How attackers bypass Two-Factor Authentication with Phishing
by Tanya Gupta, Digital Strategist
Online businesses are adopting two-factor authentication (2FA) to maintain data privacy and to protect the personally identifiable information (PII) of their customers. They often implement 2FA to strengthen the login security of the various forms present on their web portals. Two-factor authentication is designed to improve security because access no longer depends only on the strength of the password: a second authentication factor is required to prove the identity of a genuine user.
Although two-factor authentication is inexpensive, easy to implement and considered user-friendly, it is vulnerable to a number of attacks, including phishing.
Today's attackers are finding many different ways to bypass two-factor authentication (2FA) by targeting online businesses with various phishing techniques. The attacker uses phishing to steal a user's private information and exploits it for their own benefit.
In a phishing attack, the attacker poses as a trusted entity and lures the victim through a malicious email, instant message or text message. If the victim clicks the malicious link or opens the resource sent by the attacker, the result may be the installation of malware on the victim's system, or the attacker may gain access to the victim's private information such as user IDs and passwords.
How attackers bypass 2FA with Phishing:
1. To bypass two-factor authentication with a phishing attack, the attacker first generates a phishing link that points to a server under the attacker's control.
2. The victim receives the attacker's phishing link through a communication channel such as email or a messenger, clicks on it assuming the link is genuine, and lands on the fake sign-in page.
3. On the sign-in page the victim enters his or her valid account details and completes the two-factor authentication step; the victim is then redirected to a fake URL.
4. In this way the attacker obtains the victim's email, password and session cookies. The captured cookies can be imported into the attacker's browser to take full control of the victim's logged-in session, bypassing the two-factor authentication protection enabled on the victim's account.
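Step 4 relies on the stolen session cookie being accepted from a browser other than the one that completed 2FA. As an added example (not code from the original article), the following Python binds each server-side session to a fingerprint of the client it was issued to and treats a mismatch as a suspected cookie replay; the IP addresses, user agents and account name are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    client_fp: str  # fingerprint of the client the cookie was issued to

def fingerprint(ip: str, user_agent: str) -> str:
    """Hash the client attributes a session is bound to at issuance."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}  # token (cookie value) -> Session

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        # Called only after password and second factor succeeded from this client.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint(ip, user_agent))
        return token

    def validate(self, token: str, ip: str, user_agent: str):
        """Return (user, None) if accepted, or (None, reason) if rejected."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown_session"
        if not hmac.compare_digest(session.client_fp, fingerprint(ip, user_agent)):
            # Cookie presented by a client other than the one that passed 2FA:
            # treat as a suspected replay, revoke it and force a fresh login.
            del self._sessions[token]
            return None, "fingerprint_mismatch"
        return session.user, None

def replay_scenario() -> dict:
    """Constructed scenario: victim logs in, then the stolen cookie is replayed."""
    store = SessionStore()
    victim = ("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Firefox/60.0")
    other = ("198.51.100.9", "Mozilla/5.0 (X11; Linux x86_64) Chrome/67.0")
    token = store.issue("victim@example.com", *victim)
    return {
        "legit": store.validate(token, *victim),  # same client: accepted
        "replay": store.validate(token, *other),  # imported cookie: rejected, revoked
        "after": store.validate(token, *victim),  # victim must log in again
    }
```

A legitimate client can change IP (mobile networks, corporate proxies), so in production a mismatch is better used to trigger step-up re-authentication and an alert than an outright block. The check covers only the cookie import described in step 4: a session that keeps being used from the same client that logged in is indistinguishable to it, so it complements rather than replaces phishing-resistant factors.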
How can these attacks be prevented?
These attacks can be prevented by simply taking care of the following:
1. Avoid opening emails or links from unknown senders or sources; they may be malicious.
2. It is advisable not to share your account details through email or phone.
3. Beware of pop-ups as they can also be a source of a malicious redirection.
4. It is advisable for online businesses to keep their login form protected by using a web application firewall (WAF).
Created on Jul 2nd 2018 02:13.