Google Two-Factor Authentication Is Not Invincible: How to Secure Your Passwords

The success of any campaign depends on how well one can apply it. If a formula of any campaign can be applied more than once, we might as well say it is a success. Unfortunately, there are good and bad campaigns out there, and since we deal with cyber security in our blog, here we would like to talk about a malevolent campaign that has a potential to grow into something extremely nasty. We would like to talk about phishing attacks that can crack down two-factor authentication. Consequently, we will also look at ways you can secure your passwords from such attacks.

What is two-factor authentication?

Two-factor or multi-factor authentication is a type of authentication that confirms a user's identity using more than just one factor. The most common authentication factor is a password. We know very well that passwords have to be strong and unique, but we also know that passwords are probably the weakest brick in the security wall that protects your personal information from malicious exploitation. So two-factor authentication offers an additional layer of security where you have to provide another factor of authentication. For example, it could be a temporary code that you receive to your phone.

Technically, this type of authentication is supposed to be safe and secure. After all, who else could use your phone number, but you, right? Unfortunately, a report released by Amnesty International last month proves that even this enhanced authentication system isn't as safe as we would like it to be.

Phishing Campaigns in the Middle East and North Africa

You might be confused by this subtitle. What could a random phishing campaign in North Africa and the Middle East have anything to do with us? Sure, it might seem rather distant and irrelevant, but we have to keep in mind that the inner workings of any successful local phishing attack could be applied later on globally. Also, these phishing campaigns, in some cases, could bypass Google's two-factor authentication, and that is extremely alarming.

The attacks in North Africa and the Middle East mostly targeted Human Rights Defenders (HRDs), journalists, and political actors in the countries of the mentioned region. There were two types of attacks. The first type of attack impersonated secure email providers. The victims were redirected to the websites that looked exactly like Tutanota or ProtonMail pages. Tutanota and ProtonMail are popular email service providers in the region, and they have a positive reputation among human rights activists because they offer “secure email” services.

The second type of the attack targeted the Google two-factor authentication by employing clones of popular commercial websites. Aside from Google, Yahoo users were also targeted in this attack.

How Does the Two-Factor Authentication Scam Work?

It is very often that scammers try to convince users that their security has been breached. The same happened with these attacks, too. Potential victims were spammed with emails that claimed their accounts had been compromised. The emails come with buttons and links that the user is urged to click in order to change their password or confirm their identity. Clicking those links and buttons eventually redirects the user to a fake Google website that requires them to log in.

When the user logs into the fake Google page, they get redirected to yet another page, which says that a two-factor authentication code has been sent out via text message. And this is the disturbing part. You do receive a six-digit code into the phone number that you used to create your Gmail account. Even though you are on a phishing page, you receive a text message into your phone. As a result, you probably do not stop to think twice whether you are about to be scammed or not. This is why this phishing campaign is very dangerous, and it would be close to devastating if it were to spread across the globe.

When the affected user receives the six-digit code and enters it into the phishing page, the scammers urge the user to change their Google account password. This way, the scammers manage to sidestep Google two-factor authentication. They even manage to issue the password change to the affected account to further “prove” that the security warning was real. As you can see, it is a well-crafted social engineering attack that is good at not raising any suspicion.

If the victim goes through all the attack steps, at the end of the day, the scammers obtain the two-factor authentication code and collect sensitive personal information, thus making the attack successful. On the other hand, it doesn't mean that we should all scrap Google two-factor authentication at once because it can be breached.

How Can I Secure My Passwords?

No security measures are 100% fail proof, and that is something that we have to understand. Therefore, just because someone can crack multi-factor authentication, it doesn't mean that it is useless. Computer security experts still maintain that you should enable this type of authentication anywhere you can. You might also want to consider using the hardware type of security tokens that can be part of the multi-factor authentication process.

At the same time, perhaps we should start with the most common steps we can take to secure our personal information. Have you ever thought of using something like Cyclonis Password Manager? This tool allows you to generate and store all of your passwords without the need to remember them. The application does the job for you. What's more, if you use the Cyclonis browser extension, compatible with the specific browser that you use, you can also enable the auto-fill feature that fills in the password boxes the moment you open a certain page.

So this tool saves you time when you need to access your accounts, and you no longer need to worry about the complexity of your passwords. What's more, phishing websites sometimes come with random hyperlinks that users often overlook, but an automated tool would recognize at once that it is not a legitimate link, and the auto-fill feature would not even work. So when you think of ways to secure your passwords from potential phishing attacks, perhaps you should start with a reliable password manager tool. That is the first step to take.

By Foley
January 30, 2019
Password Security
English
January 30, 2019
Password Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Password Security

Why Should You Create a Google Backup Code When Using Two-Factor Authentication?

You may have heard of two-factor authentication (2FA). It's a fantastic secondary layer of security that prevents unwanted guests who know your password from accessing your accounts from an unverified device by giving... Read more

July 17, 2018
Password Security

The Differences Between Two-Factor Authentication and Multi-Factor Authentication

No doubt those who have seen Perfect Strangers by Paolo Genovese realize how sensitive the information accessible through our mobiles, computers, social media accounts, etc. is, however, unlike in the film, there are... Read more

July 18, 2018
How To

How to Keep Your Account Secure with Two Factor Authentication

We hope that you've heeded the multiple articles we've written on the subject of Two-Factor Authentication (2FA). It's one of the best security features you can to protect your online life. 2FA can be added to your... Read more

November 13, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.