Has two-factor authentication reached its limit? That, at least, is the question raised by a recent study carried out by researchers at Stony Brook University. They discovered no fewer than 1,200 freely accessible hacking kits on the Internet that make it possible to bypass this security measure, which was once considered unbeatable.
When it reached the general public, two-factor authentication was touted as the solution to almost every problem on the web. With a simple text message sent to the user's phone or a code sent to their email address, the mechanism put a serious spoke in hackers' wheels. Gone are the days when recovering a password was enough to access an account. It is now also necessary to obtain this precious code, which very often manages to remain confidential.
Over time, methods of getting around this imposing obstacle have obviously emerged. This year, to name but one, a dangerous banking malware capable of spying on its victims' text messages has alarmed cybersecurity researchers. Until now, though, these techniques had remained relatively little known. That is no longer the case: a study by Stony Brook University, in partnership with Palo Alto Networks, shows that these tools are becoming increasingly widespread.
Two-factor authentication soon to be useless?
It is thus much less difficult than before to get your hands on a hacking kit, most often offered for sale by malicious individuals. Where it used to be necessary to explore the dark web to find such tools, they are now openly displayed on the Internet. With little or no effort, these kits make it possible to steal the authentication cookie created by the security mechanism and saved by the browser.
There are two ways to achieve this. The attacker can either infect the victim's device with malware capable of stealing the desired data, or launch a man-in-the-middle attack to intercept the information before it reaches the site concerned. According to the researchers, these kits are effective against most of the larger sites and applications. They counted no fewer than 1,200 during their study.
As mentioned earlier, hackers have been able to bypass two-factor authentication for several years. What worries researchers, however, is how widely these hacking kits are now distributed and, what is more, how easily they can be obtained. Like Instagram, which recently activated the feature, the next sites and applications to join the movement may well be doing so somewhat late.