Two-factor authentication is an important way to help keep your online accounts safe — but it’s not perfect.
It requires an extra layer of proof before anyone trying to log in gets access to an account.
After the password is entered correctly, a temporary code known as a one-time password (OTP) is sent to the account owner’s smartphone. The code is then entered to complete the login process.
That way, even if the user’s password is guessed, stolen, or cracked, the attacker can’t get into the account without physical access to the paired phone.
But if the attacker is able to smuggle rogue software onto a user’s smartphone, they can defeat two-factor. Researchers at cybersecurity firm Symantec have discovered malware that can steal OTP codes and use this to hijack a user’s accounts. (The malware was previously reported on by The Register.)
The malware is for Android smartphones, and is called Android.Bankosy. It specifically targets two-factor authentication codes delivered by automated phone call. Normally, after entering their password, the user will receive an automatic call from the company, which will tell them the OTP code to enter to gain access to their account.
But Android.Bankosy redirects the user’s phone calls to the phone of the attacker, letting them steal the OTP code and access the account. Two-factor is often used to protect bank accounts — meaning that bypassing it can be highly lucrative for hackers.
Some two-factor systems use text messages rather than phone calls to deliver codes, and Symantec says it has seen malware capable of stealing these too.
Of course, for this exploit to work, the attacker has to be able to get the malware onto the smartphone in the first place. They might do this by exploiting another security hole, or smuggle it using an app installed from outside of the Google Play Store.
Similarly, they also need the user’s original password. This might be stolen via a “man-in-the-middle” attack when the user is browsing on an insecure network, or via keylogging malware.