Two-factor authentication not secure, say researchers

Social engineering can be easily used to trick users into confirming authentication codes, says a computer science professor at NYU.

Generally thought to be secure, the process whereby a verification code, usually delivered by e-mail or text, is sent to a user who’s lost their password, can in fact be hacked.

And the way it’s done? Just ask the user for the officially-sent verification code, says Nasir Memon, professor of Computer Science and Engineering at the New York University Tandon School of Engineering.

A second, bogus text or e-mail simply asks the user to forward the original, legitimate verification text. And people do it, no questions asked, Memon reckons.

The kind of two-factor authentication Memon is talking about is used throughout the Internet. It verifies the user should that user lose his or her password.

We’ve all taken advantage of the tool. It functions by sending a verification code that must be entered correctly on the host website in order to reset the password. The code is often embedded into an e-mailed hyperlink.

It’s called ‘two-factor’ or ‘2FA’ because two elements are used to make the verification—the private e-mail account, or smartphone with number, and secretly generated code.

+ ALSO ON NETWORK WORLD Social Engineering: 6 commonly targeted data points that are poorly protected +

Where the problem arises is that users can be “lured” into forwarding the verification code, says Hossein Siadati, Toan Nguyen, and Nasir Memon in their paper, published on the engineering department’s website. It’s particularly a problem with SMS.

The group experimented with 20 mobile phone users and found that a quarter of them simply forwarded the verification e-mail when asked, thus giving it to the hacker.

They were tricked. “There’s trust by association,” Memon says in a press release on the university’s website. The fact that the two texts came around the same time performed the magic.

The second message requesting the code appears to come “from an email provider or another trusted site,” as does the first, he explains.

In other words, it works just like any other phishing attack. Unless the user is experienced in the nuances of the legitimate communication, he or she wouldn’t know it was a bad one.

With e-mail it becomes easier over time to spot those nuances, with SMS it’s harder—there’s no unprofessional-appearing pixelated graphics to give it away, for example.

With SMS “it’s not like email, in which you can carefully examine an address to see if it is real,” Memon says.

The whole issue is magnified by the fact that the text “appears to come out of nowhere.”

The first text does come from the legitimate online company — it’s triggered by the hacker requesting the password reset. The second is from the hacker directly, though.

Memon, and his team, think that the first message gets ignored when the legitimate user hasn’t requested it. But the fact that the second e-mail comes along shortly afterwards requesting that the user forwards the first one creates a sense of legitimacy — it isn’t a mistake, the user might think.

The second one “requests that the user forward the verification code to confirm that the phone is linked to the online account,” the NYU press release explains.

In interviews, the targets didn’t notice that the two SMS messages came from different sources, the researchers say.

[ MORE: Top two-factor authentication tools ]

“Because this kind of attack doesn’t require victims to click phishing links or enter sensitive information, like an account or Social Security number, it’s easy to understand how it could be very effective,” Memon says.