June 13, 2016

How Hackers Manage To Bypass Google’s Two-Factor Authentication

Two-factor authentication (2FA) is generally seen as the safest way to secure your Google account: before you can log in to a 2FA-protected account, you (the user) must enter a code that was sent to your phone via SMS. This prevents anyone from gaining unauthorized access to your account, even if they manage to get hold of your password. This double-layered authentication process is supported by numerous online services, including big banks, Google, Facebook, and even the government.


But you may have heard reports of Gmail accounts being hacked even though the user had enabled Google's two-factor authentication. This is because hackers are employing a new trick to lure unwary users: they send an SMS posing as Google and ask for the 2FA verification code.


Earlier this week, Alex MacCaw, cofounder of the data API company Clearbit, tweeted a screenshot of a text message he had received that attempted to trick its way past 2FA on a Google account.

The message reads as follows:

“(Google™ Notification) We recently noticed a suspicious sign-in attempt to jschnei4@gmail.com from IP address 136.91.38.203 (Vacaville, CA). If you did not sign-in from this location and would like to lock your account temporarily, please reply to this alert with the 6-digit verification code you will receive momentarily. If you did authorize this sign-in attempt, please ignore this alert.”

Here’s how the hacker’s trick works:

  • The hacker sends the target a text message, pretending to be the very company the target has an account with.
  • The message says the company has detected “suspicious” activity on the target’s account and is therefore sending them a 6-digit code, which the target should text back to avoid having the account locked.
  • The target, worried that they are being hacked and not wanting to lose access to their data, texts the code back, believing they have thwarted the attempted hack.
  • But in doing so, they hand the hacker a genuine security code for the account: the only thing standing between the hacker and the login.
  • The hacker then enters the target’s password, followed by this ill-gotten 2FA code, and gets into the account without the real user’s knowledge.
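As an added illustration that is not part of the original article, here is a small defender-side heuristic that separates an SMS which delivers a verification code from one which asks you to send a code back, the core tell of the scam above. The patterns are constructed for this example, as are the two sample messages that do not come from the article.

```python
import re

# Heuristic classifier for inbound SMS text. Constructed patterns for illustration;
# this is not Google's own filtering logic.

# A verb asking the recipient to send something, followed in the same sentence by
# a reference to a code. A genuine OTP message delivers a code; it never asks for one back.
REQUEST = re.compile(
    r"\b(reply|respond|text back|text us|send|forward|share|provide)\b"
    r"[^.!?]{0,60}?\b(code|pin|otp)\b",
    re.I,
)
# A preceding negation ("Don't share", "Never send") is the warning real OTP
# messages carry, so such matches are discarded.
NEGATION = re.compile(r"\b(don'?t|do not|never|not)\s+(to\s+)?$", re.I)
URGENCY = re.compile(
    r"\b(suspicious|unusual|unauthori[sz]ed|lock(ed)?|suspend(ed)?|momentarily|immediately)\b", re.I)
BRAND_CLAIM = re.compile(r"\(\s*\w+[™®]?\s*notification\s*\)|\b(google|gmail|facebook)\b", re.I)
CODE_PRESENT = re.compile(r"\b[A-Z]-\d{6}\b|\b\d{6}\b")  # an actual code, e.g. G-482913


def solicits_code(text: str) -> bool:
    """True when the message asks the recipient to send a verification code somewhere."""
    for m in REQUEST.finditer(text):
        if not NEGATION.search(text[max(0, m.start() - 16):m.start()]):
            return True
    return False


def assess_sms(text: str) -> dict:
    """Return a verdict plus the signals that produced it."""
    reasons = []
    if solicits_code(text):
        reasons.append("asks recipient to send a code")
    if URGENCY.search(text):
        reasons.append("urgency or account-lock pressure")
    if BRAND_CLAIM.search(text):
        reasons.append("claims to be a known brand")
    return {"likely_phish": "asks recipient to send a code" in reasons,
            "delivers_code": CODE_PRESENT.search(text) is not None,
            "reasons": reasons}


# Sample messages: "article" is the text quoted above; the other two are constructed.
SAMPLES = {
    "article": ("(Google\u2122 Notification) We recently noticed a suspicious sign-in attempt to "
                "jschnei4@gmail.com from IP address 136.91.38.203 (Vacaville, CA). If you did not "
                "sign-in from this location and would like to lock your account temporarily, please "
                "reply to this alert with the 6-digit verification code you will receive momentarily."),
    "legit": "G-482913 is your Google verification code. Never send this code to anyone.",
    "variant": "Google Alert: unusual sign-in detected. To keep your account, text back the code we just sent you.",
}

if __name__ == "__main__":
    for name, sms in SAMPLES.items():
        print(name, assess_sms(sms))
```

The article's message and the constructed variant are flagged because they ask for the code to be sent back; the constructed legitimate message is not, even though it mentions "send" and "code", because the request is negated.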

Fortunately, MacCaw was clever enough to spot the ruse and didn’t fall for this new kind of social engineering hoax. If you are a Gmail user, though, be more careful: hackers keep coming up with new techniques to gain access to Gmail and Google accounts. And don’t text your 2FA codes to anyone, no matter how legitimate the request appears.

About the author

Chaitanya
