Two-Factor Authentication (2FA) is currently one of the best ways to protect applications from intrusion. However, it is not foolproof: a skilled social engineer can still get around it.
I came across an interesting post in KnowBe4’s Security Blog the other day. Read and learn how a social engineer defeated 2FA and robbed a victim who thought he knew better:
A tech-savvy user who never reuses passwords and uses two-factor authentication received a call on his cell phone from someone claiming to be his bank. The “agent” on the phone said the bank had identified suspicious activity on his credit card and needed to discuss it with him, but first he had to verify his identity. The agent said the bank would send a text to his cell and asked the user to read back the 6-digit number. The user complied.
The agent then listed a number of charges, which the user confirmed as legitimate except for one of $1000. The agent said the bank would cancel the card, refund the money, and issue a new credit card. The user was once again asked to read back a new 6-digit security code, this time as “confirmation.” The user complied, and the agent hung up.
During the conversation, the user’s cell phone was buzzing with new email notifications, which he ignored.
After the call ended, the user (now turned victim) saw the following four unread emails:
- Your user name has been reset.
- Your password has been reset.
- Welcome to Zelle!
- You’ve just forwarded $1000.
By the way, Zelle is a peer-to-peer money transfer service.
The scammer had already obtained the victim’s bank login credentials by some means, but because of two-factor authentication the bank sent one-time codes to the victim’s cell phone before letting anyone log in or authorize the transfer. Each code the “agent” asked for was in fact a code the bank had just sent in response to the scammer’s own actions on the account, and the phone call was timed so the victim would hand it over. So the social engineer tricked the victim into unwittingly aiding the theft of his own money.
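The sequence the victim’s four notifications describe (credential reset, new Zelle enrollment, and a transfer to a brand-new recipient, all within minutes from a device the bank has never seen) is also a pattern a bank’s own fraud monitoring can catch, even when every one-time code was entered correctly. The following is an added example, not code from the KnowBe4 post or from XSolutions: the event log is constructed for illustration, the field names, timestamps and scoring weights are assumptions, and the `hold_for_callback` outcome stands for holding the payment until the bank calls the customer back on the number it already has on file (never a number supplied during the call, and never released by sending yet another code).

```python
from datetime import datetime, timedelta

# Constructed event log, not from the KnowBe4 post: the victim's four
# notifications as a bank would log them, preceded by the scammer's login from
# an unrecognised device, plus a normal customer ("alice") for contrast.
# Timestamps, field names and user IDs are all assumptions for this example.
EVENTS = [
    {"ts": "2019-03-04T10:01:40", "user": "victim", "event": "login_success",
     "device": "new"},
    {"ts": "2019-03-04T10:02:05", "user": "victim", "event": "username_reset",
     "device": "new"},
    {"ts": "2019-03-04T10:02:30", "user": "victim", "event": "password_reset",
     "device": "new"},
    {"ts": "2019-03-04T10:05:10", "user": "victim", "event": "p2p_enrolled",
     "device": "new", "service": "Zelle"},
    {"ts": "2019-03-04T10:06:45", "user": "victim", "event": "p2p_transfer",
     "device": "new", "amount": 1000.0, "payee": "new"},
    {"ts": "2019-03-04T11:00:00", "user": "alice", "event": "login_success",
     "device": "known"},
    {"ts": "2019-03-04T11:01:00", "user": "alice", "event": "p2p_transfer",
     "device": "known", "amount": 250.0, "payee": "existing"},
]

WINDOW = timedelta(minutes=30)   # how far back to look before a transfer
CREDENTIAL_CHANGES = {"username_reset", "password_reset", "email_reset", "phone_reset"}
HOLD_THRESHOLD = 6               # assumed cut-off; tune on real data


def parse_ts(s):
    return datetime.fromisoformat(s)


def score_transfer(transfer, history):
    """Score one outbound transfer against the same account's recent events.

    Each signal is weak on its own (people do buy new phones and pay new
    people); it is the combination inside one short window that looks like
    an account takeover. Returns (score, reasons).
    """
    t0 = parse_ts(transfer["ts"])
    recent = [e for e in history if t0 - WINDOW <= parse_ts(e["ts"]) < t0]
    score, reasons = 0, []
    if transfer.get("device") == "new":
        score += 2
        reasons.append("transfer from unrecognised device")
    if any(e["event"] in CREDENTIAL_CHANGES for e in recent):
        score += 3
        reasons.append("credential reset within window")
    if any(e["event"] == "p2p_enrolled" for e in recent):
        score += 3
        reasons.append("P2P service enrolled within window")
    if transfer.get("payee") == "new":
        score += 2
        reasons.append("first payment to this payee")
    return score, reasons


def review(events, hold_at=HOLD_THRESHOLD):
    """Decide every p2p_transfer in the log.

    Returns {(user, ts): (decision, score, reasons)}. A held transfer is not
    released by another one-time code (the scammer can phish that too); it
    waits for a call-back to the phone number already on file.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    decisions = {}
    for user, hist in by_user.items():
        hist.sort(key=lambda e: e["ts"])
        for e in hist:
            if e["event"] != "p2p_transfer":
                continue
            score, reasons = score_transfer(e, hist)
            decision = "hold_for_callback" if score >= hold_at else "allow"
            decisions[(user, e["ts"])] = (decision, score, reasons)
    return decisions


if __name__ == "__main__":
    for (user, ts), (decision, score, reasons) in review(EVENTS).items():
        print(f"{ts} {user:8s} {decision:17s} score={score:2d} {'; '.join(reasons)}")
```

Run as is, the victim’s $1000 transfer is held (all four signals fire) while alice’s payment to an existing payee from a known device is allowed. The design point that matches the story: the bank’s 2FA did nothing wrong, every code was genuine, so the only place left to catch the theft is the behaviour of the session itself.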
What we can learn from this true incident:
- First and foremost: caller ID can be spoofed. Don’t trust it. If you get a call from “bank security,” get the person’s name, hang up, and call the official published number (the one on the back of your card or on the bank’s website, not a number the caller gives you). Ask for the security department and to be transferred to the agent who called you.
- The “agent” called the victim on his cell and then asked him to prove his identity by reading back a code sent to the very phone the “agent” had just called. A code sent to a phone the caller is already talking to proves nothing to that caller; it only proves something to the website that sent it. It doesn’t make sense and is a sure sign of a scam.
- After the victim had provided the first security code as “proof of identity” (which should have been a big red flag to begin with), why would the “agent” need him to read back additional authorization codes? Real bank personnel can perform transactions on your account without them.
- Most importantly: never reveal one-time or authorization codes to anyone by phone or email. A code is meant to be typed into the bank’s site or app by you, never read to another person. If you’re asked for one, it’s a scam. Hang up and call your institution’s security department using the official published number to report the incident.
This victim’s sad story shows that a social engineer can bypass technical controls without breaking them: the bank’s 2FA worked exactly as designed, and it was the person holding the phone who was defeated. Social engineers are masters of manipulation, and they know that people are the weakest link in security.
The fact is that technology plus user awareness equals strong security. One without the other just isn’t good enough.
Let’s go one step further. The above story was about an individual user. What if a call like the one described above came into your company’s finance department, or even directly to the CEO? Would they realize that a scam was in progress? Maybe, maybe not. That is a chance a scammer is more than willing to take. Are you?
All companies should run ongoing security awareness training for their employees, management included, to increase security.
XSolutions is an Elite Partner of Datto, the world leader in Hybrid-Cloud Business Continuity solutions whose systems protect 300+ Petabytes of data with over 800 employees and 9 offices around the globe. Call (845) 362-9675 and let us introduce you to the ultimate defense against data loss—whatever the cause.