If you’re an at risk user, that extra two-factor security code sent to your phone may not be enough to protect your email account. Hackers can bypass these protections, as we’ve seen with leaked NSA documents on how Russian hackers targeted US voting infrastructure companies. But a new Amnesty International report gives more insight into how some hackers break into Gmail and Yahoo accounts at scale, even those with two-factor authentication (2FA) enabled.
They do this by automating the entire process, with a phishing page not only asking a victim for their password, but triggering a 2FA code that is sent to the target’s phone. That code is also phished, and then entered into the legitimate site so the hacker can login and steal the account. The news acts as a reminder that although 2FA is generally a good idea, hackers can still phish certain forms of 2FA, such as those that send a code or token over text message, with some users likely needing to switch to a more robust method.
“Virtually in that way they can bypass any token-based 2FA if no additional mitigations are implemented” Claudio Guarnieri, a technologist at Amnesty, told Motherboard in an online chat. 2FA is adding another layer of authentication onto your account. With token-based 2FA, you may have an app that generates a code for you to enter when logging in from an unknown device, or, perhaps most commonly, the service will send a text message containing a short code that you then type into your browser.