Hackers have figured out a way to defeat a key protection on online accounts

Jan 18, 2016, 15:38 IST

Two-factor authentication is an important way to help keep your online accounts safe - but it's not perfect.

It requires an extra layer of proof before anyone trying to log in gets access to an account.

After the password is entered correctly, a temporary code known as a one-time password (OTP) is sent to the account owner's smartphone. The code is then entered to complete the login process.

That way, even if the user's password is guessed, stolen, or cracked, the attacker can't get into the account without physical access to the paired phone.

But if the attacker is able to smuggle rogue software onto a user's smartphone, they can defeat two-factor. Researchers at cybersecurity firm Symantec have discovered malware that can steal OTP codes and use this to hijack a user's accounts. (The malware was previously reported on by The Register.)

The malware is for Android smartphones, and is called Android.Bankosy. It specifically targets two-factor authentication codes delivered by automated phone call. Normally, after entering their password, the user will receive an automatic call from the company, which will tell them the OTP code to enter to gain access to their account.

But Android.Bankosy redirects the user's phone calls to the phone of the attacker, letting them steal the OTP code and access the account. Two-factor is often used to protect bank accounts - meaning that bypassing it can be highly lucrative for hackers.

Some two-factor systems use text messages rather than phone calls to deliver codes, and Symantec says it has seen malware capable of stealing these too.

Of course, for this exploit to work, the attacker has to be able to get the malware onto the smartphone in the first place. They might do this by exploiting another security hole, or by smuggling it in an app installed from outside of the Google Play Store.

Similarly, they also need the user's original password. This might be stolen via a "man-in-the-middle" attack when the user is browsing on an insecure network, or via keylogging malware.
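The flow the article describes can be modelled end to end: a verifier that issues a random, single-use, short-lived code over the phone channel, a handset whose incoming calls or messages may have been diverted, and an attacker who already holds the password. The model below is an added example written for this page; it is not Symantec's analysis or any real banking system, and the class names, the `forward_to` field that stands in for the malware's call redirection, and the constructed user "alice" are all assumptions. Its point is that the verifier itself is implemented correctly and is still defeated, because the security of a phone-delivered OTP rests on who actually receives the call.

```python
"""Model of a password + phone-delivered OTP login and of what call
forwarding on the victim's handset does to it.
Added example; names and flow are assumptions, not the article's code."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 60  # codes expire quickly; a correct verifier does this anyway


@dataclass
class Handset:
    """A phone line. `forward_to` models the effect described in the article:
    the infected handset silently diverts incoming calls/messages elsewhere."""
    number: str
    inbox: list[str] = field(default_factory=list)
    forward_to: Handset | None = None

    def deliver(self, message: str) -> None:
        target = self.forward_to or self
        target.inbox.append(message)


class OtpServer:
    """A correctly implemented verifier: random 6-digit code, single use,
    short expiry, constant-time comparison, audit trail."""

    def __init__(self, users: dict[str, tuple[str, Handset]]):
        self.users = users      # username -> (password, enrolled handset)
        self.pending: dict[str, tuple[str, float]] = {}
        self.audit: list[str] = []

    def start_login(self, username: str, password: str) -> bool:
        stored_pw, handset = self.users[username]
        if not hmac.compare_digest(stored_pw, password):
            self.audit.append(f"{username}: bad password")
            return False
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[username] = (code, time.time() + OTP_TTL_SECONDS)
        # The server can only address the enrolled number; it cannot see
        # whether the handset forwards what it receives.
        handset.deliver(f"Your code is {code}")
        return True

    def finish_login(self, username: str, code: str) -> bool:
        entry = self.pending.pop(username, None)  # pop => single use
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry or not hmac.compare_digest(expected, code):
            self.audit.append(f"{username}: bad or expired OTP")
            return False
        self.audit.append(f"{username}: login ok")
        return True


def extract_code(message: str) -> str:
    return message.rsplit(" ", 1)[1]


def simulate(forwarding_active: bool) -> bool:
    """Attacker already holds the password (the article's MITM/keylogger case).
    Returns True if the attacker completes the login."""
    victim = Handset("+10000000001")      # constructed numbers
    attacker = Handset("+10000000002")
    if forwarding_active:
        victim.forward_to = attacker      # what the malware achieves
    server = OtpServer({"alice": ("correct horse battery", victim)})
    assert server.start_login("alice", "correct horse battery")
    if not attacker.inbox:                # nothing diverted: attacker is stuck
        return False
    return server.finish_login("alice", extract_code(attacker.inbox[-1]))


def replay_rejected() -> bool:
    """Shows the verifier's own controls work: a consumed code cannot be reused."""
    phone = Handset("+10000000003")
    server = OtpServer({"bob": ("pw", phone)})
    server.start_login("bob", "pw")
    code = extract_code(phone.inbox[-1])
    first = server.finish_login("bob", code)
    second = server.finish_login("bob", code)
    return first and not second


if __name__ == "__main__":
    print("attacker gets in with forwarding:", simulate(True))     # True
    print("attacker gets in without forwarding:", simulate(False))  # False
    print("replay rejected:", replay_rejected())                    # True
```

The audit log in the model shows the defender's problem plainly: with forwarding active, the server records a normal "login ok" and nothing else, because from its side the password was right and the code came back within its lifetime. Single use, expiry and constant-time comparison all hold and none of them help, since the weakness is the delivery endpoint, not the verifier. Any control has to look at the channel (for instance, treating a line that has recently had forwarding enabled as higher risk) or at the handset itself, which is outside what the server alone can see.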
