Until recently, logging into an account with a one-time, short-lived code delivered by SMS was considered a simple and reliable barrier against cybercriminals. However, attackers have learned to bypass two-factor authentication for online accounts.
How it works
Attackers first obtain, by whatever means is convenient, the login and password for a particular user's Google account. This is mostly done through phishing. The user receives a fake email, supposedly from Google administration, saying that they urgently need to visit the site and perform some action to secure their account. The unsuspecting user follows the link in the email, lands on a fraudulent site that looks exactly like the official one, and enters a username and password, which the attackers receive instantly.
Finding the phone number linked to the account is not difficult either. But nobody rushes the rest of the attack; instead, an SMS message styled after the service's official messages is sent first, carrying a fake notification. Something like: an unauthorized attempt was made to log into your account, but we caught the intruders red-handed.
To avoid having your account blocked and to prove that you are its true owner, send us the verification code from the following SMS.
The message contains genuine-looking details, the IP address and the login, and its style copies the real messages of Google technical support, so the victim is worried but does not sense the trick; their attention is directed elsewhere.
Then everything plays out in minutes, since the code's lifetime is short:
- the attackers start a login to the account and are prompted for a code
- the SMS with that code arrives on the victim's phone in the normal way
- the victim trustingly forwards the code to the attackers
- verification succeeds, and voila
Strictly speaking, this is not a security breach but a deception: a confidential code is coaxed out of a gullible user. Complaints against Google? What for: two-factor authentication worked exactly as described in the standard and the user agreement. It is another matter that, when it was designed, nobody thought about foolproofing it, however offensive that may sound to millions of people.
What can be done?
The key to the attack is the login-password pair: once the attackers have something to hold on to, launching the attack makes sense. They can extract this data in a thousand and one ways, but it is usually the most careless users who suffer. Mark Zuckerberg, for example, was embarrassed by his super-password "dadada", used across several accounts. Huge databases are regularly stolen and leaked onto the Internet, so make it a habit to use different, strong and complex passwords, and change them at least once a quarter, not only when it is too late and painful.
Security experts recommend actually reading the text of messages from service robots, even if you receive dozens of them a day. What if you notice in time that the message is addressed to a Facebook user while you are using a Yandex or Gmail account? Attackers constantly change their disguises, but minor inconsistencies in their scheme can expose them. If you are asked to follow a link, look closely at the characters in it; it may be a phishing page. And if you have any doubts at all, it is better to notify the security service one more time. That is easier than winning your account back.
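The advice above to look closely at the characters in a link can be partly automated. The following Python script is an added example, not code from the original article; the allow-list of legitimate login hostnames it uses is a constructed illustration, and its "registrable domain" helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup. It decodes punycode so the reader sees what the browser would render, flags non-ASCII and mixed-script hostnames (a Cyrillic "о" next to Latin letters), and flags a real brand domain embedded as a subdomain of some other registered domain, the pattern behind the look-alike site described in the attack.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list of legitimate login hostnames. These are example values
# for the demonstration, not taken from any real configuration.
KNOWN_LOGIN_HOSTS = {"accounts.google.com", "mail.yandex.ru", "www.facebook.com"}


def _script_of(ch):
    """Coarse script name ('LATIN', 'CYRILLIC', ...) taken from the first word of
    the Unicode character name; None for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def registrable_domain(hostname):
    """Crude approximation: the last two labels. Fine for this demonstration;
    production code should consult the Public Suffix List instead."""
    return ".".join(hostname.split(".")[-2:])


def inspect_url(url):
    """Return a list of findings about the link. An empty list only means none
    of these checks fired, not that the link is genuine."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("link is not HTTPS")

    # 1. Punycode labels (xn--...): show what the browser would render.
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            host = host.encode("ascii").decode("idna")
            findings.append(f"punycode hostname renders as '{host}'")
        except UnicodeError:
            findings.append("malformed punycode label in hostname")

    # 2. Non-ASCII letters and mixed scripts: Cyrillic 'о' looks like Latin 'o'.
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in hostname")
    scripts = {s for s in map(_script_of, host) if s}
    if len(scripts) > 1:
        findings.append("mixed scripts in hostname: " + ", ".join(sorted(scripts)))

    # 3. A known brand domain used as a subdomain of a different registered
    #    domain, e.g. accounts.google.com.<something-else>.example.
    reg = registrable_domain(host)
    dotted = "." + host + "."
    for known in KNOWN_LOGIN_HOSTS:
        known_reg = registrable_domain(known)
        if "." + known_reg + "." in dotted and reg != known_reg:
            findings.append(
                f"'{known_reg}' appears as a subdomain of '{reg}', not as the real domain"
            )
            break
    return findings


if __name__ == "__main__":
    # Constructed sample links: one genuine-looking, two in the style of the
    # fraudulent pages the article describes.
    for link in (
        "https://accounts.google.com/signin",
        "https://accounts.google.com.security-check.example/login",
        "https://g\u043e\u043egle.com/signin",  # two Cyrillic 'о' characters
    ):
        print(link, "->", inspect_url(link) or ["no findings"])
```

The checks are heuristics: a clean result does not prove a link is genuine, and a flagged link is a reason to type the service's address by hand rather than follow it. The brand-as-subdomain check is what catches the fraudulent site from the attack narrative even when every character in it is plain ASCII.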