Hackers have created a way to bypass the security of two-step authentication

Two-factor or two-factor authentication is one of the most popular protections today to prevent your online account access credentials from being exposed to cybercriminals.

Although these mechanisms were able to block about 99.99 percent of automated attacks on activated accounts, cyber criminals And Panda warned in a statement that they have already found ways to circumvent them.

Although it is not an easy task, some hackers do this by intercepting the one-time codes which are sent in the form of SMS to the user’s smartphone. For example, SIM swap scams have been found to bypass two-step verification.

This method involves the attacker convincing the mobile phone service provider that he is the victim and then asking to change the owner’s phone number to a device of his choice.

This is not the only way to breach two-factor authentication, as cybercriminals have devised methods such as reverse proxy tools or attacks via the Google Play Store.

One-time-use codes can be hacked via SMS through reverse proxy tools, such as Modlishka. A reverse proxy is a type of server that retrieves resources on behalf of the client from one or more servers. These resources are then returned to the client as if they originated from that web server.

But some hackers modify them to redirect traffic to login pages and “phishing” processes. In those cases, the hacker It intercepts communication between a bona fide service and the victim, and tracks (and records) the victims’ interactions with the service, including login credentials.

Cybercriminals have also devised other ways to circumvent binary protection with new SMS-based attacks, such as those that use the Google Play feature to automatically install web applications on Android mobiles.

This way, the attacker can access the credentials for logging into the Google Play account on a laptop (although in theory the user should receive a warning on their smartphone), and then launch any app they want on the phone.

A similar variant involves using a specialized app to sync user notifications across different devices. This allows attackers to install a message mirroring app, and once installed, they can try to convince the user to enable the necessary permissions for the app to function properly.

Although many conditions must be met for the above attacks to work, they do show weaknesses in two-step identification methods based on short messageIn addition, these attacks do not require high-level technical capabilities, as Panda warned.