Warning: Cybercriminals learn to bypass 2FA

Apr 3, 2024 Tech blog

Stay alert and learn how to protect yourself against this threat

Until recently, multi-factor authentication, also known as ‘2FA’, has been seen as a bulletproof way of protecting our online identities and accounts. It has now been revealed that cybercriminals have developed a method to circumvent this trusted security measure.

The good news is that the technology behind multi-factor authentication has not been breached; it is the human side of the process that criminals have learned to manipulate. The key is to remain knowledgeable and vigilant so you stay in control of your account logins and therefore stay secure.

What’s happened?

Multi-factor authentication on accounts relies on two verification steps: something the user ‘knows’ (the password) and something the user ‘has’ (a randomly generated code sent by email or text, or shown in an authenticator app on the user's phone).

This is what gives this login process its strength: even if a cybercriminal discovers your password, whether saved in your browser or exposed through poor password management, the account is still safe because they cannot obtain the 2FA code.

It is this second step that the new form of attack targets, using phishing techniques. Phishing is a form of social engineering scam in which attackers deceive people by impersonating a legitimate identity. In these new attacks that bypass 2FA, the criminal sends an email or text with a link or QR code leading to a fake, cloned login page for an account the user is familiar with and trusts.

If the user does not notice that the login screen is not legitimate and enters their details, both the password AND the 2FA code are intercepted and captured, allowing the cybercriminal to log into the account themselves via the genuine login screen.

Identifying this scam and protecting yourself

The most important takeaway from this incident is that you are in full control of protecting yourself from phishing attacks. It is about staying alert and not rushing to click on links. Looking twice and assessing the content can literally make the difference between opening your bank account to a stranger and keeping your account secure.

When receiving emails, this is what you should look out for:

  • Assess the email for plausibility, grammar, and authenticity - is it likely that the organisation sending you this message would approach customers this way? Is the text well-written and grammatically correct?

  • Check the sending email address - are there spelling mistakes or other irregularities? Does it come from a commercial domain (e.g. info@companyname.com.au) or is it sent from a Gmail or Hotmail account (companyname@gmail.com)?

  • Hover over the link without clicking it - check in the bottom left-hand corner of your browser window for a preview of where the link is pointing. Does the URL look correct?

  • If you have already clicked on a link or scanned a QR code - check the URL in the address bar before entering any details. If it is a cloned, fake page, something will be amiss in the URL, for example a misspelling or a variation of the company’s correct domain address.
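The sender-address and URL checks above can also be automated, for instance in a mail filter or a personal "is this link safe?" helper. The following Python example is added here and is not code from the original post or from IT Basecamp. It assumes a small set of constructed trusted domains (`companyname.com.au`, `mybank.example`) standing in for the bookmarks you keep for your real accounts, and it applies the same reasoning the checklist describes: a link is only trusted when its hostname is exactly a trusted domain or a real subdomain of one; a trusted name appearing as part of a longer hostname, or a hostname within two typos of a trusted domain, is flagged as a lookalike; and a sender using a public webmail provider is flagged separately. The edit-distance threshold and the suffix matching are deliberately simple heuristics, not a public suffix list.

```python
from urllib.parse import urlparse

# Constructed trusted domains for this example; substitute your own bookmarked
# login domains. These are placeholders, not real organisations.
TRUSTED_DOMAINS = {"companyname.com.au", "mybank.example"}

# Public webmail providers; a business rarely contacts customers from these.
FREE_MAIL_PROVIDERS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare 'domain/path' text is accepted too."""
    if "://" not in url:
        url = "https://" + url
    # urlparse correctly ignores user-info tricks such as trusted@evil.example
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host: str, trusted) -> bool:
    """True only for an exact trusted domain or a genuine subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'untrusted', 'unparseable', or a 'lookalike: ...' reason."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if is_trusted_host(host, trusted):
        return "trusted"
    for d in sorted(trusted):
        # companyname.com.au.login-verify.example: the trusted name is only a
        # prefix of a different registrable domain.
        if d in host:
            return f"lookalike: '{d}' is only part of '{host}'"
        # cornpanyname.com.au, c0mpanyname.com.au: a near-miss spelling.
        if edit_distance(host, d) <= 2:
            return f"lookalike: '{host}' is a misspelling of '{d}'"
    # A trusted name in the path or query string is ignored on purpose;
    # only the hostname decides where the browser will send your details.
    return "untrusted"


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Apply the same domain checks to the part of an email address after '@'."""
    if address.count("@") != 1:
        return "malformed"
    _local, domain = address.lower().rsplit("@", 1)
    if domain in FREE_MAIL_PROVIDERS:
        return "free-webmail"
    return classify_link(domain, trusted)


if __name__ == "__main__":
    # Constructed sample links and senders, as they might appear in a message.
    for sample in ["https://login.companyname.com.au/account",
                   "https://companyname.com.au.login-verify.example/2fa",
                   "https://cornpanyname.com.au/login",
                   "http://evil.example/?next=https://companyname.com.au"]:
        print(f"{sample:60} -> {classify_link(sample)}")
    for sender in ["info@companyname.com.au", "companyname@gmail.com",
                   "info@c0mpanyname.com.au"]:
        print(f"{sender:60} -> {classify_sender(sender)}")
```

The design choice worth noting is that only the hostname is examined: a genuine-looking company name inside the path, the query string, or the user-info portion before an `@` never makes a link trusted, because none of those parts control where the login form actually submits your password and code.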

Logging into accounts securely

This is how you can log into your online accounts safely:

  • Don’t use links or QR codes in emails or text messages to log into any account - to be on the safe side, just don’t use them. If a company you have an account with sends you a message asking you to log into your account for any reason, go to the login page independently instead of using the link in the message. If it is a scam, you will sidestep it!

  • Don’t save passwords in your browser or use the ‘remember me’ function when logging in - use a non-browser-based password manager instead to create strong passwords and store them securely.

  • Store your login pages in bookmarks or in your password manager for easy access - or type them directly into the address bar of your web browser and check again that the URL is correct.

  • Always set up multi-factor authentication (2FA) on accounts - and also set up a recovery method, such as a backup email address, or download backup codes and store them somewhere safe.

To ensure your business stays ahead of cyber threats, check out IT Basecamp’s cyber security concierge service, Cyber Heroes.

And for more tips and advice on keeping you and your family safe online, take a look at our free Cyber Security Fundamentals course.