2 Ways Hackers Could Secretly Break 2FA: A Hard Lesson Learned
A hard lesson learned from a social engineering hack
In the ever-changing digital world, the only thing that doesn't change is "change" itself. Once upon a time we had a false sense of security: a complex password that no one could guess was considered safe. Not anymore. In March 2021, the Canada Revenue Agency had 800,000 Canadian accounts with sensitive information leaked to hackers despite heightened security measures.
2FA means two-factor authentication: many software designers use a second channel, such as an email or an SMS to a mobile device, as an extra means of verification. The corporate world introduced 2FA as an additional security layer, for example a passcode sent to a cell phone before access to the account is granted. Think this is good enough? Unfortunately, no.
Interception is now possible.
Emails can be intercepted. What's new? So can SMS. A simple Google search for "SMS intercept" will lead you to many such cases and show how easy it is. And even when you are doing everything right, you cannot prevent social engineering.
A Hard Lesson
The term social engineering refers to "the use of deception to manipulate individuals into divulging confidential or personal information for fraudulent purposes." Even when hackers cannot intercept the SMS, other means can lure the victim into giving up the 2FA code.
Consider this situation.
An incoming robocall with the caller ID "XXX Bank" reaches the victim, stating: "There is an unauthorized transaction of $103 from your bank account right now. If this is not you, please press '1' now." Naturally the victim, shocked because they did not make the transaction, presses 1. The script continues: "To confirm that this is you, we are sending a secret code to your cellphone now. Please enter the secret code when you receive it. Don't worry, we will reverse the charge immediately."
Little does the victim know who the culprit is. The hacker already has the victim's cellphone number, username and password for the bank, so while the call is in progress they log in to the victim's bank account, which triggers the bank's 2FA and sends the SMS to the victim's cellphone. Beware: the SMS is genuine and sent directly by the bank, but when the victim reads the genuine code to the spoofed caller, they hand over access to their bank account. From the bank's side nothing looks wrong, because the code it issued comes back through the very login session that requested it.
Social engineering hacks are getting more complex every day. To protect against situations like this, make sure your corporate staff are trained regularly and stay alert. And make sure you have cyber insurance in place as a safety net.
Call UW Insure Brokers to discuss your cyber insurance needs. With one of the most comprehensive coverages available, you can be assured you are protected.