Protecting yourself from two-factor authentication hacking
For years we have strengthened authentication by adding steps beyond just usernames and passwords. Many of us remember the answers to the security questions that let us log into our bank accounts and other secure sites. In addition to the name of our first childhood pet guarding our most personal and sensitive information, we have all become accustomed to codes sent by email or text message to help verify our identity. While these additional authentication steps make us feel safer, it is important to be aware of what hackers are doing today to undermine and sidestep these protections.
One of the most common ways hackers undermine two-factor authentication is by calling you on the phone and pretending that they are the ones sending you a code. If a hacker has obtained the username and password for your bank account, whether through social engineering or a breach, they are still unlikely to get in while two-factor authentication stands in the way. However, hackers are deceptive, and many have begun to phone users directly, claiming to represent the bank’s security department and needing to inform you about some fictitious security issue.
The hacker will claim that they need to verify your identity by sending you a code via text message or email. In reality, that code is generated when the hacker attempts to log into your account with your stolen credentials. They will then ask you to read back the code, or the code shown in your authenticator app, or to approve the login request that their attempt has pushed to your device. If you provide the code or approve the request because you believed you were speaking with your bank’s security department, you have just granted the hacker access to your account.
Fortunately, there are four steps you can take to protect yourself from this type of hacking:
- Always assume that an incoming call, text, or email is a scam. Tell the caller that you will call back using a known phone number. This could be a number from your bank statement, your credit card, a website you visit, etc. Never call them back at a phone number they provide.
- Never give out a code sent by text or email or generated via your authenticator application.
- Do not approve a request in your authenticator application unless you yourself triggered it by logging into a website.
- If your bank genuinely needs to confirm that they are speaking with the right person (right-party verification), they will usually transfer you to a secure IVR where you enter a PIN you previously set up. They will not ask you to read a code aloud.
By being aware and following these guidelines, you will be much safer.