Use of two-factor authentication, also known as 2FA security, has so far been regarded as an effective way to protect one’s online accounts. However, an organization now claims this extra step is no longer beyond the reach of hackers.
Two-factor authentication is not the safest anymore
Two-factor authentication has so far proven to be an effective way to keep our devices and personal information safe. Using it is also simple. You log in to an account with the username and password, and then you are sent a second authentication request in the form of a text or email containing a temporary PIN.
2FA is currently one of the most-used security measures, and it is recommended by almost all major sites and apps, including Fortnite. However, cyber-criminals have now found ways to exploit some flaws in 2FA security. These flaws could prove more threatening if you are using your phone for most of your online work. Hackers have now devised ways to hack phone numbers.
On Wednesday, Amnesty International revealed the workings of a mysterious phishing campaign which has been infiltrating user accounts across the Middle East and North Africa. The report notes that the phishing attacks are mainly targeting journalists and activists by using phony emails and login pages. According to the organization, the main objective of these phishing attacks is to trick users into giving up access to their Google and Yahoo accounts, even though they have 2FA security in place.
“What makes these campaigns especially troubling is the lengths to which they go to subvert the digital security strategies of their targets,” Amnesty International wrote.
Using automated phishing attacks to trick 2FA security?
Since the second factor in two-factor authentication is primarily a string of random digits sent to you, all a hacker needs to do is trick their victims into handing over the code. According to the organization, hackers trick their victims by sending fake security alerts which appear to be from Google and Yahoo. The alert says their account security may have been compromised. It also includes a link to an official-looking page to reset the password.
“To most users a prompt from Google to change passwords would seem a legitimate reason to be contacted by the company, which in fact it is,” says Amnesty International.
The organization learned of such phishing attacks when it investigated some suspicious emails it received from human rights activists and journalists. To investigate further, the group created a temporary Google account and did what the hackers wanted them to do.
“Sure enough, our configured phone number did receive an SMS message containing a valid Google verification code,” the organization said.
Amnesty International also found that the mysterious group used web application testing tools to automate the attacks. This automation helps the hacker enter the one-time code sent for 2FA security into the real Google or Yahoo login page before the time limit expires.
Despite such phishing attacks, Amnesty International still recommends using two-factor authentication. However, the organization also wants people to be more careful because such a system has limitations.
How can you stay ahead of cyber-criminals?
Apart from being careful, there are a few other ways which may help you avoid such attacks. One efficient way is to use a secondary number which directs calls and texts to your primary cell phone, according to USA Today. A secondary number helps keep your primary number safe when setting up 2FA security.
Moreover, your secondary number will still be accessible via web or another phone even if you lose your phone or switch to another carrier. You can easily get a free secondary number from Google Voice for voice calls, texts and voicemail. You will need to have an active Google account to get a number.
Once you get a secondary number, you can use it in 2FA instead of your primary number. However, it has one limitation. If hackers took control of your Google account somehow, this secondary number would not help you since it’s connected to your Google account.
Another way is to use authenticator apps for two-factor authentication, which are easier to use and are considered safer than text messages. There are many popular authenticator apps you can use, like those offered by Google, Authy, Microsoft, LastPass, FreeOTP and others.
You can also opt for a security key to protect your online property. These keys are hardware-based devices and are a substitute for the two-factor authentication process. Users need to insert these USB-based keys into their device to log into the supported account. It is the safest method because it would be pretty hard for the hacker to steal this key.
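The following is an added example, not taken from Amnesty International's report or from this article. It shows why a one-time code that is relayed to the real login page within its time limit is still accepted, and why a response from a security key is not. Assumptions: the hostnames and challenge are constructed, the secret is the RFC 6238 test secret, and HMAC stands in for the public-key signature a real security key produces over the site origin.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds one TOTP code stays valid (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Input is only the secret and the time."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_code(secret: bytes, code: str, now: int) -> bool:
    """The server cannot tell which page the code was typed into."""
    return hmac.compare_digest(totp(secret, now), code)

def key_response(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified security-key model: the response covers the origin the
    browser actually visited. HMAC stands in for the real signature."""
    msg = challenge + b"|" + origin.encode()
    return hmac.new(key_secret, msg, hashlib.sha256).digest()

def server_accepts_response(key_secret: bytes, challenge: bytes,
                            response: bytes, own_origin: str) -> bool:
    """The server recomputes the response for its own origin only."""
    expected = key_response(key_secret, challenge, own_origin)
    return hmac.compare_digest(expected, response)

# Constructed sample values (hostnames are placeholders, not from the article).
SECRET = b"12345678901234567890"  # RFC 6238 test secret
REAL = "https://accounts.example.com"
LOOKALIKE = "https://accounts.example-login.test"

def relay_outcomes() -> dict:
    code = totp(SECRET, 40)  # user reads the code at t=40s
    challenge = b"constructed-challenge"
    on_lookalike = key_response(SECRET, challenge, LOOKALIKE)
    on_real = key_response(SECRET, challenge, REAL)
    return {
        "code_relayed_in_window": server_accepts_code(SECRET, code, 55),
        "code_relayed_after_window": server_accepts_code(SECRET, code, 61),
        "key_used_on_lookalike": server_accepts_response(SECRET, challenge, on_lookalike, REAL),
        "key_used_on_real_site": server_accepts_response(SECRET, challenge, on_real, REAL),
    }

if __name__ == "__main__":
    for name, accepted in relay_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The code check passes for anyone who submits the digits inside the 30-second step, which is why the automation described above matters; the origin-bound response fails as soon as the page the user visited is not the real site.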