Two-factor authentication is presented as a solid bulwark against hackers, but an Amnesty International report shows how attackers manage to bypass the system at several web giants, including Google and Yahoo. Thousands of accounts could be hacked through a sophisticated phishing process.
For the majority of Internet users, security is one of the most important aspects of their web experience. Many have adopted two-factor authentication to add an extra layer of protection to their online accounts. But does that really make them invulnerable? Not really, according to an Amnesty International report describing how hackers have been able to compromise thousands of accounts over the past two years by bypassing the two-factor authentication of Gmail (Google) and Yahoo, whose breach of 3 billion accounts is still fresh in memory.
Google, Yahoo: how hackers get around two-factor authentication
The trick is quite similar to a classic phishing attack, but far more elaborate. Targeted users first receive an email alert that directs them to a decoy site. There they are invited to enter their credentials, which the attackers capture. The attackers then trigger a two-factor login request on the real service using the captured credentials and prompt the user to type in the code they receive by SMS. With that code, the attackers gain access to the victim's account. The whole chain runs through an automated system.
It is important to stress that this is not a security flaw in the two-factor authentication system itself, but a clever bypass that only works with the help of inattentive Internet users. To avoid being fooled, the report recommends that users perform two-factor authentication with a physical device.
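Why a physical security key resists this relay-style phishing while an SMS code does not comes down to origin binding. The following Python sketch is an added example, not code from the article or from Amnesty International: it models a WebAuthn-style assertion in which the browser (not the page) records the origin it is on, and the real service rejects any assertion whose origin differs from its own. The domains, the user name and the six-digit code are constructed, and an HMAC stands in for the security key's per-credential signature purely to keep the example dependency-free.

```python
import hashlib
import hmac
import json
import secrets

# Constructed names: a relying party and a look-alike decoy domain.
RP_ID = "accounts.example.com"
LEGIT_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com.login-alert.example"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy security key. HMAC with a per-key secret stands in for ECDSA
    over (authenticatorData || SHA-256(clientDataJSON)), as in WebAuthn."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # authenticatorData = rpIdHash || flags || signCount (toy layout)
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(self.key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return auth_data, sig


def browser_build_client_data(origin: str, challenge: str) -> bytes:
    # The browser fills in the origin of the page that called the API.
    # A decoy page cannot claim to be the legitimate origin.
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(payload, sort_keys=True).encode()


class RelyingParty:
    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id = rp_id
        self.origin = origin
        self.credentials: dict[str, bytes] = {}   # user -> verification key (toy)
        self.pending: dict[str, str] = {}         # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator) -> None:
        self.credentials[user] = authenticator.key  # toy stand-in for the public key

    def new_challenge(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, client_data_json: bytes, auth_data: bytes, sig: bytes):
        client_data = json.loads(client_data_json)
        challenge = self.pending.pop(user, None)
        if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
            return False, "bad challenge"
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch"        # this is what defeats the decoy site
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.credentials[user], auth_data + sha256(client_data_json), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        return True, "ok"


def login_via(origin: str, rp: RelyingParty, user: str, auth: Authenticator):
    """Complete one login from a page served at `origin`. A relay proxy can
    forward the real challenge, but the browser still stamps its own origin."""
    challenge = rp.new_challenge(user)
    client_data_json = browser_build_client_data(origin, challenge)
    auth_data, sig = auth.get_assertion(rp.rp_id, client_data_json)
    return rp.verify(user, client_data_json, auth_data, sig)


def verify_sms_otp(expected_code: str, submitted_code: str) -> bool:
    """An SMS code binds to nothing: whatever the victim types into the decoy
    page can be forwarded verbatim to the real service and accepted."""
    return hmac.compare_digest(expected_code, submitted_code)


def demo():
    rp = RelyingParty(RP_ID, LEGIT_ORIGIN)
    key = Authenticator()
    rp.register("alice", key)
    return {
        "legit": login_via(LEGIT_ORIGIN, rp, "alice", key),
        "phish": login_via(PHISH_ORIGIN, rp, "alice", key),
        "sms_relayed": verify_sms_otp("482913", "482913"),  # constructed code
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the legitimate origin accepted, the decoy origin rejected with "origin mismatch" even though the user touched a genuine key, and the relayed SMS code accepted because nothing in a six-digit code records where it was typed.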
As a reminder, Google recently launched the Titan Security Key, a two-factor authentication USB key intended to strengthen the security of its online services.