When two-factor isn’t enough.

There has been a massive push to encourage users to enable two-factor authentication on their accounts. From in-game rewards to membership discounts, two-factor has been strongly encouraged by a number of companies to give users greater security, but could this lull users into a false sense of security?

As two-factor usage has grown, more of its shortcomings have been pointed out, from SMS-based codes being intercepted to the codes being brute-forced. A particularly sophisticated method that has grown in use is phishing through a reverse proxy.

A recent report by Amnesty International outlined an increase in the sophistication of phishing attacks targeting people around the world, particularly those based in states in the Middle East. Amnesty noted that the attacks frequently involved “secure email” providers such as Tutanota and ProtonMail, but also involved widely used email providers such as Yahoo! and Google.

The method these attacks used to clone a provider’s website more convincingly is a reverse proxy. A reverse proxy server sits between the client and the server the client wishes to access, and can read, manipulate and relay the data before feeding it to the client. One of the defining features of a reverse proxy is that the client doesn’t have to know it is talking to a proxy at all, whereas with the more common forward proxy the client is configured to use the proxy and is aware of it.

A phishing reverse proxy pulls the pages from the website it wants to masquerade as (Google, Yahoo!, ProtonMail etc.) and presents them to the user, so the site the user sees can be indistinguishable from the real one. Many of these attacks have also used a domain name so close to the real thing that a user could easily be fooled (Amnesty gives the example of protonemail.ch alongside protonmail.ch). Because the proxy relays the real site almost identically, it can also show the site’s own two-factor authentication page, intercept the code the user types, and use that code to gain access if it does so before the code expires.
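As an added example (not code from the original post or from the Amnesty report), here is a small check a defender could run over proxy or mail-gateway logs to flag hostnames that are near-misses of protected brand domains, the protonemail.ch / protonmail.ch pair above included. The brand list, the sample hostnames and the two-label approximation of the registrable domain are assumptions made for this example; a production check would use the Public Suffix List.

```python
"""Flag login hostnames that are near-misses of the domains they imitate.

Added example, not from the original post. The protected-domain list and the
sample hostnames are constructed for the example.
"""
from __future__ import annotations

# Legitimate domains we want to protect (constructed list for the example).
PROTECTED_DOMAINS = [
    "protonmail.ch", "protonmail.com", "tutanota.com",
    "google.com", "accounts.google.com", "yahoo.com",
]

# Constructed sample of hostnames as they might appear in outbound web logs.
SAMPLE_HOSTS = ["mail.protonmail.ch", "protonemail.ch", "go0gle.com", "example.org"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete and substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def registrable_part(host: str) -> str:
    """Last two labels of a hostname, a rough stand-in for the registrable domain.

    Assumption made for this example; a real deployment would consult the
    Public Suffix List so that e.g. co.uk domains are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, protected=PROTECTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    # An exact match on the host or on any parent domain is the real site.
    for brand in protected:
        if host == brand or host.endswith("." + brand):
            return "legitimate"
    # Otherwise compare the registrable part with each brand's registrable part
    # and report the closest brand within the allowed edit distance.
    candidate = registrable_part(host)
    best = None
    for brand in protected:
        distance = levenshtein(candidate, registrable_part(brand))
        if 0 < distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, brand)
    return f"lookalike:{best[1]}" if best else "unrelated"


def flagged(hosts) -> dict[str, str]:
    """Hostnames from a log sample that are lookalikes of a protected domain."""
    results = {h: classify_host(h) for h in hosts}
    return {h: v for h, v in results.items() if v.startswith("lookalike:")}


if __name__ == "__main__":
    for host, verdict in flagged(SAMPLE_HOSTS).items():
        print(f"{host}: {verdict}")
```

The exact-match branch is deliberately checked first: a subdomain of a protected domain is legitimate and must never be reported as a lookalike of its own parent, while a registered name one edit away is exactly the pattern Amnesty describes.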

Tools Available

Two tools to set up your own phishing reverse proxy server are Modlishka and evilginx2. Both of these tools are intended as a demonstration rather than to set up your own phishing operation; only use them with permission from the parties to be phished. I had intended to do a full write-up of my experiences with Modlishka, but despite installing it on both macOS and Kali I’ve only managed to capture the password and not the username and session ID. If I get it working fully I’ll likely do a write-up later.

Screenshot of Modlishka running on Kali Linux

Is Two-Factor Pointless?

On first reading it can look as though it was wrong to place so much stock in two-factor authentication, but the reality is, as usual, more nuanced than two-factor simply needing to be replaced. For example, some of the conclusions of the blog post accompanying Modlishka are that for the best security a U2F hardware token should be used, and that password managers should be used because they verify the domain the login information is being entered into. A password manager is definitely a good tool to use: when attempting to use Modlishka on my own machine it wouldn’t offer my phishing account for entry on my fake Google login page. Hardware tokens are an invaluable step for highly sensitive systems, but for the average user they are probably an extreme step; access to sensitive systems should require a hardware token, but do you need one to access your H&M account?
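To show why the two mitigations the Modlishka blog post recommends hold up against a reverse proxy, here is an added example (not code from the original post or from the Modlishka or evilginx2 projects) simulating the login flow on both sides. It is modelled on the WebAuthn/U2F client data, simplified: the browser, not the website, records the origin it is actually on, the relying party rejects an assertion signed for any other origin, and for contrast a plain one-time code is relayed through the proxy unchanged. The HMAC key shared between token and relying party stands in for the token’s ECDSA key pair, and the origins, key and code are constructed for the example.

```python
"""Origin-bound second factor vs. a relayed one-time code (added example).

Simplified model of the WebAuthn/U2F flow; a shared HMAC key stands in for the
token's ECDSA key pair so the example runs on the standard library alone.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://protonmail.ch"     # the real relying party
PHISH_ORIGIN = "https://protonemail.ch"   # the reverse proxy's lookalike (the pair from the post)
OTP_CODE = "492817"                       # constructed one-time code for the contrast case


class Token:
    """Stand-in authenticator: signs the client data the browser assembles."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # assumption: shared HMAC key instead of an ECDSA key pair

    def sign(self, challenge: str, origin: str) -> dict:
        # The browser supplies the origin it is really on; the page cannot alter it.
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self._key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """The real site: issues challenges and checks signature, freshness and origin."""

    def __init__(self, origin: str, key: bytes) -> None:
        self.origin = origin
        self._key = key
        self._pending = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple[bool, str]:
        expected = hmac.new(self._key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        data = json.loads(assertion["client_data"])
        if data["challenge"] not in self._pending:
            return False, "unknown or replayed challenge"
        self._pending.discard(data["challenge"])  # each challenge is single-use
        if data["origin"] != self.origin:
            return False, f"origin mismatch: signed for {data['origin']}"
        return True, "ok"


def token_login(rp: RelyingParty, token: Token, browser_origin: str) -> tuple[bool, str]:
    """One login. A proxy can relay the challenge and the assertion unchanged,
    but the assertion carries the origin the victim's browser was actually on."""
    challenge = rp.new_challenge()
    assertion = token.sign(challenge, browser_origin)
    return rp.verify(assertion)


def otp_login(code_typed_by_user: str) -> bool:
    """A code-based second factor carries no origin: relayed as-is, it is accepted."""
    return hmac.compare_digest(code_typed_by_user, OTP_CODE)


def password_manager_offers(saved_host: str, page_origin: str) -> bool:
    """A password manager fills a saved login only on an exact host match."""
    return urlparse(page_origin).hostname == saved_host


def demo() -> dict:
    key = b"constructed-shared-token-key"  # constructed for the example
    rp = RelyingParty(REAL_ORIGIN, key)
    token = Token(key)
    return {
        "token_direct": token_login(rp, token, REAL_ORIGIN),
        "token_via_proxy": token_login(rp, token, PHISH_ORIGIN),
        "otp_via_proxy": otp_login(OTP_CODE),  # the proxy forwards the victim's code verbatim
        "manager_fills_real_site": password_manager_offers("protonmail.ch", REAL_ORIGIN),
        "manager_fills_proxy": password_manager_offers("protonmail.ch", PHISH_ORIGIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the simulation makes is that the proxy never has to break anything to relay a code: the code is the same six digits wherever the victim types them. The U2F-style assertion fails not because the proxy tampered with it but because the victim’s browser truthfully signed the lookalike origin, and the password manager stays silent for the same reason, an exact host comparison.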

The last conclusion the blog post comes to is that user awareness should constantly be raised, and this, I think, is why the answer to the question “is two-factor pointless?” is no. Two-factor is now available on nearly every major website I use, yet the only system in common use on which I’ve seen a high number of users enable two-factor is their Apple ID (I think a massive factor in its high take-up is that Apple has pushed it in the iOS setup process and within OS updates). The top 25 passwords of 2018 are worryingly insecure, and this list will likely remain unchanged at the end of 2019. If most users haven’t yet updated their passwords to something more secure, let alone enabled two-factor, they are already operating with a level of security nowhere near two-factor.

My personal conclusion is that awareness, as ever, should continue to be raised (I haven’t attended school for some years, but would hope most curriculums include staying secure online), but perhaps companies should be more forceful in at least ensuring users have a secure password. My personal opinion is that we’re still so far from broad adoption of two-factor that there may be an excessive knee-jerk reaction that two-factor is insecure. We know there are faults with two-factor and that any faults should be resolved or mitigated, but my personal experience is that there are still a lot of users who haven’t protected themselves against simpler attacks than this. An example of this is a Jimmy Kimmel video where people are tricked into saying their password on camera, and I’ve lost count of the number of people that carry their passwords around with them in a book.