The best thing you can do is implement two-factor authentication: The worst thing you can do is rely on it

May 5, 2020 Posted by Jill Kamperides IT Security

Password authentication is inherently weak, even if you have the strongest password ever. Maybe your password is 25 characters and there is no way it could be cracked – but if your account is compromised in a data breach, your password is suddenly meaningless. If you have shared that password between multiple accounts, you are in even more trouble. As penetration testers, it is one of the first things we check for, and the bad guys do, too. Two-factor authentication (2FA) was developed as a way to strengthen password-based login by adding a second factor, and it works really, really well, most of the time. However, during a recent penetration test, the OCD Tech team proved that even two-factor authentication is not the be-all and end-all of user security. It can be bypassed.

It started with reconnaissance of our target, as most real-world attacks do. With the power of open-source intelligence-gathering tools, and with search engines at our disposal, we compiled a list of email addresses that would be the foundation of a phishing campaign against a client. A review of the in-scope IP addresses revealed a few different websites that were hosting login pages – we noted Citrix, Outlook, and some others that made potential targets for this campaign. We decided to start with their Outlook Web Application login portal.

Our client’s instance of Outlook Web App was not protected by 2FA, which made for an easier starting point. We crafted an email along the lines of, “We’ve had an update. Please log in to your account via this link to validate your credentials.” It was prettier than that, of course, and there was some backend work involved, such as registering a convincing domain, standing up our fake OWA login portal, and making sure that our credential-harvesting webpage was functioning as expected. With those steps done, we fired off our phishing email to the list of addresses we had assembled during the recon stage. And then we waited. Ultimately, we received three sets of credentials. Most times, all you need is one.

As luck (and Active Directory) would have it, these credentials were also valid on the client’s Citrix web portal, with one caveat – Citrix was protected by two-factor authentication. More specifically, Citrix was protected by a Google One-Time Password (OTP). We decided to phish for it. We set up a new landing page, a clone of Citrix, that would accept a username, password, and 2FA code. We then emailed only the three users who responded to our first round of phishing, knowing they would be most susceptible to responding again. This method of picking and choosing targets, as opposed to addressing an entire mailing list, is known as spear phishing. Our email this time looked something like this: “Some users have reported issues accessing Citrix following our update. Please validate your Citrix credentials here to ensure your access is not affected. Remember, this must include your Google OTP.” And we waited.

There are a few problems when it comes to phishing for two-factor authentication:

Number 1— If the target’s 2FA service only generates a code when a real login attempt is made, this strategy will fail, since the target is logging in to our fake page and will therefore not trigger a prompt. Google’s OTP, however, is a rolling code that automatically refreshes every 60 seconds. This code lives on the user’s device and is valid whether they are actively trying to log in or not. All we needed was for one of the targeted users to enter their current code into our fake login page. With any other configuration, our attempt at bypassing 2FA would have been significantly more difficult, and likely less successful.

Number 2— The code is time-sensitive! If it is not entered within a very limited window of time, authentication will fail.

So, we watched our web server logs, which provided a live feed of any phished credentials, and we didn’t dare step away from our screens until an hour or so later, after we had gotten three hits. Our hunch was right: the three users who were phished once were all phished again. The usernames, passwords, and OTPs they provided were accepted by Citrix, and due to the poor security configuration of the Citrix server, we demonstrated complete network compromise for the client while being entirely remote.

How can you protect yourself from attacks like this?

The first step is realizing the root of the problem. Although two-factor authentication can leave a lot to be desired in the way of security, this is not the biggest issue. The problem lies with phishing, and your users’ susceptibility to phishing attacks. Remember, all it takes is one unaware user to result in network compromise.

Phishing can be partially mitigated with a mail filter and robust spam settings, but if one email should slip through, your organization is still vulnerable if your users are not trained in security awareness. The best way to do this is to phish them yourself – familiarize your users with what phishing looks like, train them when they are fooled, and, in the future, they will know what to look for and will know not to click again.

Two-factor authentication, although flawed, is still extremely important. Passwords can be cracked, guessed, or stolen; it happens all the time. Two-factor helps to protect against this; it is one of the best defenses against an attacker trying to break into your account – but its flaws cannot be ignored. Like most things, two-factor authentication is imperfect, and it can be bypassed. This is why you should not rely solely on it to protect yourself. When you stack your defenses, not only with 2FA, but with a staff that will never fall for a phishing email, you stand a far greater chance of withstanding attacks.

Contact OCD Tech if you would like to learn about the security awareness training we offer to help keep your users safe from phishing attacks and check out our free external web breach assessment to understand what the biggest outside risks are to your organization.


About Jill Kamperides

Joining the team in 2019, Jill is an IT Security Analyst focused on privately held companies and international banking clients. As part of the penetration testing team, she utilizes her deep knowledge of programming and automation through scripting and uses that knowledge to quickly discover misconfigurations in target systems. Jill is also responsible for the OCD Tech phishing platform and oversees the maintenance of weekly client employee security awareness campaigns.
