Hackers used to rely on the victim’s actions, gaining access when they clicked on a link, filled out a form, or engaged in some way. But new attacks like zero-click and “man-in-the-middle” require no action by a user.
Attacks on 2FA are not new, but the methodology is. New attacks are becoming extremely sophisticated, effective, and dangerous. Facial recognition, biometrics, rotating keys, and password-less logins are trying to replace 2FA. One of the biggest problems with two-factor systems is that many users don't even bother to set them up.
Researchers from the cybersecurity firm Palo Alto Networks and Stony Brook University have found that hackers are using this method to steal data while “mirroring” an online site that exchanges cookies with the victim. They concluded their security tool is 99.9 percent accurate. Surprisingly, they have captured data on 1,220 man-in-the-middle phishing websites.
Hackers Bypassing Phishing Blocklists
Researchers found that MITM phishing toolkits have managed to escape phishing blocklists. Only 43.7 percent of the domains and 18.9 percent of IP addresses they discovered are on blocklists. The team showed how average users, who are not experts, are vulnerable to these attacks. The hack can go on for months without the user ever noticing it because it happens while the user navigates to usual websites.
The detection program the team developed can outsmart the camouflage mechanisms that hackers are using in these new methods. Their tool can also be used to stop attacks as they happen. “MITM phishing toolkits are the state of the art in phishing attacks today,” the team says. The “no-action-required-to-be-hacked” trend continues to grow with new methods. MITM attacks can bypass JavaScript defenses and don’t go after passwords but after authentication cookies.
Which 2FA Method Is The Most Secure?
Two-factor authentication requires another level of authentication apart from a user's password. This is usually in the form of a unique code that is sent to the user, which they need to enter to gain access to a website or service. One way to get a secure code is through a text message sent to the user's primary phone number.
The more secure way is to use an authentication app. There are quite a few on the market, but the most popular ones include Microsoft Authenticator, Google Authenticator, and Authy. Users can use any authentication app of their choice, and will need to link it to different accounts, such as Facebook, Instagram, Twitter, etc. When logging in to these apps, users will need to open the authenticator app, which will display a code that's valid only for about 30 seconds. Both these methods require a user to have a phone with them, which can be inconvenient. While using two-factor authentication isn't a foolproof way to prevent hackers from accessing accounts, it's far safer than not enabling it in the first place.
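How an authenticator app arrives at a code that is valid for about 30 seconds, as an added example that is not part of the original article or the researchers' tool: a time-based one-time password per RFC 6238, with a server-side check that tolerates one step of clock drift and refuses a code that was already used. The function names are hypothetical and the secret is the published RFC 6238 test key, not a real account secret.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the "about 30 seconds" validity period
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 test key, sample only


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify(secret, code, unix_time, drift_steps=1, used_counters=None):
    """Server side: accept a code from the current step or +/- drift_steps.

    used_counters is an optional per-account set of time steps that have
    already authenticated; a second submission of the same code is refused.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(max(0, current - drift_steps),
                         current + drift_steps + 1):
        expected = hotp(secret, counter, len(code))
        if hmac.compare_digest(expected, code):  # constant-time comparison
            if used_counters is not None:
                if counter in used_counters:
                    return False
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=60 :", verify(RFC_TEST_SECRET, code, 60))
    print("accepted at t=120:", verify(RFC_TEST_SECRET, code, 120))
```

A code that passes this check shows possession of the shared secret at that moment only. It does not protect the authentication cookie issued afterwards, which is what the MITM toolkits described above go after.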
Source: Catching Transparent Phish