When Two-Factor Authentication Becomes a Black Hat’s Friend

A cornerstone of any security system is making sure that someone accessing your system is who they say they are. That’s done through authentication.

When authenticating a person’s identity, you can ask them for something they have (for example, an access card), something they know (for instance, a PIN) or something they are, which is typically a biometric—a fingerprint, palm print or the iris of an eye. Those are known as authentication factors and the more of them you use to authenticate someone, the more secure your system will be.

With that in mind, some organizations, most notably Google’s Gmail, have combined their desire for stronger authentication with the growing use of mobile phones among workers. Each user creates a PIN or password for their account (something they know) and is also allowed to access their account via a verification code sent to their smartphone (something they have).

The idea is if a user loses their password or if it’s compromised, they can quickly ask that a verification code be sent to their phone, use that code to log into their account and set up a new password known only to them.

The idea is a good one, if you remove the human element from it. As is often the case with security schemes, even if you could have bulletproof hardware, software, systems and processes, you can never have bulletproof wetware. You see, hackers don’t need physical access to a phone. All they need is access to the phone’s owner.

One way to pry a verification code from a person is through social engineering. Professional hacker Lokesh Singh describes such an attack at his Hackingloops website.

In that case, one of Singh’s “clients” complained about his Gmail account being hacked. After some questioning, Singh discovered that the client had responded to a Google Talk invitation from someone he didn’t know but who had a provocative email address—earnmoneyunlimited@gmail.com.

The Black Hat already had the client’s email address—that’s how he sent the Google Talk invitation to the client—so while talking to the client, the miscreant could go to Gmail, click “Can’t access your account?”, enter the client’s email address and have a verification code sent to the client’s mobile.

That done, the con man asked the client for the code, claiming it was needed to link the client’s account to the scammer’s AdSense account. Once he had the code, the bunko artist could enter the client’s account and use it for nefarious activities like spamming and phishing.

One-on-one attacks like the one described by Singh would have limited appeal to big-time hackers who want to do volume business. But with some refinement the ripoff can be scaled upward, as Chris Mims pointed out in MIT’s Technology Review.

Through a massive spam campaign, targets would be sent to a website promising some kind of benefit—free gift cards, cash or such. To qualify for the benefit, a visitor would have to enter an email address—nothing unusual there.

At the back end of the website, though, Gmail addresses, or any other addresses tied to cell phone verification schemes, would be sent to their home sites, verification codes requested and the codes sent to the owners of those email addresses.

In the final step of the qualification process, a victim would be asked to enter the verification code, which would open the door to their email account for the fraudster.
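What makes the volume version of this scheme visible to the email provider is that one party requests verification codes for many different accounts in a short span. As an added example, not code from the article or from any provider it mentions, here is a Python pass over constructed code-request log lines that flags a source address requesting codes for an unusual number of distinct accounts inside a sliding time window; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of "send verification code" requests (not real
# data): timestamp, requesting source address, target account.
SAMPLE_LOG = """\
2012-05-21T10:00:01 send_code src=203.0.113.9 account=alice@example.com
2012-05-21T10:00:02 send_code src=203.0.113.9 account=bob@example.com
2012-05-21T10:00:02 send_code src=203.0.113.9 account=carol@example.com
2012-05-21T10:00:04 send_code src=203.0.113.9 account=dave@example.com
2012-05-21T10:00:05 send_code src=203.0.113.9 account=erin@example.com
2012-05-21T10:03:00 send_code src=198.51.100.7 account=frank@example.com
2012-05-21T10:09:00 send_code src=198.51.100.7 account=frank@example.com
"""

# Assumed line layout; adjust the pattern to the real log format.
LINE_RE = re.compile(r"^(\S+) send_code src=(\S+) account=(\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, source, account) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def flag_sources(events, window=timedelta(minutes=5), max_accounts=3):
    """Return {source: peak distinct accounts} for every source that asked
    for codes on more than max_accounts distinct accounts within any
    sliding window of the given length. A legitimate user retrying the
    recovery flow for their own account never crosses the threshold."""
    by_src = defaultdict(list)
    for ts, src, acct in events:
        by_src[src].append((ts, acct))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {a for _, a in items[start:end + 1]}
            if len(distinct) > max_accounts:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

The same threshold can be applied inline to refuse further code sends from a flagged source rather than only reporting it afterwards.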

Creating an authentication scheme that uses multiple factors to assure a person’s identity is worthwhile, but you need to do it with your weakest link in mind: your users.

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

  1. Chris Aubert · May 22, 2012

    I think this is going to be typical of any kind of scenario in which two-or-more-factor authentication is meant to be used not in tandem but as a backdoor. The accessibility is nice, but the risk is too high. If one had to have a password AND an authenticator code instead of either/or, it would be a much more secure process.

  2. Voltaire Canera · May 26, 2012

    What is the appeal of doing something illegal? The rebel in a person? The need not to be a part of civil society? I mean, if money is the only motivation, I bet there is lots of money to be made by legal, traditional means, isn’t there? Or is it just easier to make money through spamming?

    Unless the person is so into solving puzzles, isn’t it too tedious to do spam effectively on a massive scale?

    There really is no permanent solution to the spam problem if your problem is your users. There are no bounds to human stupidity, I say. The author’s right. The weakest link is the users.

  3. Rich Charles · May 27, 2012

    The scheme you describe is pretty dangerous and it can easily get sensitive information. However, I am optimistic this won’t happen on a large scale for a very prosaic reason: it requires too much effort on the user’s side. It is much more sophisticated than clicking a link, for example, and this is what makes me think many users will simply not bother with it.