Smishmash - Text Based 2fa Spoofing Using OSINT, Phishing Techniques and a Burner Phone

The presentation discusses the broken state of text-based two-factor authentication (2FA) and the techniques used by attackers to bypass it using publicly available data.

• Text-based 2FA is broken and has been for a long time
• Attackers are using publicly available data to bypass 2FA
• The presentation demonstrates techniques used by attackers to bypass 2FA
• The presentation provides recommendations for protecting against 2FA attacks

The presenters share a story about a colleague who received a fraudulent text message from the local police while abroad, highlighting the long-standing issue of SMS spoofing.

In recent years the data leaks have escalated, and leaked passwords and usernames have become a common attack vector in phishing attacks. Until recently phone numbers were commonly overlooked by attackers as well as red teams. This year has seen an increase in attacks circumventing text based 2fa.In this talk, the researchers will show how it's possible to gather data from publicly available sources and connect the phone numbers most likely used by two factor authentication systems to other leaked email and login credentials. We will simulate an attack armed with your cracked password, email address and phone number.We will show techniques and methods used by real threat actors to bypass text based 2fa using only publicly leaked data using real time attack by indexing OSINT data combined with publicly available attack tools and frameworks.