Don't expect two-factor authentication to always protect your accounts. Google has noticed an unsettling increase in phishing attacks that can defeat the security setup.
"We've seen a big rise in the number of phishable 2FA attacks," Nicolas Lidzborski, a security engineering lead for Gmail, said during a talk at the RSA cybersecurity show.
These "2FA phishing attacks" work by tricking the victim into handing over their password and a special one-time passcode protecting the Gmail account. Normally, this one-time passcode is hard to obtain since it's generated on a person's smartphone and expires after 30 seconds.
However, Lidzborski said hackers have been refining their password-stealing schemes to also nab the one-time passcode. So-called "phishing kits" steal a victim's password and two-factor authentication passcode as they type it into deceptive email and login pages, and then quickly break into the affected account within the 30-second time limit.
"2FA is much better than single factor, using a username and password. There's no doubt about it," he said. "However, we've seen attackers actively try to defeat 2FA."
In December, Amnesty International said it noticed one hacking group defeating two-factor protection through the help of an automated phishing attack that can steal and plug in the passcodes before the 30-second time limit runs out. A month later, a security researcher released an open source toolkit, which can also create phishing pages to defeat two-factor.
It doesn't help that the one-time passcode generated over two-factor authentication can also sometimes be sent over SMS messaging. That can make two-factor authentication vulnerable to SIM swapping attacks, in which the hacker impersonates a target to steal their mobile phone number from the wireless carrier.
"This is the loophole. People can potentially go after the phone provider, get the number transferred and get the 2FA," he added.
During the talk, Lidzborski said Google has been trying to protect Gmail accounts from successful phishing attacks by blocking login attempts from unfamiliar geographic locations. The company's email service can also warn you about emails that appear to be phishing attempts and about the dangers of clicking the suspicious links inside them.
But to stay protected, Lidzborski recommends users and businesses adopt a hardware-based solution: USB security keys. They work by supplanting the one-time passcodes in two-factor authentication with a physical piece of hardware, which you can plug into your PC to access your internet accounts. In July, Google reported that it had given all its employees security keys as a way to stop account takeovers on work-related accounts.
Unfortunately, security keys aren't cheap. Google's own product costs $50 for two keys. However, Lidzborski said the technology can make an organization "unphishable."
"If you get phished, you have to really invest into the next level," Lidzborski told PCMag. "It is painfully internally to switch to unphishable 2FA. But until you do so, the attacker will succeed ultimately."
Lidzborski couldn't quantify the exact rise in two-factor phishing attacks Google has seen. On average, the company encounters 100 million phishing messages per day. But in the past only the most sophisticated hackers, such as nation-state cyberspies, employed phishing attacks that could defeat two-factor authentication, he said. "Now it's available as an open-source phishing framework," he added. "So it is an order of magnitude more prevalent than before."
The news is a reminder to be cautious around your email inbox. Phishing emails can often look like legitimate services, such as Google, and will try to trick you into visiting an official-looking login page, when in reality the site is designed to steal your passwords. To teach the public how to spot phishing attacks, Google's Jigsaw last month helped developed a phishing quiz, which can teach you more about the threat.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
