Two-factor authentication has been hailed as a significant step forward in online security, letting us log in with confidence to sites such as Gmail. Websites that once required only a password now require a complex password plus a second form of authentication from a mobile device, or implement other two-factor systems. However, as with everything, two-factor authentication isn’t impervious to flaws, and a new report by Amnesty International details how hackers have been phishing two-factor codes.
Authenticating with a two-factor system is two-step, as the name suggests, and will typically involve asking a user to enter both a password and a code that is either generated by or sent to a mobile device. This option does help prevent hackers from accessing user accounts when they have obtained only one factor, such as a password exposed in a website’s data breach. But if you unknowingly hand your two-factor code to a malicious individual or site, the system has been defeated.
The Amnesty International report noted that hackers have begun using an automated process: first phishing your password through a fraudulent website, then submitting that password to Gmail, which triggers a two-factor text message, and finally prompting you to enter that code into the fraudulent site.
Because some systems don’t require a user to re-authenticate to switch off two-factor, hackers can then quickly walk away with your account. Even without taking full control of an account, hackers can generate app-specific passwords, secondary passwords that can be used to access two-factor accounts without needing to re-authenticate each time.
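The re-authentication weakness described above, illustrated with an added example that is not code from the report or from any real account service: a small Python model in which every verification code is bound to one stated purpose and a single use, so a code captured at login cannot later be redeemed to switch off two-factor or mint an app-specific password. The in-memory store, the purpose names and the five-minute lifetime are constructed for this example.

```python
import secrets
import time

# Constructed in-memory store for this example; a real service would persist
# challenges server-side and deliver the code out of band (SMS or app).
CHALLENGE_TTL_SECONDS = 300
_challenges = {}  # (user, purpose) -> {"code": str, "expires": float, "used": bool}


def issue_challenge(user, purpose, now=None):
    """Create a single-use code that is valid only for one stated purpose.

    'purpose' is part of the lookup key, so a code issued for "login" can
    never be redeemed to authorise "disable_2fa" or "create_app_password".
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _challenges[(user, purpose)] = {
        "code": code, "expires": now + CHALLENGE_TTL_SECONDS, "used": False,
    }
    return code


def verify_challenge(user, purpose, code, now=None):
    """Return True only for an unexpired, unused code issued for this exact purpose."""
    now = time.time() if now is None else now
    entry = _challenges.get((user, purpose))
    if entry is None or entry["used"] or now > entry["expires"]:
        return False
    if not secrets.compare_digest(entry["code"], code):
        return False
    entry["used"] = True  # single use: a code that was relayed once cannot be replayed
    return True


def disable_two_factor(account, user, code, now=None):
    """Turn off 2FA only after a fresh challenge bound to this action succeeds.

    A session that merely logged in (possibly with a relayed login code) does
    not qualify; the caller must obtain and present a "disable_2fa" code.
    """
    if not verify_challenge(user, "disable_2fa", code, now):
        return False
    account["two_factor_enabled"] = False
    return True
```

The same gate, with a "create_app_password" purpose, protects app-specific password generation.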
Throughout 2017 and 2018, hackers targeted more than a thousand Google and Yahoo accounts across the Middle East and North Africa. In its testing, Amnesty International found that the smartphone it set up to exercise the phishing system did indeed receive a genuine authentication text message from Google’s server, triggered by the login made through the malicious site. The organization notes that the attacks targeted dissidents in the United Arab Emirates.
The news is not a reason to disengage any two-factor systems you are currently employing, and we still recommend switching on two-factor authentication for any websites that offer it. It is, however, another bit of proof that no security system is impermeable.