New Tool Gets Around Security Verification

March 15, 2019

Email phishing has long been the hacker's most reliable way in. One important part of staying secure is taking additional steps to verify your identity when shopping or banking online, or simply logging in to any online account. One of the most useful tools for that is two-factor authentication (2FA), which adds a second step, usually a one-time code, to the password you enter at login. It has been around a while and is a simple, direct way of adding a security precaution, until now. Security researchers recently described a way hackers can relay your 2FA step to the real site and walk away with access to your account, without you even knowing they were there.

Training and cybersecurity education have helped reduce the success of email phishing, but this latest attack tricks users into handing over their passwords and the very 2FA codes they count on for online security, and socially engineered phishing campaigns built on it are more successful than ever. Hackers present a web page designed to be the spitting image of the login page you expect to see for your account. But rather than just crafting a copy of your legitimate site, a bypass tool called Modlishka works as a reverse proxy: it pulls the real content from the actual website as you browse and serves it to you from the attacker's own domain, so every page is identical to what you expect. That's the scary part. The password and one-time code you type are passed straight through to the real site, which accepts them, and the logged-in session it hands back is captured by the attacker on the way past. Once the hackers have what they want, they pass you on to your intended website, already signed in, so nothing looks wrong.

Although 2FA doesn't guarantee safety from phishing, as this case demonstrates, it still adds a genuine second layer of protection. It should always be turned on when it's offered as an option for your online accounts.

To counteract 2FA compromise, there's a more secure approach

Multi-factor authentication (MFA) is the broader form of the same idea: it combines two or more independent ways of verifying your identity, and 2FA is simply the two-factor case. It matters most for high-security logins (think nuclear power plants and government accounts), where three factors may be required. Which factors you use matters as much as how many: a one-time code, whether from a text message or an authenticator app, is something you type into a web page, and a reverse proxy like Modlishka relays it as happily as your password. A hardware security key (FIDO2/U2F) is different: it checks which site it is actually talking to and will not answer for an impostor domain. Techopedia groups the means of identification into three categories:

  1. Something the user has, such as an employee ID card or a hardware security key;
  2. Something the user knows, such as a PIN or password;
  3. Something the user is, verified by a fingerprint, an iris or retina scan, or voice recognition.
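The relay described above, and the difference the choice of second factor makes, as an added example that is not from the article and is not Modlishka's code: a model of the proxy passing a victim's password and one-time code straight through to the real site and keeping the session cookie that comes back, beside a WebAuthn-style factor that signs the origin of the page actually loaded, which the same proxy cannot forward. The site, the look-alike domain, the user and the HMAC standing in for a security key's signature are all constructed placeholders for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Assumed placeholder origins: the legitimate site and the attacker's look-alike.
REAL_ORIGIN = "https://bank.example"
PROXY_ORIGIN = "https://bank-example.com"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits): the code shown on the victim's phone."""
    digest = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """What a security key signs: the site's challenge plus the origin the page was really
    loaded from. HMAC stands in for the key's signature (a simplification, not WebAuthn's format)."""
    return hmac.new(key, origin.encode() + b"\0" + challenge, hashlib.sha256).digest()


def browser_assert(page_origin: str, key: bytes, challenge: bytes):
    """The victim's browser signs with the origin it actually loaded, however the page looks.
    (Real browsers refuse earlier still: a credential for bank.example is not offered elsewhere.)"""
    return page_origin, sign_assertion(key, challenge, page_origin)


class BankSite:
    """The legitimate site. Sessions are bearer cookies: whoever holds one is 'alice'."""

    def __init__(self):
        self.password = "correct horse battery staple"
        self.otp_secret = secrets.token_bytes(20)   # shared with alice's phone at enrolment
        self.authenticator_key = None               # alice's security key, once enrolled
        self.sessions = {}

    def _new_session(self) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = "alice"
        return cookie

    def login_otp(self, password: str, otp: str, now: int):
        ok = password == self.password and hmac.compare_digest(otp, totp(self.otp_secret, now))
        return self._new_session() if ok else None

    def login_webauthn(self, challenge: bytes, client_origin: str, signature: bytes):
        """Relying-party checks: the origin must be ours and the signature must cover it."""
        if client_origin != REAL_ORIGIN:
            return None
        expected = sign_assertion(self.authenticator_key, challenge, client_origin)
        return self._new_session() if hmac.compare_digest(expected, signature) else None


class PhishingProxy:
    """The attacker's relay: serves the real pages under PROXY_ORIGIN, forwards whatever
    the victim submits to the real site, and keeps what comes back."""

    def __init__(self, real: BankSite):
        self.real, self.stolen_cookies = real, []

    def relay_otp_login(self, password: str, otp: str, now: int):
        cookie = self.real.login_otp(password, otp, now)   # the victim's own, valid code
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie                                      # victim lands on the real site, logged in

    def relay_webauthn_login(self, page_origin: str, key: bytes, forge_origin: bool = False):
        challenge = secrets.token_bytes(32)                # as issued by the real site
        origin, signature = browser_assert(page_origin, key, challenge)
        if forge_origin:                                   # claim the page came from the real site
            origin = REAL_ORIGIN
        return self.real.login_webauthn(challenge, origin, signature)


def otp_relay_outcome() -> dict:
    site = BankSite()
    proxy = PhishingProxy(site)
    now = int(time.time())
    victims_code = totp(site.otp_secret, now)              # read off alice's phone
    cookie = proxy.relay_otp_login(site.password, victims_code, now)
    return {"victim_logged_in": cookie is not None,
            "attacker_has_session": any(c in site.sessions for c in proxy.stolen_cookies)}


def webauthn_outcomes() -> dict:
    site, key = BankSite(), secrets.token_bytes(32)
    site.authenticator_key = key
    proxy, challenge = PhishingProxy(site), secrets.token_bytes(32)
    return {"relay_honest_origin": proxy.relay_webauthn_login(PROXY_ORIGIN, key) is not None,
            "relay_forged_origin": proxy.relay_webauthn_login(PROXY_ORIGIN, key, True) is not None,
            "direct_login": site.login_webauthn(challenge, *browser_assert(REAL_ORIGIN, key, challenge)) is not None}
```

The first scenario ends with the victim logged in and the attacker holding an equally valid cookie: the real site saw a correct password and a correct code, and it has no way to tell they arrived through a relay. In the second, forwarding the security key's answer honestly fails because the signed origin is the attacker's domain, and lying about the origin fails because the signature no longer matches; only the browser that really loaded bank.example gets a session.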

For those of us without high-security jobs, start with the basics: strong passwords that are unique to each account (a password manager makes that painless) and that you change whenever you have reason to think one has leaked. And always keep a sharp eye out for attempted phishing attacks. Though attackers now find their way into accounts in sneakier ways, there are still ways to identify them. As with Modlishka, it starts with a phishing email or text that appears to be from someone you know, such as your financial institution:

  • If you are not expecting links or attachments in an email or text, don’t click them.
  • If you notice typos, misspellings, or incorrect grammar, be very suspicious.
  • If the email tries to “scare” you into taking quick action, immediately stop and think first. Then contact the sender independently before clicking anything. A financial institution or retailer will appreciate being alerted to fraud carried out in its name, and if the message is legitimate, they will tell you that too.
  • Check the address bar before entering personal information, and be 100% certain the domain is exactly the one you expect. A proxied phishing page looks identical to the real site, so the address is the one thing that gives it away.
  • Before clicking anything you're not certain about, verify independently by calling the sender, using a number from a website you know is the right one or one you already have saved, never a number from the email itself.
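The address-bar check from the list above, worked through in code as an added example that is not from the article: the function resolves the host the way a browser would, so the tricks a look-alike link relies on (a trusted name placed in front of an `@`, the real name used as a subdomain of the attacker's domain, or non-ASCII characters that print like Latin ones) are all reported. The trusted domain `bank.example` and the look-alike addresses are constructed placeholders.

```python
from urllib.parse import urlsplit


def check_url(url: str, expected_site: str) -> dict:
    """Is `url` really a page on `expected_site`? `expected_site` is the registrable
    domain you trust (assumed placeholder here: 'bank.example'). Returns the host as a
    browser would resolve it, the reasons to distrust the link, and an overall verdict."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""          # lowercased; anything before '@' and any port removed
    try:
        ascii_host = host.encode("idna").decode("ascii")   # punycode form of non-ASCII names
    except UnicodeError:
        ascii_host = host
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://bank.example@evil.example/ : everything before '@' is a username,
        # and the real host is what follows it
        reasons.append(f"text before '@' ({parts.username!r}) is not the host")
    if ascii_host != host:
        reasons.append(f"host uses non-ASCII look-alike characters (really {ascii_host!r})")
    if not (ascii_host == expected_site or ascii_host.endswith("." + expected_site)):
        reasons.append(f"host {ascii_host!r} is not {expected_site!r} or a subdomain of it")
    return {"host": ascii_host, "trusted": not reasons, "reasons": reasons}


# Constructed sample links: one genuine, the rest the shapes a phishing link takes.
SAMPLE_LINKS = [
    "https://www.bank.example/login",
    "https://bank.example@bank-example.com/login",       # trusted name as a username
    "https://bank.example.login-verify.example/",        # trusted name as a subdomain
    "https://b\u0430nk.example/",                        # Cyrillic 'а' in place of Latin 'a'
    "http://bank.example/",                              # right site, no TLS
]


def report(links=SAMPLE_LINKS, expected_site="bank.example") -> list:
    """One verdict per link, in order."""
    return [check_url(link, expected_site) for link in links]
```

Only the first sample passes. The `@` case is the one people miss most often: the part of the address that looks like the bank is a username the attacker's server ignores, and the browser connects to whatever follows the `@`.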

If any website offers 2FA or MFA, don't hesitate to use it. It may not be the absolute guarantee you hope for, but any additional verification step is always worth having, and where a site supports a hardware security key, that is the option this kind of attack cannot relay.

Stickley on Security
Published March 11, 2019