There's a sneaky new trick going around that can fool some people into divulging their two-factor authentication code to crooks, while thinking they're actually protecting their accounts.
Two-factor authentication, or 2FA, is a second layer of authentication that many online services support, from banks to Google, from Facebook to government agencies.
2FA works by requiring a user to enter a code that they received via SMS on their phone after they logged into a 2FA-protected account. If the user doesn't enter the code promptly, the login is classified as a hacking attempt, and the user blocked from accessing the account, even if they entered the correct password.
You can see the benefits, right?
Crooks pass as Google, ask users for "verification code"
This past week, Alex MacCaw, co-founder of Clearbit.com, tweeted out the image of an SMS he had just received.
An unknown attacker had sent MacCaw an SMS message posing to be from Google. The SMS read as follows:
“ (Google™ Notification) We recently noticed a suspicious sign-in attempt to
jschnei4@gmail.com from IP address 136.91.38.203 (Vacaville, CA). If you did not sign-in from this location and would like to lock your account temporarily, please reply to this alert with the 6-digit verification code you will receive momentarily. If you did authorize this sign-in attempt, please ignore this alert.
”
