
How fraudsters get around authentication checks

Written by Lisa | Jun 11, 2021 9:50:53 AM

Two-factor authentication is one of the most effective ways to add an extra layer of security to your company’s personal data. Unfortunately, there are some tactics hackers can use to bypass authentication and access that data. 

In this blog post, we’ll explain how hackers are able to do this, and why it’s important to be extra vigilant when it comes to online security. 


What is two-factor authentication?

Two-factor authentication is a subset of multi-factor authentication and is used on top of a user’s password when they log into an account. The first factor is the password itself; the second is either a one-time code delivered by text message, authenticator app or voice call, or a biometric such as a fingerprint or facial recognition. The user therefore provides an additional proof that they own the account before being allowed into it.

It is highly recommended for businesses to use two-factor authentication for all essential accounts in order to keep their data secure. 

How do hackers manage to get around two-factor authentication?

To bypass the authentication check, a hacker needs to get hold of the second form of identification as well as the password. That is hard to do, which is why two-factor authentication is so strongly recommended. Even so, fraudsters have found ways around the checks to reach users’ accounts, including the following:


Conventional session management

This method abuses the password reset function. It only works where the application does not ask for the second factor when the user logs in with a newly reset password.

To do this, the hacker triggers a password reset for the user’s account, sets a new password and then logs into the system or application with the new credentials.

This bypasses the authentication check, but only on platforms whose session handling allows it. To keep it from happening to your business, make sure the second factor is required at every login, including the first login after a password reset.
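To make the flaw concrete, here is a small added model (not code from Email Hippo, and not any real product) of login, second-factor and password-reset state for one account. The account name, password and code are constructed values. The vulnerable reset hands out a fully authenticated session, so the second factor is never asked for; the hardened reset only changes the password and leaves the user to log in and pass the second factor like anyone else.

```python
import hmac
import secrets
from typing import Optional, Tuple


class AuthService:
    """Minimal model of one account's login, second-factor and reset state.

    Session states: 'password_ok' (first factor passed, second still required)
    and 'authenticated' (both factors passed).
    """

    def __init__(self, username: str, password: str, otp_code: str):
        self.username = username
        self._password = password
        self._otp_code = otp_code       # stands in for the code sent to the user's phone or app
        self.sessions = {}              # session id -> state
        self.reset_tokens = set()

    # --- first factor -------------------------------------------------------
    def login(self, username: str, password: str) -> Optional[str]:
        if username != self.username or not hmac.compare_digest(password, self._password):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = "password_ok"   # second factor still outstanding
        return sid

    # --- second factor ------------------------------------------------------
    def verify_second_factor(self, sid: str, code: str) -> bool:
        if self.sessions.get(sid) != "password_ok":
            return False
        if not hmac.compare_digest(code, self._otp_code):
            return False
        self.sessions[sid] = "authenticated"
        return True

    def is_authenticated(self, sid: Optional[str]) -> bool:
        return sid is not None and self.sessions.get(sid) == "authenticated"

    # --- password reset -----------------------------------------------------
    def request_reset(self) -> str:
        token = secrets.token_hex(8)     # would be emailed to the account owner
        self.reset_tokens.add(token)
        return token

    def reset_password_vulnerable(self, token: str, new_password: str) -> Optional[str]:
        """The flaw described in the text: the reset flow logs the caller straight in."""
        if token not in self.reset_tokens:
            return None
        self.reset_tokens.discard(token)
        self._password = new_password
        sid = secrets.token_hex(8)
        self.sessions[sid] = "authenticated"   # BUG: second factor skipped
        return sid

    def reset_password_hardened(self, token: str, new_password: str) -> bool:
        """Fixed flow: the reset changes the password and nothing else."""
        if token not in self.reset_tokens:
            return False
        self.reset_tokens.discard(token)
        self._password = new_password
        return True                            # no session created here


def demo_vulnerable() -> bool:
    """True if the reset flow alone yields an authenticated session."""
    svc = AuthService("alice", "old-pw", "123456")   # constructed account
    sid = svc.reset_password_vulnerable(svc.request_reset(), "new-pw")
    return svc.is_authenticated(sid)


def demo_hardened() -> Tuple[bool, bool]:
    """(authenticated after login with new password?, authenticated after second factor?)"""
    svc = AuthService("alice", "old-pw", "123456")   # constructed account
    svc.reset_password_hardened(svc.request_reset(), "new-pw")
    sid = svc.login("alice", "new-pw")
    before = svc.is_authenticated(sid)          # False: still needs the second factor
    svc.verify_second_factor(sid, "123456")
    after = svc.is_authenticated(sid)           # True
    return before, after


if __name__ == "__main__":
    print("vulnerable reset logs in without 2FA:", demo_vulnerable())
    print("hardened reset (after login, after 2FA):", demo_hardened())
```

The invariant worth checking in a real code base is the one the hardened path preserves: the only transition into the authenticated state is through the second-factor check, and no reset, invitation or magic-link handler creates a session directly.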


Social engineering

This type of attack needs the hacker to already hold the user’s login details (username and password). If the verification code is sent to the user’s mobile number, the fraudster could email them with a false excuse to get the code from them and access the account.

Attackers can, however, still bypass the check without knowing the correct username and password. They do this by sending the user an email containing a phishing link to a fake site that mimics a real one, such as PayPal.

If the user clicks the link and enters their details on the phishing page, the hacker captures the credentials and uses them to log into the real account. The user then receives a verification code; once they enter it into the fake site, it is available to the hacker as well, who can complete the login and carry out a data breach.
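The reason this works is that a text-message or app code is just a short string: the real site cannot tell whether the user typed it into the genuine page or into a fake one. The added model below (not Email Hippo’s code; the two origins are constructed names, and a per-device HMAC key stands in for the public-key signature a WebAuthn-style authenticator would produce) contrasts a code-based second factor, which accepts a relayed code, with an origin-bound challenge-response factor, where the device signs the origin it actually sees and the relayed proof is rejected.

```python
import hashlib
import hmac
import secrets
import time

# Constructed origins for the example; neither is a real site.
REAL_ORIGIN = "https://login.example-bank.test"
PHISH_ORIGIN = "https://login.example-bank-secure.test"


class CodeSecondFactor:
    """Code-based second factor (text message or authenticator app)."""

    def __init__(self, ttl: int = 300):
        self.ttl = ttl
        self.pending = {}   # login attempt id -> (code, expiry)

    def issue(self, login_id: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[login_id] = (code, time.time() + self.ttl)
        return code         # delivered to the account owner's phone

    def verify(self, login_id: str, submitted: str) -> bool:
        # The server only sees the string; it has no idea which page the owner typed it into.
        code, expiry = self.pending.pop(login_id, (None, 0.0))
        return code is not None and time.time() < expiry and hmac.compare_digest(code, submitted)


class OriginBoundSecondFactor:
    """Challenge-response factor: the device signs the challenge together with the
    origin it is talking to. HMAC with a per-device key is a simplification of the
    public-key signature a WebAuthn authenticator produces (assumption of this example)."""

    def __init__(self):
        self.device_keys = {}   # username -> device key
        self.pending = {}       # login attempt id -> (username, challenge)

    def register_device(self, username: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[username] = key
        return key

    def issue(self, login_id: str, username: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[login_id] = (username, challenge)
        return challenge

    @staticmethod
    def device_sign(device_key: bytes, challenge: str, origin: str) -> str:
        # The browser supplies the origin; the device signs whatever origin it is really on.
        return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()

    def verify(self, login_id: str, signature: str) -> bool:
        if login_id not in self.pending:
            return False
        username, challenge = self.pending.pop(login_id)
        expected = self.device_sign(self.device_keys[username], challenge, REAL_ORIGIN)
        return hmac.compare_digest(expected, signature)


def relayed_code_is_accepted() -> bool:
    """Sequence from the text: login with phished credentials, real site sends the
    owner a code, owner types it into the fake page, fraudster submits it."""
    factor = CodeSecondFactor()
    code_sent_to_owner = factor.issue("fraud-attempt")
    code_typed_into_fake_page = code_sent_to_owner
    return factor.verify("fraud-attempt", code_typed_into_fake_page)   # True


def relayed_origin_bound_proof_is_accepted() -> bool:
    """Same relay against the origin-bound factor."""
    factor = OriginBoundSecondFactor()
    key = factor.register_device("owner")
    challenge = factor.issue("fraud-attempt", "owner")          # forwarded to the fake page
    proof = factor.device_sign(key, challenge, PHISH_ORIGIN)    # device sees the fake origin
    return factor.verify("fraud-attempt", proof)                # False


def genuine_origin_bound_login() -> bool:
    factor = OriginBoundSecondFactor()
    key = factor.register_device("owner")
    challenge = factor.issue("owner-attempt", "owner")
    return factor.verify("owner-attempt", factor.device_sign(key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    print("relayed code accepted:", relayed_code_is_accepted())
    print("relayed origin-bound proof accepted:", relayed_origin_bound_proof_is_accepted())
    print("genuine origin-bound login:", genuine_origin_bound_login())
```

The practical lesson for defenders is that codes (SMS, voice or app) only prove the user could see the code, not where they entered it, so alerts on logins from new devices and a move to origin-bound factors for high-value accounts are what actually close this gap.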


Authorisation tokens

Some integrations let users log into an account through another, third-party account, for example signing into an application with a Google account rather than a separate email address and password for that application.

To hack an account through such authorisation tokens, the hacker would need access to the third-party account’s credentials, because that account is what the application trusts.


How to be vigilant when using two-factor authentication for your business 

Although the methods outlined in this blog are worrying, two-factor authentication is still one of the most secure ways to protect your business accounts online. To keep your data safe while using it, use authenticator apps rather than text-message codes, and use a password generator to create strong passwords. It is also important that employees never reuse a password, whether over time or across different accounts.
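The advice to prefer authenticator apps rests on how they produce codes: the code is derived from a secret shared at enrolment and the current time, so nothing travels over the phone network where it could be intercepted or redirected. The added example below (not Email Hippo’s code) implements the standard HOTP and TOTP algorithms (RFC 4226 and RFC 6238) with the Python standard library, plus the server-side check a practitioner wants: a small clock-drift window and single-use enforcement so a code that has been accepted once cannot be replayed. The key used in the comments is the RFC test-vector key, not a production secret.

```python
import hashlib
import hmac


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock in 30-second steps."""
    return hotp(key, unix_time // step, digits)


class TotpVerifier:
    """Server-side verification with a one-step drift window and single-use codes."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6):
        self.key = key
        self.step = step
        self.digits = digits
        self.last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for step in (current - 1, current, current + 1):
            if step <= self.last_accepted_step:
                continue               # already used, or older than a code already used
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"     # RFC 4226 / RFC 6238 test-vector key, not a real secret
    print(hotp(key, 0))               # 755224 (RFC 4226 Appendix D)
    print(totp(key, 59, digits=8))    # 94287082 (RFC 6238 Appendix B, SHA-1)
    v = TotpVerifier(key)
    code = totp(key, 59)
    print(v.verify(code, 59), v.verify(code, 59))   # True False: second use is rejected
```

Two details matter in production: the shared secret must be generated from a cryptographic random source and stored like a password-equivalent credential, and the single-use bookkeeping must be persisted per user, otherwise a restart or a second server instance reopens the replay window.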


Prevent fake sign ups: download our ebook

Download our guide to find out why fake sign ups are problematic and why email address intelligence should be your first line of defence against them.