September 25, 2024
In 1928, Alexander Fleming accidentally discovered penicillin, an antibiotic that revolutionized the healthcare industry. This extremely affordable and accessible antibiotic drastically reduced mortality rates, improved surgical outcomes, and curbed infectious disease outbreaks, leading to longer life expectancy. However, over time, doctors became overly reliant on penicillin. The widespread misuse of this once-miraculous drug has now led to antibiotic-resistant bacteria, creating a severe challenge for modern healthcare.
Similarly, text-based two-factor authentication (2FA), usually delivered as a One-Time Password (OTP), emerged as a powerful defense against attacks such as brute force, phishing, and credential stuffing. Introduced in the early 2000s, this method sends a random, time-limited code via SMS or email that users must enter alongside their account password to access their accounts. It quickly gained popularity for its simplicity and perceived security. However, much like antibiotics, the widespread reliance on text-based 2FA has led to diminishing returns. Its effectiveness is waning, creating a false sense of security and exposing users to new vulnerabilities.
The first cracks in text-based 2FA "resistance" appeared with the rise of SIM swap attacks. In this form of identity theft, cybercriminals convince mobile carriers to transfer a victim's phone number to a SIM card under the attacker's control. By manipulating customer service representatives, these attackers effectively hijack the victim's phone number. With this control, they can intercept incoming SMS messages, including the one-time codes for 2FA. This allows them to enter those codes on login pages or transaction confirmations, giving them unauthorized access to the victim's accounts, where they can make fund transfers or complete purchases.
While SIM swapping is a powerful method for hijacking accounts, it's not without challenges. This attack is complex and resource-intensive, requiring hackers to gather detailed personal information about their target. Equipped with this data, they must use social engineering to manipulate the victim's mobile service provider into rerouting calls and texts to the attacker's device. On top of that, the attacker still needs to know the victim's password to gain access to their accounts.
For attackers, SIM swap attacks aren't always scalable; the effort often outweighs the potential reward. These attacks require gathering detailed personal information, hiring manpower to manipulate mobile carriers, and convincing service providers to transfer phone numbers, a time-consuming process with relatively low yields. In simpler terms, it's sometimes too much work for too little gain, as only a limited number of attacks can be executed daily.
However, a new kind of "antibiotic-resistant bacteria" has emerged: Adversary-in-the-Middle (AiTM) attacks, which include Man-in-the-Middle (MITM) proxying and phishing techniques. These attacks are far more scalable and effective than SIM swapping. By leveraging automation, cybercriminals can launch large-scale AiTM phishing campaigns, targeting thousands of users simultaneously while bypassing traditional Multi-Factor Authentication (MFA) methods such as SMS OTP or out-of-band (OOB) app-based authentication.
In 2022, Microsoft uncovered a large-scale AiTM phishing campaign targeting over 10,000 organizations. This attack was designed to bypass MFA using HTTPS proxying techniques, where attackers acted as intermediaries, intercepting and hijacking the entire authentication process. The attackers aimed to initiate business email compromise (BEC) by gaining unauthorized access to Office 365 accounts. Once compromised, they used these accounts to execute fraudulent financial transactions or steal sensitive business information.
The attack started with rogue emails containing malicious HTML attachments, which redirected victims to phishing sites disguised as legitimate Office 365 login pages. These phishing pages acted as proxies, pulling content from the real Office 365 site and forwarding credentials and MFA tokens to the legitimate service in real time. This allowed attackers to capture login credentials and session cookies, which websites issue once the authentication process is complete. Replaying these session cookies bypasses MFA, giving attackers access to accounts without re-authenticating.
OOB authentication, typically delivered as push notifications, can still be phished. When the real user approves the push prompt, the attacker, who initiated the login request, gains access, because the system cannot verify whether the request came from the user or from the attacker. AiTM phishing attacks thrive on this flaw, rendering traditional MFA methods nearly useless. Here's how:
Session Hijacking: Even when a user completes authentication, the attacker who initiated the request can intercept and gain full access, bypassing MFA. The system cannot distinguish between legitimate users and attackers.
Scalability: Unlike SIM-swap attacks, which require significant manual effort, AiTM attacks can be easily automated, allowing attackers to scale operations and target thousands of users simultaneously. Tools like Evilginx2 (since 2018), an open-source toolkit, allow attackers to execute these phishing attacks with minimal effort.
Automated Attack Vectors: AiTM phishing sites can be built within hours and deployed instantly. Then, attackers will use automated bots to send phishing emails in bulk. In contrast to SIM-swapping, AiTM attacks can be completed much faster, with less effort (no training), and in higher volumes—making them more effective for mass-scale fraud and data breaches.
FIDO2 (Fast Identity Online 2) offers a robust solution to these advanced attacks by eliminating the need for traditional passwords and OTPs. Instead, FIDO2 uses public-key cryptography, ensuring that the private key never leaves the user's device, and no sensitive information is transmitted over the network. This makes FIDO2 resistant to AiTM attacks because:
Public-Key Cryptography: Even if attackers intercept session cookies, they cannot use them to hijack authentication because the private key—stored securely on the user's device—is required to complete the login process.
No Reusable Session: Unlike traditional MFA methods, FIDO2 ensures that session hijacking is ineffective. Since the private key never leaves the device, and the end-to-end encrypted challenge is unique to every session, the attacker cannot intercept and misuse authentication data.
Local Authentication: FIDO2 employs local authentication via biometrics or hardware tokens. The authentication process occurs entirely on the user's device, so even if attackers try to intercept the challenge or response, they cannot replicate or misuse the private key since it remains secured on the device.
Bluetooth-Linked QR Security: If using QR code-based authentication, FIDO2 requires Bluetooth proximity between devices, preventing attackers from accessing the authentication process remotely.
HiTRUST, a member of the FIDO Alliance, integrates FIDO2 standards into its authentication solutions, offering businesses strong, passwordless security that protects against AiTM attacks. HiTRUST's FIDO2-based solutions ensure that authentication data cannot be reused or intercepted during attacks, as the cryptographic challenge-response system is resistant to session hijacking.
Additionally, HiTRUST's patented device fingerprinting technology further enhances security by collecting over 100 unique data points to distinguish between legitimate and fraudulent devices. This multi-layered defense ensures that only trusted devices can authenticate, adding an extra level of protection against AiTM attacks.
With 25 years of experience in securing online payments, HiTRUST offers seamless integration for passwordless authentication, 3-D Secure checkouts, and fund transfer authentication. By adopting FIDO2, businesses can protect themselves from AiTM phishing campaigns, ensuring strong security while maintaining a user-friendly experience. Book a call to talk with our experts here.