+ Saturday August 24th, 2019

google 2 factor

In a week marred by several big password leaks from big names such as LinkedIn and Myspace (old, but still big for its day), at least one savvy Google account holder caught on to a rather clever attempt at defeating Google’s two-factor authentication.

If users have enabled two-factor authentication, then after passing the username and password security challenge they are brought to another security screen asking for a two-factor code. Two-factor codes can be generated via specialised apps or sent to you via text message, as well as some other methods. If the user has selected text messages as the way of getting the required code, they could be vulnerable to this attack.

As seen in the above tweet, hackers are preemptively sending users a text message telling them of a hack attempt that has been made against their Google account. Users are then prompted to send back (to the hackers) the GENUINE authentication code when they receive it from a different number, under the guise of “locking your account”. Let us make this clear: the ONLY place you should disclose your two-factor code is a Google login page; you should never send it via SMS to anyone, not even someone pretending to be Google.

Any users who do fall for this trick and send their 6-digit two-factor code to the hackers will find their Google Account could well be compromised.

If you have received such an SMS, you should probably log into your Google account and change your passwords; to get to this stage, the hackers will likely already have your existing username and password, but can’t do too much damage without the two-factor code. We are in the middle of writing a larger post outlining the basics of web password encryption, passwords, and good practices, so keep an eye out for that in the next few days.

In the meantime, tell everyone you know this is fake, because people are falling for it. This is one of those pay-it-forward situations: the sky isn’t falling in, but warn your friends and family. While we aren’t aware of any attempts being made on Australian accounts, the digital world is not restricted by geography. Please be careful.

Duncan Jaffrey   Associate

Duncan has been interested in technology since coding "Mary had a little Lamb" in Basic on his ZX Spectrum. A fan of all things Android, most days you'll find Duncan trawling the web for Android news or quietly editing away on Map Maker.

Join the Ausdroid Conversation

Robert Barkoski

Excellent article, thank you.

Chad Russell

How are they getting the cell number to send the fake alert to in the first place?


Some people share their contact details on their profile pages or they’re listed in the white pages.


Or from other database hacks/leaks. Each leak creates a bigger and bigger pool of data.


Very clever attempt.

Reuben Fergusson
Ausdroid Reader

I'm surprised people still fall for these feeble attempts at stealing passwords or codes.
