Bypassing Multi-factor Authentication - How to


All digital giants and banks are using multi-factor authentication nowadays to make sure that their users’ data is “safe”.


So, how do I bypass the multi-factor authentication on my targets?

However you created your phishing site, whether with tools or self-built, you have to add some extra functions to it. Which ones depends on your target.

How do I determine what extra function I need?

That’s really straightforward: just check the two-factor authentication of the target site.
(1) All social media sites: PINs
(2) All Banks: TANs

(1) How do I bypass the MFA on social media sites like Youtube, Facebook, Twitter …?

Simply add to the standard login and password form another one that looks exactly the same.
But the new PIN form only shows up after they have clicked the login button.
Immediately after that you receive the login data.
You log in. Now they get the PIN on their phone. They enter the code in the form. But the form is actually just for show; it does nothing. Just manipulation. They think the code is for them. Haha. There you go.

(2) How do I bypass the MFA on banks?

It’s literally the same procedure as above, because banks don’t use the usual PINs; they use TANs, which are always attached to a mobile banking app.
This app uses a user ID and a password for the login. You first have to get those.
So, simply use a user ID and password login form. But there’s something missing, right? Ah yeah, almost forgot it… Just add another TAN form too. Now you have the user ID, password and TAN forms set up. But unlike the other method, you immediately show the user ID and password forms instead of letting them pop up out of nowhere. The TAN form then pops up out of nowhere, which creates the illusion of being real. It isn’t.

Now you might ask why we even include the TAN in this method… The simple answer is: manipulation.
Every bank user knows what a TAN is used for: mobile banking. That’s why the suspicion that would come up on seeing that they have to enter their mobile banking data is going to vanish, because we include the TAN.

Those three added forms use the same code as the online banking ID and password forms, whose contents are sent to you automatically. Once your target has filled in all four forms, you are ready.

Fire up the mobile banking app of the specific bank and enter the gathered data.

Now you can log in to the online banking and withdraw as much money as you want. Logically, we gathered the mobile banking app details to receive the TAN we need for verifying every single transaction.

Banks and social media definitely have to step up their game.

Feel free to share your thoughts below :)
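The procedure in the post above, for both the PIN and the TAN variant, is a real-time relay: whatever the victim types into the look-alike page is forwarded to the real site, and the attacker's own session is the one that ends up authenticated. The following is an added, self-contained model of that flow (not the original poster's code, and not a real phishing kit): a stand-in target site that verifies a password and then an RFC 6238 time-based code, a relay that forwards both, and a second run with an origin-bound second factor that fails because the victim's browser signs the phishing domain rather than the real one. All users, passwords, secrets and domains (`bank.example`, `bank-login.example`) are constructed for the demo; the "assertion" is an HMAC stand-in for a WebAuthn signature, not the real protocol.

```python
"""Added example for this thread (not the original poster's code): a stand-alone
model of the credential-then-code relay described above, and of why the same
relay fails against an origin-bound (WebAuthn-style) second factor. All users,
secrets and domains are constructed for the demo; nothing is contacted."""
import base64
import hashlib
import hmac
import secrets
import struct


def totp(secret_b32, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), as generated by a phone authenticator app."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def origin_bound_assertion(key, challenge, origin):
    """Stand-in for a WebAuthn assertion: the signed data covers the challenge
    AND the origin the browser is actually on. (Real WebAuthn signs clientData
    with a public-key credential; an HMAC keeps the demo self-contained.)"""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class TargetSite:
    """Minimal real site: password first, then a second factor, per session."""
    ORIGIN = "https://bank.example"              # constructed for the demo

    def __init__(self):
        self.users = {}          # user -> (password, totp secret, assertion key)
        self.pending = {}        # session id -> user awaiting second factor
        self.authenticated = set()

    def register(self, user, password):
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        key = secrets.token_bytes(32)
        self.users[user] = (password, secret, key)
        return secret, key       # what the victim's phone/authenticator holds

    def login(self, user, password):
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return None
        sid = secrets.token_hex(8)
        self.pending[sid] = user
        return sid               # half-logged-in session, code still required

    def verify_code(self, sid, code, now):
        user = self.pending.get(sid)
        if user and hmac.compare_digest(totp(self.users[user][1], now), code):
            self.pending.pop(sid)
            self.authenticated.add(sid)
            return True
        return False

    def verify_assertion(self, sid, challenge, assertion):
        user = self.pending.get(sid)
        if user is None:
            return False
        expected = origin_bound_assertion(self.users[user][2], challenge, self.ORIGIN)
        if hmac.compare_digest(expected, assertion):
            self.pending.pop(sid)
            self.authenticated.add(sid)
            return True
        return False


class PhishingRelay:
    """The fake login page: every form field is forwarded to the real site,
    while the victim only ever sees the look-alike origin."""
    ORIGIN = "https://bank-login.example"        # look-alike domain, constructed

    def __init__(self, target):
        self.target, self.sid = target, None

    def post_credentials(self, user, password):
        self.sid = self.target.login(user, password)   # attacker logs in at once
        return "code-form"                             # the 'just for show' PIN/TAN form

    def post_code(self, code, now):
        return self.target.verify_code(self.sid, code, now)   # attacker uses the code

    def post_assertion(self, challenge, assertion):
        return self.target.verify_assertion(self.sid, challenge, assertion)


def run_code_relay(now=1_700_000_000):
    """Victim types password and phone code into the phishing page: the
    attacker's session on the real site ends up authenticated."""
    site = TargetSite()
    secret, _ = site.register("alice", "hunter2")      # constructed test user
    relay = PhishingRelay(site)
    relay.post_credentials("alice", "hunter2")
    victims_code = totp(secret, now)                   # read off the phone, still valid
    return relay.post_code(victims_code, now) and relay.sid in site.authenticated


def run_origin_bound_relay():
    """Same relay, but the second factor signs the origin: the victim's browser
    signs for the phishing domain, so the real site rejects the forwarded value."""
    site = TargetSite()
    _, key = site.register("alice", "hunter2")
    relay = PhishingRelay(site)
    relay.post_credentials("alice", "hunter2")
    challenge = secrets.token_bytes(16)                # relayed from the real site
    victims_assertion = origin_bound_assertion(key, challenge, PhishingRelay.ORIGIN)
    return relay.post_assertion(challenge, victims_assertion)
```

`run_code_relay()` returns True: a PIN or TAN generated by a phone app is bound only to a time window, not to the page it is typed into, so it is as good for the attacker's session as for the victim's. `run_origin_bound_relay()` returns False with the same relay, which is the point of origin-bound authenticators: the value the victim produces on `bank-login.example` is never valid for `bank.example`, however quickly it is forwarded.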


I’m not trying to belittle your paper, but the attack described above is nothing less than a classical social engineering attack. In no way can this method be considered an MFA bypass.

It may, however, make sense if combined with an open redirect or XSS vulnerability that allows redirecting users to your malicious website. Below are links to well-known tools that can help people conduct such an attack:

(fxbg) #3

I’m going to have to agree with Nitrax; it seems like a short paper about where to look (social-engineering-wise) for someone’s information. I think we all know where to look for 2FA. How about spending more time on it and implementing something web-side or app-side on the phone? Otherwise, it does seem kind of pointless to post this.
