Two-Factor Authentication (2FA) has been recommended by cybersecurity experts as a line of defence against incidents such as identity theft.

However, recent research by TNK2 External Advisor and Principal Researcher Dr Jay Jeong shows that attackers can bypass SMS-based 2FA by using message-mirroring apps from the Google Play Store to read the one-time codes sent to a victim's phone.

Read more about the vulnerability in The Conversation and the ABC.

The human factors

Password Managers

According to the article, one of the key requirements for the attack is a compromised Google account, since an attacker signed in to the victim's Google account can install apps remotely onto any Android device linked to it. This is where a password manager limits the extent of a compromise. One of the key human-factor challenges TNK2 is addressing through its cybersecurity training and awareness solutions, CyEd and Upling, is the low adoption of password managers. A password manager secures your online accounts by generating a unique, strong password for each one, so a breach of one service (such as your Microsoft account) does not compromise another (such as your Google account) through a reused password.

Multi-Factor Authentication (MFA) and Organisational Change

Another factor is the widespread prevalence of SMS-based 2FA, which has not been addressed at the organisational level. While far more secure MFA options have been available for years, such as authenticator apps (Google Authenticator, Duo) and physical security keys (for example a YubiKey from Yubico), many organisations and online services (such as mygov.org.au) still offer SMS as the default, and often the only, 2FA option for end users.

To mitigate such vulnerabilities, organisations need to offer these more secure alternatives to both employees and end users rather than relying on legacy channels such as SMS for authentication.

Social Engineering

The last crucial factor is social engineering, which we have been tackling at TNK2.

More importantly, this attack doesn’t need high-end technical capabilities. It simply requires insight into how these specific apps work and how to intelligently use them (along with social engineering) to target a victim.

Source: The Conversation

Targeted training such as CyEd and Upling helps individuals who are particularly vulnerable to recognise social engineering attempts and creates a line of defence against such incidents.

The takeaway is that both individuals and organisations need to take a proactive stance on their authentication measures. This includes shifting the attitudes and awareness of employees so that organisations adopt the recommended changes and reduce the risk of vulnerabilities like this one.

Our recommendations for staying safe

(a) Ensure your first line of defence (usernames and passwords) is secure. A password manager such as LastPass can ease the cognitive load of remembering complex, unique passwords.

(b) Where the option exists, use an MFA method other than SMS: an authenticator app (for example Google Authenticator or Duo) or, better still, a physical security key such as a YubiKey from Yubico.

(c) Make sure your organisation and staff are up to date with emerging threats that can be mitigated by addressing human error, through services such as those offered by TNK2.

You can learn more about how TNK2 addresses the human factors in cybersecurity by getting in touch with us.