How Hackers Bypass Gmail 2FA at Scale

[InfoSec News <alerts () infosecnews org>]

https://motherboard.vice.com/en_us/article/bje3kw/how-hackers-bypass-gmail-two-factor-authentication-2fa-yahoo

By Joseph Cox
Motherboard.vice.com
December 19, 2018

If you're an at risk user, that extra two-factor security code sent to 
your phone may not be enough to protect your email account.

Hackers can bypass these protections, as we've seen with leaked NSA 
documents on how Russian hackers targeted US voting infrastructure 
companies. But a new Amnesty International report gives more insight into 
how some hackers break into Gmail and Yahoo accounts at scale, even those 
with two-factor authentication (2FA) enabled.

They do this by automating the entire process, with a phishing page not 
only asking a victim for their password, but triggering a 2FA code that is 
sent to the target’s phone. That code is also phished, and then entered 
into the legitimate site so the hacker can login and steal the account.

The news acts as a reminder that although 2FA is generally a good idea, 
hackers can still phish certain forms of 2FA, such as those that send a 
code or token over text message, with some users likely needing to switch 
to a more robust method.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_