State of the Web

Recently updated on March 21st, 2023

The security benefits of two-factor authentication (2FA) have thwarted many scams and attacks, but hackers are now adapting their approach and applying phishing attacks to it. Also called 2-step verification, 2FA is a security method that is becoming more popular among companies that provide accounts. It works by asking for something extra at sign-in: the exact method varies from platform to platform, but the concept remains the same. In addition to the username and password, the service asks for a piece of information that only you should have access to.

Platforms like Gmail support this, but most of the time it is something you have to enable before it protects you. Having this extra layer is great for preventing accounts from being compromised, but it is still possible for bad actors to get past it.

The Benefits of Layered Security

The two-factor authentication process asks for a PIN, or sometimes a personal question, in order to verify your identity. Some platforms use a single-use PIN that is sent to your device by SMS (text message) and expires after 30-60 seconds. Because the PIN is time-sensitive and only valid once, guessing it (the brute-force method) is much less likely to succeed. To increase security, businesses have started employing layered account security to spare their clients and employees from compromised accounts.
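The following is an added illustration, not code from the original article, of the server side of the SMS PIN scheme described above: a six-digit code that expires after 60 seconds, can be used only once, and is invalidated after a few wrong guesses. The class and constant names are assumptions for the example; the clock is injectable so the expiry behaviour can be exercised offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # six-digit SMS-style PIN
CODE_TTL_SECONDS = 60    # the 30-60 second window the article describes
MAX_ATTEMPTS = 3         # invalidate the code after a few wrong guesses


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and verifies single-use, time-limited login codes (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock                     # injectable for testing expiry
        self.pending: dict[str, PendingCode] = {}

    def issue(self, user_id: str) -> str:
        # secrets gives a CSPRNG-backed code; zero-pad so it is always 6 digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user_id] = PendingCode(code, self.clock() + CODE_TTL_SECONDS)
        return code  # in production this goes to the SMS gateway, not the caller

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False                       # nothing issued, or already used
        if self.clock() > entry.expires_at:
            del self.pending[user_id]          # expired: the user needs a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user_id]          # too many guesses: stop brute force
            return False
        # Constant-time comparison avoids leaking a matching prefix via timing.
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[user_id]          # single use: consume on success
            return True
        return False
```

Note that none of these checks help if the real user is tricked into typing the live code into a fake page: the relayed code is correct, unexpired and unused from the server's point of view.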

How Hackers Get Past It

The hacker sends an email asking you to log in to your account with some vague or questionable appeal. These emails can include personal information along with elements of branding to make them look authentic. Likewise, the login page can look just like the real thing. Once you authenticate on the fake login page, the hackers are able to hijack your username and password along with the PIN. From there, they have control of your account.

Real Example: Gmail Attack

Google’s security engineering lead, Nicolas Lidzborski, discussed such attacks in his speech at the RSA cybersecurity show. He noted the increase in two-factor authentication phishing attacks on Gmail accounts, and mentioned that hackers were able to capture the time-sensitive PIN that should only have been sent to your phone by SMS and automatically use it before the time limit ran out. Attacks like these have real-world consequences. Amnesty International reported that one unnamed hacking group used this two-factor method to phish more than 1,000 people.

Knowledge is the Best Preparation

In order to protect yourself from an attack, you must know what to look for. In this case, the login page can be made to look exactly like the real thing, the process can feel the same, and even the URL can look the same. It pays to be vigilant and stay cautious of unusual or unprompted requests to authenticate your account. Also, instead of clicking the link in the email, go directly to the login page by typing out the URL or searching for it on the web.

Even with these attacks, it is still worth using two-factor authentication as an extra layer of security. With all of the data breaches these days, it is a good thing to have, so be sure to enable it. Using a physical security key is another method you can try. The key looks like a USB flash drive and usually costs $25 to $50. With a key, a hacker would have to steal the device itself in order to break into your account, which is much more difficult than simply stealing information online.

What to do if your account is compromised

Acting quickly is important when a hack occurs, so keep a close eye on your accounts so that you can spot suspicious activity early. If you suspect an account has been compromised, most platforms offer an account activity or recent sign-ins page where you can confirm it. Change your password right away, and contact the platform's support for assistance.

If you would like more in depth assistance then you can always count on Next Horizon’s knowledgeable IT team to help. You can feel safer knowing you have a team that is on top of all the major security risks and ready to help protect you from them.
