Google Two-Factor Authentication Is Not Invincible: How to Secure Your Passwords
The success of any campaign depends on how well it can be applied. If the formula behind a campaign can be applied more than once, we might as well call it a success. Unfortunately, there are good and bad campaigns out there, and since this blog deals with cyber security, here we would like to talk about a malicious campaign that has the potential to grow into something extremely nasty: phishing attacks that can bypass two-factor authentication. We will also look at ways you can secure your passwords from such attacks.
What is two-factor authentication?
Two-factor or multi-factor authentication is a type of authentication that confirms a user's identity using more than one factor. The most common authentication factor is a password. We know very well that passwords have to be strong and unique, but we also know that passwords are probably the weakest brick in the security wall that protects your personal information from malicious exploitation. So two-factor authentication offers an additional layer of security where you have to provide another factor of authentication. For example, it could be a temporary code that you receive on your phone.
Technically, this type of authentication is supposed to be safe and secure. After all, who else could use your phone number but you, right? Unfortunately, a report released by Amnesty International last month proves that even this enhanced authentication system isn't as safe as we would like it to be.
Phishing Campaigns in the Middle East and North Africa
You might be confused by this subtitle. What could a random phishing campaign in North Africa and the Middle East have to do with us? Sure, it might seem rather distant and irrelevant, but we have to keep in mind that the inner workings of any successful local phishing attack could later be applied globally. Also, these phishing campaigns, in some cases, could bypass Google's two-factor authentication, and that is extremely alarming.
The attacks in North Africa and the Middle East mostly targeted Human Rights Defenders (HRDs), journalists, and political actors in the countries of the region. There were two types of attacks. The first type impersonated secure email providers: the victims were redirected to websites that looked exactly like Tutanota or ProtonMail pages. Tutanota and ProtonMail are popular email service providers in the region, and they have a positive reputation among human rights activists because they offer “secure email” services.
The second type of attack targeted Google two-factor authentication using clones of popular commercial websites. Aside from Google, Yahoo users were also targeted in this attack.
How Does the Two-Factor Authentication Scam Work?
Scammers very often try to convince users that their security has been breached, and these attacks were no different. Potential victims were spammed with emails claiming that their accounts had been compromised. The emails came with buttons and links that the user was urged to click in order to change their password or confirm their identity. Clicking them eventually redirected the user to a fake Google website that required them to log in.
When the user logs into the fake Google page, they get redirected to yet another page, which says that a two-factor authentication code has been sent out via text message. And this is the disturbing part. You do receive a six-digit code on the phone number that you used to create your Gmail account, because the phishing page passes the password you just typed on to the real Google login behind the scenes, and that is what triggers the genuine text message. Even though you are on a phishing page, you receive a real text message on your phone. As a result, you probably do not stop to think twice about whether you are about to be scammed. This is why this phishing campaign is so dangerous, and it would be close to devastating if it were to spread across the globe.
When the affected user receives the six-digit code and enters it into the phishing page, the scammers urge the user to change their Google account password. This way, the scammers manage to sidestep Google two-factor authentication. They even manage to issue the password change to the affected account to further “prove” that the security warning was real. As you can see, it is a well-crafted social engineering attack that is good at not raising any suspicion.
If the victim goes through all the attack steps, the scammers end up with the two-factor authentication code and the account's sensitive personal information, and the attack succeeds. That does not mean, however, that we should all scrap Google two-factor authentication at once just because it can be bypassed.
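The flow above, modelled as an added example (not code from the campaign, from Amnesty International or from Google): a constructed login service that accepts either an SMS code or an origin-bound token assertion, and a relay that forwards whatever the victim submits on the phishing page. `REAL_ORIGIN`, `FAKE_ORIGIN`, the symmetric token key and every message are assumptions; it shows why the SMS code survives relaying and an origin-bound hardware token does not.

```python
import hashlib, hmac, secrets

REAL_ORIGIN = "https://accounts.google.com"      # legitimate login origin (assumed)
FAKE_ORIGIN = "https://accounts-g00gle.example"  # hypothetical phishing origin
TOKEN_KEY = secrets.token_bytes(32)              # victim's token key; a MAC stands in for a signature

def token_sign(challenge, origin):
    """An origin-bound token signs the challenge together with the origin the
    browser is really showing, so the assertion is useless anywhere else."""
    return hmac.new(TOKEN_KEY, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()

class Service:
    """Constructed stand-in for the real login service."""
    def __init__(self):
        self.pending = {}      # session id -> expected SMS code or challenge
        self.phone_inbox = []  # SMS codes delivered to the victim's real phone

    def password_login(self, user, password):
        sid = secrets.token_hex(4)
        self.pending[sid] = f"{secrets.randbelow(10**6):06d}"
        self.phone_inbox.append(self.pending[sid])   # the SMS really arrives
        return sid

    def verify_sms_code(self, sid, code):
        return hmac.compare_digest(self.pending.pop(sid, ""), code)

    def start_token_challenge(self, user):
        sid, challenge = secrets.token_hex(4), secrets.token_hex(8)
        self.pending[sid] = challenge
        return sid, challenge

    def verify_token(self, sid, assertion):
        challenge = self.pending.pop(sid, "")
        # Only an assertion made at the service's own origin is accepted.
        return hmac.compare_digest(token_sign(challenge, REAL_ORIGIN), assertion)

def relay_sms_factor(svc):
    """Flow from the post: the phishing page forwards the password, the victim
    reads the genuine SMS and types it into the phishing page, which forwards it
    too. Returns True: the code carries nothing that ties it to an origin."""
    sid = svc.password_login("victim", "hunter2")
    code_typed_on_fake_page = svc.phone_inbox[-1]
    return svc.verify_sms_code(sid, code_typed_on_fake_page)

def relay_token_factor(svc):
    """Same relay with an origin-bound token: the victim's browser is on
    FAKE_ORIGIN, so that is what the token signs, and the service rejects it."""
    sid, challenge = svc.start_token_challenge("victim")
    assertion = token_sign(challenge, FAKE_ORIGIN)   # produced on the phishing page
    return svc.verify_token(sid, assertion)
```

A real origin-bound token (FIDO U2F/WebAuthn) uses a per-site public key and a signature rather than a shared MAC key, but the binding to the browser's origin is the property that defeats the relay.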
How Can I Secure My Passwords?
No security measure is 100% foolproof, and that is something we have to understand. Therefore, just because someone can bypass multi-factor authentication, it doesn't mean that it is useless. Computer security experts still maintain that you should enable this type of authentication anywhere you can. You might also want to consider using hardware security tokens as part of the multi-factor authentication process.
At the same time, perhaps we should start with the most common steps we can take to secure our personal information. Have you ever thought of using something like Cyclonis Password Manager? This tool allows you to generate and store all of your passwords without the need to remember them. The application does the job for you. What's more, if you use the Cyclonis browser extension, compatible with the specific browser that you use, you can also enable the auto-fill feature that fills in the password boxes the moment you open a certain page.
So this tool saves you time when you need to access your accounts, and you no longer need to worry about the complexity of your passwords. What's more, phishing websites sit on addresses that users often overlook, but a password manager ties each saved password to the legitimate site's address, recognizes at once that a lookalike address is not the real one, and the auto-fill feature simply would not work there. So when you think of ways to secure your passwords from potential phishing attacks, perhaps you should start with a reliable password manager tool. That is the first step to take.
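The origin check a password manager's auto-fill performs before offering a saved password, as an added example that is not Cyclonis code: credentials are keyed by the site they were saved on, and lookalike, downgraded and homoglyph addresses fail the match. The short public-suffix set and all URLs are constructed; real managers use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "example", "co.uk", "com.au"}

def registrable_domain(host):
    """eTLD+1 of a host: 'accounts.google.com' -> 'google.com',
    'a.b.co.uk' -> 'b.co.uk'. Unicode hosts are IDNA-encoded first so a
    homoglyph name is compared in its real punycode form."""
    labels = host.lower().rstrip(".").encode("idna").decode("ascii").split(".")
    for n in (2, 1):                      # longest listed suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:])
    return ".".join(labels[-2:])          # unknown suffix: last two labels

def should_autofill(saved_url, page_url):
    """True only if the page is served over HTTPS and shares the registrable
    domain of the site the credential was saved on (base-domain matching)."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False                      # no downgrade to http, no odd schemes
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)
```

Stricter managers compare the full host instead of the registrable domain; either way a credential saved for the real site is never offered on an address that merely resembles it.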