Two-Factor Authentication Hacking

By Chris Griesemer, partner at The Whitlock Co. and specialist in internet technology audits for banking clients.

First, let me explain how two-factor authentication (2FA) works. 2FA requires you to not only enter your username and password but also a one-time code from another source such as a phone, email, or authenticator app. When you sign up on a website or an app that requires a login, you can increase the security of that site/app by using 2FA. Take your bank for example. When you turn on the 2FA option on your online bank account, it increases your account security by texting you a code that you must enter in order to log in.

Be Vigilant Even With Two-Factor Authentication

According to Joseph Cox at Vice Magazine in an article titled, “The Booming Underground Market for Bots That Steal Your 2FA Codes”, hackers have devised a creative way to steal your 2FA access code. For this hack to work, a few assumptions must be made. First, a hacker needs access to your username, password, and cell phone number. Don’t underestimate how many people have had their financial login information stolen. In 2020 alone, nearly half of Americans experienced some form of financial identity theft. Some people have so much confidence in 2FA, they relax on the complexity of their password. Or they don’t create unique passwords for different sites because again, they know they are using 2FA and think they are safe. This could easily happen to you if you are not aware of how to identify it.

How Does 2FA Hacking Work?

Hackers begin by entering their target’s cell phone number into an automated bot. The bot then calls the cell phone number of the target and plays a recording telling them a suspicious transaction has been attempted on their account and to make sure that it should be declined; a code will be sent to the target’s cell phone. Then the hackers use the username and password they have already compromised  and attempt to log in to the service. The service then sends a code to the user and the user thinks this is the code they need to enter to tell this bot that they did not authorize the suspicious transaction. Unfortunately, when the target sends the code to the bot, it gives the hackers the 2FA code and they can log into the website or app and do what they want.

How to Avoid This Two-Factor Authentication Hack

To make sure you don’t fall for this trick, never type a code into a robo call. If this happens to you, know that your username and password have been compromised and you should start identifying which ones you need to change. Maybe all of them. If you have questions about this or any cyber security issue,  please don’t hesitate to contact Chris Griesemer or Caleb Swadley at The Whitlock Co.