SSO/MFA, Identity

Text-based 2FA is overprescribed

The pharma sector may have greater resources than healthcare, but companies struggle with vastly complex networks and board resistance (Photo credit: “medication #medicine #medical, #pharmacy” by Eyad Elbayoumi is licensed under CC BY 2.0.)

In 1928, Alexander Fleming serendipitously discovered penicillin, laying the foundation for the antibiotic era. Antibiotics revolutionized medicine, dramatically reducing mortality rates, improving surgical outcomes, and controlling infectious disease outbreaks. Life expectancy soared as antibiotics became widely available, but the overuse and misuse of these drugs have led to the emergence of antibiotic-resistant bacteria, presenting a significant challenge to modern healthcare.

Similarly, text-based two-factor authentication (2FA) emerged to combat attacks on passwords, such as brute-force attacks, phishing and password stuffing. Text-based 2FA, also known as a One-Time Password (OTP), typically involves sending a one-time code via SMS to a user's mobile device, which they must then enter along with their password to access their account. Since SMS-based 2FA was introduced in the early 2000s, it has become widely used to authenticate users, and when employed, it is often considered secure. While text-based 2FA is simple and widely accessible, its power and effectiveness show signs of wearing off. Like antibiotics, the wide use of text-based 2FA created a deep dependency on this method, providing a false sense of security.
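To make concrete what an SMS one-time-code check actually verifies, here is an added illustration in Python; it is not code from the article or from any product it mentions. The `OtpStore` class, its five-minute lifetime and five-attempt limit are assumptions, and the SMS gateway is left out (the code is simply returned by `issue`). The point for a defender is visible in `verify`: the server only compares the submitted digits against the pending code, so it has no way to tell whether the digits were typed by the account owner or by someone who intercepted or phished them.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this illustration, not values from the article.
OTP_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


class OtpStore:
    """Minimal server-side store for SMS one-time codes (illustrative)."""

    def __init__(self):
        # user_id -> [sha256(code), expiry timestamp, wrong-attempt count]
        self._pending = {}

    def issue(self, user_id, now=None):
        """Generate a fresh 6-digit code for the user and remember its hash.

        In a real deployment the returned code goes to the SMS gateway only;
        it is never logged. Only the hash is kept server-side.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user_id] = [digest, now + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user_id, submitted, now=None):
        """Check a submitted code. Returns (accepted, reason).

        Note what is NOT checked: which device, session or person submitted
        the digits. Possession of the correct digits is sufficient, which is
        exactly why a SIM swap or a phished code defeats the control.
        """
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no pending code"
        digest, expires_at, attempts = entry
        if now > expires_at:
            del self._pending[user_id]
            return False, "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False, "too many attempts"
        entry[2] += 1
        submitted_digest = hashlib.sha256(submitted.encode()).hexdigest()
        # Constant-time comparison so the check does not leak via timing.
        if hmac.compare_digest(digest, submitted_digest):
            del self._pending[user_id]   # single use: a replayed code fails
            return True, "ok"
        return False, "wrong code"


def demo():
    """Show that the verifier accepts the code from whoever presents it."""
    store = OtpStore()
    code = store.issue("alice", now=1000)
    # The legitimate user never enters the code; a party that captured the
    # SMS (or phished the digits) submits it instead. The server cannot
    # distinguish the two, so the login succeeds.
    accepted, reason = store.verify("alice", code, now=1005)
    replay = store.verify("alice", code, now=1006)
    return accepted, reason, replay


if __name__ == "__main__":
    print(demo())
```

The expiry, attempt limit and single-use handling are the ordinary hygiene any SMS OTP verifier should have, and they do stop online guessing and code replay. They do not address the article's concern: every check in `verify` is about the code itself, not about the channel it travelled through, so an intercepted or phished code is indistinguishable from one typed by the account owner.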

The first signs of text-based 2FA “resistance” appeared when hackers managed to bypass the authentication using a method nicknamed “SIM swap.” A SIM swap attack is a form of identity theft where a cybercriminal convinces a mobile carrier to transfer a victim's phone number to a SIM card under the attacker's control. This is typically done by tricking customer service representatives into believing that the attacker is the legitimate owner of the phone number. Once the attacker gains control of the victim's phone number, they can intercept incoming SMS messages, including those containing one-time codes used for 2FA.

While SIM swapping is highly effective in hijacking victims’ accounts, the attack is quite complicated and demands substantial resources from the attacker. To perform it, an attacker first needs to obtain the victim’s personal information. Armed with this information, the attacker must use social engineering skills to convince the victim’s mobile service operator to route calls and texts to the attacker’s phone instead of the victim’s. In addition, the attacker needs to know the victim’s password.

For the attacker, a SIM swap attack is not scalable, as the “return on investment” is limited. In other words, it is sometimes too much work for the amount of money the attacker can gain. Lately a new kind of “antibiotic-resistant bacteria” has emerged: the display overlay attack. A display overlay attack takes place when a phishing window is displayed over a targeted app and the victim does not recognize it. The victim believes they are interacting with their legitimate app, but they are not.

Unlike SIM swap, this attack does not require the attacker to have any information about the victim. They also don’t need to interact with a mobile operator’s customer service, and there is no need for prior knowledge of the victim’s password. This makes it a highly scalable type of attack, one that spares the attacker from contacting customer service and risking exposure. Moreover, unlike SIM swap, this attack is silent: neither the victim nor the service provider has any indication that an attack is occurring until it is too late. Even after a successful attack, the chances of the user and service provider figuring out that a display overlay attack took place are slim.

In January 2022, Crypto.com, one of the biggest and best known cryptocurrency exchanges in the world, announced that 483 of its users were hit in a hack, leading to unauthorized withdrawals of cryptocurrency worth $35 million. A Crypto.com statement indicated that “transactions were being approved without the 2FA authentication control being inputted by the user.” Since Crypto.com didn’t share more information on the nature of the attack, we can only speculate that its users might have been victims of a display-in-the-middle attack.

Just as the medical community is grateful for antibiotics but deeply concerned about new antibiotic-resistant bacteria, the cybersecurity community appreciates the additional security text-based 2FA brings but knows that it loses its effectiveness as attackers find new ways to overcome it. The wide use of and deep reliance on text-based 2FA is a concern that must be addressed without delay, because we know that replacing a widely adopted solution takes years, and the writing is already on the wall.
