Email Security Blog

How SMS 2FA Might Leave You Vulnerable to Email Account Takeover

Markus Jakobsson February 15, 2018 How Email Works
2 factor authentication

One of the biggest challenges for a security strategy is making it accessible and understandable for end-users. Thanks to this, one of the most widely used identity verification measures is the straight-forward two-factor authentication (2FA) approach, where the user is sent a unique code to prove who they are. 2FA has been especially popular via SMS text message, as even the oldest, clunkiest phone can receive a text message, and even the most dedicated luddite can open and read one.

However, SMS 2FA also comes with major weaknesses that leaves organizations and users at risk. The biggest problem is that 2FA doesn’t verify the user’s identity, only that they have access. Anyone with direct access to the device can pass through 2FA security measures as they can send themselves the code – including a criminal.

SMS Phishing

The real threat however comes from SMS phishing. The same deceptive email tactics that trick people into giving up information can be used over SMS to acquire the 2FA reset codes. One particularly powerful technique is the Verification Code Forwarding Attack, or VCFA. Here, the criminal accesses a service provider and requests an SMS code to reset their password for a particular user. Immediately afterwards, they send a fake text message to the same user, pretending to be the service provider and asking for the code “as an additional verification measure”.

In a research experiment I conducted with colleagues at New York University, we discovered that the VCFA technique can be incredibly effective, with success rates as high as 50 per cent. By comparison, success for a non-targeted email phishing attack is around one or two percent at best.

Email Account Compromise

Having a criminal gain access to any kind of system is never going to be good, but email is one of the most damaging accounts that can be hijacked. Email Account Compromise (EAC) creates a variety of security risks, most of them severe. The attacker can immediately access everything in the inbox, harvesting any confidential information that has been sent or received, from intellectual property to customer databases.

This also exposes all the user’s contacts. The attacker can look for particularly valuable individuals to target with social engineering attacks, and potentially launch these from the corrupted account itself. Malicious emails sent from a legitimate account are by far one of the most dangerous and difficult to detect forms of cyber-attack, as very few security systems are designed to detect emails from real accounts. EAC can also be used to cover for malicious emails sent from other accounts by sending a message saying something like “hey, I just sent you an attachment, but it may have been sent to spam, can you check?”

Because they lack potential “tells” such as mismatched sender IDs, EAC emails are much more difficult to detect than normal malicious email. However, while certainly a scary proposition, the good news is that EAC can still be stopped. By investigating even further, we can find more subtle elements tied to the identity of the legitimate user that are usually overlooked. For example, it is possible to detect details about the device the email was sent from, such as the operating system and screen resolution. Taken together with other signs such as the IP address, these signs can identify a potential fraudulent email even when the account itself is genuine.

Once flagged, the suspicious message can then be examined further to confirm if a fraudster really has hijacked the account, or if the mismatch is benign – say the CEO spilt coffee on their laptop at home and is using a spouse’s.

While we can still potentially spot even an advanced attack from a legitimate account, EAC still poses an extremely serious threat. Considering the level of risk involved, I implore any enterprise still using SMS-based 2FA for its users or customers to move on as soon as possible – particularly if its tied directly to their email account. Organizations should be exploring other 2FA methods such as app-based verification if they are to keep their users safe.

Agari Blog Image

October 22, 2019 Crane Hassold

The Threat Taxonomy: A Working Framework to Describe Cyber Attacks

Imagine going to the doctor and only being able to say “pain” or “sick”. You…

Agari Blog Image

February 20, 2018 Jacob Rideout

Strengthen DKIM Signatures with DCRUP

In this final post of the DMARC series we’ll discuss the latest crypto updates to…

Agari Blog Image

February 13, 2018 Jacob Rideout

The Arrival of ARC

As we mentioned in the first post of this series, with the arrival of ARC,…

Agari Blog Image

September 28, 2016 Gabriel Ortiz

Software Ate My Infrastructure: 2 Years on AWS with Ansible, Terraform and Packer - Part 2

Agari has made significant investment into infrastructure as code. Almost two years into this project,…

Agari Blog Image

August 31, 2016 Gabriel Ortiz

Software Ate My Infrastructure: 2 Years on AWS with Ansible, Terraform and Packer - Part 1

Agari has made significant investment into infrastructure as code. Almost two years into this project,…

mobile image