October is Cyber Security Awareness month, so we wanted to take a moment to update you on two-factor authentication scams, which can pose a major threat to the security of your data and accounts. Read on to learn more about these scams and how to protect yourself.
What is two-factor authentication?
Two-factor authentication, also known as 2FA, is an authentication method that requires two different kinds of authentication factors (the general form, which allows two or more, is multi-factor authentication, or MFA). A factor is something you know (a password or PIN), something you have (a hardware token or your phone), or something you are (a biometric, such as a fingerprint).[1] Requiring a second factor from a different category means that a stolen or guessed password alone is not enough to get into the account. This is a real layer of protection, but it is not absolute: the scams and techniques described below are designed to get around it.
How does a two-factor authentication scam work?
One of the most common 2FA methods uses SMS text messages. After you enter your password, the service sends a one-time code to the phone number on file, and you type that code into the website or app to finish signing in. The code is only as secret as the channel it travels over and the person holding the phone, so scammers get around SMS-based 2FA by social-engineering you into handing the code over. An example recently posted on LinkedIn by Rich Malewicz involved a scammer who had placed a fake listing on Craigslist.[2]
When the victim responded to the fake Craigslist ad, she apparently shared enough personal information for the scammer to work out her Gmail address. He then started a password reset on that account. Because Google sends a verification code to the phone number on file before it allows a reset, the victim received a perfectly genuine text containing a code, triggered by the scammer's request rather than by anything she had done. The scammer immediately messaged her, claimed he needed the code "for verification purposes," and asked her to send it back. Had she complied, the code would have let him complete the reset, set a new password, and take over the account. The tell here is that a legitimate code you did not request is itself a warning sign: someone else is trying to get in.
Another way attackers defeat SMS-based 2FA is a SIM swap (SIM is the Subscriber Identity Module, the card or profile that ties your phone number to your handset). The attacker first gathers personal details, for example by phishing for the last four digits of your Social Security number, or by harvesting your phone number and likely answers to common security questions from your social media profiles. Armed with those details, they call your carrier, impersonate you, and ask to have your number moved to a SIM they control, or ported out to another carrier.[3] If the carrier complies, your phone loses service and every SMS code for your accounts is delivered to the attacker instead, who uses the codes to reset your passwords and log in as you.
You can protect yourself from 2FA scams by never forwarding or reading out an SMS code to anyone, no matter how plausible the request, and by learning to recognize phishing attempts.[4] Treat a code you did not ask for as a sign that someone is trying to get into your account, and change that account's password. Where a service offers it, we recommend an authenticator app over SMS. Authenticator apps implement time-based one-time passwords (TOTP): the app and the service share a secret key when you enroll, and each code is computed from that key and the current time, so a fresh code appears every 30 seconds and the previous one stops being accepted shortly afterward. Because the code is generated on your device rather than transmitted through the carrier network, a SIM swap or an intercepted text yields nothing.[5] The codes can still be given away, though: a TOTP code typed into a phishing page or read out to a caller is just as useful to an attacker as a texted one, so the rule about never sharing codes applies equally.
Two-factor authentication remains one of the best protections for your systems and accounts, but you still need to recognize the scams attackers use to get around it. A successful 2FA scam can lock you out of your accounts and leave your systems exposed to data theft and other cyberattacks. If you are interested in getting started with our new Phish Alert program, which helps you spot and report phishing attempts before you fall for them, please contact us today. If you have questions or believe you have been the victim of a 2FA scam, contact our 24/7 Operations Center by clicking below or at +1-703-566-9463.