New Phone Scam Bypasses Two-Factor Authentication Security Codes.

Image of a computer and a telescope. Photo made by Diamond Garcia.

Unsurprisingly, there’s a new phone scam surfacing on the internet, and this one targets Two-Factor Authentication. This security feature verifies your identity and your ownership of an account. The most common methods are a text message containing a one-time code, or an authenticator app such as Microsoft Authenticator. In this scam, users unintentionally hand over the code from that SMS text, which is exactly what’s needed to sign in. On most occasions, I’ve always emphasized the importance of internet safety and security. Having Two-Factor Authentication on all of your accounts will improve your security. However, just because you have it enabled doesn’t mean you can stop being vigilant.


The Setup. 


Unfortunately, what happens first isn’t in your control: your login credentials get leaked in a database breach. This happens more often than many would assume. Over 772 billion accounts’ login credentials were leaked or stolen online, so if you weren’t aware already, your online security has likely been compromised. This is why you should not use the same password for every account, and why each account needs a unique password. You may be tempted to disregard news that a website and/or its domain has been hacked, but keep in mind that if you’ve used the same password for every website, hackers are going to try those same credentials on every other login page. In practice, hackers open these databases and try the preexisting passwords they contain against major websites such as Facebook or banking sites. When there’s a match, they will be able to sign in without Two-Factor Authentication to stop them, and you’re going to lose your money and any other important information, such as your phone number. This scam specifically targets those who have enabled Two-Factor Authentication: once the hacker has successfully signed in with valid credentials and the site asks for a confirmation code, this is where the vulnerability starts.
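The paragraph above describes two separate problems: a password that is already in a leaked database, and the same password reused across sites. The following Python is an added example (not code from the original post) of how a defender can audit a personal password list for both, offline. The breach corpus and the vault are constructed sample values; the prefix-bucket lookup mirrors the k-anonymity range query that public breached-password services use, so a real check would send only the first five hex characters of the SHA-1 hash, never the password or the full hash.

```python
import hashlib
from collections import defaultdict

# Constructed "breach corpus": passwords assumed to appear in leaked databases.
# Sample values made for this example, not a real dump.
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the format breached-password range APIs use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Group breached hashes into buckets keyed by their 5-char prefix.
    A remote range API returns exactly one such bucket per query, so the
    caller compares the remaining 35-char suffix locally."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def is_breached(password: str, index=RANGE_INDEX) -> bool:
    """True if the password's hash appears in the (local) breach corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only `prefix` would ever leave the machine; the suffix match stays local.
    return suffix in index.get(prefix, set())


def find_reuse(vault: dict) -> dict:
    """vault maps site -> password. Returns {hash: [sites]} for every password
    used on two or more sites; those sites fall together in a credential-stuffing attack."""
    by_hash = defaultdict(list)
    for site, pw in vault.items():
        by_hash[sha1_hex(pw)].append(site)
    return {h: sorted(sites) for h, sites in by_hash.items() if len(sites) > 1}


def audit(vault: dict) -> dict:
    """Per-site findings: whether the password is breached and which other sites share it."""
    reused = find_reuse(vault)
    findings = {}
    for site, pw in vault.items():
        shared = [s for s in reused.get(sha1_hex(pw), []) if s != site]
        findings[site] = {"breached": is_breached(pw), "reused_with": shared}
    return findings


# Constructed sample vault for a single user (hypothetical sites).
SAMPLE_VAULT = {
    "shop.example": "letmein",
    "bank.example": "letmein",
    "mail.example": "correct horse battery staple",
}

if __name__ == "__main__":
    for site, result in audit(SAMPLE_VAULT).items():
        print(site, result)
```

Running the audit on the sample vault flags both `shop.example` and `bank.example` as breached and reused with each other, while `mail.example` comes out clean. The lesson matches the post: a breach of the shop is also a breach of the bank unless the passwords differ.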


The Bypass. 


There are new services for scammers in which an automated call contacts the user while pretending to be the website they’re attempting to sign in to. This tricks the user into providing the code, which the scammer then uses to sign in. It’s done with an application in which the scammer enters your phone number. You’ll receive a call with an automated text-to-speech (TTS) voice saying phrases such as “This is PayPal Fraud and security division. We’ve detected a $X amount charge on your account. If this is correct, press 1. If not, press 2.” So someone would dial 1, indicating that they weren’t aware of this. Next, you’ll be prompted to enter a code in order to verify your account. But the call is not from the service it claims to be; the supposed charge exists only to convince you that something is wrong with your account. As the call continues, the scammer signs in to your account with the correct credentials, which triggers a real Two-Factor Authentication code to be sent to you, the person on the other end of the line, while you’re still on that phone call. When the automated voice tells you that a code has been sent and you key it in, the keypad tones are translated and the code is fed to the scammer. The scammer never had to interact with the owner of the account; all that was done was an automated call. Once your code has been received, the TTS voice says “Order canceled. If you see changes to your account within the next 24-48 hours, don’t worry.” or something similar. This is common for banking sites. Since there was no charge to begin with, nothing looks wrong at first, but eventually charges will start appearing. The scammer has your contact information, knows the login process, and obtains whatever your Two-Factor Authentication requires. Simply put, you’re giving your Two-Factor Authentication code to someone pretending to be whatever website, and it will be used to sign in.


How to Avoid This. 


The first step in avoiding scams and security vulnerabilities is to know what they are. If you are aware that deceptive phone calls are made to obtain sensitive information, you’ll recognize that such a call is not the website’s actual automated communication service and that you’re being scammed. Verification codes and any other security credentials are not to be given over the phone, whether spoken or entered through your phone’s dialer, and especially not during an unsolicited call. Never give any kind of information to anyone who calls you. Just because you have Two-Factor Authentication enabled on your accounts doesn’t mean that you can’t be phished in other ways. For example, there are phishing websites that are built to handle Two-Factor Authentication: the site looks like a login page (Facebook is the most common site hackers practice on), you enter your credentials, and the fake site passes them straight to the website’s real login page. Since the real site then asks for Two-Factor Authentication, the fake website asks for your confirmation code and uses that as well. This isn’t always the case; having Two-Factor Authentication enabled will drastically reduce the chances of someone simply logging into your accounts. But it won’t stop you from being phished if you provide your confirmation code. We suggest purchasing one or two physical Security Keys. These are USB devices on which you press a button to confirm your login rather than typing a security code. If you decide to use a Security Key, only use that physical device, no matter what other methods you’re asked to set up.
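The two sections above make one technical point from different angles: a one-time code is a bearer token, so it works for whoever submits it (the caller in the phone scam, the relay site in the proxy phishing case), whereas a Security Key’s response is bound to the site the browser is actually talking to. The following Python is an added example, not code from the original post, that models both verifications on the server side. The TOTP part implements RFC 6238 with the standard library. The security-key part is a labelled simplification: a real FIDO key makes a public-key signature over the challenge and the browser-reported origin, and here an HMAC with a per-credential key stands in for that signature so the block runs without third-party packages. All secrets, origins and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import struct


# ---- One-time codes (RFC 4226 HOTP / RFC 6238 TOTP), as a service verifies them ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


class OtpService:
    """A login step protected by a TOTP or SMS-style code. The code is a bearer
    token: the service only checks the digits, not who is typing them."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, submitted: str, unix_time: int) -> bool:
        return hmac.compare_digest(submitted, totp(self.secret, unix_time))


# ---- Origin-bound second factor (simplified security-key model) ----
class SecurityKey:
    """Models a FIDO-style authenticator. The response covers the server's
    challenge AND the origin reported by the browser, so a response produced
    on a look-alike site does not verify on the real one.
    Assumption: HMAC with a per-credential key replaces the real public-key signature."""

    def __init__(self):
        self.cred_key = secrets.token_bytes(32)

    def sign_assertion(self, challenge: bytes, browser_origin: str) -> bytes:
        return hmac.new(self.cred_key, browser_origin.encode() + b"|" + challenge,
                        hashlib.sha256).digest()


class KeyService:
    """The real site: remembers its own origin and the credential registered at enrolment."""

    def __init__(self, origin: str, key: SecurityKey):
        self.origin = origin
        self.cred_key = key.cred_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        expected = hmac.new(self.cred_key, self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


# ---- The three situations the post describes, as scenario functions ----
def relayed_code_is_accepted(unix_time: int = 1_700_000_000) -> bool:
    """Victim reads the genuine code to the caller (or types it into a relay site);
    the attacker's session submits it. Returns True: the service cannot tell."""
    secret = b"constructed-shared-secret"   # constructed enrolment secret
    service = OtpService(secret)
    code_on_victims_phone = totp(secret, unix_time)
    code_submitted_by_attacker = code_on_victims_phone   # relayed verbatim
    return service.verify(code_submitted_by_attacker, unix_time)


def relayed_key_response_is_rejected() -> bool:
    """Same relay against a security key. The victim presses the key on the
    look-alike origin, so the response is bound to that origin and the real
    site rejects it. Returns False."""
    key = SecurityKey()
    real_site = KeyService("https://bank.example", key)          # constructed origins
    challenge = real_site.new_challenge()                         # obtained by the relay
    assertion = key.sign_assertion(challenge, "https://bank-login.example")
    return real_site.verify(challenge, assertion)


def genuine_key_login_is_accepted() -> bool:
    """Control case: the same key used directly on the real origin verifies."""
    key = SecurityKey()
    real_site = KeyService("https://bank.example", key)
    challenge = real_site.new_challenge()
    return real_site.verify(challenge, key.sign_assertion(challenge, "https://bank.example"))


if __name__ == "__main__":
    print("relayed OTP accepted:", relayed_code_is_accepted())
    print("relayed key response accepted:", relayed_key_response_is_rejected())
    print("genuine key login accepted:", genuine_key_login_is_accepted())
```

The scenario functions are the point: no amount of checking on the OTP service can distinguish the victim’s code from the relayed copy, because the code carries no information about where it was entered. With the key, the browser (not the user) supplies the origin, and in a real WebAuthn deployment the authenticator additionally refuses to use a credential for a domain that does not match the one it was registered under, so the fake site never even gets a response to relay.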


Other Methods.

You should also be aware of stalkerware. Stalkerware is monitoring software or spyware that is used for cyberstalking. The term was coined when people started to widely use commercial spyware to spy on their spouses or intimate partners, and it has been criticized lately due to its use by abusers, stalkers, and employers. The United States has the fourth-highest proportion of individuals worldwide who are potentially affected by stalkerware, even though 57% of adults in the United States aren’t aware of this form of online creeping. To prevent this, be mindful of who has access to your device, and keep your passcodes and PINs secure. Regularly check your devices for unusual or suspicious applications and remove any that you don’t recognize. Enable Two-Factor Authentication for your accounts, combining a PIN with another form of identity verification, such as an e-mail or fingerprint. Use an anti-virus program in addition to the basic firewall that comes with your operating system. This is why it’s important to know what malicious code is and how to identify it. Be sure to stay safe online, and offline.