Why Two-Factor Authentication Won’t Stop The Hacking Crisis


As high profile hacks continue to make news, “two-factor authentication” is becoming a household term. This year alone, Apple, Microsoft, and Evernote have rolled it out to users, and two weeks ago Wired reported that Twitter is developing a two-factor option of its own. Google and Facebook have had it since early 2011.

It’s usually described in the media as a sort of silver bullet: Damaging Twitter hacks, the thinking goes, will cease as soon as two-factor authentication becomes available.

Now, security experts are questioning its limits. As cyber attacks grow more sophisticated, hackers are zeroing in on mobile devices with the express intention of circumventing two-factor auth. The phone is an integral part of the two-factor process, which requires users to interact with it, either through a text message or an app, to log in. “In underground communities we’re seeing a lot of chatter focusing around mobile, specifically with phones,” Daniel Cohen, Head of Online Threats Managed Services at RSA, tells BuzzFeed. Cohen notes that RSA has seen 350 percent growth in Android malware between 2011 and 2012, from 1000 samples to 350,000.

“We’re seeing apps that will steal your contacts off your phonebook as well as applications that are programmed to steal SMS messages. These programs hide the messages from the users, so you’ll never even know you received the SMS,” Cohen said.

This kind of mobile malware, which can find its way onto a phone through a corrupted site or a compromised app, successfully grabbed private SMS data in Europe as part of a dramatic online heist. A December 2012 study by Versafe and Check Point Software Technologies details a Trojan called “Eurograbber,” which stole over 36 million Euros from bank customers by masquerading as a bank’s mobile encryption software. A passage from the report chillingly explains how the Trojan works:

The bank’s SMS containing the Transaction Authorization Number (TAN) is the key element of the bank’s two-factor authorization. The Eurograbber Trojan on the customer’s mobile device intercepts the SMS and uses the TAN to complete its own transaction to silently transfer money out of the bank customer’s account. The Eurograbber attack occurs entirely in the background. Once the “security upgrade” is completed, the bank customer is monitored and controlled by Eurograbber attackers and the customer’s online banking sessions give no evidence of the illicit activity.

An Italian version of the Eurograbber Trojan.
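The report passage above makes the defensive point concrete: once the phone is compromised, a correctly entered TAN proves nothing, because the attacker holds both the session and the SMS channel. What still distinguishes the fraudulent transfer is its shape (a first-time beneficiary, an unusually large share of the balance, submission seconds after login). The following is an added example, not code from the article, the Eurograbber report or RSA; it scores a transfer against a constructed customer profile and decides whether to allow it, demand an out-of-band confirmation, or hold it, regardless of whether the OTP was valid. All thresholds, field names and sample data are assumptions made for illustration.

```python
"""Constructed example: risk-score online-banking transfers so that a valid
one-time code alone does not authorize an anomalous transaction.
Thresholds and data are invented for illustration (not RSA's logic)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed weights and cut-offs (assumptions, not from the article).
NEW_BENEFICIARY = 30     # first transfer ever to this beneficiary
AMOUNT_OUTLIER = 25      # more than 5x the customer's median transfer
BALANCE_SHARE = 20       # more than a quarter of the current balance
FAST_AFTER_LOGIN = 25    # submitted within 30 s of login (injected by a bot)
STEP_UP_AT = 40          # ask for confirmation on an independent channel
HOLD_AT = 70             # hold the transfer for manual review


@dataclass
class Profile:
    known_beneficiaries: set
    past_amounts: list
    balance: float


@dataclass
class Transfer:
    beneficiary: str
    amount: float
    login_at: datetime
    submitted_at: datetime
    otp_valid: bool


def score_transfer(profile: Profile, tx: Transfer):
    """Return (score, reasons). A valid OTP never lowers the score: the
    article's point is that the SMS channel itself may be in the attacker's
    hands, so possession of the TAN is not evidence of the customer's intent."""
    score, reasons = 0, []
    if tx.beneficiary not in profile.known_beneficiaries:
        score += NEW_BENEFICIARY
        reasons.append("first transfer to this beneficiary")
    if profile.past_amounts:
        typical = median(profile.past_amounts)
        if tx.amount > 5 * typical:
            score += AMOUNT_OUTLIER
            reasons.append(f"amount {tx.amount:.0f} exceeds 5x median {typical:.0f}")
    if tx.amount > 0.25 * profile.balance:
        score += BALANCE_SHARE
        reasons.append("more than 25% of balance")
    if tx.submitted_at - tx.login_at < timedelta(seconds=30):
        score += FAST_AFTER_LOGIN
        reasons.append("submitted within 30 s of login")
    return score, reasons


def decide(profile: Profile, tx: Transfer):
    """Return (decision, score, reasons). OTP validity is a hard gate; the
    risk score then decides what a valid OTP is allowed to authorize."""
    score, reasons = score_transfer(profile, tx)
    if not tx.otp_valid:
        return "reject", score, reasons + ["OTP invalid"]
    if score >= HOLD_AT:
        return "hold", score, reasons
    if score >= STEP_UP_AT:
        return "step-up", score, reasons
    return "allow", score, reasons


# Constructed sample data: one customer, three transfers in the same session.
PROFILE = Profile(
    known_beneficiaries={"landlord", "utility-co"},
    past_amounts=[40, 55, 60, 120, 850],
    balance=12000.0,
)
LOGIN = datetime(2012, 12, 3, 9, 0, 0)
NORMAL = Transfer("landlord", 120.0, LOGIN, LOGIN + timedelta(minutes=4), True)
MEDIUM = Transfer("plumber", 200.0, LOGIN, LOGIN + timedelta(seconds=20), True)
# Eurograbber-like shape: new beneficiary, large slice of the balance,
# fired automatically right after login, and the TAN was "entered" correctly.
SUSPECT = Transfer("mule-account", 3600.0, LOGIN, LOGIN + timedelta(seconds=5), True)

if __name__ == "__main__":
    for name, tx in (("normal", NORMAL), ("medium", MEDIUM), ("suspect", SUSPECT)):
        decision, score, reasons = decide(PROFILE, tx)
        print(f"{name:8s} -> {decision:7s} score={score:3d} {reasons}")
```

The step-up branch is where the article's advice lands in practice: a "step-up" here means a confirmation over a channel the attacker does not already control (a call-back, or an in-app prompt on a separately enrolled device), not a second SMS to the same phone.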

Though breaches of two-factor authentication have, so far, been mostly confined to the banking industry, they pose a real threat to social and personal accounts, especially as more platforms adopt two-factor security solutions and phishing scams become more personalized. Spear-phishing isn’t just for organizations; scammers use it to target individuals, too.

“It’s not that the tech or that the method is corrupted, it’s that we as humans ‘fail’ with regard to being vigilant and aware of the attacks,” Cohen added. “That said, social engineering today is done with such high quality that it can deceive even a well trained eye.”

For security experts like Cohen, these hacks are part of a never-ending cat and mouse game, where hackers are often a step ahead. Two-factor authentication is important, but in no way a panacea for online security — for hackers, it’s a hurdle, not a roadblock.

As companies like RSA continue to develop more advanced methods of protection — currently, RSA is trying to build a profile of the “legitimate user” to make it easier to see abnormal behavior across the web and identify hacks — threat managers like Cohen suggest not only dual authentication, but extreme vigilance.

“The web has definitely become more dangerous in recent years and malware much more malicious in its nature,” Cohen cautions. “The security industry understands that this is a fact of life now. We have to accept that our computers can be breached and then work to find the solutions to help protect us.”

Article as published on http://www.buzzfeed.com/charliewarzel/why-two-factor-authentication-wont-stop-our-security-nightma


About Shailendra Nair

AI Generalist & Executive Tech Leader in Insurance & Benefits Tech. Driving growth, trust, and resilience from AIG to Marsh McLennan.

I am an AI Generalist and Executive Technology Leader with a career dedicated to reimagining how insurance and benefits ecosystems work in a digital first world. My expertise spans Insurance & Benefits Tech, digital transformation, and cybersecurity, with a proven ability to turn technology into both a growth engine and a resilience enabler. I have worked with global leaders such as PepsiCo, Allianz, AIG, and Marsh McLennan, experiences that gave me a rare mix of perspectives across insurance carriers, broking, and benefits advisory. This combination allows me to design solutions that balance global standards, local compliance, and client expectations while driving measurable business value.

My strength lies in full stack insurance technology leadership, covering Property & Casualty, Life, and Benefits. I bring hands-on expertise in infrastructure, cloud, security, and enterprise architecture, combined with data platforms, AI automation, and digital ecosystems. Having led across this spectrum, I can translate complex technology into practical outcomes that deliver trust, scale, and innovation.

As an AI Generalist, I focus on impact:
• Building automation first operations that scale efficiently.
• Designing chatbots and intelligent assistants to empower employees and clients.
• Deploying AI-driven QA frameworks to improve speed and accuracy.
• Exploring agentic AI roles to support compliance and transformation.

My philosophy is simple: technology should reduce friction, inspire confidence, and accelerate growth. I design platforms that enhance sales, revenue, and client stickiness, proving that tech can directly enable business outcomes. At the same time, I remain deeply client centric: a solution enabler who thinks out of the box to solve real challenges and deliver measurable ROI.

🌍 What excites me most is reimagining benefits ecosystems for the future of work. Employees demand seamless digital first experiences, organizations need efficiency, and regulators require trust and security. My mission is to build ecosystems that are secure, resilient, innovative, and human focused.