Do not assume that two-factor authentication is always enough to protect your accounts. Google has noticed a worrying increase in phishing attacks that can bypass the security measure.
"We have seen a large increase in the number of 2FA phishing attacks," said Nicolas Lidzborski, Gmail's security chief.
These "2FA phishing attacks" work by tricking the victim into handing over both the password and the one-time code that protects the Gmail account. Normally this one-time code is hard to obtain, since it appears on the person's smartphone and expires after 30 seconds.
However, Lidzborski said hackers have built programs capable of capturing a one-time code. These so-called "phishing kits" steal the victim's password and two-factor authentication code as they type them into deceptive emails and login pages, and then access the account within the 30-second time limit.
"2FA is much better than one factor that only uses a username and a password. There is no doubt about that," he said. "However, some hackers try to bypass 2FA."
In December, Amnesty International said a hacking group was able to bypass two-factor protection through an automated phishing attack that can steal passwords and one-time codes and log in before the 30 seconds have expired. A month later, a security researcher released an open source toolkit that can also create phishing pages to bypass two-factor authentication.
Having the one-time password sent by SMS does not always help either. It can leave two-factor authentication vulnerable to SIM-swap attacks, in which a hacker takes over the victim's mobile phone number.
During the talk, Lidzborski said Google is trying to protect Gmail accounts from successful phishing attacks by blocking login attempts from unfamiliar geographic locations. The company's email service can also warn you about emails that look like phishing attempts and about the dangers of opening suspicious links within them.
But to be properly protected, Lidzborski recommends that users and businesses adopt a hardware-based solution: USB security keys. They replace one-time passwords with a physical piece of hardware that you plug into your computer to access your online accounts. In July, Google said it had given all its employees security keys.
Unfortunately, security keys are not cheap. The Google product costs $50 for two keys. However, Lidzborski said they are very effective.
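To make concrete why a relayed one-time code still works inside its 30-second window while a security key does not, here is an added example (not code from the article, from Google or from any phishing kit) in Python: a minimal RFC 6238 TOTP generator and verifier next to a simplified origin-bound challenge-response modelled on how a security key answers a login. The seed, timestamps, origins and the HMAC standing in for the key's real per-site signature are all constructed for the demo.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30  # seconds: the 30-second validity window the article mentions


def totp_code(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_valid(secret: bytes, code: str, unix_time: int, step: int = TOTP_STEP) -> bool:
    """Server-side check. The code is accepted anywhere inside the current time step and
    carries no record of which page the user typed it into, so a code that reaches the
    real site inside the step verifies regardless of the route it took.
    (Real deployments usually also accept the neighbouring steps for clock skew.)"""
    return hmac.compare_digest(totp_code(secret, unix_time, step), code)


def key_assert(key_secret: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified model of a security key answering a login challenge: the browser tells
    the authenticator which origin is asking, and that origin is bound into the signed
    data. Constructed model: HMAC stands in for the per-site key pair and signature
    that FIDO/WebAuthn actually use."""
    return hmac.new(key_secret, challenge + b"\x00" + origin.encode(), hashlib.sha256).digest()


def key_verify(key_secret: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The legitimate site verifies the assertion against its own origin only."""
    return hmac.compare_digest(key_assert(key_secret, challenge, expected_origin), assertion)


def compare_factors() -> dict:
    """Run both factors through the same timing and report what the server accepts.
    All secrets, timestamps and origins below are constructed for the demo."""
    seed = b"constructed-totp-seed"
    t0 = 1_700_000_010          # exactly on a 30-second step boundary
    code = totp_code(seed, t0)  # what the user reads off the phone at t0

    key = b"constructed-security-key-secret"
    challenge = b"constructed-random-challenge"
    real_site = "https://accounts.example.com"
    lookalike = "https://accounts-example.com"

    return {
        # TOTP: the same six digits still verify 10 s later, wherever they were typed
        "totp_within_step": totp_valid(seed, code, t0 + 10),
        # ...but not once the 30-second step has rolled over
        "totp_after_step": totp_valid(seed, code, t0 + 30),
        # Security key: an assertion produced for the real origin verifies
        "key_real_origin": key_verify(key, challenge, real_site, key_assert(key, challenge, real_site)),
        # an assertion the key produced while the browser was on the lookalike origin
        # does not, even though the challenge bytes are identical
        "key_lookalike_origin": key_verify(key, challenge, real_site, key_assert(key, challenge, lookalike)),
    }


if __name__ == "__main__":
    for name, accepted in compare_factors().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point the demo isolates is that a TOTP verifier checks only the shared seed and the clock, whereas the security key's answer is tied to the origin the browser was actually on, so the legitimate site rejects anything produced for a look-alike domain without any user judgement being involved.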
Lidzborski was not able to quantify the exact rise in these attacks that Google has identified. On average, the company encounters 100 million phishing messages per day. But in the past, only the most specialized hackers, such as state-sponsored spies, used phishing attacks capable of defeating two-factor authentication, he said. "It is now available as an open source phishing framework," he added. "So it's more widespread than before."
We must always be careful with our email inbox. Phishing emails often impersonate legitimate services, such as Google, and try to trick you into visiting what looks like an official login page, when in fact the site is designed to steal your passwords. To teach the public how to spot phishing attacks, Google's Jigsaw last month released a phishing quiz that can tell you more about the threat.