If you have a Google account you must have two-factor authentication enabled in order to prevent anyone to use your account by just having your username and password.
If you don’t know how to do that, check my free eBook here. 2FA requires something that you know (username and password) and something that you have (smartphone) in order to allow access to your account.Unless somebody gets all of them, they simply can’t steal your account.
Alex MacCaw has published screenshots from a new scam appeared that is targeting Google users who have two-factor authentication enabled (2FA).
It works like this:
- You receive an SMS pretending to come from Google requesting you to reply via SMS immediately with the code you receive from the real Google.
Or, if you were not convinced, there is even a better version available:
I will try to hack my own GMAIL account, just to see how hard it is.
This is how Google tries to help to get your password reset:
- Select option 1
2. Select a recovery email address to receive a code:
3. Click on “Verify your identity” above
Whoa… I don’t remember the second one … But the first one is definitely today 😉
4. Google doesn’t care too much about what I entered or the info I added there was valid 🙂
Next questions is one selected by me. I clicked “Skip this question”.
5. Next I am required to add up to 5 email addresses I contacted, up to four labels I created and the first recovery email address I remember.
I skipped all of them.
6.”Other Google” products I use by selecting one and adding Month and year
Seriously?! I have no idea when I started using them.
7. Last step: Contact information where they should send me to reset my password.
I do not understand how this should work…
The only way an attacker can use that code is when the attacker knows
- your username
- your password
- And additionally, reconfigures Google to send you an SMS instead of, for example, requesting the code via Authenticator.
Of course, it can be that Alex MacCaw received just a random SMS with his email address.
But then everything would be just for nothing: the attacker would have had still to enter your password in order to reach the point where to enter the code. And here Google would require a different code.
So, all this is useless unless they know your password!
And these days it is not that hard to find someone’s password with so many breaches and email + password dumps flying around.
- Enter your username and password
2. Change to “try other way to sign in”
3. Select the mobile phone
4. Receive the SMS
So, Alex MacCaw, does the attacker know your password?
Or was it just a useless random sms ?
© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch