2FA - Smartphone

Limitations

OTP Phishing

How Hackers Bypass Gmail 2FA at Scale
A new Amnesty International report goes into some of the technical details around how hackers can automatically phish two-factor authentication tokens sent to phones.
https://www.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo

The Return of The Charming Kitten
A review of the latest wave of organized phishing attacks by Iranian state-backed hackers
https://blog.certfa.com/posts/the-return-of-the-charming-kitten/

Real-time phishing tool:
Modlishka is a powerful and flexible HTTP reverse proxy... can be currently used to... support ethical phishing penetration tests with a transparent and automated reverse proxy component that has a universal 2FA "bypass" support.
https://github.com/drk1wi/Modlishka
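Why a transparent reverse proxy gets a "universal" bypass of OTP-based 2FA is easier to see on a toy model than in the tool itself. The block below is an added example, not code from Modlishka or from any of the articles linked above. It implements RFC 6238 TOTP with the standard library, models a site that checks the code with one step of clock skew and rejects reuse of a step, and then runs two attacker timelines against it: a real-time relay (the proxy forwards the victim's code within seconds) and a harvest-and-replay two minutes later. The secret `DEMO_SECRET_B32`, the `Service` class and the `simulate` function are constructed for this illustration; the point it shows is that the verifier only ever sees a six-digit string and a clock, never the origin the victim typed it into, so a code relayed inside the window is indistinguishable from a legitimate one. SMS OTPs have the same property (they are bound to a number, not to a site), so the same relay works against them.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6

# Constructed demo seed for this example; not tied to any real account.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def b32_key(secret_b32: str) -> bytes:
    """Decode the base32 seed the way authenticator apps store it."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step."""
    return hotp(b32_key(secret_b32), at // step, digits)


class Service:
    """Hypothetical model of a site's second-factor check: accepts one step of
    clock skew either side and refuses a counter that was already consumed."""

    def __init__(self, secret_b32: str):
        self.key = b32_key(secret_b32)
        self.last_counter_used = -1

    def verify(self, code: str, now: int) -> bool:
        for drift in (-1, 0, 1):
            counter = now // STEP + drift
            if hmac.compare_digest(hotp(self.key, counter), code):
                if counter <= self.last_counter_used:
                    return False        # same step used twice: reject
                self.last_counter_used = counter
                return True
        return False


def simulate(now: int) -> dict:
    """Run the attacker timelines against fresh services and report which
    succeed. Note that nothing in verify() knows where the code was typed."""
    victim_code = totp(DEMO_SECRET_B32, now)   # what the victim's phone shows

    # 1. Real-time relay (the reverse-proxy model): the proxy forwards the
    #    captured password and code to the real site within seconds.
    relay_target = Service(DEMO_SECRET_B32)
    relayed_ok = relay_target.verify(victim_code, now + 5)

    # 2. Harvest-and-replay: the same code reused two minutes later falls
    #    outside the +/-1 step window, so the service rejects it.
    replay_target = Service(DEMO_SECRET_B32)
    replayed_ok = replay_target.verify(victim_code, now + 120)

    # 3. A second use of the relayed code at the same site, still inside the
    #    window, is stopped only by the used-counter check.
    reused_ok = relay_target.verify(victim_code, now + 10)

    return {"relayed": relayed_ok, "replayed": replayed_ok, "reused": reused_ok}


if __name__ == "__main__":
    import time
    print(simulate(int(time.time())))
```

Running it prints `{'relayed': True, 'replayed': False, 'reused': False}`: the relay wins, the delayed replay loses, which is exactly why the tools in this section work in real time rather than harvesting codes for later. The used-counter check limits the attacker to one session per code but does nothing against the relay itself; only a factor bound to the origin (the verifier checking which site the user is actually talking to) closes that gap, and a TOTP or SMS code carries no such binding.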

OTP SMS interception

New Android trojan targeting over 60 banks and social apps
https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Thieves drain 2FA-protected bank accounts by abusing SS7 routing protocol
https://arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/

Russian Telegram Accounts Hacked by Intercepting One Time Password (OTP)
https://www.ehackingnews.com/2019/12/russian-telegram-accounts-hacked-by.html

OTP SMS Interception with "SIM swap"

The SIM Hijackers
Meet the hackers who flip seized Instagram handles and cryptocurrency in a shady, buzzing underground market for stolen accounts and usernames. Their victims' weakness? Phone numbers.
https://www.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

Busting SIM Swappers and SIM Swap Myths
...accounts from a recent victim who lost more than $100,000 after his mobile phone number was hijacked
https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/

Phone number abuse (targeted advertising)

Never Trust a Platform to Put Privacy Ahead of Profit
Twitter used phone numbers provided for two-factor authentication to target ads—just like Facebook did before.
https://www.wired.com/story/twitter-two-factor-advertising/
