Bypassing 2FA with phishing and OTP bots


Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today’s websites offer some form of it, and some of them won’t even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain types of organizations to protect users’ accounts with 2FA.

Unfortunately, its popularity has spurred on the development of many methods to hack or bypass it that keep evolving and adapting to current realities. The particular hack scheme depends on the type of 2FA that it targets. Although there are quite a few 2FA varieties, most implementations rely on one-time passwords (OTPs) that the user can get via a text message, voice call, email message, instant message from the website’s official bot or push notification from a mobile app. These are the kind of codes that most online scammers are after.

Read more…
Source: Kaspersky


Sign up for our Newsletter


Related:

  • ‘RockYou2024’: Nearly 10 billion passwords leaked online

    July 8, 2024

    On a popular hacking form, a user has leaked a file that contains 9,948,575,739 unique plaintext passwords. The list appears to be a compilation of passwords that were obtained during several old and more recent data breaches. The list is referred to as RockYou2024 because of its filename, rockyou.txt. To cybercriminals the list has some value ...

  • Twilio data breach gets a whole lot worse as it confirms hackers accessed Authy user phone numbers

    July 4, 2024

    The recent data breach affecting Twilio may have taken a rather unfortunate extra turn after new reports claim the hackers can single out Authy users from the archives. The infamous ShinyHunters hacking collective recently said it stole 33 million phone numbers from Twilio, and the company has now revealed that the attackers were able to determine ...

  • Social Engineering Tactics Targeting Healthcare & Public Health Entities and Providers

    June 24, 2024

    Access to employees’ email accounts, and then pivoted to specifically target login information related to the processing of reimbursement payments to insurance companies, medicare, or similar entities. To gain initial access to victim networks, the threat actor acquired credentials through social engineering or phishing. In some observed instances, the threat actor called an organization’s IT Help ...

  • Analysis of user password strength

    June 18, 2024

    The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of guessing an eight-character password consisting of ...

  • QR code SQL injection and other vulnerabilities in a popular biometric terminal

    June 11, 2024

    Biometric scanners offer a unique way to resolve the conflict between security and usability. They help to identify a person by their unique biological characteristics – a fairly reliable process that does not require the user to exert any extra effort. Yet, biometric scanners, as any other tech, have their weaknesses. This article touches on biometric ...

  • Bypassing 2FA with phishing and OTP bots

    June 10, 2024

    Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today’s websites offer some form of it, and some of them won’t even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain types of organizations to protect users’ accounts ...