As we all use more websites, more services, and more things that require personal, private and confidential information about ourselves, security always has to be considered. Fortunately, many of the security concerns are handled by the companies we provide our information to, which means there is one less thing to think about.
One of these solutions is called “two-factor authentication”, which you’ve probably seen on services for your smartphone and computer, and this is essentially what it sounds like, requiring two specific things in order to prove who you are.
Often this is a secret, such as an identification number or passcode, plus an object in your possession, such as a mobile phone. The idea is that one of these might become known to someone else, but the other has to be physically nearby in order to prove you are who you say you are, and this combination is seen as more secure than the standard “enter your password here” form.
But while this is more secure and used by more and more organisations, it doesn’t appear to be foolproof, with researchers for Symantec chiming in this week to say that there’s even a way to trick two-factor authentication.
Mobile phone-based two-factor authentication is essentially secure because you need your mobile phone to receive a code sent by the company checking your identity, but what if the scammer tricks you into thinking your account has been hijacked?
In Symantec’s example, a scammer might be interested in gaining access to someone’s Google Mail account, and if they don’t know the password, they can trigger the two-factor authentication check against the account’s phone number. Let’s assume the scammer knows the email address and phone number, which is pretty easy to find if the person has that information listed somewhere like Facebook, which many people seem to.
With the email address and phone number in hand, the scammer can use Google’s “I don’t know my password” option with the email address to get a verification code sent to the smartphone. You, the owner of the phone, would suddenly receive that code, a series of digits that you haven’t requested. Shortly after this, the scammer sends his own message saying something along the lines of “Google has detected unusual activity on your account. Please respond with the code sent to your device to stop the unauthorised activity.”
If you follow that direction and reply with that code, you will have essentially delivered a password reset verification code to the scammer, and that will grant them access.
Unfortunately, this concept isn’t just research, with Symantec telling GadgetGuy that this threat is active in Australia and New Zealand.
Fortunately, it’s pretty easy to combat, with mobile phone users asked to be on the lookout for unexpected verification codes sent their way, followed by a message asking them to send that code back.
“Users should be suspicious of SMS messages asking about verification codes, especially if they did not request one,” said Nick Savvides, Security Expert at Symantec.
“If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate. Legitimate messages from password recovery services will simply tell you the verification code and will not ask you to respond in any way.”