In recent times, many developers and publishers, ranging from online service providers to gaming studios, have started offering two-factor authentication. What they all state, and what everyone is led to believe, is that it makes one’s account, system, smartphone, etc. more secure. However, it seems that is not the case.
According to a new report, a Chinese hacker group called APT20 has managed to bypass the commonly used security methods without setting off any alarms. In other words, the group has circumvented the means for two-factor authentication, which makes the security method vulnerable.
Reportedly, APT20 used what Fox-IT has labeled “Operation Wocao” to achieve this feat. Previously, the group managed to hack web servers but has now shifted focus. APT20 used RSA SecurID software that was stolen from a hacked account to circumvent the two-factor verification methods. In simpler terms, the group used a stolen and modified key from a hacked account to make its hack seem valid to the security systems.
Through this method, APT20 also managed to fool other systems into showing valid results. Since two-factor authentication relies on different systems, if the group manages to hack one side, it can make the other system accept its modified key as well, allowing the group to either steal a key or not need one in the first place.
As of right now, no solution for the latest exploit is available. However, that does not mean that the system is completely flawed and insecure. The report also details various methods through which the parts of the dual verification process can be made more independent and less reliant on one another.
Notably, Chinese citizens are apparently at higher risk because the group is allegedly linked to the Chinese Government. This seems more plausible now, as the group is actively targeting VPN systems. A VPN is basically used to access outside data or websites that the nation censors or doesn’t allow its people to access freely.