User Passwords, 2FA & MFA are all Vulnerable to Phishing and Pharming attacks.
How can you be sure that you’re providing your password, SMS code, OTP code, Fingerprint or IRIS scan to a legitimate online service?
Do you have any evidence, before you connect to the service, that you are actually connecting to a genuine online service? Traditionally, user authentication methods work on the assumption that the user is always connected to a genuine and authentic service. However, there are now more fake online services than ever before posing as legitimate websites in order to steal your information.
Password Hijacking
If a user types their static password into a terminal manually, but the terminal has already been compromised, then the password is handed over to the attacker automatically without the user knowing. Static user passwords are no longer safe or convenient to use.
ARS Hijacking
Similar to SMS hijacking, once an attacker has successfully installed malware on a targeted user's device, ARS-based user authentication can be compromised without the user's mobile device ringing at all.
SMS Hijacking
If an attacker compromises a user's mobile device by installing malware, they can then forward all of the user's SMS codes to their own device without the user knowing anything. In 2019, SMS should not be used as 2FA to protect online services. Here's why NIST recommends that SMS-based 2FA no longer be used.
OTP Hijacking
If a user enters their OTP code into an online service without first checking the authenticity of that service, then the user can easily become the victim of an attack: the code itself carries no information about which service it was entered into.
Mobile Push Notification Hijacking
All mobile push-based authenticators start with the user entering their user ID. However, once a user enters their ID into a fake online service, without knowing whether the service is authentic, an attacker can reuse that ID to start a login at the genuine online service and fully impersonate the user. Also, if the user then receives a push notification that was generated by the attacker's login attempt, the user might approve it, assuming it is a genuine access request, without knowing what connection they have really just approved.
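The OTP and push cases above share one root cause: the verifier only sees the code or approval, never which site the user believed they were talking to. The following is an added example (not code from the original page or from any product it describes) that contrasts a standard RFC 6238 TOTP verifier with a constructed origin-bound challenge-response, where the client's answer is computed over the origin it actually connected to; the secret, challenge and origin names are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo only; not a real credential.
SECRET = b"constructed-shared-secret"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The OTP verifier receives only the digits; it cannot tell which site they were typed into."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def sign_challenge(secret: bytes, challenge: bytes, origin_seen_by_client: str) -> str:
    """Origin-bound response (hypothetical scheme): the client mixes the origin it is
    really connected to into the MAC, so the answer is only valid for that origin."""
    msg = challenge + b"|" + origin_seen_by_client.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_challenge(secret: bytes, challenge: bytes, response: str, expected_origin: str) -> bool:
    """The genuine service verifies against its own origin, not whatever the client claims."""
    return hmac.compare_digest(sign_challenge(secret, challenge, expected_origin), response)


def relay_demo(unix_time: int = 1_700_000_000) -> tuple:
    """Returns (otp_accepted_after_relay, bound_response_accepted_after_relay)."""
    # A code read from the user's authenticator and submitted to a look-alike site
    # verifies just as well when forwarded to the genuine site.
    code = totp(SECRET, unix_time)
    otp_relayed_ok = verify_otp(SECRET, code, unix_time)
    # With origin binding, the client signs over the site it actually sees
    # ("evil.example"), so the genuine service ("bank.example") rejects it.
    challenge = b"constructed-nonce-1234"
    response = sign_challenge(SECRET, challenge, "evil.example")
    bound_relayed_ok = verify_challenge(SECRET, challenge, response, "bank.example")
    return otp_relayed_ok, bound_relayed_ok
```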