Be warned, there's a nasty Google 2 factor auth attack going around (opens in new tab)

(twitter.com)

142 pointsmaccman9y ago56 comments

56 comments

So the scam is, attacker knows your gmail address and your phone number. They send you the text message about suspicous activity on your account. Then they attempt to reset the password on your gmail account. That triggers Google to send you the code. You reply to the attacker's message with the code as instructed, and they own your account.

stephengillie9y ago

Again, this is a social engineering attack. 2-factor remains mathematically secure.

untog9y ago

Sure, but implementation matters. I've long thought that 2 factor via SMS is a sub-optimal solution because it trains you to expect secure login info from a random shortcode SMS number.

fragsworth9y ago

It doesn't sound like "2-factor" if all they need is the single code on your phone.

2 more replies

jrockway9y ago

Mathematically secure is totally meaningless. OTPs can be phished, and this attack is a great example of that.

U2F is the fix for this.

wdr19y ago

Was anyone claiming otherwise?

bitL9y ago

This sounds like an ancient Agora protocol interaction attack back in the beginning of e-commerce :-D

JohnTHaller9y ago

This isn't a 2 factor attack. It's a social engineering Google account password reset attack. The attacking party is resetting your Google password and asking you to provide the code Google sends your registered mobile number via text to them.

kjaftaedi9y ago

It is a 2 factor attack in the sense that it reduces the two factors down to one.

sievebrain9y ago

2 factor auth is not a defence against phishing. This is such a common misconception. All two-factor means is that someone with only your password cannot log in, or only your device.

What's happening here is that Google accounts without 2-factor but with a phone recovery path set up are being "account recovered" by a bad guy. It's just plain old phishing.

oplav9y ago

I don't think there were ever 2 steps in this account recovery flow. There seems to be only 1 step when initiating a account recovery: provide the code sent to your phone.

A 2 factor recovery flow would be 1) verify an email that was sent to your recovery email address that triggers 2) this account recovery code sent to your phone.

parent54469y ago

It does not reduce the two factors down to one. You still need two factors (password and SMS code) to login. It's just that you're giving both of them to the attacker.

azinman29y ago

I wonder if this is at all related to a phishing attempt that just got my mom and all her friends. It came in as a "docusign" email that looked reasonably legit (to an ordinary person) that just had one button to sign and review a document. Apparently they asked for email, email password, and phone number. I was surprised to learn about the phone number bit and how they'd use it. Something like this is probably how.

While I'd have thought entering your email password would have been red flag galore, my mom and her friends were all exploited by the social trust aspect "I figured if it was coming from you it would be real."

Sephr9y ago

> "I figured if it was coming from you it would be real."

You should set up a strict DMARC policy (p=reject) to prevent people from spoofing your email address. It appears that you have not[1].

Additionally, you should harden your SPF record: change ~all to -all.

[1]: https://dmarcian.com/record-tools/azinman.com

azinman29y ago

It's not a spoof when you're phished and hand over your credentials.

It also was my mom that was phished, not me.

1 more reply

imglorp9y ago

I just saw one of those. It's especially convincing when they target realtors' address books, because everyone in a real estate transaction is expecting a bunch of docusign links to be flying around from their realtor and their title company. So if something doesn't look kosher, they attribute it to a clunky process and hand over their login.

twoodfin9y ago

This is exactly how my parents were phished. Interesting to hear it likely wasn't a coincidence that it came from their realtor.

I subsequently set them up with two factor almost everywhere, but I'd give at least even odds they'd fall for this, too. Sigh.

yborg9y ago

Clever. If you've never actually had 2FA trigger before to know how it works, you could fall for this.

tjohns9y ago

This is one of nice things about using a hardware security key (FIDO U2F), like Yubikey.

Since the security key works with the browser to ensure its communicating directly with a specific site, you can't MITM them like you can mobile app (TOTP) or SMS-based two-factor codes.

I wish more browsers would add support for them.

libeclipse9y ago

This "attack" could be semi-mitigated by using Authy or Google Authenticator instead of SMS. If users knew to never ever paste the generated codes anywhere but the site, this attack wouldn't exist at all.

tehwebguy9y ago

A friend is currently receiving spear phishing attempts via text. Claims their lost iPhone has been found and that they need to log into icloud10 . com

koolba9y ago

While you're add it, verify that your password has not been hacked by entering it here: hxxp://evil.example.com/password-checker

ikeboy9y ago

hunter2

nhumrich9y ago

password123

fragsworth9y ago

How can this possibly work?

Even if an attacker gets the phone code, they should still need your password to sign in. How do they get past that?

kinofcain9y ago

As ams6110 noted, it's likely not a 2-factor auth attack but rather a password reset attack.

jschwartzi9y ago

I guess I'm going to go set all my security question answers to random 64-byte strings that are base-64 encoded.

chris_wot9y ago

Don't forget to apply a ROT-13 encoding afterwards, that should make it super secure.

technofiend9y ago

I'm doubly secure with ROT-13 applied twice! ROT-26 (Patent Pending). Don't leave home without it.

1 more reply

j / k navigate · click thread line to collapse

56 comments

ams61109y ago

stephengillie9y ago

Again, this is a social engineering attack. 2-factor remains mathematically secure.

untog9y ago

Sure, but implementation matters. I've long thought that 2 factor via SMS is a sub-optimal solution because it trains you to expect secure login info from a random shortcode SMS number.

fragsworth9y ago

It doesn't sound like "2-factor" if all they need is the single code on your phone.

2 more replies

jrockway9y ago

Mathematically secure is totally meaningless. OTPs can be phished, and this attack is a great example of that.

U2F is the fix for this.

wdr19y ago

Was anyone claiming otherwise?

bitL9y ago

This sounds like an ancient Agora protocol interaction attack back in the beginning of e-commerce :-D

JohnTHaller9y ago

kjaftaedi9y ago

It is a 2 factor attack in the sense that it reduces the two factors down to one.

sievebrain9y ago

2 factor auth is not a defence against phishing. This is such a common misconception. All two-factor means is that someone with only your password cannot log in, or only your device.

What's happening here is that Google accounts without 2-factor but with a phone recovery path set up are being "account recovered" by a bad guy. It's just plain old phishing.

oplav9y ago

I don't think there were ever 2 steps in this account recovery flow. There seems to be only 1 step when initiating a account recovery: provide the code sent to your phone.

A 2 factor recovery flow would be 1) verify an email that was sent to your recovery email address that triggers 2) this account recovery code sent to your phone.

parent54469y ago

It does not reduce the two factors down to one. You still need two factors (password and SMS code) to login. It's just that you're giving both of them to the attacker.

azinman29y ago

Sephr9y ago

> "I figured if it was coming from you it would be real."

You should set up a strict DMARC policy (p=reject) to prevent people from spoofing your email address. It appears that you have not[1].

Additionally, you should harden your SPF record: change ~all to -all.

[1]: https://dmarcian.com/record-tools/azinman.com

azinman29y ago

It's not a spoof when you're phished and hand over your credentials.

It also was my mom that was phished, not me.

1 more reply

imglorp9y ago

twoodfin9y ago

This is exactly how my parents were phished. Interesting to hear it likely wasn't a coincidence that it came from their realtor.

I subsequently set them up with two factor almost everywhere, but I'd give at least even odds they'd fall for this, too. Sigh.

yborg9y ago

Clever. If you've never actually had 2FA trigger before to know how it works, you could fall for this.

tjohns9y ago

This is one of nice things about using a hardware security key (FIDO U2F), like Yubikey.

Since the security key works with the browser to ensure its communicating directly with a specific site, you can't MITM them like you can mobile app (TOTP) or SMS-based two-factor codes.

I wish more browsers would add support for them.

libeclipse9y ago

tehwebguy9y ago

A friend is currently receiving spear phishing attempts via text. Claims their lost iPhone has been found and that they need to log into icloud10 . com

koolba9y ago

While you're add it, verify that your password has not been hacked by entering it here: hxxp://evil.example.com/password-checker

ikeboy9y ago

hunter2

nhumrich9y ago

password123

fragsworth9y ago

How can this possibly work?

Even if an attacker gets the phone code, they should still need your password to sign in. How do they get past that?

kinofcain9y ago

As ams6110 noted, it's likely not a 2-factor auth attack but rather a password reset attack.

jschwartzi9y ago

I guess I'm going to go set all my security question answers to random 64-byte strings that are base-64 encoded.

chris_wot9y ago

Don't forget to apply a ROT-13 encoding afterwards, that should make it super secure.

technofiend9y ago

I'm doubly secure with ROT-13 applied twice! ROT-26 (Patent Pending). Don't leave home without it.

1 more reply

j / k navigate · click thread line to collapse