Our Financial Accounts Just Became Less Safe…
Two Factor Authentication (2FA) has been widely considered the gold standard for protecting your online accounts. With 2FA, to sign into your account you first provide a password. Then the website texts a single-use security code to your mobile phone. Only after you correctly enter the code are you admitted to the account.
Unfortunately, two factor authentication just became a lot less secure! In May 2019 in Amsterdam, a presentation at the Hack in the Box Security Conference showed how hackers could mount mass attacks to defeat two factor signin protections. The presentation authors are Michele Orru and Giuseppe Trotta. A Fortune magazine article summarizes this new threat, backed up by a forty-one minute technical presentation on YouTube.
In the past, only sophisticated hackers have been able to defeat 2FA. Here’s what’s new: there are now tools available that allow a hacker with only modest skills to attack many two factor authentication accounts simultaneously.
Each of us has online accounts that are particularly important to protect. Accounts that we hold with banks, credit card companies and investment firms certainly need high security. Some people may want comparable protection for their social media accounts, medical records and cloud storage.
Here’s the key point: Whatever accounts you consider critical, simple password sign-on is simply not enough security. You should add two factor authentication for additional protection. And now you must also know: even 2FA may not be enough!
This blog covers the following topics:
- How the Two Factor Authentication Hack Works
- How To Protect Ourselves From the Two Factor Authentication Hack
- Recommendations
How the Two Factor Authentication Hack Works
To understand how to protect ourselves, we need to understand how the hacker is able to defeat two factor authentication. We will look at the example of a customer trying to access his account at Big Bank. Basically, the hacker inserts himself between the customer and the bank. This is called a “man in the middle” attack.
Here are two ways the hacker can put himself in the middle:
1. Hacker Controls the Wi-Fi Network
Hacker controls wi-fi network to defeat two factor authentication
In this case, the customer is using a public wi-fi service that is not secure. The hacker has compromised the network so that he can control its traffic.
The customer requests a connection to his bank’s website, bigbank.com. Since the hacker controls the network, the hacker can redirect the customer’s request to a spoofed webpage that resembles the bank’s sign-in page. Here, the fake page has the address bigbanky.com.
Now, the customer fills in his userID and password on the spoofed webpage. The hacker opens a connection to the bank’s website, and transfers the customer’s information to that page. The hacker is serving as a proxy, representing the customer to the bank.
The bank sees the valid userID and password, and sends a security code to the customer’s phone. The customer enters the security code on the false webpage and the hacker forwards it to the bank. At this point the bank opens the customer’s account.
Once the account connection is open, the hacker can simply wait until the customer finishes his business. The customer clicks the sign-out button and the hacker presents the customer with a fake page confirming log-out. However, the hacker does not forward the log-out command to the bank. Instead, the hacker keeps the account active to do whatever he wishes with its assets and its settings.
Basically, the two factor authentication has failed, because the hacker has access to both the password and the security code.
2. Hacker Controls a Fake Website
Hacker controls fake website to defeat two factor authentication
This is another way for the hacker to become the “man in the middle.” Once again, the hacker creates a fake website that copies the bank’s website, with a slightly different web address: bigbanky.com instead of bigbank.com.
If the hacker can persuade the customer to visit the fake website, the hacker can act as the customer’s proxy in contacting his bank. The hacker might do this by sending the customer an email supposedly from his bank. The email would contain links that appear to go to Big Bank, but which actually go to the fake website bigbanky.com.
From that point, the sequence of events is much as described above. The result is that the customer gives the hacker both his password and his security code. When the customer signs off, the hacker is left in place, signed into the customer’s account.
How To Protect Ourselves From the Two Factor Authentication Hack
There are fundamentally three ways to avoid being the victim of this hack, which we can now discuss.
1. Do Not Bank Over Public Wi-Fi Networks
The first way to protect yourself is not to do banking or other critical activities over public networks.
The word “public” here is deliberately vague. If you use a wi-fi network that does not require a password, you know already that it’s not a secure network. However, even if it requires a password, that does not assure you that the network protects your data.
For example: What if the network tech is also a hacker? Or what if a previous employee might have hacked the network? What if the network passwords are so trivial that an outsider was able to take over the network? In any of these cases, the network you are using may have a “back door” that allows a hacker to control the connections.
There are many dangers when using a public wi-fi network. The particular risk that counts here is that your internet requests may be redirected to a dangerous website.
Here Are Some Alternatives
Instead of using a public network, here are some safe ways for you to bank over the internet:
- Connect through your home internet service, assuming that it has strong passwords and has not been breached.
- It’s best not to bank using a mobile device. But if you really insist on doing that, then turn off your wi-fi setting and connect via the cellular phone network.
- Always verify that your browser address line shows a padlock and/or “https://” followed by your bank’s exact domain address.
In general, don’t use a wi-fi network to do any banking transactions unless you know that the network is secure. If you follow these guidelines, then you are not vulnerable to the first risk discussed, “1. Hacker Controls the Wi-Fi Network.”
Yes, it’s possible to use a virtual private network (VPN) to safely access your accounts, even over an unsecure network. However, not every VPN is itself secure! Even if you purchase VPN service from a trustworthy vendor, you may still be vulnerable.
2. Always Type In Your Bank’s Website Address
The second way to protect yourself from the 2FA hack is to type the address into your browser. Don’t ever click on a link in an email or on a webpage to go to your bank’s website. Hopefully, you learned this from the previous blog, 9 Dangerous Emails.
The only way you can be sure not to end up on a spoofed website is to type the bank’s domain address yourself. If you always use this method to reach your bank account, then you are protected from the second risk discussed, “2. Hacker Controls a Fake Website.”
3. Register Your Accounts Using a Universal Second Factor (U2F) Hardware Token
Both of the preceding methods require you to keep your wits about you. Wouldn’t it be nicer to have a foolproof means that will protect us even if we are not on the top of our game?
In fact, that safer approach does exist. It’s a hardware token known as Universal Second Factor (U2F). It confirms both your identity and the website address you are hoping to connect to.
Here is the problem that U2F solves: Ordinary two factor authentication can be hacked because you submit both your password and your security code through the website with which you are connected. There’s no good way for your bank to know whether it’s you talking to them, or a hacker using a proxy to pretend to be you. And if the hacker is in the middle, he has both your password and your security code.
The U2F hardware token is a device with a USB connection. It’s so small that you can put it on your keychain, or just leave it plugged into your computer. If you use U2F to protect your bank account, you first have to register your device with your bank over a secure internet connection:
Customer registers U2F hardware token with bank account
During registration, the U2F device generates a password that incorporates both the bank’s web address and a secret code. The device sends this password to your bank using public key encryption. Your bank registers that password to identify you.
Whenever you sign into your bank account, the bank will ask you to send a password by pressing a button on the U2F. If you are contacting the bank through another website (such as a spoofed web page), the U2F will generate a different password, which your bank will reject.
Pros and Cons of the U2F Hardware Token
Like just about everything, U2F has its advantages and disadvantages. One advantage is that your account is protected, even if you accidentally try to sign into it via a phishing website.
Another advantage is that U2F tokens are relatively inexpensive, between $12 and $60; once you buy a token, there’s no additional cost to you.
Existing U2F tokens have only a USB connector, which is not generally present on mobile devices. However, Yubico is now introducing a token with both USB and lightning connectors, making it compatible with smartphones and tablets.
However, there are downsides:
- The hardware token is a physical item that you have to keep track of and not lose. Because of the risk of token loss, U2F accounts give you an alternate means of signing in. If that alternate means is 2FA, you are still vulnerable to a hack!
- Your browser needs to handle the communications between your U2F and your bank, and not every browser is able to do this.
- Worst of all, many company log-ins are not compatible with U2F.
Where Can You Use U2F Protection?
You would think that such an elegant high-tech security solution would attract many users. However, that is not yet the case.
Consider Yubikey, one of the best known U2F hardware tokens. Their list of compatible websites contains some familiar names: Blogger, DocuSign, Dropbox, Facebook, GitHub, Google, IBM, Instagram, MailChimp, Microsoft, Nintendo, Reddit, Twitter, WordPress and YouTube. However, you will search in vain for the name of your bank, investment company or favorite retailer.
Investment Accounts
Logic suggests that the most critical accounts to protect are investment accounts. After all, those may contain most of our liquid assets and savings.
I decided to look at all the US brokerage firms that have $1 trillion or more in assets. There are four such companies: Fidelity, Schwab, TD Ameritrade and Vanguard. I performed site-specific Google searches and also contacted the companies for more information. Here’s what I found:
- Fidelity.com supports Yubikey U2F tokens.
- Schwab.com supports two factor authentication but not U2F technology.
- TD Ameritrade supports two factor authentication but not U2F technology.
- Vanguard.com supports several different Yubikey U2F tokens.
Thus only two of the four biggest investment firms are yet on board!
Moreover, I must offer a caution. Fidelity’s and Vanguard’s online documentation says that they support Yubikey tokens. However, when I tried to confirm that they understand the 2FA hack and are defending against it, I could not find anyone at the company who could intelligently answer the question! I contacted account reps, media reps and security staff. So yes, these companies may be protecting from the 2FA hack, but they have not yet educated their staff on it.
Compared with investment firms, banks are even farther behind in technology. Many of them accept two factor authentication. However, I have not found any that use U2F for increased security.
Recommendations
Computer security is a continual game of cat and mouse. Two factor authentication was a big step forward for safe account access. However, now we learn that 2FA is not always safe, and we would rather be using U2F. And by the time U2F becomes well-known, something else may be the application of choice.
For now, my recommendations are:
- Follow the “prophylaxis” guidelines in 9 Dangerous Emails.
- Use at least two factor login on our most important online accounts. Try U2F if we’re willing to put up with its disadvantages. However, follow the cautions given above so that we don’t become victims of 2FA hacking.
- And take note when we hear of changes in computer security technology, in case those changes apply to us.
Two factor authentication is powerful, and we should use it when we can. But we can make it safer with the advice given above. Comments are welcome!
Image Credits
– Anonymous hacker by mohamed_hassan on pixabay.
– Drawings by Art Chester using Microsoft PowerPoint.
Another reason not to use the internet for banking. The telephone login is much more secure.
You are right, George. Any time we use the internet, whatever we do could be hacked or imitated by a bot. Using the phone requires time commitment by a human being. Although a hacker might be able to impersonate you on a phone call, that’s not efficient use of his time. Unless you’re a zillionaire I don’t think he would take the time to research you and then place that call.