How clever social engineering can overcome two-factor authentication… or not?

If you have a Google account, you must have two-factor authentication enabled in order to prevent anyone from using your account just by knowing your username and password.

If you don’t know how to do that, check my free eBook here. 2FA requires something that you know (username and password) and something that you have (smartphone) in order to allow access to your account. Unless somebody gets all of them, they simply can’t steal your account.

Until now…

Alex MacCaw has published screenshots of a new scam that is targeting Google users who have two-factor authentication (2FA) enabled.

It works like this:

  1. You receive an SMS pretending to come from Google, asking you to reply immediately via SMS with the code you receive from the real Google.

Or, if you were not convinced, there is an even better version available:

I will try to hack my own Gmail account, just to see how hard it is.

This is how Google’s account recovery tries to help you get your password reset:

  1. Select option 1.

  2. Select a recovery email address to receive a code.

  3. Click on “Verify your identity” above.

Whoa… I don’t remember the second one… But the first one is definitely today 😉

  4. Google doesn’t seem to care much about what I entered, or whether the info I added there was valid 🙂

The next question is one I selected myself. I clicked “Skip this question”.

  5. Next I am required to add up to 5 email addresses I contacted, up to four labels I created and the first recovery email address I remember.

I skipped all of them.

  6. “Other Google” products I use, by selecting one and adding the month and year.

Seriously?! I have no idea when I started using them.

  7. Last step: contact information where they should send me the password reset.




I do not understand how this should work…

The only way an attacker can use that code is when the attacker knows

  • your username
  • your password
  • and, additionally, reconfigures Google to send you an SMS instead of, for example, requesting the code via Authenticator.

Of course, it could be that Alex MacCaw just received a random SMS with his email address.

But then it would all have been for nothing: the attacker would still have had to enter your password in order to reach the point where the code is entered. And there Google would require a different code.

So, all this is useless unless they know your password!

And these days it is not that hard to find someone’s password with so many breaches and email + password dumps flying around.



Like this:

  1. Enter your username and password.
  2. Change to “try other way to sign in”.
  3. Select the mobile phone.
  4. Receive the SMS.
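To make the argument concrete (both the list of things the attacker needs above and the four sign-in steps just shown), here is a small Python model of the two-step sign-in. It is added here and is not Google’s code or part of the original post; the account, phone number, code format and SMS wording are constructed, and the server side is a hypothetical simplification. It shows that a phished code is worthless without the password, is only dangerous once the attacker already has the password and triggers the real SMS, and that binding the code to one session with single use and expiry limits the damage further.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed demo data and a hypothetical model of the sign-in flow, not Google's code.
USERS = {"victim@example.com": {"password": "correct horse", "phone": "+15550001111"}}
OTP_TTL = 300                 # seconds a code stays valid
SENT_SMS = []                 # (phone, text) delivered to the victim's phone (constructed log)

@dataclass
class Session:
    username: str
    password_ok: bool = False
    otp: Optional[str] = None
    issued_at: float = 0.0

def login(username: str, password: str) -> Session:
    # Step 1, something you know: only a correct password makes the server send a code.
    s = Session(username)
    user = USERS.get(username)
    if user and hmac.compare_digest(user["password"], password):
        s.password_ok = True
        s.otp = f"{secrets.randbelow(1_000_000):06d}"
        s.issued_at = time.time()
        SENT_SMS.append((user["phone"], f"Your verification code is {s.otp}"))
    return s

def verify_otp(s: Session, code: str, now: Optional[float] = None) -> bool:
    # Step 2, something you have: the code is bound to this session, single-use and time-limited.
    now = time.time() if now is None else now
    if not s.password_ok or s.otp is None or now - s.issued_at > OTP_TTL:
        s.otp = None
        return False
    ok = hmac.compare_digest(s.otp, code)
    s.otp = None                 # burn the code whether or not it matched
    return ok

def scenario_random_sms() -> bool:
    # Attacker without the password: no session is waiting for a code, so a phished code is useless.
    attacker = login("victim@example.com", "wrong guess")   # no SMS is sent
    return verify_otp(attacker, "123456")

def scenario_phished_code(victim_replies: bool) -> bool:
    # Attacker who already has the password (e.g. from a breach) triggers the genuine SMS, then
    # asks the victim to "reply with the code"; a victim who does not reply leaves them stuck at step 2.
    attacker = login("victim@example.com", "correct horse")  # the real SMS reaches the victim's phone
    real_code = SENT_SMS[-1][1].split()[-1]
    return victim_replies and verify_otp(attacker, real_code)
```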




So, Alex MacCaw, does the attacker know your password?

Or was it just a useless random SMS?

© Copyright 2016 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, has been working for over 20 years in the IT security industry and worked between 2003 and 2014 for Avira as Product Manager for the well-known products used by over 100 million users worldwide. Today he is CEO and owner of Endpoint Cybersecurity GmbH, focusing on cybersecurity, secure software development and security for IoT and automotive. He also runs his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security.
