
"Bypassing two factor authentication", Shahmeer Amir



This research provides an insight into bypassing two factor authentication mechanisms in multiple ways. The goal is to demonstrate how common two factor authentication protected systems can be bypassed using simple techniques. This has been done by examining many systems, and a practical approach has been used in order to dig out realistic methodologies which can be used to bypass two factor authentication in web based systems. By proving this, the author aims to provide a basis for future researchers to study bypassing 2FA via other such techniques.


  1. Shahmeer Amir. Bypassing two-factor authentication using the simplest methods. CEO @ Veiliux. Bypassing Multi Factor Authentication
  2. WHO AM I?
      • Penetration Tester and Founder @ Veiliux
      • Cyber Security researcher
      • Leisurely Bug Bounty Hunter
      • M.Sc Security Science
      • Pursuing Ph.D in Information Security
  3. AGENDA
      • What is 2FA
      • Conventional 2FA implementations in web applications
      • Methods of bypassing 2FA in web apps
      • Methods of bypassing MFA in mobile phones
      • Foreword about FaceID
  4. 2FA, WHAT IS IT? Two factor authentication is a method of utilizing a handheld device as an authenticator for online portals.
  5. IS 2FA SECURE? While most organizations consider it a secure means of authenticating their users into their portals, there are methods by which two factor authentication can be bypassed.
  7. 2FA WORKFLOW
  8. TYPES OF 2FA TOKENS. There are three OATH OTP types that are the most widely used:
      • Event-based tokens
      • Time-based tokens
      • Challenge-based tokens
  9. EVENT-BASED TOKEN. An OTP system generates event-based tokens on demand from a static random key value combined with an event counter that advances on each use.
  10. TIME-BASED TOKEN. An OTP system generates time-based tokens automatically at fixed intervals from a static random key value and a dynamic time value.
  11. CHALLENGE-BASED TOKEN. An OTP system generates challenge-based tokens on demand using a random challenge key that is provided by the authentication server at each unique user log-in.
  12. BYPASSING 2FA IN WEB APPS
      • Bypassing 2FA in Mapbox (session management)
      • Bypassing 2FA in an e-wallet (response manipulation)
      • Bypassing 2FA in PayPal ("Try another way")
      • Bypassing 2FA in Recurly (universal OAuth bug)
      • Bypassing 2FA via exploiting voicemail
  13. RECURLY 2FA BYPASS. Cause of vulnerability: automatic login of users after a password change.
  14. RECURLY 2FA BYPASS (Cont.d). Process flow:
      • User requires a password change
      • User requests a password reset token
      • User changes the password via the token
      • Application logs the user in automatically after the change
  15. RECURLY 2FA BYPASS (Cont.d). Abusive scenario:
      • Attacker has the victim's credentials
      • Attacker logs in and is faced with the 2FA page
      • Attacker requests a password reset token
      • Attacker changes the password and is logged in
  16. RECURLY 2FA BYPASS (Cont.d)
  17. E-WALLET 2FA BYPASS. Cause of vulnerability: no verification of the response on the client end.
  18. E-WALLET 2FA BYPASS. Complete takeover of an account using response manipulation.
  19. E-WALLET 2FA BYPASS. Abusive scenario:
      • Attacker logs into the account
      • Attacker enters an incorrect response code
      • Attacker intercepts the response with Burp Suite Proxy
      • Attacker changes the response code and corresponding data to 200 OK
  20. PAYPAL 2FA BYPASS. Cause of vulnerability: secret question request manipulation.
  21. PAYPAL 2FA BYPASS. Process flow:
  22. PAYPAL 2FA BYPASS. Abusive scenario:
      • Attacker logs into the account
      • Attacker selects the alternative login option
      • Attacker enters incorrect answers
      • Attacker intercepts the request with Burp Suite
      • Attacker removes the "challenge" and "response" fields
      • Attacker is granted access
  23. RELATEIQ 2FA BYPASS. Cause of vulnerability: OAuth manipulation.
  24. RELATEIQ 2FA BYPASS. Bypassing 2FA via OAuth.
  25. RELATEIQ 2FA BYPASS. Abusive scenario:
      • Attacker compromises the user's Facebook account
      • Attacker clicks on "Login via Facebook"
      • Attacker is granted access to the victim's account
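The four web bugs above (slides 13 to 25) share one root: some path reaches a logged-in state without the server itself having verified the second factor. The following added example is my own, not code from any of the companies named; the user store, field names and the token_response scheme are constructed for illustration. It models a server-side session gate in which a password reset never logs the user in (Recurly), OAuth login lands on the same gate as a password login (RelateIQ), absent "challenge"/"response" fields fail rather than pass (PayPal), and authorization is read from server-held state rather than from the client's view of a response (e-wallet).

```python
import hashlib
import hmac
import secrets


def token_response(mfa_secret: bytes, challenge: str) -> str:
    # What the user's challenge-based token computes; the server recomputes the same value.
    return hmac.new(mfa_secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class AuthServer:
    # Constructed login state machine (not any vendor's code); only verify_second_factor() sets mfa_done.
    def __init__(self, users):
        self.users = users      # name -> {"password": str, "mfa_secret": bytes, "facebook_id": str}
        self.sessions = {}      # session id -> {"user", "mfa_done", "challenge"}
        self.reset_tokens = {}  # reset token -> user (filled by whatever e-mails the token)

    def _start_session(self, user):
        # Every entry point lands here with mfa_done=False, so no login path skips the gate.
        sid, challenge = secrets.token_hex(16), secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "mfa_done": False, "challenge": challenge}
        return sid, challenge

    def login_password(self, user, password):
        u = self.users.get(user)
        return self._start_session(user) if u and hmac.compare_digest(u["password"], password) else None

    def login_oauth(self, facebook_id):
        # RelateIQ case: "Login via Facebook" lands on the same gate as a password login.
        name = next((n for n, u in self.users.items() if u.get("facebook_id") == facebook_id), None)
        return self._start_session(name) if name else None

    def reset_password(self, token, new_password):
        # Recurly case: a reset changes the password but never hands back a logged-in session.
        user = self.reset_tokens.pop(token, None)
        if user is None:
            return False
        self.users[user]["password"] = new_password
        return True

    def verify_second_factor(self, sid, form):
        # PayPal case: a missing "challenge" or "response" field is a failure, not a pass.
        s = self.sessions.get(sid)
        if s is None or "challenge" not in form or "response" not in form or form["challenge"] != s["challenge"]:
            return False
        expected = token_response(self.users[s["user"]]["mfa_secret"], s["challenge"])
        s["mfa_done"] = hmac.compare_digest(expected, str(form["response"]))
        return s["mfa_done"]

    def is_authorized(self, sid):  # e-wallet case: server state decides, not the client's view
        return bool(self.sessions.get(sid, {}).get("mfa_done"))
```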
  26. BYPASSING 2FA VIA VOICEMAIL. Cause of vulnerability: exploiting voicemail.
  27. BYPASSING 2FA VIA VOICEMAIL. Process flow:
      • User logs in
      • User requests the 2FA code via call
      • User gets a call from someone else at the same time
      • User's 2FA code is sent to voicemail
  28. BYPASSING 2FA VIA VOICEMAIL. Abusive scenario:
      • Attacker logs into the victim's account
      • Attacker engages a call with the victim's phone number
      • Attacker chooses the "2FA code via phone call" option
      • As the victim is engaged in the call by the attacker, the 2FA phone calling service sends the 2FA code to the victim's voicemail immediately
  29. EXPLOITING VOICEMAIL. Step 1: Obtain an ANI/Caller ID spoofing service (either via a VoIP provider or via a dedicated spoofing provider).
  30. EXPLOITING VOICEMAIL. Step 2: For all the services in the Australian region, input the destination number as +610411000321.
  31. EXPLOITING VOICEMAIL. Step 3: Enter the "Caller ID to Display" as the victim's mobile number.
  32. EXPLOITING VOICEMAIL. Step 4: If you're using SpoofCard, a number and an access code are displayed. Call this number and input the access code.
  33. EXPLOITING VOICEMAIL. Step 5: You will be connected to the endpoint of the victim's voicemail service provider. There, input the victim's mobile number and press #.
  34. EXPLANATION FOR USING VM NO.
      • All resellers use exactly the same main services as Optus does.
      • The primary number to call for voicemail is "321".
      • When spoofing, we need a remote number to call, as we are unable to reach "321".
      • Australian cellular providers provide a remote number to call in case customers are overseas. This number is +610411000321.
  35. 2FA BYPASS IN MOBILE PHONES
      • Bypassing pattern lock via ADB
      • Bypassing the S8 iris scanner
  36. BYPASSING PATTERN LOCK USING ADB. This option works only when you have previously enabled USB debugging on your device and your PC is allowed to connect via ADB. If you meet these requirements, this method is ideal for unlocking the Samsung lock screen.
  37. BYPASSING PATTERN LOCK USING ADB. How to:
      • Connect your device to the PC using a USB cable and open a command prompt in the ADB directory. Type the command "adb shell rm /data/system/gesture.key" and press Enter.
  38. BYPASSING IRIS SCANNER IN S8. Take a photo of the person's eye (lens specs: 200 mm; distance: 15 mm; print: high quality color copy). Use a wet lens over it and the phone will be unlocked. With a sufficient amount of time and complete access to the phone, you could theoretically unlock any Galaxy S8 with iris scanning enabled.
  40. FACE ID, let's talk
  41. SO, HOW CAN IT BE HACKED? The Secure Enclave Processor. The images captured by Face ID are kept in the encrypted memory of Apple's special coprocessor, which is called the Secure Enclave Processor.
  42. SEP, what is it? A security circuit designed to perform secure services for the rest of the SoC. SEP has its own set of peripherals accessible by memory-mapped IO and dedicated IO lines, and runs its own operating system (SEPOS).
  43. The Future of FaceID is based on SEP
      • SEP(OS) lacks basic exploit protections, e.g. no memory layout randomization
      • Shared PMGR and PLL are open to attacks
      • Inclusion of the fuse source pin should be re-evaluated
      • The demotion functionality appears rather dangerous
  44. QUESTIONS?