In a private Facebook post recently, I noticed someone rightly complaining about receiving hundreds of text messages over a few days, each containing an authentication link for a Google Merchant account. Google Merchant, by the way, is the service online retailers use to place product ads at the top of Google search results.
The comments on the post were a mix of reassurance that everything was working as intended, advice, and technical know-how. Overwhelmingly, the comments affirmed that the two-factor authentication system was doing its job and that the user now needed to take action, i.e. change their password(s). Many comments pointed to recent hacking scandals in the news as the reason the user had become vulnerable, but those sounded like assumptions.
Two-factor authentication (2FA) works like a second password for online and offline accounts: a secondary or tertiary identity check that you are who you say you are, verified against details only you should have. Here we are talking only about the digital world, although there are many overlaps with real-life interactions and security. Imagine, for a second, someone assuming an identity with forged documents to get something they need, or stealing a key to a house and breaking in.
2FA relies on a user accessing a website and that website asking for more information. That information is either the answer to a second identity question that ideally proves you are who you say you are, or confirmation of possession or location: a security token sent by email or SMS, or a digipass, a handheld device with a keypad that produces a number.
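To make the "security token sent by email or SMS" step concrete, here is an added example of how a server-side verifier typically handles such a code: it stores only an HMAC of the code, accepts it once, expires it after a fixed time, and locks it after a few wrong guesses. This is illustrative code written for this post, not code from Google or any provider named here; the five-minute lifetime, the five-attempt limit and the `SecondFactorService` class are assumptions, and the code is returned to the caller only so that the example can be run offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 5 * 60   # assumed policy: a delivered code is valid for five minutes
MAX_ATTEMPTS = 5            # assumed policy: wrong guesses allowed before the code is burnt


@dataclass
class PendingCode:
    digest: bytes       # HMAC of the code; the plaintext code is never stored
    issued_at: float    # epoch seconds when the code was generated
    attempts: int = 0   # verification attempts made against this code


class SecondFactorService:
    """Issues and checks delivered one-time codes (SMS/email style)."""

    def __init__(self):
        self._pending = {}                  # user -> PendingCode
        self._key = secrets.token_bytes(32)  # server-side HMAC key, kept apart from the store

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), "sha256").digest()

    def issue(self, user, now=None):
        """Generate a fresh six-digit code for `user`; any earlier code is replaced."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[user] = PendingCode(self._digest(code), now)
        return code   # in a real deployment this goes to the delivery channel, never to a log

    def verify(self, user, code, now=None):
        """Return one of: ok, wrong, expired, locked, no_code."""
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return "no_code"
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]        # stale codes are discarded, not kept "forever"
            return "expired"
        pending.attempts += 1
        if hmac.compare_digest(pending.digest, self._digest(code)):
            del self._pending[user]        # single use: a replayed code is refused
            return "ok"
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]        # too many guesses: the user must request a new code
            return "locked"
        return "wrong"


if __name__ == "__main__":
    svc = SecondFactorService()
    issued = svc.issue("alice", now=1000.0)
    print(svc.verify("alice", issued, now=1030.0))   # ok
    print(svc.verify("alice", issued, now=1031.0))   # no_code (already used)
```

The three properties that matter here are expiry, single use and an attempt limit; a six-digit code without the attempt limit can be guessed in at most a million tries, and without expiry an old message in an inbox stays usable.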
Cybersecurity expert Roger Grimes was interviewed on Cybereason's Malicious Life podcast and believes that 2FA is unreliable and gives users a false sense of security that they are safe from attack. He describes the many ways hackers can use malware or man-in-the-middle websites to mimic identities or devices, and, as with any hack, once your device(s) have been compromised by malware or identity theft, your access token is fair game and can easily be abused.
The US government has been recommending against 2FA via SMS since 1997 because it is so fraught. When identity theft occurs, it is easy for a complete stranger to call a telephone company and have a mobile number ported to a different network without the original account holder ever knowing. One of the primary concerns with 2FA is that account holders are often not given a choice of authentication method: it is SMS or email.
Finally, there is such a thing as multi-factor authentication fatigue: being worn down until you lose the capacity to deny entry to your account. You think that if you enter the code they will go away, but if you do that they will inevitably have access to all your emails. Which, mind you, will include previous emails containing authentication codes for all manner of websites. Not all of them expire after 2 hours or 24 hours; some of them live forever!
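The flood of prompts described above is visible on the provider's side, which is where it should be caught. The following is an added detection example written for this post, not code from any provider: it reads constructed authentication log lines (the format and field names are invented for the example), counts challenges per user inside a sliding window, raises an alert when a user is prompted five or more times in two minutes, and raises a second alert if such a user then approves a prompt, which is the moment fatigue does its damage.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example; the format is invented, not a vendor's.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice event=mfa_challenge_sent channel=sms
2024-05-01T10:00:09Z user=alice event=mfa_challenge_sent channel=sms
2024-05-01T10:00:15Z user=alice event=mfa_challenge_sent channel=sms
2024-05-01T10:00:22Z user=bob event=mfa_challenge_sent channel=push
2024-05-01T10:00:31Z user=alice event=mfa_challenge_sent channel=sms
2024-05-01T10:00:40Z user=alice event=mfa_challenge_sent channel=sms
2024-05-01T10:00:47Z user=alice event=mfa_challenge_approved channel=sms
2024-05-01T10:05:00Z user=bob event=mfa_challenge_approved channel=push
"""

THRESHOLD = 5                 # assumed: this many challenges inside the window is a flood
WINDOW = timedelta(minutes=2)  # assumed sliding window


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into (datetime, dict of fields)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields


def detect_mfa_fatigue(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (user, alert_kind, timestamp) tuples in log order.

    alert_kind is 'prompt_flood' the first time a user crosses the threshold,
    and 'approval_after_flood' for every approval by a user already flagged.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> challenge timestamps still inside the window
    flooded = set()               # users already flagged for a prompt flood
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        user, event = fields["user"], fields["event"]
        queue = recent[user]
        while queue and ts - queue[0] > window:   # drop challenges older than the window
            queue.popleft()
        if event == "mfa_challenge_sent":
            queue.append(ts)
            if len(queue) >= threshold and user not in flooded:
                flooded.add(user)
                alerts.append((user, "prompt_flood", ts))
        elif event == "mfa_challenge_approved" and user in flooded:
            # The user gave in after a flood: treat the session as suspect and
            # trigger a credential reset / session revocation workflow.
            alerts.append((user, "approval_after_flood", ts))
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample lines, alice is flagged at her fifth prompt and again when she approves 47 seconds after the first prompt; bob, with a single prompt and approval five minutes apart, produces no alert. The same loop also gives the provider a natural place to rate-limit challenge delivery per account, which removes the user's "capacity to deny entry" from the equation altogether.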
Don't EVER click the link: it sends the hacker lord straight to the source. It could be malware, and then they control your phone or device without you even knowing it is happening. The temptation to get rid of the antagonist, or to get a little dopamine hit from the connection, feels good, right? WRONG! Don't be phished; this is a malicious attack. Stay safe, change your passwords.