Researchers Successfully Bypass SMS-Based 2FA Protections

It has been suggested that using a 2FA system will help protect users against hackers. To a certain extent that is true, because 2FA systems add an additional level of security with a one-time generated code that would be impossible to guess. However, it seems that researchers working on behalf of the Iranian government might have found a way around it.

In a report from Certfa Lab (via ArsTechnica), the researchers were successful in bypassing SMS-based 2FA systems used by the likes of Yahoo Mail and Gmail. The researchers used a phishing attack that first attempted to elicit the user's password. If the user had a 2FA system in place, they were redirected to a new page where the one-time generated password would be entered.

However, that website is merely a front, and the information is stolen by the hacker in real time, allowing them to quickly enter the password into the actual login page. Given that 2FA passwords expire after a set amount of time, this hack needs to be done in real time in order for it to work.

That being said, this seems to affect only SMS-based 2FA systems; 2FA apps don’t seem to be affected yet. According to a Certfa representative, “We’ve seen [it] tried to bypass 2fa for Google Authenticator, but we are not sure they’ve managed to do such a thing or not. For sure, we know hackers have bypassed 2fa via SMS.”
