Hacking Around Two-Factor Authentication
Tens of millions of social media usernames and passwords have been compromised over the last few years, and the effects are only now really starting to surface. One such effect is that cybercriminals are using those stolen credentials to break into your other accounts. Thank goodness you have Two-Factor Authentication (2FA), right?
You would be… until last week, that is.
Before getting into the specifics of the scam, it is important to review 2FA and the reasons it is effective:
The user logging into your account must know your username and password. Unfortunately, this information has become increasingly simple and inexpensive for cyber thieves to purchase, thanks to those recent massive data breaches. It can also be obtained through phishing emails whose fake login pages send the username and password you enter straight back to the hacker.
The user logging into your account must also have access to the text or email code in real time.
This second step is what allows you to feel more confident about your security, because if you are NOT the one logging into your account, it is you, not the would-be hacker, who sees the access code. You can then log into your account and change your password.
Well, they don’t say “necessity is the mother of all inventions” for nothing.
Last week, a new scam was uncovered in which hackers (who have already gained access to their targets' credentials) effectively trick their victims into texting the access code back to the criminal.
The attacker sends the target a text message, spoofing the company with which the target has an account. The text states that "suspicious" activity has been detected on the account, that a 2FA code is being sent to the target, and that the target should text the code back to avoid having the account locked.
The attacker logs into the account with the known credentials, which prompts the 2FA code to be sent to the target.
The (worried) target, trying to head off a negative consequence, texts the code back to the attacker, and by doing so hands the hacker exactly what they needed to break into the account.
The hacker now enters the victim's 2FA code, and they're in. As the French would say: "simple comme bonjour".
Below you will find a template, written by Stu Sjouwerman. We urge you to send this ASAP to all of your employees, friends and family members so they are not the next victims.
Share this information via email, social media or carrier pigeon; whatever medium you feel is necessary to get the word out.
If you, your friends, co-workers, employees or family members receive a text and you are not sure if it is legitimate, or for tips on how to make your accounts more secure, please contact us right away, via phone or email. Or carrier pigeon. Our customers’ security is a top priority.