Two-factor authentication, or 2FA, has been sold to web users as one of the most important and trustworthy tools for securing your digital life. You probably know how it works: By supplying an account with not just your password but also a secondary piece of information (typically an automated code texted to your phone or device of choice), companies can verify that whoever signs into your account is definitely you and not just some goon who’s managed to get their hands on your personal information.
However, according to new research, said goons have unfortunately found a number of effective ways to get around your 2FA protections — and they’re using these methods more and more.
The study, put out by academic researchers with Stony Brook University and cybersecurity firm Palo Alto Networks, shows the recent discovery of phishing toolkits that are being used to sneak past authentication protections. Toolkits are malicious software programs that are designed to aid in cyberattacks. They are engineered by criminals and typically sold and distributed on dark web forums, where any digital malcontent can buy and use them. The Stony Brook study, which was originally reported on by The Record, shows that these malicious programs are being used to phish and steal 2FA login data from users of major online websites. They’re also exploding in use — with researchers finding a total of at least 1,200 different toolkits floating around in the digital netherworld.
Granted, cyberattacks that can defeat 2FA are not new, but the distribution of these malicious programs shows that they are becoming both more sophisticated and more widely used.
The toolkits defeat 2FA by stealing something arguably more valuable than your password: your 2FA authentication cookies, which are files that are saved on your web browser when the authentication process takes place.
According to the study, said cookies can be stolen one of two ways: A hacker can infect a victim’s computer with data-stealing malware, or, they can steal the cookies in-transit — along with your password — before they ever reach the site that is trying to authenticate you. This is done by phishing the victim and capturing…