How clever social engineering can overcome two-factor authentication… or not?

If you have a Google account you must have two-factor authentication enabled in order to prevent anyone to use your account by just having your username and password.

If you don’t know how to do that, check my free eBook here. 2FA requires something that you know (username and password) and something that you have (smartphone) in order to allow access to your account.Unless somebody gets all of them, they simply can’t steal your account.

Until now…

Alex MacCaw has published screenshots from a new scam appeared that is targeting Google users who have two-factor authentication enabled (2FA).

It works like this:

  1. You receive an SMS pretending to come from Google requesting you to reply via SMS immediately with the code you receive from the real Google.

Or, if you were not convinced, there is even a better version available:

 

I will try to hack my own GMAIL account, just to see how hard it is.

 

This is how Google tries to help to get your password reset:

  1. Select option 1

tfa-google

2. Select a recovery email address to receive a code:

tfa-google2

3. Click on “Verify your identity” above

tfa-google3

Whoa… I don’t remember the second one …  But the first one is definitely today 😉

 

4. Google doesn’t care too much about what I entered or the info I added there was valid 🙂

Next questions is one selected by me. I clicked “Skip this question”.

 

5. Next I am required to add up to 5 email addresses I contacted, up to four labels I created and the first recovery email address I remember.

I skipped all of them.

 

6.”Other Google” products I use by selecting one and adding Month and year

Seriously?! I have no idea when I started using them.

7. Last step: Contact information where they should send me to reset my password.

tfa-google7

 

Conclusion

I do not understand how this should work…

The only way an attacker can use that code is when the attacker knows

  • your username
  • your password
  • And additionally, reconfigures Google to send you an SMS instead of, for example, requesting the code via Authenticator.

Of course, it can be that Alex MacCaw received just a random SMS with his email address.

But then everything would be just for nothing: the attacker would have had still to enter your password in order to reach the point where to enter the code. And here Google would require a different code.

So, all this is useless unless they know your password!

And these days it is not that hard to find someone’s password with so many breaches and email + password dumps flying around.

 

 

Like this:

 

  1. Enter your username and password

tfa-g

2. Change to “try other way to sign in”

tfa-g2

3. Select the mobile phone

tfa-g3

4. Receive the SMS

tfa-g-sms

 

 

So, Alex MacCaw, does the attacker know your password?

Or was it just a useless random sms ?


© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

One thought on “How clever social engineering can overcome two-factor authentication… or not?

Comments are closed.