Bypassing Two-Factor Authentication
Yet another way two-factor authentication has been bypassed:
For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that computer’s web browser for banking sessions. When a user visited a banking site, Eurograbber would inject JavaScript and HTML markup into their browser, prompting the user for their phone number under the guise of a “banking software security upgrade”. This is also the key to Eurograbber’s ability to bypass two-factor authentication.
It’s amazing that I wrote about this almost eight years ago. Here’s another example of the same sort of failure.
Nick • December 10, 2012 1:22 PM
This would also be a good way to grab phone access even in the absence of two-factor authentication, for some other purpose.