Skip to main content

How Hackers Get Around 2-Step Authentication

Hackers Get Around 2-Step Authentication

Many of the most popular branded websites out there including your bank and your brokerage account, lets you enable 2-factor authentication. What that means is not only do you need  your username and password to log into the site, but the site will text you a 6-digit code, and you have to put in the code to complete the login process. And that confirms that you actually have that mobile phone. So it's something you know your password and something you have, which is your cell phone. And there's no way to hack into a SIM card. It has crypto keys. And unless you have a certain key called a Ki, you can't really do anything with it.

It's easier to trick the phone company into switching the SIM card to the one that the attacker has in his or her possession. You have to use social engineering. And what social engineering is, it's using manipulation, deception, and influence to trick a target into doing something or complying with a request.

Deray Mckesson Account Hacked

In the case of Deray Mckesson, who is a black rights activist, what these hackers did is they called Verizon, pretending to be Deray Mckesson and basically said that he had a problem with his phone, he has to put in a new SIM card. So they verified his identity, then they activated the new SIM. So now when the text message came in for the 2-step authentication, it wnr to the bad guy's phone. So they got the code and were able to access his account.

Another way of bypassing 2-factor authentication is phishing. So they'll basically send you a message, pretending to be from Google or Microsoft or whoever you're doing the 2-factor authentication through, and try to trick you into texting the code back at that time and then the attacker will go ahead and use that code to log in to your account, as long as you text that code within 60 seconds. Because it changes every 60 seconds. So that's kind of an amateurish type of attack, but it works.