Modlishka: A Tool That Could Bypass Two-Factor Authentication

Internet data security. Two factor authentication. Digital safety. Man entering his online banking password
Polish researcher Piotr Duszyński published a new tool, “Modlishka,” capable of bypassing two-factor authentication used for critical transactions.

The whole cybersecurity establishment and the stakeholders like banks and credit card companies have been saying for years that two-factor authentication (or 2FA) is the “be all and end all” solution for secure online transactions, especially when combined with standard security practices.

But this theory has been challenged by a researcher Piotr Duszyński from Poland, as he has created a tool “Modlishka” that can bypass 2FA with ease.

Tool Posted with Comments in the Public Domain

Duszyński posted the tool, dubbed Modlishka, publicly on GitHub.

In a blog post accompanying the release, Duszyński says his justification for publishing the proof-of-concept is that in the absence of his action, the credible threat to bypassing two-factor authentication might only be perceived theoretical, and not critical.

If Duszyński’s intentions were not genuine, he could have silently sold his program to some unscrupulous entity for a large sum of money.

The fact that he chose to put it out there can be construed as a genuine action to warn the powers that this needs fixing.

Two-Factor Authentication Is Still Considered Safe

In the conventional method of doing financial transactions, you would log into your bank account on your computer or mobile phone.

You would have to use your login ID and password to access your account. This would be the first stage the bank’s server will authenticate that it is you.

In the next stage, the moment you input the details of who you want to pay the money to and you use a transaction password that you have, you were allowed to make the transfer.

This was considered insecure since the passwords remained stored on another system which, therefore, could be hacked into and stolen and misused.

Then a improvement was suggested that for each transaction, the bank or the credit card company will send out a unique passcode to your mobile number or email, and it will be kept valid for a few minutes only.

Without entering this code, the transaction could not be completed. This is considered the safest way, at least until Duszyński discovered and published his “Modlishka” tool to bypass 2FA.

How Does ‘Modlishka’ Work?

The method demonstrated by Duszyński to create the Modlishka tool is described as reverse proxy. This gives the tool the capability to precipitate phishing attacks without any hassle.

The details he has posted shows how any hacker can bypass 2FA and do whatever they want to do with the targeted system.

If you are a cybersecurity professional offering service to a financial institution, you would want to go by the instructions of Duszyński and test your client’s system.

If what he claims is true, you may be shocked to realize that the secure transaction package you created for your client has been rendered useless.

So, What’s the Way Forward?

System Security Specialist Working at System Control Center. Room is Full of Screens Displaying Various Information.
If you are a cybersecurity professional offering service to a financial institution, you would want to go by the instructions of Duszyński and test your client’s system.

The only way this situation is rectified is to build more firewalls so that the Modlishka tool or other renderings like it will not succeed and customers at large can continue to use two-factor authentication without worrying about being hacked.

These shocks are administered as part of a wake-up call. Even under normal circumstances, organizations conduct mock drills to check if their systems are secure and if there are any vulnerabilities in them.

Technologically speaking, a hacker will first have to establish a phishing site so that the victim can land on that page to do any transaction instead of in the original intended destination.

But the next difficult task would be to obtain a TLC certificate for that URL; that is the only tricky point that works in favor of the users.

A good browser will be able to detect the fake webpage and warn the user of the risk involved in visiting that page.

This brings you back to the above advice that the cybersecurity expert does a check to make sure the clients’ sites are not compromised in any manner and, where necessary, strengthen the firewalls.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.