Creating a fake web site (Phishing): the attacker somehow convinces the target to browse to a fake website, masquerading as a legitimate secured service (e.g. the users’ bank account). Once on the fake website, the user tries to access their account by entering their user identification and triggering a 2FA code, which they enter into the fake site. The attacker (operator of the fake site) catches the ID and code, enters the real site and takes over the user’s account. Convincing the target to enter the fake site can be achieved through a well-crafted phishing message by SMS or email, or by pure social engineering. A nice overview of social engineering tactics can be seen here, as explained by RCR Wireless News.

Mobile Identity theft (SIM swap) – the attacker illegitimately convinces the target’s mobile network operator (MNO) to issue the target a new SIM card, and provide it to the attacker. This is achieved by taking advantage of poor security procedures and human errors by the MNO’s personnel. Once the new SIM is operated by the attacker – all SMSs sent to the target are received by the attacker, including any 2FA SMS codes, which enable the attacker to access secured sites and apps. Stacey Schneider’s personal, frightening and well-documented case can be read here.

SS7 attack (SMS hijacking) – As we’ve described in our blog post “A step by step guide to SS7 attacks” the attacker maliciously gains access to the global SS7 network and manipulates the target’s MNO network so that eventually SMS sent to the target device are actually sent to a false location, reaching a device operated by the attacker. This is achieved by issuing crafted false SS7 messages in the network. The target may never be aware that a malicious actor is hijacking all their SMS and accessing their accounts. A well-known case is draining customer bank accounts at the UK Metro Bank.

Fake cell tower and a Man-in-the-Middle attack: Using a fake cell tower, the attacker forces the target’s mobile device to connect to a fake mobile network, controlled by the attacker using a device called “IMSI catcher”. Once the attacked device is hooked onto the IMSI Catcher, the attacker impersonates the identity of the attacked device in front of the real network and provides the target’s device connectivity to the real network. The attacker is then in control of all communication between the target device and the network, and also can intercept SMS 2FA codes to gain access to any desired system. For a better understanding of IMSI Catchers, check out our blog post “Top 7 IMSI Catcher Detection Solutions for 2020”.

https://securityboulevard.com/2020/02/what-are-the-problems-with-2fa-codes-and-whats-apples-latest-proposal-to-solve-them/