security, consider the importance of domain hijacking and lock your domain at the registrar.
- Enable added security on mobile phone accounts. Contact your operator! Can you place notes on the account? Can you set a passcode?
- Can we take a few minutes to mention to Google and Microsoft that a warning about domain hijacking prevention, shown when activating corporate two factor, would be amazing?
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including 'red team' exercises and information gathering assessments for financial institutions and some of the UK's largest companies.