When 2-Factor Stops Being 2-Factor – Part 2

This is a continuation of my previous post on the failure of two-factor authentication. Let’s look at some case studies:

In late 2012, a mobile variant of the ZeuS Trojan (“ZeuS-in-the-mobile”) named “Eurograbber” stole over $46 million from European customers by bypassing SMS-based 2-factor authentication [1].

The way that it works is simple:

  • The attackers successfully execute a phishing or clickjacking attack on the victim and lure them into logging into their banking site.
  • The attackers inject JavaScript that prompts the user to enter their mobile phone number.
  • The victim is sent an SMS message telling them to download a mobile app “for security”; in reality the app is malicious.
  • The malicious app intercepts incoming SMS messages, including the 2-factor security code the bank sends when the account is accessed.
  • The attackers use the intercepted code to gain access to the user’s bank account and withdraw all the funds.

This is another instance of 2-factor authentication failing, and it’s proof that we cannot rely on a mobile operating system that is susceptible to malware and Trojans to act as our second or third factor for authentication. In theory, 2-factor solutions such as Google Authenticator or Authy could also be defeated the same way, by screen-grabbing the TOTP codes they display.
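As an added illustration of the TOTP point above (this is example code written for this edit, not code from the original post or from any authenticator vendor), the following implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library and a minimal server-side verifier. It shows what the “one-time” property actually buys a defender: a code that was screen-grabbed or intercepted is rejected on replay and expires after a short window, but an attacker who uses the code *before* the legitimate user still gets in, which is exactly why a code displayed on a compromised device is not a trustworthy second factor. The 20-byte secret is the RFC 6238 test-vector secret; the timestamp in the demo is a constructed value.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test-vector secret (ASCII "12345678901234567890").
# In a real deployment the secret is generated per user and shared only
# between the server and the user's authenticator.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP step
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the Unix epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side: accepts each time step at most once, within a bounded clock-skew window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // TIME_STEP
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            # Never accept a time step at or below one already used (RFC 6238 section 5.2):
            # this is what makes a captured code useless once the owner has logged in.
            if counter <= self.last_accepted_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo_intercepted_code() -> dict:
    """Constructed scenario: the code shown on the phone is captured by malware."""
    t0 = 1_700_000_000            # constructed fixed timestamp (not wall-clock time)
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, t0)  # code the authenticator displays / the SMS carries
    return {
        "user_first": verifier.verify(code, t0),         # legitimate user logs in first
        "replay_5s_later": verifier.verify(code, t0 + 5),  # captured code replayed: rejected
        "replay_2min_later": verifier.verify(code, t0 + 120),  # outside the window: rejected
    }


def demo_attacker_first() -> dict:
    """Same capture, but the attacker relays the code before the user submits it."""
    t0 = 1_700_000_000
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, t0)
    attacker = verifier.verify(code, t0 + 1)  # live relay wins the race
    user = verifier.verify(code, t0 + 3)      # the real user is now rejected
    return {"attacker": attacker, "user": user}


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(DEMO_SECRET, 59, digits=8))  # 94287082
    print(demo_intercepted_code())
    print(demo_attacker_first())
```

The verifier tracks the last accepted time step rather than the last accepted code string, so it also refuses a second code from the same 30-second step; the one-step skew window keeps the exposure of any captured code to roughly a minute. Neither measure helps in `demo_attacker_first`, where the second factor was relayed in real time from the compromised phone, which is the Eurograbber pattern.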

The second case study was brought to light only about a week ago. It is a variation of ZeusVM called Chthonic (try pronouncing that). In true ZeuS fashion, the Trojan uses tried-and-true web injection methods to trick victims into providing sensitive banking information and then cleans out their accounts. Over 150 banks have been targeted, and I’m sure there are many more to come [2].

The vast majority of attacks target the everyman. Who is the everyman, you may ask? In The Simpsons, the Everyman is a “dumpy, unappealing loser” [3], and in literature the everyman is an “ordinary individual, with whom the audience or reader is supposed to be able to identify easily”. In books and films, the everyman is often put into extraordinary circumstances and often triumphs. However, when he is the target of a cyber attack in the real world, he simply does not have the knowledge or the experience to protect himself from sophisticated attacks.


So why does this happen? First, passwords were shown to be insecure because people make them insecure and can’t remember them. Second, 2-factor authentication has been proven insecure because of how it is implemented (mobile devices, phones, RSA tokens). Traditional 2-factor solutions either fall victim to malware or can get lost or stolen.

It seems that our only hope of truly securing the Everyman is 3-Factor authentication. And I don’t mean ridiculous solutions like voice or face recognition that easily fall prey to the same attacks as 2-factor authentication. I’m talking about real biometrics such as fingerprints, hair follicle tests, and retinal scanners. You know, cool stuff from James Bond movies (By the way, Idris Elba should totally be the next Bond)!

The problem, however, is that secure biometrics are really, really hard to pull off. They are often expensive from both a financial and a computational standpoint. They are also very hard to deploy on a massive scale, and I think that’s the main reason they haven’t taken off. Now that we are in 2015 and we are all supposed to have hoverboards, I think we are finally at the point where we can realistically pull off a widely distributable 3-factor authentication scheme.

It's 2015, get with the program folks!

Hell, as Oscar Goldman put it, “we have the technology”! In recent years, biometric fingerprint scanners have become affordable, chips that can process biometrics are small enough, and Bluetooth Low Energy can act as the transmission protocol to put it all together.


[1] Eurograbber, A Smart Trojan Attack

[2] Trojan programmed based on ZeuS targets 150 banks, can hijack webcams

[3] Everyman – Simpsons
