But the latest news claim that hackers have bypassed the most secure Two Factor Authentication of Google. Reports are flying in the socials media sites like Facebook and Reddit that their accounts were compromised even after enabling the 2 Factor Authentication for their google accounts.
Even clearbit.com co-founder Alex MacCaw tweeted that hackers tried to compromise his Gmail account that obviously has a 2-Factor Authentication. Though he did not fall prey to this attack he warned users through his tweet.
Be warned, there's a nasty Google 2 factor auth attack going around. pic.twitter.com/c9b9Fxc0ZC— Alex MacCaw (@maccaw) June 4, 2016
The Message that MacCaw received on his mobile is a follows,
(Google™ Notification) We recently noticed a suspicious sign-in attempt to email@example.com from IP address 184.108.40.206 (Vacaville, CA). If you did not sign-in from this location and would like to lock your account temporarily, please reply to this alert with the 6-digit verification code you will receive momentarily. If you did authorize this sign-in attempt, please ignore this alert.
Let's dig a little to see what went wrong actually and what the message in his screenshot says.
How Two-factor Authentication of Gmail Works?When a user logs into a 2FA enabled account Gmail account using the credentials, the user is stuck at 2-step verification screen until he enters the Verification Code that has been sent via SMS to the registered mobile number. Unless the user enter the Verification Code, he will not be able to access the account. Until now there is no detected flaw in Googles system that lets users bypass the 2 Factor Authentication. But this means that the user reports are false.
Well that's also not completely true. Hackers seem to have used a special technique called Social Engineering to get the Verification Code sent to the users. Social Engineering is a method of intelligently fooling the users to fall into the trap.
How was the 2-Factor Authentication Attack carried out?Here is what they've done.
- The hacker initially enters the credentials of the account that has the 2FA enabled.
- The Company then sends Verification through SMS to the registered mobile number.
- Then the hacker sends the target account holder a text message, pretending to be the very company that the person has an account with. In the above case the message seems to be coming from Gmail.
- The text message sent from the hacker says that they've detected "suspicious" activity to the target’s account and so is sending the 6-digit code to them, which the target user should then text back to them to avoid having their account locked.
- The users, worrying that their account is being hacked and not wishing to lose access to their data, sends back the code, believing that they have prevented the attack. But by doing so, they've actually provide the hacker with a security code to break into the user's account.
- Subsequently, the hacker would enter the 2FA Verification code, and access the account without the user’s knowledge.
How to Prevent Social Engineering Attacks on Two Factor Enabled Accounts
- Remember that if you have enabled Two factor authentication, google or any other company in which you are holding an account will never ask you to text back the code of call to any phone number and share the verification code.
- Verification Codes must not be shared to anyone.
- Make sure that you check the logged in devices and the devices that you've authenticated not to ask for verification codes. You can check your logged in devices going to this link https://security.google.com/settings/security/activity
- Try to use a private phone number to register with the accounts so that hackers cannot spoof such messages or emails to you as they will not have access to your number.
- And the last one, Never give an unknown person to get physical access to your phone.
Enabling 2 Factor Authentication for Gmail is very simple. Do it now and make your account Hack Secure. Numerous Online companies support the double-layered protection to accounts including like gaints like Microsoft, Dropbox and even some government agencies.