Is a phishing attack possible with 2FA

Forums › IT Pro and developers › Is a phishing attack possible with 2FA

Foiler

220 posts

Master Geek

#242550 3-Nov-2018 09:21

Two factor authentication is meant to keep the bad guys out .. but does it?

Take a G-Suite login process for example .. what if:

Google user enters Gmail-username gullible and password 1234 into the bad-guy website
bad-guy uses these credentials to log into Google, gets prompted for text code, and passes this request on to gullible
gullible enters text code onto bad-guy website
bad-guy completes Google login and immediately changes account setup to lock out gullible

Any thoughts?

Brumfondl

1186 posts

Uber Geek

Trusted

#2118867 3-Nov-2018 09:27

Called a man in the middle attack https://en.wikipedia.org/wiki/Man-in-the-middle_attack

AliExpress

Shop now on AliExpress (affiliate link).

gbwelly

1238 posts

Uber Geek

#2118869 3-Nov-2018 09:29

This is a man in the middle attack (mitm). It is difficult to protect against technically because it relies on the end user to be vigilant, which is often not the case.

This is why to turn of MFA, most systems require further challenges to the end user to complete the configuration change.

freitasm

BDFL - Memuneh
79133 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2118876 3-Nov-2018 09:48

Yes and no. If you use an authenticator app then the code changes every 30 seconds, making it harder to time the attack - repeated requests sent to Gullible would raise suspicions.

A SMS attack is easier because it's also easier to use social engineering (or Bad Telco Employee) to get a SIM Card and transfer the number to that SIM (this happened before, in the USA).

The one you show would need Gullible to enter the code on a site that 1) is not the domain used for login and 2) is asking for a code for a login Gullible did not initiate.

Yes, some gullible people will be gullible but these attacks require a certain degree of sophistication and some targeting.