Recently I came across an article relating to a Two-Factor Authentication Scam. I passed on this information to our employees here at SmartVault and we believe this
information should be passed on to you, our customers, as well as your clients.
What is a two-factor authentication scam?
Well, first off, let me explain Two-Factor authentication. This type of authentication typically involves sending a code to your registered mobile device after you’ve entered your username and password into a website that has enabled Two-Factor authentication. After a successful username/password entry, the website will text you a code which you will input into the website to gain full access. Some sites which offer Two-Factor authentication are Google, Yahoo, and various banking facilities.
How does this scam work?
For this Two-Factor authentication scam to work, the bad guys need the following three things:
- Your username
- Your password
- Your authentication code
With the data breaches that have occurred, chances are your username and password (one reason why using the same password for multiple sites is a very bad idea) may be in the wrong hands. Now the bad guys just need to phish for your authentication code.
How do they do that? They send you a phishing text messages stating your account may have been compromised, and request that you text-reply the authorization code you are about to receive to confirm your identity. The bad guys then attempt a login to the target website using your username/password. That login triggers a text message to you containing the authentication code.
The bad guys now send another phishing text to your phone requesting that authentication code sent by the website. If you fall for this phishing attempt and text the authentication code back to the bad guys, they immediately enter that code, finalize the login for that target website and immediately change the password/security/phone numbers associated with that account. You are now locked out of your account and they have it for their use!
How can you protect yourself?
Here are the key takeaways for keeping your identity protected:
- Never re-text your authorization code.
- If you are receiving authorization codes to your mobile device, your account associated with that site may have had the password compromised. Change the password for that account by directly logging into to that website (type website address directly in your web browser’s address bar).
- Don’t be afraid to ask your IT department for assistance or that computer security-savvy friend you know for guidance!