2-Step Verification Scam
With more users realising the security benefits of 2-step authentication, criminals are coming up with new ways to break into your account.
What is 2-Step Authentication?
2-step authentication is the process of using a trusted device, such as your smartphone, to authenticate you when you log into a webservice from a non-trusted device.
Sites such as Gmail, Facebook, Twitter and Outlook/Hotmail have been offering 2-step authentication for some time, and all users should have it activated where possible.
When you (or someone else) attempt to log into your account on an untrusted device, such as a friend's computer, an internet cafe or some hacker's PC, the website sends a request to a previously registered trusted device, usually your smartphone, either by texting you a security code or by activating an installed app that generates a code. You then type that code into the website to confirm you are indeed you.
Why should I have this?
Most websites allow you to change your password from the logon screen, as long as you have access to your email address, by clicking through the 'Forgot Your Password' link. So if a hacker can get to your emails, they can potentially access any website you use and lock you out of it.
How do they get around 2-step authentication?
The latest tactic is for the criminal to use publicly searchable sites to find your email address and mobile phone number. You'd be surprised how easy this can be, especially if you're a big internet user!
Once they have both these bits of info, they send you a text message along the lines of "Outlook.com security have identified unusual activity on your account, please reply to this text with the security code we text you to confirm your identity". An unsuspecting user now thinks something is up and waits for Outlook (or whoever) to send them a security number.
The hacker then goes to Outlook.com with the user's email address and activates the 'forgot password' option to get the server to send out the security code.
Once the user receives the code, they unknowingly reply to the hacker with the very code needed to verify the login, allowing the hacker to log in and access your emails.
What should I do?
No 2-step verification service will ever ask you to text your security code back to it; you only need to enter the code into the web interface when logging in from an untrusted computer. Being vigilant is the best defence against this kind of phishing attack.
tinsleyNET IT Services Consultant
IT Support for small to medium sized businesses, home office workers and home users across the West Midlands and Shropshire.