By Steve Endow
January 2019 Update: A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-the-middle attack.
https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
This type of attack can apparently defeat most, if not all code based 2FA systems.
I have a separate blog post discussing YubiKeys / U2F tokens, which are touted as being more secure than code-based 2FA authentication schemes.
The article mentions that the tool "is inefficient against U2F-based schemes that rely on hardware security keys." I am not sure if author did mean inefficient, or if he meant ineffective, but I don't think U2F tokens would prevent the browser from authenticating with a YubiKey with the MITM in place.
If anyone has information indicating that U2F validates the URL and / or can prevent this type of MITM proxy attack, I would love to read about it.
The other day I received a Skype message from a friend. It was an abbreviated URL using the Google URL shortener.
It looked something like this:
https://goo.gl/zADTrqeUItixixqazsva&34525?id=username
Since it was from a friend I knew well, I was about to click on it.
Then I paused.
The URL format seemed a bit odd. After a moment of reflection, I realized it looked suspicious. Then I realized that the message appeared in Skype. And this friend doesn't message me on Skype. And I vaguely recall receiving a similar message on Skype from a customer a few years ago.
I messaged my friend through another app and let him know that his Skype account had been compromised.
He was able to login to his Skype account and confirm it had been compromised. He was able to see several logins from other countries.
He let me know that he reset his password, and considered the problem resolved.
I then recommended enabling two factor authentication on the account.
His response: "I don't regularly use the account, so I don't want to deal with the potential hassle of 2FA".
I propose looking at 2FA differently.