Social Engineering Against 2FA: New Tricks

In the digital age, data protection matters to every Internet user, because people now entrust the network with a great deal of sensitive information: passport data, email and physical addresses, payment card details, and social security numbers.

Various authentication schemes are used to protect users' confidential information, and two-factor authentication is recognized as one of the most reliable. Information security experts, Protectimus included, strongly recommend enabling 2FA on every account that supports it.

However, hackers constantly invent new tricks to bypass existing data protection systems. Recently, news spread of a new form of social engineering attack used to compromise 2FA. This time the target is SMS authentication, currently the most popular form of two-factor authentication.

What is new about this method is that intercepting one-time passwords no longer requires infecting the victim's computer or smartphone with a Trojan, as it did before. It turns out that a little cunning combined with social engineering is enough to obtain the OTP.

Let's recall how two-factor authentication works on most sites. To improve ease of use, they often enable smart identification: the one-time password is requested only when the user signs in to the account from a new device or browser.

This is the loophole the hackers have found. First, the potential victim receives a phishing SMS that appears to come from a service (in this case Google, but the same could happen with any other site supporting 2FA) reporting an attempt at unauthorized access to their account.

The SMS also says that the user will shortly receive another message containing an OTP, and that they must send this OTP back in a reply if they want the account to be temporarily blocked.

At the same time, the scammers attempt to sign in to the victim's account (from another computer, of course), so the system sends a one-time password to the real owner of the account to confirm the login. The unsuspecting user then sends that OTP straight into the hackers' hands, to the phishing address or phone number specified in the SMS.
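As an added example (not from the original post), here is a small rule-based filter, written from the defender's side, that flags SMS messages matching the lure described above: a message that refers to a code and asks the recipient to send it back, usually wrapped in an unauthorized-access scare. The sample messages are constructed; the service names and code values in them are placeholders.

```python
import re

# Constructed sample SMS messages modelled on the scenario in the post: a fake
# "unauthorized access" alert that asks the user to reply with the code the real
# service is about to send. None of these are real messages.
SAMPLES = {
    "phish": "Google alert: unauthorized sign-in attempt on your account. You will "
             "receive a verification code shortly. Reply with that code to block "
             "your account temporarily.",
    "legit": "G-482913 is your Google verification code. Don't share it with anyone.",
    "legit_warn": "Your ExampleBank code is 734512. We will never ask you to reply with it.",
    "other": "Your parcel is out for delivery today between 2pm and 6pm.",
}

CODE_WORDS = re.compile(r"\b(code|one[- ]time password|otp|passcode)\b", re.I)
RELAY_WORDS = re.compile(r"\b(reply|send (it |this )?back|text back|respond with|forward)\b", re.I)
# A negation shortly before the relay verb ("never ask you to reply") is a warning, not a request.
NEGATED_RELAY = re.compile(r"\b(never|not|don't|won't)\b[^.]{0,30}?\b(reply|send|text|respond|forward)\b", re.I)
PRESSURE_WORDS = re.compile(r"\b(unauthori[sz]ed|suspicious|block(ed)?|suspend(ed)?|locked?)\b", re.I)
OTP_VALUE = re.compile(r"\b[A-Z]?-?\d{4,8}\b")


def classify_sms(text: str) -> str:
    """Return 'otp_relay_phish', 'legit_otp' or 'other'.

    The lure has two essential parts: it refers to a code, and it asks the
    recipient to send that code somewhere. A pressure word (unauthorized access,
    blocking) strengthens the verdict but is not required. A genuine OTP message
    carries the code itself and never asks for it back; a "we will never ask you
    to reply" warning must not trip the rule, hence the negation check.
    """
    mentions_code = bool(CODE_WORDS.search(text))
    asks_relay = bool(RELAY_WORDS.search(text)) and not NEGATED_RELAY.search(text)
    carries_code = bool(OTP_VALUE.search(text))
    if asks_relay and (mentions_code or PRESSURE_WORDS.search(text)):
        return "otp_relay_phish"
    if mentions_code and carries_code:
        return "legit_otp"
    return "other"


def scan(messages: dict) -> dict:
    """Classify every message in a {name: text} mapping."""
    return {name: classify_sms(text) for name, text in messages.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:11s} -> {verdict}")
```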

Can such a threat be avoided? It can, and 2FA itself is the answer. A higher level of data security is achieved by using hardware tokens to generate one-time passwords. We have already written about the advantages of hardware tokens in the article "Hardware or software token – which one to choose," and you can find more information here on the different kinds of OTP tokens: hardware, software, and SMS.

Hardware OTP tokens are not connected to any network (Internet, GSM, etc.), which is why the one-time passwords generated by a hardware token cannot be intercepted. In addition, users who have opted for hardware tokens need not worry about social engineering of the kind described above.

After all, the hackers simply won't know the phone number and won't be able to send an SMS to it. As you can see, 2FA has an answer for the fraudsters.

Author: Morgan
