In this blog post, I'll tell you about how 2-factor authentication can be bypassed.
2-factor authentication, or multi-factor authentication, is a security feature that adds an extra layer of security to your account.
Take Facebook as an example: if you turn on 2-factor authentication on your Facebook account, you need not only the username and password to log in to your account but also the code (OTP) that the site (Facebook, in this case) sends to the registered mobile number.
So, there are three parameters: (1) Username, (2) Password and (3) Code (OTP).
This security feature verifies that it's none other than the original account holder who is logging in to the account. Having read this far, you might be thinking that this security feature is nearly unbreakable, but you would be wrong: even 2-factor authentication can be bypassed. Let's see how.
There are two ways to bypass this 2-factor authentication, and in both the hacker/attacker has to use social engineering. First, the hacker/attacker can trick the user into texting him back the code (OTP) texted by the site, and then use that code to log in and gain access to the victim's account. Second, he can perform the SIM Swap method, in which the hacker uses social engineering to trick the phone company by posing as the originally registered mobile number holder. There's no way to hack a SIM card directly, because it contains cryptographic functions called KI, so it's nearly impossible to hack a SIM card, but this SIM Swap/SIM Clone method works perfectly.
The hacker can trick the victim by sending spoofed/bulk SMS messages that ask him to dial a number which the service provider has set up for SIM Swap. This gives the SIM service provider authorised permission to do a SIM Swap. The victim's SIM card is then deactivated while the hacker's SIM card is activated, so the next time the hacker tries to log in to the victim's account, the site sends the code (OTP) and it is received by the hacker instead of the victim.
I did not go into detail; there are many ways by which 2-factor authentication can be bypassed. It can also be bypassed by hacking sessions, stealing cookies, etc.
Thanks for reading this blog post, stay tuned for more interesting articles. Have a nice day!