Friday, August 18 2017

PSA: Hackers targeting two-factor authentication codes for Google accounts


In a week marred by several big password leaks from big names such as LinkedIn and Myspace (old, but still big for its day), at least one savvy Google account holder caught on to a rather clever attempt at defeating Google’s two-factor authentication.

If users have enabled two-factor authentication, then after passing the username and password security challenge they are brought to another security screen asking for a two-factor code. Two-factor codes can be generated via specialised apps or sent to you via text, as well as some other methods. If the user has selected text messages as the way of getting the required code, then they could be vulnerable to this attack.

As seen in the above tweet, hackers are preemptively sending users a text message telling them of a hack attempt that has been made against their Google account. Users are then prompted to send back (to the hackers) the GENUINE authentication code when they receive it from a different number, under the guise of “locking your account”. Let us make this clear: the ONLY place you should disclose your two-factor code is a Google login page; you should never send it via SMS to anyone, not even someone pretending to be Google.

Any users who do fall for this trick and send their 6-digit two-factor code to the hackers will find their Google Account could well be compromised.
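The pattern described above (a text asking you to send a code back, followed by the genuine code arriving from a different number) can be checked for mechanically. The following is an added example, not part of the original article: the inbox contents, phone numbers, timestamps, keyword patterns and the 10-minute window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample inbox: (sender, received time, body). Not real messages.
SAMPLE_INBOX = [
    ("+15550100", datetime(2017, 1, 1, 9, 0, 0),
     "Unusual sign-in attempt on your account. To lock your account, "
     "reply with the 6-digit verification code you are about to receive."),
    ("+15550199", datetime(2017, 1, 1, 9, 1, 30), "G-482913 is your Google verification code."),
    ("+15550142", datetime(2017, 1, 1, 14, 0, 0), "Your parcel is out for delivery today."),
    ("+15550199", datetime(2017, 1, 2, 8, 0, 0), "G-771204 is your Google verification code."),
]

# A request to send a code back: a reply verb followed closely by the word "code".
ASKS_FOR_REPLY = re.compile(r"\b(reply|respond|text|send)\b.{0,60}\bcode\b", re.I | re.S)
# A delivered code: six digits, optionally with a "G-" prefix.
DELIVERS_CODE = re.compile(r"\b(?:G-)?\d{6}\b")

def solicits_code(body):
    """True if the message asks for a code to be sent back and carries no code itself.

    Excluding messages that contain a code avoids flagging a genuine delivery
    that also says "never send this code to anyone".
    """
    return bool(ASKS_FOR_REPLY.search(body)) and not DELIVERS_CODE.search(body)

def delivers_code(body):
    """True if the message looks like a genuine code delivery."""
    return bool(DELIVERS_CODE.search(body)) and "code" in body.lower()

def find_relay_attempts(inbox, window=timedelta(minutes=10)):
    """Flag every solicitation and attach code deliveries from other senders inside the window."""
    alerts = []
    for s_sender, s_time, s_body in inbox:
        if not solicits_code(s_body):
            continue
        followups = [(d_sender, d_time) for d_sender, d_time, d_body in inbox
                     if delivers_code(d_body) and d_sender != s_sender
                     and timedelta(0) <= d_time - s_time <= window]
        # A solicitation is reported even with no follow-up: asking for the code is the red flag.
        alerts.append({"pretext_sender": s_sender, "pretext_time": s_time,
                       "code_deliveries": followups})
    return alerts

if __name__ == "__main__":
    for alert in find_relay_attempts(SAMPLE_INBOX):
        print(alert)
```

A flagged solicitation with a code delivery attached means someone already holding the password has just triggered a sign-in, so the password should be changed and the code entered nowhere.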

If you have received such an SMS, you should probably log into your Google account and go change your passwords; to get to this stage, the hackers will likely already have your existing username and password, but can’t do too much damage without this two-factor code. We are in the middle of writing a larger post, outlining the basics of web password encryption, passwords, and good practices, so keep an eye out for that in the next few days.

In the meantime, tell everyone you know this is fake, because people are falling for this. This is one of those pay-it-forward situations: the sky isn’t falling in, but warn your friends and family. While we aren’t aware of any attempts being made on Australian accounts, the digital world is not restricted by geography. Please be careful.

 

Duncan Jaffrey   Journalist


6 Comments on "PSA: Hackers targeting two-factor authentication codes for Google accounts"

Robert Barkoski

Excellent article, thank you.

Chad Russell

How are they getting the cell number to send the fake alert to in the first place?

Duncan_J

Or from other database hack/leaks. Each leak creates a bigger and bigger pool of data.

Markus

Some people share their contact details on their profile pages or they’re listed in the white pages.

TheCatMan

Very clever attempt.

Member

I’m surprised people still fall for these feeble attempts at stealing passwords or codes.
