Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.
How a hacker circumvents two-factor authentication:
- First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.
- Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.
- The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).
- This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.
- The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.
- Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.
- The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.
- The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!
So in short, the crook somehow gets your password (easy with brute force software if you have a weak password) and username or retrieved in a data dump of some hacked site. They spoof their text message to you to make it look like it came from the company of your account.
Red flags/scams/behaviors/requests to look out for:
- You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).
- If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?
- Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.
Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.
- How to use two-factor authentication for critical accounts
Have a small business? Great. Have two-factor authentication for your accounts? If you’re not sure of the answer to that question, you could be in trouble. October is National Cyber Security Awareness Month, the perfect time to learn more about cyber security. As a small business owner, you certainly have thought about data breaches. They
- You need Two-Factor Verification for your Amazon Account
If you have a strong password for your Amazon account, you may still want to consider beefing up the security with two-factor verification (or authentication), which will prevent a thief from accessing your account (which is possible if he gets ahold of your password and username somehow). Log onto your Amazon account. Have your mobile phone with
- How To Recover a Hacked Facebook Account
If you found this post in search and need a quick link go here: https://www.facebook.com/help/?faq=203305893040179&ref_query=hacked If you want to learn, read on. At least weekly some stressed out victim of a Facebook hack a.k.a “account takeover”, contacts me to help them get their account back in order. While I do have a connection or two at Facebook, I’m
- 32 Million Twitter Pass for sale Add two-factor NOW
The Dark Web, according to LeakedSource, got ahold of 33 million Twitter account details and put them up for sale. Twitter thus locked the accounts for millions of users. Twitter, however, doesn’t believe its servers were directly attacked. So what happened? The bad guys may have created a composite of data from other breached sources. Or,
- How to win the War on Phishing
A phishing attack is a trick e-mail sent randomly to perhaps a million recipients, and the thief counts on the numbers game aspect: Out of any given huge number of people, a significant percentage will fall for the trick. The trick is that the e-mail contains certain information or is worded in such a way as