Multi-Factor Authentication Manipulation

A new smartphone scam is making its rounds, and it seeks to abuse your comfortability with multi-factor authentication. To learn what multi-factor authentication is click here, I have previously written about it here. Human vigilance is the most significant part of securing your devices and your data with any computer security tool or practice. Hackers are now trying to trick non-vigilant users. Let me explain how the attack works, and you will then see how easy it is for you to avoid this scam.
First, you should know that so many different sites have been hacked that it is highly likely that your user credentials are available on the dark web in some form or another. That is why is it is so important for users to set up a new username and password for each site they register. If you use the same user name and password for each site, no matter how mundane the website is, you are at considerable risk of having one of these sites hacked and your user account information stolen. Once the username and password are on the dark web, hackers can then start using your user name and password against any site they want, so if you use the same username and password for Facebook, Twitter, or Linkedin as you do for your online banking, credit cards, PayPal, Google Pay, Apple Pay, Zelle, or any other payment or banking service. Hackers already have all that they need to gain access to your accounts. IF you would like to check to see if your credentials have already been hacked, go to https://haveibeenpwned.com and enter the email addresses you use for your online accounts. Don’t be surprised if you have several different breaches listed.

Hackers and Scammers have a new way of doing things.

You might say, hey, I have multi-factor authentication enabled on my accounts, so hackers won’t be able to access my account, but this is where the new scam comes in. The scam currently targets multi-factor authentication that works using a text message to send you a code to verify your identity. Hackers are now using bots that will call you pretending to be your bank or payment vendor. The automated voice is most likely to say it is with the fraud department. They have detected fraudulent charges on your account; if you didn’t make this charge, press “1” or something to that effect to sound legitimate. Then the system will want to verify that it is you, so it will state that it is sending a verification code to your phone. You will need to enter the verification code over the phone to verify your identity. What is happening is that the hackers are trying to access your account, and you just relayed the multi-factor authentication code that they needed to finish the login process. Most likely, the bot will tell you to ignore any other charges you see on the account that they are aware of the costs and will remove them for you. This, of course, is, so you don’t contact the bank or payment service about the charges the hacker has made to your accounts.

How to stay safe from this scam

The best way to avoid this scam is to be aware that you should never give your information to anyone who has called you unsolicited. You must also configure your account to use multi-factor authentication without a text entry option. Additionally, you can get a physical security key such as a Yubi key that requires you to touch the device physically. These keys are very secure, but they have their drawbacks. Not all sites support physical keys yets. Not all sites that support them allow you also to turn off text message notifications. The best way to avoid all of this in the first place is to use a unique username and password for each site that requires a login. To keep track of all the usernames and passwords, you can use a password manager such as Nordpass, RoboForm, Dashlane, Keeper, LastPass, 1Password, or my personal favorite: KeePass Password Safe.
Thank you for taking the time to read this as I try to inform as many users as possible about staying safe in an online world. Feel free to share the article, and as always, if you have any questions or comments, you can post them below or contact us.