Two-step authentication is a popular method of authenticating with the server by sending numerical values from the PC to the smartphone's email and SMS in the second step as well as the user name and password in the first step. The first step is authentication using the user's knowledge, and the second step is the same one-factor authentication by use of figures sent by the server. This method is proved to be very dangerous according to a report from Police department of Japan in September in 2019. It says that a large amount of deposits in an internet banking were stolen due to a phishing attack.
As the first contact,
an email was sent from the criminal to the user. There you will be instructed to enter the Internet banking site at the URL indicated for the reason of the lie, saying "Your account is temporary halted due to security reason. Please click the following URL site to restore the account".
As the first verification, (see ①-④ in figure below)
① The deceived user clicks the button to go to the bank site. It's actually a fake site that criminals resemble a real banking site.
② The ID and password are entered as the first step authentication, but the password is actually sent to this fake site.
③ Criminals log in to the real site separately from the user. For the user name and password, you can use the real password sent by the user.
④ The bank server receives the login with the registered password and performs the first stage authentication. The bank site sends e-mail and SMS to the user's registered device according to the procedure
User - Criminal - Bank Server for 1st step verification
As the second step, (see ①-⑤ in figure below)
① The user receive a requirement to enter one-time password into the computer, which is sent to user's registered device such as smartphone or is generated by stand alone random number generator.
② The one-time password entered by the user is sent to criminals at the fake site, and the criminals receive it.
③ The criminal re-enter it at a real bank site.
④ Since the bank server has been authenticated in the second place, it will give criminals an enhanced access to the account.
⑤ The user sends the appropriate message to the criminal and logs out. At the same time, the criminal gained access to the user's account and executed fraudulent operations such as bank transfer.
User - Criminal - Bank Server for 2nd step verification
In this two-step verification, it looks safe because you have been authenticated twice and the data is sent to your registered smartphone. For phishing like this example, two-step authentication is completely meaningless. In the same way, there is also a two-factor authentication method that sends a click signal for approval etc. directly from the registered smartphone to the bank site in the second stage. If you apply the above scenario, even if you use the second element that has a smartphone, criminals can illegally obtain access to bank accounts.