Two-Factor Authentication (2FA)

What Is Two-Factor Authentication (2FA)?
Two-factor authentication (2FA) is a security system that requires two distinct forms of identification in order to access something.

Two-factor authentication can be used to strengthen the security of an online account, a smartphone, or even a door. 2FA does this by requiring two types of information from the user—a password or personal identification number (PIN), a code sent to the user's smartphone, or a fingerprint—before whatever is being secured can be accessed.

KEY TAKEAWAYS
  • Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something.
  • The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.
  • While 2FA does improve security, it is not foolproof.

Understanding Two-Factor Authentication (2FA)
Two-factor authentication is designed to prevent unauthorized users from gaining access to an account with nothing more than a stolen password. Users may be at greater risk of compromised passwords than they realize, particularly if they use the same password on more than one website. Downloading software and clicking on links in emails can also expose an individual to password theft.

Two-factor authentication is a combination of two of the following:
  • Something you know (your password)
  • Something you have (such as a text with a code sent to your smartphone or other device, or a smartphone authenticator app)
  • Something you are (biometrics using your fingerprint, face, or retina)

2FA is not just applied to online contexts. It is also at work when a consumer is required to enter their zip code before using their credit card at a gas pump or when a user is required to enter an authentication code from an RSA SecurID key fob to log in remotely to an employer’s system.

Important: Despite the slight inconvenience of a longer log-in process, security experts recommend enabling 2FA wherever possible: email accounts, password managers, social media applications, cloud storage services, financial services, and more.

Example of Two-Factor Authentication (2FA)
Apple account holders can use 2FA to ensure that accounts can only be accessed from trusted devices. If a user tries to log in to their iCloud account from a different computer, the user will need the password, but also a multi-digit code that Apple will send to one of the user's devices, such as their iPhone.

Special Considerations
While 2FA does improve security, it is not foolproof. Hackers who acquire the authentication factors can still gain unauthorized access to accounts. Common ways to do so include phishing attacks, account recovery procedures, and malware.

Hackers can also intercept text messages used in 2FA. Critics argue that text messages are not a true form of 2FA since they are not something the user already has but rather something the user is sent, and the sending process is vulnerable. Instead, the critics argue that this process should be called two-step verification. Some companies, such as Google, use this term.

Still, even two-step verification is more secure than password protection alone. Even stronger is multi-factor authentication, which requires more than two factors before account access will be granted.

(c) https://www.investopedia.com/terms/t/twofactor-authentication-2fa.asp
 
6 main methods of hacking two-factor authentication
Two-factor authentication (2FA) has long been known for the security it can bring to organizations and their customers. The combination of what you know, what you have, and what you are is the heart and soul of 2FA and helps explain its relative reliability.

Even so, attackers are known to have several ways to successfully attack 2FA, and it's your job as an ethical hacker to understand these potential attacks. This article will describe in detail the six main methods of attacking two-factor authentication and give you a complete picture of the types of two-factor authentication attacks that you may encounter while working as an ethical hacker.

What is two-factor authentication?
2FA is an authentication method that adds extra security. Rather than relying solely on the traditional username and password combination, 2FA schemes require users to present two of the following:
  • Something you know: password, PIN, etc.
  • Something you have: a smart card, a USB token, etc.
  • Something you are: voice, iris, fingerprints, etc.

There are two authentication methods:
  • One-way: the most common type of authentication. Only one side is authenticated (server-only or client-only), and server-only authentication is the most commonly used.
  • Two-way (mutual authentication): both the client and the server must authenticate to each other. It is less common than one-way authentication, but more secure.

1. Social engineering
Without a doubt, the best way to attack 2FA is through social engineering. 2FA relies heavily on knowledge that is known only to the user, and when a website or service that uses 2FA doesn't seem to work, users naturally turn to technical support. Attackers pose as technical support to pressure the user into resetting their password or handing over confidential information related to their 2FA.

This is a natural weak point for 2FA: any interaction with the support team makes the disclosure of confidential user information almost inevitable, and only a few questions need to be asked (or none at all, if the user volunteers the information).

2. Session cookie hijacking
Session cookie theft has been around since the advent of networked computers, and there are said to be hundreds of ways to capture a session cookie, even when 2FA is used for authentication.

A recently unveiled method for performing this technique was demonstrated by hacking expert Kevin Mitnick using a man-in-the-middle attack framework called evilginx. The victim is tricked into visiting a typosquatted domain that serves a proxied login page; the user's interaction lets evilginx capture the credentials and the authentication code, which are then forwarded to the legitimate site. The end result is a recorded session cookie that can be used indefinitely.

3. Duplicate code generator
Depending on how your organization has implemented 2FA, code or number generators can be used to create "something you know" (see Google Authenticator).

"Random" number generators usually start with an initial value that is randomly generated, which in turn is used to generate the first number in the code. This first value is used by the algorithm to generate subsequent code values. If attackers learn the algorithm and seed, they can use this information to create a duplicate code generator that is identical to the compromised user's code generator.

4. Two-factor authentication "not required"
Some websites and services that let users enable 2FA do not require it, which means the user has no real 2FA: single-factor (1FA) access remains available to both the user and attackers, and attackers can use 1FA to access the site or service.

The worrying thing is that many widely used websites, including Facebook, LinkedIn, and Twitter, do not require two-factor authentication even though they offer it. In such cases, attackers can bypass two-factor authentication by answering password reset questions, which are far less secure.

5. Brute force
What would authentication attacks be without the classic brute-force attack? Even though 2FA offers better security than 1FA, brute force can help attackers get around it.

Brute-force attacks are possible if the 2FA screen does not lock the account after a predetermined number of failed attempts. It works like this: the attacker triggers a password reset message to the compromised user's email address, uses that password reset email to set a new password, and then simply brute-forces the user's 2FA code.

6. Bugs in two-factor authentication
Mistakes are still a fact of life in the modern world, and this extends to 2FA as well. Over the past year or so there have been several examples of bugs affecting widely used websites and services, including Uber.

The danger of a 2FA bug is the sheer number of machines it can affect. For example, in 2017 the Return of Coppersmith's Attack (ROCA) vulnerability was found to affect all 2FA products, including smart cards and TPM chips, that use RSA keys generated by Infineon Technologies with a key length of 2048 bits or less (most of them). To this day, hundreds of millions of devices are affected.

Conclusion
Two-factor authentication was supposed to be a major security upgrade for many websites and services, and in fact it is. Even so, attackers have exploited inherent flaws in the technology and its implementation to attack 2FA and ultimately gain access to the website, the service, or even the system.

Ethical hackers should be aware of these different 2FA attack methods. This is because there is a chance that at least one of these methods will be used against their organization at some point.

Thanks for your attention!
 
Testing 2FA and possible workarounds
2FA is confirmation of an action by entering a generated code. It raises the level of security and puts a spoke in the wheel of a would-be attacker, either mid-attack or before it even starts.

Code-based verification is very common: it is used everywhere on all sorts of sites and can be attached to both the primary and the secondary login. But its use is not limited to that. Developers attach confirmation to the password recovery flow, registration / subscription confirmation, additional confirmation of financial transactions, password changes and changes to personal data. Occasionally 2FA is even used as the only barrier after logout, in place of a password or another confirmation method.

In this article, we will look at ways to test 2FA for vulnerabilities, their exploitation, as well as possible options for bypassing existing protection against certain types of attacks. Let's take a look at the list of vulnerability checks that apply to 2FA:

1. No Rate Limit
Rate limiting is tested by checking whether a user session (or IP address) can be limited in the number or speed of its attempts, and under what circumstances that happens. If the user has made too many requests within a certain period, the web application may respond with a 429 (Too Many Requests) status, or apply the rate limit silently without showing any error. The absence of a rate limit means that during an ordinary brute-force run there are no restrictions on the number and/or speed of attempts: codes can be iterated any number of times (at any speed) within the session / token validity period.

Quite often you come across a "silent" rate limit: if you see no errors and the HTTP body / status code does not change in subsequent requests, it is too early to celebrate; first you need to check the end result of the attack by submitting a valid code.

2. Rate limit exists, but it can be bypassed
Cases I have encountered in practice:

1) Rate limiting by request speed, with no lockout once the threshold is reached
Security researchers often try to guess the code using 5 or more threads to run the attack faster (Burp Intruder uses 5 threads with no delay by default). But sometimes the anti-brute-force system, or an ordinary load balancer, reacts only to that one factor. If you are brute-forcing with 5 threads, it is worth dropping to 1 thread, and then to 1 thread with a one-second delay. I have been lucky enough to see this behaviour before, and it was exactly this manipulation that let the code be guessed, leading to an account takeover. If the 2FA code has no expiry, we have plenty of time for brute force. If it does expire, the attack is less likely to succeed, but the vulnerability is still potentially dangerous.

2) The generated OTP code does not change
This does not apply to constantly changing codes like those in Google Authenticator, only to static ones delivered by SMS, email or a messenger DM.

The essence of this bypass is that, constantly or for some period (say, 5 minutes), the same OTP code is sent by SMS and remains valid for that whole period. It is also worth making sure that a silent rate limit is not kicking in.

Sample report: hackerone.com/reports/420163

Let's say the application generates a random code from 001 to 999 and sends it to the phone, and for 10 minutes each use of the "resend" function delivers the same code. But the request carries a rate limit that caps the number of attempts per request token. We can keep requesting a new code, obtain a new request token, apply it to the next request (using grep-match in Burp Suite or our own script) and brute-force the range from 001 to 999. Because the code is static for that period, constantly switching to a fresh request token will eventually hit the right one. What limits this attack is a long code, or one that mixes letters and digits.

That should not discourage you: try iterating over at least part of our list, because the randomly generated code may well fall within that part. When iterating you are relying on chance, but there is still a chance of hitting the right combination, which proves a vulnerability that definitely needs fixing.

3) The rate limit is reset when the code is resent
The code-check request has a rate limit, but after triggering the resend function it is reset and lets you continue brute-forcing the code.

Examples of reports:
hackerone.com/reports/149598 - theory;
hackerone.com/reports/205000 - practical exploit based on a previous report.

4) Bypassing the rate limit by changing the IP address
Much blocking is based on limiting requests from an IP address that has reached a threshold number of attempts. If you change the IP address, it may be possible to bypass this limitation. To check this method, simply change your IP using a proxy server / VPN and see whether the blocking depends on the IP.

IP change methods:
  • Proxies can be used in an attack with the IP Rotate add-on for Burp Suite, github.com/RhinoSecurityLabs/IPRotate_Burp_Extension. In my opinion this is the best choice, because it gives us practically unlimited brute-force attempts and IP addresses, letting us run the brute force without 42x errors and interruptions.
  • A Python script using the requests module with proxies can also be a good option, but first you need to obtain a large number of working proxies from somewhere.
Since IP Rotate sends requests from AWS IP addresses, all requests will be blocked if the web application sits behind a Cloudflare firewall. In that case you additionally need to find the IP of the origin web server, or find a method that does not depend on AWS IP addresses.

5) The site supports X-Forwarded-For. The X-Forwarded-For header can be used to change the apparent IP. If the application honours this header, simply send X-Forwarded-For: desired_IP to spoof the IP and bypass the restriction without any extra proxies. Every time a request is sent with X-Forwarded-For, the web server will believe our IP address is the value passed in the header. Material on this topic: hackerone.com/reports/225897

medium.com/@arbazhussain/bypassing-rate-limit-protection-by-spoofing-originating-ip-ff06adf34157

3. Bypassing 2FA by substituting part of the request from another account's session
If the code-check request carries a parameter with a specific value, try sending that value from another account's request.

For example, when the OTP code is sent, a form ID, user ID or cookie tied to that code delivery is checked. If we take those parameter values from the account whose code check we need to bypass (Account 1), apply them to the session of a completely different account (Account 2), receive the code there and enter it on the second account, the protection on the first account can be bypassed. After reloading the page, the 2FA prompt should be gone.

4. Bypassing 2FA via the "remember me" functionality
Many sites with 2FA have a "remember me" function. It is useful when the user does not want to enter the 2FA code on every subsequent login. It is important to identify how 2FA is "remembered": this may be a cookie, a value in session / local storage, or simply binding 2FA to an IP address.

1) If 2FA is bound by setting a cookie, the cookie value must be unguessable
That is, if the cookie consists of a number that increments for each account, a brute-force attack on the cookie value can bypass 2FA. Developers should give this cookie (along with the session cookie and the CSRF token) the HttpOnly attribute, so that it cannot be stolen via XSS and used to bypass 2FA.

2) If 2FA is bound to an IP address, you can try to spoof it
To identify this method, log in to your account using the 2FA "remember" function, then switch to another browser or the current browser's incognito mode and try to log in again. If 2FA is not requested at all, it has been bound to the IP address.

To spoof the IP address you can use the X-Forwarded-For header at the login / password stage, if the web application honours it.

This header can also bypass an "IP address whitelist" function, if one is present in the account settings. It may be used together with 2FA as extra account protection, or 2FA may not be requested at all when the IP matches the whitelist (with the user's consent). So even without 2FA being bound to an IP address, in some cases 2FA can be bypassed by bypassing the related protections.

In general, binding 2FA to an IP address is not a fully secure protection method, since anyone on the same network, behind the same VPN, or with the same ISP and a static IP address can bypass 2FA.

The safest option is not to remember 2FA at all, at the expense of usability.

5. Improper access control on the 2FA entry page
Sometimes the 2FA entry dialog is a page whose URL carries parameters. Allowing access to such a page, with parameters in the URL, using cookies that differ from those used when the page was generated, or with no cookies at all, is unsafe. If the developers decide to accept that risk, several important points still need checking:
  1. Does the 2FA entry link expire?
  2. Is the link indexed by search engines?
If the link has a long lifetime and/or working 2FA entry links exist in search engines or can be indexed (no rules in robots.txt / meta tags), then the 2FA mechanism can potentially be bypassed on the 2FA entry page, skipping the login and password step entirely and gaining access to someone else's account.

6. Insufficient masking of personal data on the 2FA page
When the OTP code is sent, the page masks personal data such as email, phone number, nickname, etc. But this data can be fully disclosed through API endpoints and other requests for which we already have sufficient rights at the 2FA stage. If the data was not known initially, for example we entered only a login without knowing the phone number, this counts as an Information Disclosure vulnerability. Knowing the phone number / email can be used for subsequent phishing and brute-force attacks.

An example of exploiting this using credential stuffing. Say there is a publicly available database of logins and passwords for site A. Attackers can use data from this database on site B:

First, they check whether the user exists in site B's database via an account enumeration bug in registration / password recovery. Many sites do not consider this a vulnerability and accept the risk. The "vulnerability" is an error message that reveals whether the user is registered on the site. Ideally, a secure message on the password recovery page looks like this:
[two screenshots of a password recovery page, not reproduced]
To be continued...
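An added simulation of checks 1 and 2 above. This is my code, not the author's, and there is no real target: the "server" is an in-process class. WeakOtpVerifier reproduces three of the patterns described: the code stays the same when "resend" is pressed (2.2), the attempt counter is keyed on the per-request token rather than on the account (2.2 and 2.3), and client_ip_naive() takes the client address from X-Forwarded-For without checking who sent it (2.4 and 2.5). brute_force_rotating_tokens() plays the attacker from the 001-999 example: every time the limit trips it requests a resend, gets a fresh token and carries on with the same guess. HardenedOtpVerifier and client_ip() show the fixes: a per-account counter, a new code on every resend, single-use codes, and X-Forwarded-For honoured only when the TCP peer is a trusted proxy. The names, the 3-digit code space, the limit of 5 attempts and the proxy address are assumptions for the demonstration.

```python
import hmac
import secrets
from collections import defaultdict

MAX_ATTEMPTS = 5                  # assumption: the server's attempt threshold
TRUSTED_PROXIES = {"10.0.0.1"}    # assumption: the address of our own reverse proxy


def client_ip_naive(peer_ip, xff=""):
    """Check 2.5 as found in the wild: the header wins over the real TCP peer, so an
    IP-keyed limit is keyed on whatever the attacker writes into X-Forwarded-For."""
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip(peer_ip, xff=""):
    """Hardened: honour X-Forwarded-For only when the peer is our own proxy, and use the
    address that proxy appended (the last one), never the attacker-supplied first one."""
    if peer_ip not in TRUSTED_PROXIES or not xff:
        return peer_ip
    return xff.split(",")[-1].strip()


def _random_code(digits):
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class WeakOtpVerifier:
    """Checks 1, 2.2 and 2.3 in one class: the code is static until it expires, a resend
    returns the same code with a fresh request token, and attempts are counted per token."""

    def __init__(self, digits=3):
        self.digits = digits
        self.codes = {}                     # account -> current code
        self.attempts = defaultdict(int)    # (account, token) -> failed attempts

    def send_code(self, account):
        # BUG: a resend rotates the token but not the code.
        self.codes.setdefault(account, _random_code(self.digits))
        return secrets.token_hex(8)

    def verify(self, account, token, code):
        if self.attempts[(account, token)] >= MAX_ATTEMPTS:
            return "rate_limited"           # a real app may answer 429, or stay silent
        if hmac.compare_digest(code, self.codes[account]):
            return "ok"
        self.attempts[(account, token)] += 1
        return "wrong"


class HardenedOtpVerifier:
    """Fixes: counter keyed on the account, a new code on every resend, single-use codes."""

    def __init__(self, digits=3):
        self.digits = digits
        self.codes = {}
        self.failed = defaultdict(int)      # account -> failed attempts across all tokens

    def send_code(self, account):
        self.codes[account] = _random_code(self.digits)
        return secrets.token_hex(8)

    def verify(self, account, token, code):
        if self.failed[account] >= MAX_ATTEMPTS:
            return "rate_limited"           # in production the lockout expires with the code
        if account in self.codes and hmac.compare_digest(code, self.codes[account]):
            del self.codes[account]         # single use: a replayed code fails
            self.failed[account] = 0
            return "ok"
        self.failed[account] += 1
        return "wrong"


def brute_force_rotating_tokens(verifier, account):
    """Attacker from check 2.2: walk the whole code space; whenever the limit trips,
    press 'resend' to get a fresh token and retry the same guess. Returns (code, requests)."""
    token = verifier.send_code(account)
    sent = 0
    for guess in range(10 ** verifier.digits):
        code = f"{guess:0{verifier.digits}d}"
        result = verifier.verify(account, token, code)
        sent += 1
        if result == "rate_limited":
            token = verifier.send_code(account)
            result = verifier.verify(account, token, code)
            sent += 1
        if result == "ok":
            return code, sent
    return None, sent


if __name__ == "__main__":
    print("weak    :", brute_force_rotating_tokens(WeakOtpVerifier(), "victim"))
    print("hardened:", brute_force_rotating_tokens(HardenedOtpVerifier(), "victim"))
    print("naive ip:", client_ip_naive("203.0.113.9", "127.0.0.1"))   # attacker picks the IP
    print("real ip :", client_ip("203.0.113.9", "127.0.0.1"))         # header ignored
```

Against the weak verifier the attacker always wins in about 1,200 requests for a 3-digit code (5 guesses per token, then one wasted request per resend). Against the hardened one the only way in is a lucky guess inside the first 5 attempts, a 5/1000 residual that is why a short numeric code should not be combined with even a correct limiter; with 6 digits that residual drops to 5 in a million.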
 

🛡 Two-factor authentication (2FA): what it is and why it is needed

Have you ever received a notification from your bank, email, or social media account that someone tried to log in to your account from an unknown device? The idea that someone might have gotten hold of your personal information can be quite frightening. But don't worry!

There is a simple but effective way to protect your online accounts. It is called two-factor authentication, or 2FA for short. In this article, we'll take a closer look at what 2FA is, how it works, and most importantly, why it's necessary in today's world of endless data leaks and hacking attempts. So, sit back and let's understand the intricacies of 2FA!

What is two-factor authentication (2FA)?

2FA is a security measure that requires users to provide two forms of identification before gaining access to their account. The first factor is usually the password that the user knows. The second factor is a verification code, such as a code generated by an app or sent via SMS to your phone.

The idea behind 2FA is that even if a hacker manages to get hold of a user's password, they won't be able to access the account without a verification code. In other words, 2FA adds an additional layer of security to protect users' confidential information.

There are several types of 2FA:
  1. SMS-based 2FA: This is the most common type of 2FA, which involves sending a verification code via SMS to the user's phone number. However, this method is criticized for being vulnerable to SIM swapping attacks.
  2. Application-based 2FA: This type of 2FA involves using an authentication application, such as Google Authenticator or Authy. The app generates a code that users enter when they log in to their accounts.
  3. Hardware-based 2FA: This type of 2FA involves using a physical device, such as a security key or USB token. The user inserts the device into the computer or attaches it to the phone to verify their identity.
Dolphin{anty} uses app-based 2FA.

Why do I need 2FA?

You may be wondering: "Why do I need 2FA? I already have a strong password!" Imagine: you have a strong and unique password for your online bank account. You feel safe, right? But one day you get a notification that someone tried to log in to your account from an unknown device. You panic and wonder, "How did they find out my password?" This scenario is becoming increasingly common. Hackers use a variety of tactics to obtain passwords, including phishing scams, social engineering, and data breaches. Once they get your password, they can gain access to your account and steal your important personal and financial information. So what can you do to prevent this from happening? As you may have guessed, enable two-factor authentication.

2FA adds an additional layer of security by requiring the user to provide two forms of identification before accessing their account. This means that even if your password is compromised, attackers will still not get access to your account.

You might be thinking, "But 2FA is a hassle! I have to go through an extra step every time I log in!" While this may seem inconvenient at first, consider it a small price to pay for the security of your confidential information. Believe me, it's worth it.

By the way, we wrote about the importance of strong passwords in the last article.

How to set up 2FA in Dolphin{anty}

You can set up 2FA in Dolphin{anty} in your merchant profile on the site. To do this, log in and click "Enable" next to the "Double Authentication" field.

Next, you need to download one of the authentication apps to your phone or tablet:
  • Google Authenticator (Android, iOS);
  • Duo Mobile (Android, iOS);
  • Microsoft Authenticator (Android, iOS).
After that, you need to scan the QR code that will appear in your Dolphin{anty} merchant profile and enter the code generated by your app.

That's all. Now you have two-factor authentication installed on your account, which will increase the security of your personal data.

What should I do if I lose my authentication device?

If you lose your authentication device, you can use a backup code to log in to your account.

A list of backup codes can be found in your merchant profile on the Dolphin{anty} website. Each code can be used once. Keep them in a safe place and don't show them to anyone.

Let's sum up the results

2FA is a necessary security measure in the modern world. Passwords alone are no longer enough to protect your accounts. By enabling 2FA, you can ensure security and protect your confidential information.

We strongly recommend using 2FA for Dolphin{anty} accounts. Setting up double authentication will take you a couple of minutes, and you will always have peace of mind for your data!
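An added example of what "each code can be used once" and "keep them in a safe place" imply on the server side of a backup-code scheme like the one described above. This is my code, not Dolphin{anty}'s (whose implementation is not shown on this page): codes come from a CSPRNG, only salted PBKDF2 hashes are stored, a redeemed code is deleted so it cannot be replayed, user-typed formatting is normalised, and the lookup compares in constant time against every stored hash. The alphabet, code length, iteration count and names are my choices.

```python
import hashlib
import hmac
import secrets

# Assumptions for the demo: 10 codes of 10 characters from an alphabet without
# look-alike characters (no 0/O, 1/l/I), hashed with PBKDF2-HMAC-SHA256 before storage.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """CSPRNG-generated codes, shown as xxxxx-xxxxx so they are easy to transcribe."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def normalise(code: str) -> str:
    """Accept what users actually type: upper case, spaces, a missing hyphen."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the server keeps: one salt and the hashes of the codes not yet used.
    The plaintext codes exist only on the page shown to the user once."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = [_digest(c, self.salt) for c in codes]

    def redeem(self, submitted: str) -> bool:
        """True at most once per code. Compares against every stored hash without an
        early exit, so response time does not reveal which entries are still unused."""
        candidate = _digest(submitted, self.salt)
        match_index = -1
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(candidate, stored):
                match_index = i
        if match_index < 0:
            return False
        del self._unused[match_index]       # single use: the same code fails from now on
        return True

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("codes shown once to the user:", codes)
    print(store.redeem(codes[0].upper().replace("-", " ")))   # True, formatting tolerated
    print(store.redeem(codes[0]))                              # False, already used
    print(store.remaining())                                   # 9
```

Because only hashes are kept, a database leak does not hand out working backup codes, and because a redeemed hash is deleted, an attacker who shoulder-surfs a code after it has been used gains nothing; the user's side of the bargain is to store the printed list as carefully as a password.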
 