Stolen Data Gives Attackers Advantage Against Text-Based 2FA

Companies that rely on texts for a second factor of authentication are putting about 20% of their customers at risk because the information necessary to attack the system is available in compromised databases for sale on the Dark Web.

About 1 billion records synthesized from online databases — representing about one in every five mobile phone users in the world — contain users’ names, email addresses, passwords, and phone numbers. This gives attackers everything they need to conduct SMS-based phishing attacks, also known as smishing, says Thomas Olofsson, CTO of cybersecurity firm FYEO. 

Cybersecurity experts have long known that the addition of an SMS one-time password is a weak form of two-factor authentication and the simplest form of two-factor authentication for attackers to compromise. However, combining such attacks with the readily available information on users produces a “perfect storm” for attacking accounts, he says.

At Black Hat USA, Olofsson plans to go over findings from research into the problem during a session on Wednesday, Aug. 10, called “Smishmash — Text-Based 2FA Spoofing Using OSINT, Phishing Techniques, and a Burner Phone.”

“The research that we have done is two parts: How do you bypass 2FA, and how many phone numbers can we tie to an email address and a password,” he tells Dark Reading. “So, for about one in five — a billion — people, we can connect your email address to your phone number, and that is really bad.”

The analysis found that by collecting information from known databases of compromised usernames and passwords, researchers could create a database of 22 billion credentials. Linking those credentials to a phone number reduced the exposure to a bit more than 1 billion records, of which about half have been verified.

To make use of those records, attackers can conduct an adversary-in-the-middle attack, where the smishing attack goes to a proxy. When a targeted user opens a link in a malicious SMS message on a mobile device, browsers on iOS and Android rarely show any security information, such as a the URL, since screen real estate is so small. Because of that, few — if any — signs of the attack are presented to the user,…