Several large-scale data breaches have been reported recently, leaking the passwords and personal information of millions of accounts (Twitter, LinkedIn and major email providers among them). As if that were not bad enough, attackers are now using the leaked information to go after accounts that have Two-Factor Authentication (2FA) enabled.

What is Two-Factor Authentication?

As a measure to improve the security of our digital accounts, 2FA is a feature offered by service providers such as Twitter and Google that lets users verify their identity through two separate validation steps when accessing their account. The first factor is usually the password; once it is validated, the user is presented with a second mechanism to confirm their identity, which can take various forms: physical or digital tokens, or security codes sent to a personal email address or by SMS.

Google’s 2-step verification process.

So even if an attacker manages to steal your account password, they still need to get hold of the second-factor verification code to get into your account.

Social Engineering as the Trick

Unfortunately, attackers will try whatever technique or trick they can to get at your information and accounts, and in this case what they are after is tricking the user into disclosing the second-factor code, using social engineering.

Sample 2FA text message.

As reported and warned by Alex MacCaw, co-founder of the data API company Clearbit, attackers are spoofing text messages to trick users into disclosing the verification code for the second stage of 2FA.

Here is the technique

  1. The victim receives a text message from the attacker impersonating the service provider with which the victim has an account.
  2. The message explains, in formal language, that "suspicious" activity has been detected on the account, and asks the victim to send back any 2FA code they receive as part of the verification process in order to avoid being locked out. The attacker then triggers that real code by attempting to log in with the victim's leaked password.
  3. The victim, fearing losing access to the account and worried about the attack, replies with the code, believing they are replying to the real provider.
  4. That reply hands the attacker the code, letting them complete the login and bypass the 2FA.
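The tell-tale sign of this technique is that a genuine 2FA text delivers a code and never asks you to reply with one. As an added example (not code from the original post, from Alex MacCaw or from Clearbit), the Python script below turns that observation into a heuristic check over incoming text messages. The sample messages, the short-code allow-list and the scoring threshold are constructed assumptions for the demo.

```python
"""Heuristic detector for 2FA code-phishing text messages.

Added example, not code from the original post. The sender allow-list,
the scoring threshold and the sample messages are assumptions made up
for this demonstration.
"""
import re
from dataclasses import dataclass, field

# Assumed: short codes from which the legitimate providers send 2FA codes.
# These values are hypothetical, not real provider data.
KNOWN_2FA_SENDERS = {"22000", "40404"}

# Phrases that ask the recipient to hand a code back. A genuine 2FA message
# delivers a code; it never asks you to reply with it.
REPLY_WITH_CODE = re.compile(
    r"\b(reply|respond|send( us| back)?|text( us| back)?)\b"
    r"[^.]{0,60}\b(code|pin|passcode)\b",
    re.IGNORECASE,
)
# Pressure language typical of the lure ("suspicious activity", lock-out threats).
URGENCY = re.compile(
    r"suspicious activity|unusual activity|locked|suspended|immediately"
    r"|within \d+ (minutes|hours)",
    re.IGNORECASE,
)
# A 4-8 digit code in the body: genuine 2FA texts carry one, lures do not.
CODE_IN_BODY = re.compile(r"\b\d{4,8}\b")


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list[str] = field(default_factory=list)


def classify_sms(sender: str, body: str, known_senders=KNOWN_2FA_SENDERS) -> Verdict:
    """Score an inbound SMS; a score of 3 or more is flagged as code phishing."""
    score, reasons = 0, []
    if REPLY_WITH_CODE.search(body):
        score += 3  # the single strongest indicator
        reasons.append("asks recipient to reply with a code")
    if URGENCY.search(body):
        score += 1
        reasons.append("urgency / lock-out language")
    if sender not in known_senders:
        score += 1
        reasons.append("sender is not a known 2FA short code")
    if not CODE_IN_BODY.search(body):
        score += 1
        reasons.append("no code delivered in the body")
    return Verdict(suspicious=score >= 3, score=score, reasons=reasons)


# Constructed sample messages (sender, body) for the demo.
PHISH = (
    "+15550101",
    "Twitter: We detected suspicious activity on your account. To avoid "
    "lock-out, reply to this message with the verification code we just sent you.",
)
GENUINE = ("40404", "Your Twitter login code is 482913. Do not share this code with anyone.")
BENIGN = ("+15550199", "Hey, are we still on for lunch at 12?")


if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("genuine", GENUINE), ("benign", BENIGN)):
        v = classify_sms(*msg)
        print(f"{label:8s} suspicious={v.suspicious} score={v.score} {v.reasons}")
```

The point of the scoring is that the "reply with your code" request alone is enough to flag a message, regardless of how convincing the sender name or the urgency wording is; the other signals only add confidence. The genuine code message scores zero because it contains a code and asks for nothing back.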

Now you might ask how the attacker knows the victim's phone number in the first place. With all the data leaked from those breaches, it is not only your email address and password hash that is exposed, but also personal information such as your address and phone number.

Stay Safe

Use strong, complex but memorable passwords for your accounts, and don't reuse the same password across different accounts.

Don't trust every email or text message you receive claiming your account has been breached; always assume that someone may be trying to scam you. A legitimate provider sends you a verification code; it will never ask you to send one back.

Finally, when in doubt, go directly to the source: the service provider's own website, and change your account credentials there.
