
How can Hackers Bypass Google’s 2FA Security?

Two-factor authentication, or simply 2FA, is often hailed as the best security against scammers who want to get your login credentials. But is it all it’s cracked up to be, or is there a way for a hacker to bypass Google’s two-factor authentication?

If you thought your usernames and passwords were 100% safe because you are using 2FA, I’ll have to disappoint you there.

Unfortunately, there is a way to bypass 2FA and hack a protected Google account. It’s been done already.

In this article, we are going to talk about:

  • What is 2FA?
  • Its strengths
  • Its weaknesses
  • How can it be bypassed?
  • Why is having an anonymous email a good idea?

What is 2FA?

As so many aspects of our lives are today tied to the digital, the risk of getting hacked and having our data stolen is ever-present. Hackers have become incredibly sophisticated in their field of work and can easily get around outdated security systems that rely on just usernames and passwords to protect user accounts.

Hundreds of data breaches occur yearly, most of which we don’t even hear about. Those that do make it to the news are usually global corporations losing hundreds of millions of user records and often suffering irreparable financial damages.

Just last year (2019), 885 million records (login credentials, social security numbers, bank transactions, etc.) of the First American Financial Corp. were exposed online.

And that’s just one example of a data breach that shows the ever-increasing need for tighter online security. 

Passwords alone are just not enough.

Knowing this, IT security experts added an extra layer of security called “two-factor authentication,” or 2FA, to ensure that people who try to access online accounts really are who they say they are.

What 2FA does, in essence, is add an extra security factor before allowing you to access your online account (for instance, Gmail). This is usually:

  • Something you know, like a PIN, a secret question, a screen pattern, etc.
  • Something you have, like another device (smartphone or tablet) or a hardware token.
  • Something you are, like your voice, an iris scan, or a fingerprint.

Without this factor, it’s impossible to verify the identity of the person trying to unlock the account, and it will stay locked even if they have the correct password.

Well, unfortunately, it’s not entirely impossible to bypass 2FA.

How Hackers Were Able to Bypass 2FA Security in Gmail, Yahoo, ProtonMail in 2018


It was already done. 

In 2018, hackers were able to bypass 2FA security in Gmail and Yahoo, and those same hackers were likely responsible for creating phishing sites for secure email services like ProtonMail and Tutanota as well.

How did they do it?

According to an Amnesty International report, the victims first received a fake Gmail security alert claiming that their accounts had been compromised and that they had to change their passwords.

Next, they were sent to a fake Google or Yahoo site where they had to enter their login credentials. From this page, the targets were redirected to another page telling them they’d been sent a fake Google verification code via SMS.

Upon entering the code, the victims would then be presented with a password reset form which, if they completed it, would give the hackers full access to their account.

And, since the Google spoof email looked like a legitimate email from Google, few who got it looked at it twice.

4 Methods of Bypassing 2FA

2FA provides a strong extra layer of security, but it is not bulletproof: it has flaws in both implementation and design, as this Medium post by Shakmeer Amir shows.

There are 4 methods to bypass a 2FA mechanism, according to that article:

  1. Using conventional session management via the password reset function.

This is what the hackers did in the example above. They sent a fake Gmail security alert, phished an SMS token, and finally had their victims reset their passwords. 

  2. Using an OAuth mechanism.

Another 2FA bypassing method uses a 3rd party login mechanism called OAuth. If you’re not familiar with OAuth, this is when you use Google or Facebook to log in to another account. 

Although this is a convenient way to log in to a website, and Google or Facebook should be safe, it’s also a way for a hacker to bypass 2FA: through the OAuth integration, they can log in without the username and password at all.

  3. Using race conditions.

A “race condition” is the repeated usage of a previously known value, such as the app’s ability to use used or unused tokens later. For this, the hacker would first need access to those previous values, which they can get by intercepting a previous code.

  4. Via brute force.

Finally, if there is no rate limiting on the input fields, an attacker can attempt to brute-force the 2FA code, especially if it’s numeric. As the normal length of a code is 4-6 digits, that’s “only” 151,800 possibilities. You don’t need a supercomputer to crack that.
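The two implementation flaws just described (reusing an already consumed code, and guessing a short numeric code with no rate limit) come down to missing checks on the server side. The following is an added example, not code from the article or from any provider it names, of a server-side OTP verifier that closes both holes: each code is single-use and expires, and guesses per account are capped. The policy numbers (five attempts per five-minute window, a two-minute code lifetime) and the sample codes are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5       # assumed policy: guesses allowed per account per window
WINDOW_SECONDS = 300   # assumed policy: length of the attempt window


@dataclass
class OtpState:
    code: str                      # code issued to the user (constructed sample)
    issued_at: float               # unix time the code was issued
    used: bool = False             # set once a code has been accepted
    attempts: list = field(default_factory=list)   # timestamps of recent guesses


class OtpVerifier:
    """Server-side OTP check: a code works once, expires, and cannot be brute-forced."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self.state: dict = {}

    def issue(self, user: str, code: str, now: float) -> None:
        # A fresh code replaces any earlier one for this user.
        self.state[user] = OtpState(code=code, issued_at=now)

    def verify(self, user: str, guess: str, now: float) -> str:
        st = self.state.get(user)
        if st is None:
            return "no_code"
        # Keep only guesses inside the window, then enforce the budget
        # before anything about the code is revealed (method 4 above).
        st.attempts = [t for t in st.attempts if now - t < WINDOW_SECONDS]
        if len(st.attempts) >= MAX_ATTEMPTS:
            return "locked"
        st.attempts.append(now)
        # A consumed code is never accepted again, which blocks the token
        # reuse the article files under "race conditions" (method 3 above).
        if st.used:
            return "already_used"
        if now - st.issued_at > self.ttl:
            return "expired"
        # Constant-time comparison so response timing does not leak digits.
        if not hmac.compare_digest(st.code, guess):
            return "wrong"
        st.used = True
        return "ok"
```

In a real deployment the lockout counter would live in shared storage and also be keyed per source address, so that a single account cannot be guessed at from many clients in parallel.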

Protect Yourself Using a Secure Anonymous Email Service

As you can see, bypassing Google’s two-factor authentication is possible with a simple phishing attack. This is why you need a secure email provider with a phishing protection mechanism and zero-knowledge password protection. 

With Sympa, you can set a phrase to show in your account. You’ll be alerted to a phishing attempt whenever this phrase is used.

Also, Sympa employs Zero-Knowledge Password Protection, meaning that even we don’t know what protects your private key and are thus not able to access your encrypted data.

What do you think about 2FA? Do you think it’s enough to protect your online accounts? Or do you need to add an extra layer of security like a secure email provider such as Sympa?
