Learning to Bypass Two-Factor Authentication
Tuesday, June 14, 2016 @ 03:06 PM gHale
There is a way to trick victims into revealing their two-factor authentication code, while thinking they’re actually protecting their accounts.
Two-factor authentication is a second layer of authentication online services support, from banks to Google, from Facebook to government agencies.
Two-factor authentication works by requiring a user to enter a code they received via SMS on their phone after they logged into a two-factor authentication-protected account. If the user doesn’t enter the code promptly, the login is classified as a hacking attempt, and the user blocked from accessing the account, even if they entered the correct password.
This past week, Alex MacCaw, co-founder of Clearbit.com, tweeted out the image of an SMS he had just received.
An unknown attacker sent MacCaw an SMS message. The SMS read:
“(Google Notification) We recently noticed a suspicious sign-in attempt to firstname.lastname@example.org from IP address 22.214.171.124 (Vacaville, CA). If you did not sign-in from this location and would like to lock your account temporarily, please reply to this alert with the 6-digit verification code you will receive momentarily. If you did authorize this sign-in attempt, please ignore this alert.”
Basically, the attackers were mentally preparing the victim to receive the two-factor authentication verification code, for their illegal login attempt they were about to carry out.
The crooks were going to access MacCaw’s account, and when his two-factor authentication system would kick in, MacCaw would act to lock his account by sending the “verification code to Google.” MacCaw would be sending the two-factor authentication code to the crook, who would then enter it in the login page and access his account, with his cooperation.
MacCaw recognized their tactics and didn’t fall for this new type of social engineering trick.
If you receive an SMS like this, don’t reply with any verification code and change your password immediately.
An attacker will try this type of attack only when he is in possession of a password, otherwise sending this SMS would be useless.