Hackers are using this nasty text message trick to break into people's accounts

The attacker can sometimes even spoof their identity - so the text looks like it comes from Google, or Facebook

Rob Price
Saturday 11 June 2016 11:58 BST
Comments
The hacker enters the victim's password, followed by an ill-gotten 2FA code, and they're in
The hacker enters the victim's password, followed by an ill-gotten 2FA code, and they're in (iStock)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Two-factor authentication is a godsend for securing your accounts.

It requires a second level of proof of who you are - typically a code sent to your phone - before you can log in. This prevents anyone from gaining unauthorised access to your account, even if they manage to get hold of your password.

However, hackers and hijackers are managing to find ways around it.

Earlier this week, Alex MacCaw, cofounder data API company Clearbit, shared a screenshot of a text attempting to trick its way past two-factor authentication (2FA) on a Google account.

Here's how it works:

The attacker sends the target a text message, pretending to be the very company that the target has an account with.

They say they have detected “suspicious” activity to the account, and so are sending the 2FA code to the target, which they should then text back to them to avoid having their account locked.

The victim, worried they are being hacked and not wanting to lose access to their data, sends the code back, believing they have thwarted the attempted hack.

But in doing so, they actually give the hacker the one thing they needed to break into the account.

The hacker enters the victim's password, followed by this ill-gotten 2FA code, and they're in.

The attacker can sometimes even spoof their identity - so the text looks like it comes from Google, or Facebook, or Apple, rather than an unknown number.

Of course, the attacker still needs the victim's password for this to work. But there are a number of ways they could get hold of it. Often they look at data dumps from old hacks for emails/usernames and passwords which they then try on other sites, because so many people reuse passwords across multiple accounts and platforms.

Huge databases of tens of millions of email addresses and passwords have been floating around in the last few weeks - notably from LinkedIn and MySpace. So if you reuse passwords, your login details may be being shared online right now without you realising.

The text message that Alex MacCaw shared on Twitter is above.

To stay safe, use a strong, unique password for every account you have - managing them all with a password manager if necessary - and don't text your two-factor authentication codes to anyone, even if they appear legitimate.

Read more:

• Analysts question the way Apple describes its data
• Mike Ashley has a plan to save BHS with no job losses
• Investors think central banks have lost their power

Read the original article on Business Insider UK. © 2016. Follow Business Insider UK on Twitter.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in