Vulnerability Of Two-Step Authentication Revealed

Logging in on tablet

Two-step, or two-factor authentication is a generally trusted way to secure online accounts to ensure that only the account holder can access them. A recent hack on Blizzard’s World of Warcraft online game has exposed a vulnerability many had previously overlooked, however. Antone Gonsalves at Network World details how the attack took place and how it can be prevented in the future.

Two-step authentication requires a user to log-in to their account with their username and password. Then, a second passcode or PIN is supplied to users via text message, email or other means. That second code must also be input to give users access to their accounts. This two-step method is used to verify users anytime they use a new device to log-in.

It seems like a foolproof method for keeping hackers out of accounts that don’t belong to them, but the recent World of Warcraft hack demonstrated how a ‘man-in-the-middle’ attack provides a way around two-step authentication.

First, a trojan infected users on a popular online forum related to World of Warcraft. That trojan allowed for a man-in-the-middle attack, which allows criminals to intercept data and information a user believes they’re entering into a website. In this case, users attempted to log into their accounts using two-step authentication, but were really only giving hackers the information they needed to break into the accounts themselves. This also locked the actual users out of their own accounts.

Similar attacks have been observed on banking sites, where two-step authentication is also commonly used. Experts say these attacks highlight the weakness of most two-step authentication methods, which is the use of in-band authentication or using the same channel to input all information.

Because users are asked to enter their username, password and original generated code at the same time, over the same channel, it makes man-in-the-middle attacks extremely effective. Instead, experts suggest sites use two separate channels. For example, log-in to your account online with your usual information, then users would be prompted to enter a one-time PIN into a mobile app on their smartphone. Another suggested method is to send automated text alerts to users when someone tries to log-in using their information. If the IP address or geographic location doesn’t match their own, users would be able to reject the log-in attempt.

The lesson for users and businesses alike is that even two-step authentication doesn’t keep accounts completely secure. Hackers are getting more intelligent in their attacks all the time and technology that was once thought unbreakable now has vulnerabilities.

If your computer is infected with malware, or you’d like to investigate better security methods for home or business, call Geek Rescue at 918-369-4335.

January 9th, 2014