Can ZeuS Malware Bypass Two Factor Authentication?

Multiple 2FA solutions are available today, e.g. SMS-based OTP, TOTP-based OTP, push notifications and hardware token generators. Time-based One-Time Password (TOTP) is one of the stronger second factors in common use: each code is computed from a secret shared only between the user's authenticator and the server, and it expires after a short interval. No authentication scheme is absolutely secure, however; every second factor is only as trustworthy as the channel that delivers it and the device that holds it. ZeuS, on the other hand, is a trojan designed to infiltrate a user's machine and steal confidential data, and it has already defeated SMS-based 2FA in the wild. The contest between 2FA and malware such as ZeuS is ongoing, and against SMS-delivered codes ZeuS has won a battle, if not the war itself.

What is ZeuS malware?

ZeuS, a.k.a. Zeus or Zbot, is a Trojan horse that was primarily designed to steal financial data from Windows-based systems. It was first identified in 2007, when it was used to steal information from the United States Department of Transportation. Since then it has compromised accounts on the websites of many companies, including NASA, Oracle, Cisco and Amazon, to name a few. Even today it remains hard to detect because of its stealth techniques.

What does it do?

ZeuS already carries out a number of malicious activities on infected systems, and because it is sold as a toolkit it can be tailored to do more, depending on how its operator wants it to function. It is mostly used as a financial trojan that targets the credentials on the machine it has infected. ZeuS hides itself on the user's device and intercepts the transactions and other activity the user performs there. Infected machines are enrolled in a botnet, a network of compromised computers that report to an attacker-controlled command and control (C2) server, which collects the stolen data and can direct the bots in large-scale attacks. Through activity monitoring, keylogging and form grabbing it steals the user's credentials and confidential data. It can also inject extra fields or fake pages into the banking websites the user visits (so-called web injects) or display fraudulent notifications that send the user to an attacker-controlled page, misleading them into entering further confidential information.

How does it affect SMS-based 2FA?

ZeuS also has a mobile component (known as ZitMo, "ZeuS-in-the-Mobile") that infiltrates the user's phone and monitors activity there, such as key presses, visited websites and incoming notifications. To date, many users still rely on SMS-based OTPs for two-factor authentication. While monitoring the infected PC, ZeuS steals the credentials the user enters, such as login ID, password and the mobile number registered to receive SMS OTPs; the mobile component then forwards the OTP messages themselves. SMS-based OTPs can therefore be intercepted both on the user's device and in transit through the carrier network. ZeuS sends these details to the attacker, who logs in with the stolen credentials, triggers a fresh SMS OTP and reads it from the forwarded messages, completing the login or transaction as the victim. ZeuS botnets have bypassed SMS-based 2FA at banks and other financial institutions in the past.

How to protect against ZeuS?

The safety and security of the device on which the 2FA token is delivered or generated comes first; the weakest link is the device and the human using it. Smartphones with hardware-backed key storage and full-device encryption, such as Apple's, raise the bar considerably, and iOS restricts installation to apps from the App Store, which screens each submission for malicious code. Neither measure makes a device impossible to compromise, but together they shrink the attack surface a trojan can use. Cheap or unpatched devices, by contrast, may lack hardware-backed key storage, and their software-only protection is easier for an attacker to defeat. Keep your device free of malware, do not install apps from unknown or untrusted sources, keep the operating system updated, and learn to recognise malicious links and websites.

While ZeuS may intercept credentials and SMS-based OTPs on the user's device, it cannot simply read codes out of other 2FA solutions such as TOTP apps or token-generating devices (disconnected or connected). A disconnected token generator is hard to duplicate because it has no connection to the user's device, so malware on that device cannot reach its secret. Software tokens (e.g. TOTP) and connected token generators compute each code with a keyed hash (HMAC) over a shared secret and the current time step; without that secret the next code cannot be predicted, and a code the malware does capture is only valid for the short window in which it must be entered. The caveat is that a keylogger on an infected machine can still relay a freshly typed TOTP code within that window, so TOTP narrows the attacker's opportunity rather than closing it, and the secret itself must stay in protected storage. The most practical upgrade for safeguarding your accounts is a TOTP-based token, and against malware and spyware such as ZeuS, 2FA still has the upper hand.

Give up SMS-based authentication and move to the current standards of security. Use 2FA solutions such as Google Authenticator or REVE Secure, which protect the shared secret used for time-based OTP generation inside the app itself. 2FA remains one of the most widely deployed and effective controls for safeguarding accounts and privacy.


Shift to Adaptive Authentication

You have probably heard the terms two-factor authentication and multi-factor authentication, used to protect web logins and accounts from attack and data breach. Organizations, however, are seeking solutions that keep security strong while improving user satisfaction. Adaptive authentication is a methodology that uses data analytics and, in some products, machine learning to assess the risk of each login, so that it can deliver a smoother user experience without giving up reliable security.

What is Adaptive Authentication?

As outlined above, adaptive authentication is a risk-based security mechanism, driven by a set of observable parameters, that gives users a simpler and less intrusive, yet stronger, authentication flow.

Adaptive authentication is not a separate solution or application; rather, it is an integral part of a 2FA or any other multi-factor authentication solution. During adaptive authentication, different parameters and user attributes are evaluated to estimate the risk of the login attempt. A low-risk result grants the user direct access without the token-based second factor. If the attempt looks suspicious, based on multiple risk-identifying factors, it is subjected to second-factor authentication, where the user must present a hardware or software token, or it is denied entirely.

What parameters are considered during adaptive authentication?

Given below are some of the most commonly used parameters and user attributes for assessing the legitimacy of a login. Based on these factors, a user may be granted direct access or may be subjected to a second-factor check.

  • User-Behaviour
  • Login Time
  • Device and other software/hardware resources being used for access
  • IP address of the login
  • Geographical location of user’s login

The attributes above, evaluated with analytics or machine-learning models, are used to assess the credibility of the login attempt. Further parameters and attributes may be added to the list to strengthen the check.
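As an added example (not code from the original article or from REVE Secure), here is a small rule-based risk engine over exactly the attributes listed above: device, IP address, login hour and geolocation, with an impossible-travel check derived from the previous login. The weights, thresholds, the `LoginContext`/`UserProfile` types and the sample user "alice" are all constructed for illustration; IP geolocation is assumed to have been looked up before the engine is called. A production system would learn the weights from data rather than hard-code them, but the decision structure (allow, step up to the second factor, or deny) is the same.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginContext:
    """What the login endpoint observes about one attempt (constructed fields)."""
    user: str
    ip: str
    device_id: str   # e.g. a fingerprint bound to a long-lived device cookie
    lat: float       # geolocation of the IP; assumed to be looked up upstream
    lon: float
    when: datetime   # timezone-aware UTC timestamp


@dataclass
class UserProfile:
    """Per-user history the risk engine keeps (assumed to be persisted elsewhere)."""
    known_devices: Set[str]
    known_ips: Set[str]
    usual_hours: range                  # UTC hours at which this user habitually logs in
    last_login: Optional[LoginContext]  # None for a brand-new account


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


MAX_PLAUSIBLE_KMH = 900.0   # about airliner speed; faster than this is "impossible travel"
STEP_UP_THRESHOLD = 30      # at or above: demand the second factor
DENY_THRESHOLD = 100        # at or above: refuse outright


def risk_score(profile: UserProfile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Additive risk score over the signals the article lists. The reasons are
    returned alongside the score so every decision can be audited later."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if ctx.ip not in profile.known_ips:
        score += 20
        reasons.append("unknown IP address")
    if ctx.when.hour not in profile.usual_hours:
        score += 15
        reasons.append("unusual login hour")
    last = profile.last_login
    if last is not None:
        km = haversine_km(last.lat, last.lon, ctx.lat, ctx.lon)
        hours = max((ctx.when - last.when).total_seconds() / 3600.0, 1e-6)
        if km / hours > MAX_PLAUSIBLE_KMH:
            score += 60
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(profile: UserProfile, ctx: LoginContext) -> Tuple[str, int, List[str]]:
    """Map the score to allow / step_up / deny. step_up means: run the normal
    2FA token check before granting access."""
    score, reasons = risk_score(profile, ctx)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# --- constructed sample data (documentation IP ranges, fictitious user) ---------------
LONDON = (51.5074, -0.1278)
SYDNEY = (-33.8688, 151.2093)
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)

ALICE = UserProfile(
    known_devices={"laptop-1"},
    known_ips={"203.0.113.10"},
    usual_hours=range(7, 20),
    last_login=LoginContext("alice", "203.0.113.10", "laptop-1", *LONDON, T0),
)


def attempt(ip: str, device: str, where: Tuple[float, float], hours_after: float) -> LoginContext:
    """Build a follow-up login attempt relative to Alice's last known login."""
    return LoginContext("alice", ip, device, where[0], where[1], T0 + timedelta(hours=hours_after))


if __name__ == "__main__":
    for label, ctx in [
        ("routine", attempt("203.0.113.10", "laptop-1", LONDON, 1)),
        ("new phone", attempt("203.0.113.10", "phone-9", LONDON, 1)),
        ("late night", attempt("203.0.113.10", "laptop-1", LONDON, 17)),
        ("takeover", attempt("198.51.100.7", "unknown-0", SYDNEY, 2)),
    ]:
        print(label, decide(ALICE, ctx))
```

Two design points are worth noting. A single weak signal (a late-night login from the usual laptop) stays below the step-up threshold, which is what keeps the experience smooth for genuine users; it is the combination of an unknown device, an unknown IP and impossible travel that pushes the Sydney attempt to a hard deny. And because a ZeuS-style attacker logs in from their own machine, not the victim's, the device and IP signals fire precisely in the case the first half of this page describes, so adaptive authentication complements rather than replaces the second factor.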

Why is Adaptive authentication getting popular?

The primary, and perhaps the single, reason behind the interest in adaptive authentication is ease of authentication, which users find useful and engaging. Although second-factor authentication has been proven to deliver stronger security, some users find it tiresome and frustrating to complete the second factor every time they log in.

Adaptive authentication lets a genuine, authorized user gain direct access to their account without performing the second-factor step, unless they try to log in from an unusual location or IP address, with unconventional software or hardware, or at an odd time.

Thus adaptive authentication not only provides a risk-based security check, but also maintains user interest and thereby delivers a higher satisfaction rate.

At present, very few security solution providers, e.g. REVE Secure, deliver adaptive authentication with their 2FA or MFA solution, providing a high level of security without sacrificing the user's interest and experience.