In my last blog, I posted about the value of implementing two-factor authentication (2FA) as a significant enhancement to the security of the traditional username/password authentication method. The availability of free authentication applications like Google Authenticator, Authy, and FreeOTP (there are many more), and the ever-growing list of public websites that now support these applications, has changed 2FA from the exception to the rule for secured access.
Recently, I was contacted for some technical advice by an executive (we will call him RW) after his personal email account had been compromised. Ultimately, RW suffered a direct loss of about $30,000.00 stolen from an investment account, spent untold hours on the phone with multiple vendors trying to clean up the mess, and had his personal information completely compromised. Unfortunately, this type of attack has become much more common in the past 2 years, as targeted email phishing has overwhelmingly become the preferred method used by hackers for acquiring valid authentication credentials and/or delivering malware.
After understanding the details of the hack, I quickly realized that there were really two important steps performed by the hacker that facilitated the theft. The first was the malware infection: the malware initially installed on RW’s computer was designed only to gather information and capture keystrokes. The hacker was able to trap the correct username and password for RW’s Microsoft OneDrive account, where RW had stored all of his personal information (including scanned copies of passports), financial account URLs, and access credentials. This was a powerful first step for the hacker, as it provided an immediate roadmap of the financial websites to access, the credentials, security questions, and additional PIN codes required to gain access to those sites, and any other email addresses that may have been used as a backup verification method.
It’s interesting to note that this first step by itself doesn’t get the hacker very far, as they would have no facility to generate the 2FA code required to complete the login on the websites that have 2FA enabled. You might be asking yourself (I certainly did) how the hacker got around this problem, which brings me to the all-important second step. Armed with all the personal information from the target, the hacker was able to successfully transfer the target’s T-Mobile cell phone service to a new phone in the hacker’s possession. It isn’t clear whether the T-Mobile customer representative got duped, or whether the hacker produced whatever information was requested, but it’s why the old text message 2FA method has been replaced with applications like Google Authenticator.
Regardless, even transferring the phone still didn’t get the hacker all the way there. However, many websites have a backup feature enabled so that if you lose your authenticator, you can reset access on the account using a standard text message. With the cell service transferred to a phone in the hacker’s possession, those sites would be easily accessible. In the case of Google Authenticator, if the hacker gains access to the Google email account tied to the authenticator, the authenticator key pairs can be moved to a new device, which, for those of you who enjoy chess analogies, is checkmate (hacker wins).
There are lots of things to learn from this case, but here are at least the top three. First, if you are going to store your personal information online, make sure that 2FA is enabled to access it. This won’t necessarily prevent a hacker from gaining access to it through your device, i.e., your PC, tablet, or Mac, but if 2FA is turned on, they can’t access it remotely, which will slow them down a lot. Second, make sure you have 2FA turned on to access the online account tied to your authenticator application, since transferring the key pairs to another device is game over for you. Third, talk to your carrier about hardening your wireless account to prevent anyone from transferring your cell service to a new cell phone. AT&T has an enhanced security feature that requires a PIN code to be provided online, in their retail stores, and over the phone to change anything on the wireless service for a phone. I do have this enabled on my phone, and I don’t have that PIN code documented anywhere online. I suspect the other carriers have something similar.
These recommendations are not guaranteed to prevent a hacker from succeeding, but often, the goal is just to slow them down long enough for your detection tools to set off an alarm.