No matter how safe your neighborhood is, you’d always lock your front door, wouldn’t you? That is, unless you live in a utopian commune (send me the address, please). We all have precious things we want to protect, like jewelry, furniture, vinyl records, and that stamp collection Grandpa left us. Although it’s easier to think of our precious items as physical objects that we protect with a lock and key. It’s important to remember that these days a lot of our valuable information is stored online - behind a username and password.
Although sophisticated passwords are a great start, they can’t guarantee that your information is totally secure online. In the past decade, data breaches and password leaks have struck companies like Facebook, Home Depot, Discord, Yahoo, Target, LinkedIn, and many others. In other words, if you have online accounts, there’s a good chance that hackers have stolen and leaked data from at least one of them.
Enter - Two-factor authentication (2FA) a popular method of protecting your identity and accounts - due to its enhanced security and ease of use. It’s been adopted by organizations, government agencies, social media platforms like Facebook, Twitter, Instagram, and even banks. It’s like a secret digital handshake between us and our most frequented online accounts
Great right? Just use 2FA for all of your online accounts, and you’ll be safe and sound. Unfortunately, as we’ve seen time and time again, scammers are getting increasingly sneaky. And to be perfectly honest, while 2FA is a significant step up from simple password protection, it isn’t completely immune to sophisticated phishing attacks. Gasp… In this article, we’ll deep dive into 2FA and see if it’s really what it’s hacked up to be (pun intended).
What is two-factor authentication?
Two-factor authentication (2FA) is a security measure that requires users to provide two different forms of verification to access an online account. Chances are, you've already encountered 2FA in your daily life. Think of withdrawing money from an ATM: you insert your bank card - one physical layer of verification, and then enter your Personal Identification Number (PIN)—that's the second layer of verification.
Online, the process is remarkably similar, you’ll need to provide two different authentication factors to verify your identity. Typically, this involves something you know (like a password) and something you have (like a mobile device). Here’s a quick look at the two most widely used methods when it comes to 2FA:
SMS, emails, and phone calls One of the most common 2FA methods involve sending a time-sensitive code via SMS, email, or phone call. After entering your username and password, you’ll receive a code on your phone, in your inbox, or via voice call - that you’ll have to enter to complete the login process. An example of this would be using an unknown device to log into your Gmail or Apple account. You’ll need to fill in your username and password, but you’ll also need to enter the multi-digit code that Apple or Google send to your mobile. Only then you’ll be able to access your account.
Authenticator apps Another method involves using an app, like Google Authenticator, which generates a time-based, one-time password (TOTP) that you enter after your regular password.
Let’s break it down for a sec, when you access your bank account, for example, you'll typically sign in with your user ID and a password. But 2FA takes security a step further: it requires you to enter a one-time password (OTP). Only after entering this code on the bank’s website you’ll be able to access your account. This additional step makes it super difficult to hack your account, or does it? Scammers are now turning this extra security method against us, using 2FAs for phishing attacks and creating fake authentication sites. Wowza.
How secure are your online accounts?
The 2FA dilemma: Verification code scams
As security measures evolve, so do cybercriminals and their tactics. While 2FA was once considered a robust defense against unauthorized access, attackers are now deploying sophisticated social engineering and phishing techniques to deceive people into sharing their verification codes.
2FA phishing attacks
In order for cybercriminals to perpetrate verification code scams and gain full access to any of your 2FA-protected accounts, they need three things:
-
Your username
-
Your password
-
Your authentication code
Here’s how it works, scammers send emails or text messages posing as a trusted service (like your bank), asking you to confirm a login attempt by replying with your 2FA code. This is a classic case of social engineering in action. Let’s say an email from your bank lands in your inbox. The email warns you that your account has been locked and you need to re-enter your credentials to resolve the issue. While the email is totally fake, it looks exactly like a real communication you’d get from your bank, same font, colors, and logo, you wouldn’t even know the difference.
The email contains a link to a fake login page identical to the bank’s real one. After you enter your credentials (including cell number), you’ll be asked to enter a 2FA code sent to your mobile. This is where things get nasty - now the scammer has your credentials and all they need is your one-time 2FA password. Once you enter the 2FA code, it’s game over. The scammers have everything they need and a brief window of time (before 2FA expires) to - reuse your credentials and wreak havoc on your account. Ironically, the security tool that’s meant to protect us has been exploited by cybercriminals to harm us.
Man-in-the-Middle Attacks (MiTM)
Using this tactic, scammers secretly relay and possibly alter the correspondence between two people who think they are directly communicating with each other. This is how it works, hackers will "hijack" information by appearing as though they are participating in a conversation or data transfer. Metaphorically, the cybercrinals position themselves between the user's web browser and the website server. Next, they steal or change the information that you just exchanged.
They do this by using MiTM phishing toolkits designed to function as reverse proxies, channeling traffic between the victim (1), the phishing site (2), and the genuine service (3).
For example, when you enter your 2FA code on a phishing site, you’re essentially accessing a legitimate site. However, since all data passes through the reverse proxy, a scammer can intercept your session and then use your code to access your account in real time. Once they have your details and authentication cookies, the scammer can then hack your accounts or sell your details in specialized underground markets like the dark web.
MiTM phishing is ideal when cybercriminals aim to steal credentials without resorting to malware, eliminating the need for human intervention. This might explain why email, social media, and certain gaming accounts—unlike banking sites—are prime targets. Because usually, these platforms have a more lenient login procedure, keeping you signed in until they choose to log out.
How do I protect myself from 2FA scams?
Two-factor authentication (2FA) has been a huge advancement in digital security, but cybercriminals have created strategies to sidestep or manipulate it. So while 2FA remains an essential security component, it's important to understand its boundaries and not solely depend on it.
To make sure you’re fully protected, it’s important to add these extra layers of security:
Multi-factor authentication (MFA): This involves using three or more factors of authentication. It might include something you know (password), something you have (a phone or hardware token), and something you are (fingerprint or facial recognition).
Hardware tokens: These are physical devices that generate authentication codes and are immune to phishing attacks since they are not connected to the internet. Additionally, there are "soft tokens," which are mobile applications designed to display similar information, serving the same security purpose.
Spotting phishing attempts: Be cautious with unsolicited communications asking for your credentials. Always double-check the URL and the sender’s email to ensure it’s truly from the organization it claims to be from. If you want to learn more about how to stay safe from phishing, check out our comprehensive guide.
Security software: Having online security tools is becoming a must when it comes to keeping your accounts safe online. Guardio is a web extension and app that protects your accounts from scammers. Identifies senders with a bad reputation.
-
Constantly protects your inbox from phishing emails and new threats.
-
Tells you if the email contains links that lead to dangerous sites.
-
Notifies you in real-time if malicious emails bypass your spam filter.
-
Alerts you of emails with verification code scams that pose a risk to your personal information.
Guardio offers a comprehensive solution that goes beyond traditional 2FA, and helps eliminate the risk of falling victim to verification code scams, phishing attempts, and clicking on dangerous links.
Nowadays, safeguarding our online presence is as crucial as locking our physical doors. Strong passwords are a start, but even giants like LinkedIn and Facebook have faced data breaches. While 2FA is a commendable layer of security, it is not perfect. To stay one step ahead of cybercriminals it’s important to use Multi-factor authentication (MFA), or hardware tokens and arm yourself with security tools like Guardio.
