What if two-factor authentication isn’t as secure as we think? Until yesterday the possibility of using another pin, a second password, received via app or text message seemed to us the best way to protect the digital treasure of our onlife life, but now our certainties are wavering: three Italian researchers have shown that this too second level of security can be neutralized and, for a malicious hacker, relatively easily.
Digital warfare
From Anonymus to the military, which are the hacker groups active in the Russia-Ukraine conflict
by Andrea Daniele Signorelli
Franco Tommasiassociate professor of Information Processing at the Department of Innovation Engineering of the University of Salento, co-author of an Internet standard, together with Christian Catalano e Ivan Taurino, have developed a type of cyber attack that allows you to bypass two-factor authentication (2FA). And it is news that now worries even cybersecurity experts outside the Academy. Faced with the massive emergence of cybercrime that largely exploits credential theft and weak passwords to enter the lives of target victims, the 2FA it represented a big step forward from the point of view of security by limiting the risks being able to stem even the so-called “brute force” attacks, but the research produced by the three scientists explains how its effectiveness is drastically reduced for less savvy users.
The point is that despite the communication given by the researchers to Mozilla, Google and Apple, the exploitable method for the attack still works almost a year after its scientific demonstration.
hacker
Lapsus $ stole Cortana and Bing from Microsoft
by Arturo Di Corinto
How the attack works
The description of the practical effects of the attack is relatively simple. The attack is initiated with the technique of phishing but, unlike what usually happens for this type of attack, the user is not redirected to a bogus site that appears to him as the one he thought he was visiting, thus allowing attackers to steal the credentials (which is useless if the two-factor authentication), but is actually led to visit the authentic site. And for this reason scholars have called it “Browser-in-the-Middle (BitM) attack”. The researchers have in fact demonstrated how they can place themselves between the user and the site and, without him noticing it, making him view in his browser another browser that acts as an intermediary, perfectly identical or with modifications. And then that’s it.
Hacker
Who is Arion, the sixteen year old who hacked Microsoft, Vodafone and Nvidia
by Arturo Di Corinto
Let’s take a practical example: a user receives a message inviting him to view a communication from his bank. If he clicks on the link provided, he will visit an attacker’s site which in turn will go to the bank’s site. The victim will introduce the credentials, which the attacker will read, because in reality he has given them to him, and will use them to enter the authentic site. The authentic site will send the request for confirmation to the victim’s mobile phone (i.e. two-factor authentication, with password, fingerprint, facial recognition) which of course the victim will provide. At this point the site will show the attacker what he should have shown the victim and the attacker will report it back to him exactly. If at this point the victim wants to start operations, for example a bank transfer, the attacker can intercept the recipient’s IBan and modify it, together with the amount to be paid, by sending the payment to another recipient.
“The method is based on the same protocol used to control the screen of a remote computer – explains Professor Tommasi -. In our case, the victim views the attacker’s screen, a full-screen web browser that is actually ‘visiting’ the authentic site. The victim thus interacts with the attacker’s computer without realizing it, believing he is visiting the authentic site “.
Hacker
What are the cyberthreats that put the metaverse at risk
by Andrea Daniele Signorelli
Plagiarism
The article describing the method was published online by an international journal, theInternational Journal of Information Security April 17, 2021. Even before proceeding with the publication, as a precaution, the researchers had warned some of the major web browser developers (Google, Apple) by limiting the publicity of the attack, aware of its deadly effectiveness and received evident manifestations of interest as we can read from the reply emails that we have been able to read.
“To our surprise, however, in February 2022 we realized, by visiting some sites dedicated to security, that an anonymous hacker, mr.d0x, exposed our method, proclaiming himself the author. We politely tried to point out his mistake via Twitter (apparently the only way to communicate with this stranger) but he responded by blocking our account ”.
In addition to the damage, the insult, in short. Unfortunately, what happens frequently on the web happened, where everyone takes possession of everything. The world of security that rarely frequents academic journals has given great resonance to the hacker’s claim and only a few have recognized in the Italian researchers, albeit belatedly, the true inventors of the attack. “Of course we regretted this not a little, even if we are sure that, as they say, time is an honest man”, the professor told us to whom we asked if he had taken action to protect the intellectual property of his team’s work. “It is not easy to take legal action against a stranger whose country of residence is not even known. Furthermore, it is not something that has immediate commercial value, but we intend to do so ”.
The trouble is that the same mr.d0x tested the attack on February 23, 2022, proving that it still worked, 11 months after the communications of the researchers to the vendors and the publication of the paper, while Tommasi, Catalano and Taurino were able to demonstrate his effective with Google’s Chrome browser until a few days ago. “Unfortunately this is an attack that is difficult to block and the only effective countermeasure is to prevent phishing but – continues Professor Tommasi -“ no matter how hard you try, there will always be someone who falls for it ”.