What is two-factor authentication?

(Image credit: Reddit)

Multi-factor authentication (MFA) is a digital authentication method that confirms a user's identity, and so grants them access to a website or app, using at least two pieces of evidence. Two-factor authentication, more popularly known as 2FA, is the most commonly used form. For 2FA to work, a user must present at least two separate credentials to log in to an account (with multi-factor usually involving more than three different details). For example, a bank will require a username and password for a user to access their account, but it also needs a second form of authentication, such as a unique code or fingerprint recognition, to confirm the user's identity. This means that if an unauthorized user gets their hands on a password, they will still need access to the email address or phone number linked to the account, where a special code is sent, for an extra level of protection. This second factor can also be used before a transaction is made.

As explained by software company Ping Identity, 2FA's required credentials fall into three categories: "what you know", "what you have", and "what you are." "What you know", or your knowledge, comes down to your passwords, PIN, or the answer to a security question such as "what is your mother's maiden name?" (something I never seem to remember).

The U.K.'s Office of Communications (Ofcom), the entity that assigns mobile numbers to U.K. network providers, states (via The Evening Standard) that it has a strict "use it or lose it" policy for pay-as-you-go mobile numbers. Vodafone disconnects and recycles a phone number after just 90 days of no activity, while O2 does this after 12 months. In the U.S., network providers including Verizon and T-Mobile let customers change their number and choose from the available numbers shown on the online number change interfaces in their website or app. There are millions of recycled phone numbers available, with more piling up each day. Recycled numbers can be harmful to those who originally owned them, as many platforms, including Gmail and Facebook, are linked to your mobile number for password recovery or, and here's the kicker, two-factor authentication.

How 2FA puts you at risk

A study at Princeton University discovered how easily anyone can obtain a recycled phone number and use it for several common cyberattacks, including account takeovers and even denying access to an account by holding it hostage and asking for a ransom in exchange for access.

According to the study, an attacker can find available numbers and check whether any of them are associated with online accounts belonging to previous owners. By viewing those owners' online profiles and checking whether their old number is still linked, attackers can buy the recycled number (just $15 at T-Mobile) and reset the password on the accounts. Where 2FA is in use, they will then receive and enter the special code sent via SMS. The researchers tested 259 numbers they obtained through the two U.S. mobile carriers and found that 171 of them had a linked account on at least one of six commonly used websites: Amazon, AOL, Facebook, Google, PayPal, and Yahoo.

Researchers found another variation of the attack that allowed malicious actors to hijack accounts without having to reset a password. This is called a "reverse lookup attack." Using the online people search service BeenVerified, a hacker could search for an email address by using a recycled phone number, then check whether that email address had been involved in data breaches using the Have I Been Pwned? breach lookup service. If it had, the attacker could buy the password on a cybercriminal black market and break into a 2FA-enabled account without needing to reset a password.

To make matters worse, attackers can also take your account hostage. A nasty trick sees a hacker obtain a number and sign up to several online services that require a phone number. Once complete, they discontinue the service so the number can be recycled for a new subscriber to start using. When the new user tries to sign up for the same services, the hacker is notified via 2FA and can deny them a way to use the service. The threat actor will then ask the victim to pay a ransom if they want to use these online services. Using 2FA in this way is atrocious, but that doesn't stop it from happening.
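From the service operator's side, the carrier recycling windows quoted above suggest a simple control: a recovery number that was last verified longer ago than its carrier's inactivity window may already belong to someone else, so SMS codes sent to it should not be trusted until the owner re-proves control. The audit below is an added example, not code from the article or the Princeton study; the fallback window for unlisted carriers, the account record layout and the sample accounts are all assumptions.

```python
from datetime import datetime, timedelta

# Inactivity windows after which a carrier may recycle a number.
# Vodafone (90 days) and O2 (12 months) are the figures quoted in the
# article; the fallback for any other carrier is an assumption.
RECYCLE_WINDOW_DAYS = {"vodafone": 90, "o2": 365}
DEFAULT_WINDOW_DAYS = 90


def recovery_number_status(account, now):
    """Classify one account's recovery number.
    'ok': verified within the carrier's window; 'reverify': may have changed
    hands and is trusted for SMS 2FA/reset, so SMS codes must not be accepted
    until the owner re-proves control; 'stale': may have changed hands but
    is not used for SMS auth."""
    window = RECYCLE_WINDOW_DAYS.get(account["carrier"].lower(), DEFAULT_WINDOW_DAYS)
    if now - account["last_verified"] <= timedelta(days=window):
        return "ok"
    return "reverify" if account["sms_recovery"] else "stale"


def audit(accounts, now):
    """Map each user to the status of their recovery number."""
    return {a["user"]: recovery_number_status(a, now) for a in accounts}


def sms_code_acceptable(account, now):
    """Gate for the login/reset flow: trust an SMS code only when 'ok'."""
    return recovery_number_status(account, now) == "ok"


# Constructed sample data; +44 7700 900xxx and +1 202 555 01xx are
# reserved fictional ranges, not real subscribers.
NOW = datetime(2021, 6, 1)
ACCOUNTS = [
    {"user": "alice", "phone": "+44 7700 900001", "carrier": "Vodafone",
     "last_verified": datetime(2021, 5, 15), "sms_recovery": True},
    {"user": "bob", "phone": "+44 7700 900002", "carrier": "Vodafone",
     "last_verified": datetime(2021, 1, 10), "sms_recovery": True},
    {"user": "carol", "phone": "+44 7700 900003", "carrier": "O2",
     "last_verified": datetime(2021, 1, 10), "sms_recovery": True},
    {"user": "dave", "phone": "+1 202 555 0104", "carrier": "T-Mobile",
     "last_verified": datetime(2020, 1, 1), "sms_recovery": False},
]

if __name__ == "__main__":
    for user, status in audit(ACCOUNTS, NOW).items():
        print(f"{user}: {status}")
```

Bob's Vodafone number was verified 142 days ago, past the 90-day window, so his SMS resets are blocked until he re-verifies, while Carol's O2 number with the same age is still inside its 12-month window.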