Skip to main content

Hackers find a way to bypass Gmail two-factor authentication

Macbook with Gmail
Image used with permission by copyright holder

Two-factor authentification has been hailed as a significant move forward in providing online security, letting us log in with confidence to sites such as Gmail. Websites that once required an insecure password now need a complex password with a second form of authentication from a mobile device, or implement other two-factor systems. However, as with everything, two-factor authentication isn’t impervious to flaws, and a new report by Amnesty International details how hackers have been phishing two-factor codes.

Authenticating with a two-factor system is two-step, as hinted by the name, and will typically involve asking a user to enter both a password and a code, either generated by or sent to a mobile device. This secure option does indeed help to prevent hackers from accessing user accounts if they have only gained access to one factor, such as your password, if a website’s data has been breached. But, if you unknowingly give your two-factor code over to a malicious individual or site, the system has been defeated.

Recommended Videos

The Amnesty International report noted that hackers have begun to utilize an automated process that occurs by first phishing your password from a fraudulent website, then submitting the password to Gmail, triggering a two-factor text message, and finally having you submit that message into the fraudulent site.

Please enable Javascript to view this content

Because some systems don’t requiring a user to re-authenticate for switching off two-factor, hackers can then quickly walk away with your account. Even without taking full control of an account, hackers can generate app-specific passwords, secondary passwords that can be used to access two-factor accounts without needing to re-authenticate each time.

Throughout 2017 and 2018, hackers targeted more than a thousand Google and Yahoo accounts across the Middle East and North Africa. When testing, Amnesty International found that its smartphone setup for testing the phishing system did indeed receive a genuine text message from Google’s server to authenticate in connection with the malicious site. The organization notes that the attacks targeted dissidents in the United Arab Emirates.

While the news is not a reason to disengage any two-factor systems you are currently employing, we still recommend switching on two-factor authentication for any websites that offer it, it is another bit of proof that no security system is impermeable.

Michael Archambault
Former Digital Trends Contributor
Michael Archambault is a technology writer and digital marketer located in Long Island, New York. For the past decade…
Hackers are using cookies to sidestep two-factor authentication
A large monitor displaying a security hacking breach warning.

"Cookie stealing" is among the latest trends in cybercrimes that hackers are using to bypass credentials and access private databases, according to Sophos.

Typical security advice for organizations has been to move their most sensitive information to cloud services or to use multifactor authentication (MFA) as a safety means. However, bad actors have figured out how to swipe cookies connected to login details and replicate them to hack the active or recent web sessions of programs that are not commonly refreshed.

Read more
Hackers have found a way to log into your Microsoft email account
A depiction of a hacker breaking into a system via the use of code.

Account holders for Microsoft email services are being targeted in a phishing campaign, according to security researchers from Zscaler's ThreatLabz group.

The objective behind the threat actors’ efforts is believed to be the breaching of corporate accounts in order to perform business email compromise (BEC) attacks.

Read more
Hackers stole passwords from 140,000 payment terminals using malware
The Wiseasy point of sale system on a table.

An Android-based payment system has been affected by hackers who have been able to infiltrate its database and gain access to 140,000 payment terminals globally, according to TechCrunch.

The brand, Wiseasy, is well known in the Asia-Pacific region, with its payment terminals used in restaurants, hotels, retail outlets, and schools. Its accompanying Wisecloud cloud service is used for remote management and configuration for its customer's terminals.

Read more